Jinja2 Switch Templating with FreeZTP

About a year ago /u/packetsar shared FreeZTP on reddit, just in time for a project that required upgrade/configuration of 400+ IOS-XE switches (3650/3850, several stacks). Over the following months, he was extremely receptive and accommodating with feature updates and tweaks; so kudos, pal.

This is a sanitized example of a switch template that I built out with a strong focus on keeping the process as simple and unbreakable as possible for the intended end-users, at the cost of a self-imposed excessively large learning curve. My last three blog posts were a direct result of achieving this goal; something that a lot of docs, labbing, and scouring of community forums contributed to.

A Few Disclosures

  • I do not have a background in development, this was my first venture into any kind of programming/templating. This was largely an exercise in figuring out what I could accomplish in the template, without having to manually intervene, whether it be via python, console, or otherwise. There are probably some development best-practices that I unwittingly spat in the face of, or more optimal ways to accomplish some of these functions.
  • Smart-install is deprecated as of IOS-XE 16.3.7+ (still works in 16.3.6). This does not impact AutoInstall.
  • /u/packetsar has done an excellent job detailing all facets of FreeZTP, so questions/concerns regarding its inner-workings are better answered by the project's GitHub

FreeZTP config

I configured FreeZTP to use external keystore and template files. This kept the code and other sensitive template information somewhat concealed, for lack of a better term. This also kept ztp show config outputs concise and easier to read when validating FreeZTP settings.

$ ztp set external-keystore SBS type csv && \
~ztp set external-keystore SBS file '/srv/ztp/keystore/ks_asw.csv' && \
~ztp set external-template SBS file '/srv/ztp/template/tmpl_asw.j2'


The CSV file has minimal headings; keystore_id (hostname), association (template), and idarray_1 - idarray_4 for the switch serial numbers (our defined stack limitation for this project).



  • First section provides guidelines and outputs the variables that ZTP passed into the template.
  • Second section defines static variables that I didn't want to store in the CSV; e.g. protocol secrets/keys, syslog server addresses, and other things that the template will use.
  • Third section assigns dynamic values to variables.

    gi_ints is a list of GigabitEthernet interfaces, which scales with the number of switches in the stack.

    Switch Count gi_ints
    1 gi1/0/1-36
    2 gi1/0/1-36,gi2/0/1-36
    3 gi1/0/1-36,gi2/0/1-36,gi3/0/1-36
    4 gi1/0/1-36,gi2/0/1-36,gi3/0/1-36,gi4/0/1-36
{%-set tmpl={"file":"tmpl_test.j2",
{%-set indent="\n!"~" "*23-%}
!-- --------------------------------------------------------------------------- --!
!--                          ***IMPORTANT (Example)***                          --!
!--          Hostname (keystore_id in CSV) has strict formatting rules.         --!
!--                                                                             --!
!--  * TR and switch/stack numbers must each be two digits (use leading '0').   --!
!--                           * TRs are numbered 1-9.                           --!
!--     * Any TR can only accommodate up to 9 switches/stacks; i.e. 01-09.      --!
!--      * Any stack is only intended to have 4 switches; i.e. idarray_1-4.     --!
!--                                                                             --!
!--                     Example for TR-4, switch/stack 1...                     --!
!--                                                                             --!
!--      Access Switch      |       TR Number        |   Switch/Stack Number    --!
!--   ----------------------|------------------------|----------------------    --!
!--           ASW           |          TR04          |            02            --!
!--                                                                             --!
!--                        Example hostname: ASW-TR04-02                        --!
!-- --------------------------------------------------------------------------- --!
!-- Variables (keys) parsed from CSV keystore.
!---- KEYSTORE_ID     > {{keystore_id|default("N/A")}}{# Used to associate the switch to a template (serial number).#}
!---- ASSOCIATION     > {{association|default("N/A")}}{# Switch template associated with KEYSTORE_ID.#}
!---- IDARRAY_1       > {{idarray_1|default("N/A")}}{#   Switch 1 serial number.#}
!---- IDARRAY_2       > {{idarray_2|default("N/A")}}{#   Switch 2 serial number.#}
!---- IDARRAY_3       > {{idarray_3|default("N/A")}}{#   Switch 3 serial number.#}
!---- IDARRAY_4       > {{idarray_4|default("N/A")}}{#   Switch 4 serial number.#}
!---- IDARRAY         > {{idarray|default("N/A")}}{#     All switch serial numbers.#}
!---------------------------------------------------------------- VARIABLES: STATIC
!-- Variables (keys) statically defined within the template.
!-- Variables with multiple values are JSON formatted.
!{#   VARIABLE        > {%set VARIABLE="VALUE"%}                    <<< set | print >>>          {{VARIABLE}}   #}
!---- TFTP_ADDR       > {%set tftp_addr=""%}{#                                   #}{{tftp_addr}}
!---- DOMAIN          > {%set domain="exmaple.local"%}{#                                       #}{{domain}}
!---- STP_PRIORITY    > {%set stp_priority="28672"%}{#                                         #}{{stp_priority}}
!---- ENABLE_SEC      > {%set enable_sec="enable-secret"%}{#                                   #}{{enable_sec}}
!---- TACACS_KEY      > {%set tacacs_key="tacacs-secret"%}{#                                   #}{{tacacs_key}}
!---- RADIUS_KEY      > {%set radius_key="radius-secret"%}{#                                   #}{{radius_key}}
!---- NTP_KEY         > {%set ntp_key="ntp-secret"%}{#                                         #}{{ntp_key}}
!---- SYSLOG_ADDR     > {%set syslog_addr=""%}{#                                     #}{{syslog_addr}}
!---- [IMAGE]         > {%set image={"bin":"cat3k_caa-universalk9.16.03.07.SPA.bin",
                                     "ver":"16.3.7"}%}{#                                       #}{{image|dictsort(false)|join(indent)}}
!---- [CREDS]         > {%set creds={"admin":"admin-secret",
                                     "eem_svc":"eem-secret"}%}{#                               #}{{creds|dictsort(false)|join(indent)}}
!---- [NTP_ADDR]      > {%set ntp_addr={"pri":{"addr":"","pref":"prefer"},
                                        "sec":{"addr":"","pref":""}}%}{#            #}{{ntp_addr|dictsort(false)|join(indent)}}
!---- [ISE_ADDR]      > {%set ise_addr={"01":"",
                                        "03":""}%}{#                                #}{{ise_addr|dictsort(false)|join(indent)}}
!---- [SNMPV3]        > {%set snmpv3={"grp":"SNMP_ASW",
                                      "priv":"smp-priv"}%}{#                                   #}{{snmpv3|dictsort(false)|join(indent)}}
!---- [VLAN]          > {%set vlan={"native":{"id":"999","name":"NATIVE"},
                                    "global":{"id":"998","name":"GLOBAL"}}%}{#                 #}{{vlan|dictsort(false,"value")|join(indent)}}
!---------------------------------------------------------------- VARIABLES: DYNAMIC
!-- Variables (keys) with dynamic values based on variables paresed from the CSV keystore.
!---- HOSTNAME        > {%set hostname=keystore_id%}{#                                         #}{{hostname}}
!---- SW_COUNT        > {%set sw_count=idarray|count%}{#                                       #}{{sw_count}}
!---- SERIALS         > {%set serials=idarray%}{#                                              #}{{serials}}
!-- Create range lists for all access interfaces and all provisioning interfaces based on IDARRAY.
{%set gi_ints,te_ints,prov_ints=[],[],[]-%}
{%for sw in idarray-%}
{%  set i=loop.index-%}
{%  set gi_ints,te_ints,prov_ints=
!---- GI_INTS         > {%set gi_ints=gi_ints|join(",")%}{#                                    #}{{gi_ints}}
!---- TE_INTS         > {%set te_ints=te_ints|join(",")%}{#                                    #}{{te_ints}}
!---- PROV_INTS       > {%set prov_ints=prov_ints|join(",")%}{#                                #}{{prov_ints}}
!-- Split hostname to get TR (numeric only) and SW.
!---- TR              > {%set tr=(hostname.split("-")[1])[2:]%}{#                              #}{{tr}}
!---- TRN             > {%set trn=tr[1:]%}{#                                                   #}{{trn}}
!---- SW              > {%set sw=(hostname.split("-")[2])%}{#                                  #}{{sw}}
!-- Determine PO_NUM from TR (second digit) and (int of) SW; also used as last octet of MGMT IP.
!---- PO_NUM          > {%set po_num="1%s%s"|format(tr[1:],sw|int)%}{#                         #}{{po_num}}
!-- Determine MGMT subnet; IP from subnet and PO_NUM; append a name for the default route.
{%set mgmt={"net":"10.254.%s"|format(trn)}-%}
{%set x=mgmt.update({"mask":""})-%}
{%set x=mgmt.update({"ip":"%s.%s"|format(,po_num)})-%}
{%set x=mgmt.update({"rt_name":"Default>MGMT:DIST-01"})-%}
!---- [MGMT]          > {#                                                                     #}{{mgmt|dictsort(false,"value")|join(indent)}}
!-- Determine TR_VLS from TR, append them to the (static) [VLAN] dictionary.
{%set tr_vls={"grt_thin":{"id":"1%s01"|format(trn),"name":"GRT:TR%s/THIN-CLIENTS"|format(tr)},
!---- [TR_VLS]        > {%set x=vlan.update(tr_vls)-%}{#                                       #}{{tr_vls|dictsort(false)|join(indent)}}
!-- Create VLAN_LIST from [VLAN].
{%set vlan_list=[]-%}
{%for k,v in vlan|dictsort(false,"value")-%}
{%  set vlan_list=vlan_list.append( -%}
!---- VLAN_LIST       > {%set vlan_list=vlan_list|join(",")%}{#                                #}{{vlan_list}}
{%-set tmpl={"file":"tmpl_test.j2",
{%-set indent="\n!"~" "*23-%}
!-- --------------------------------------------------------------------------- --!
!--                          ***IMPORTANT (Example)***                          --!
!--          Hostname (keystore_id in CSV) has strict formatting rules.         --!
!--                                                                             --!
!--  * TR and switch/stack numbers must each be two digits (use leading '0').   --!
!--                           * TRs are numbered 1-9.                           --!
!--     * Any TR can only accommodate up to 9 switches/stacks; i.e. 01-09.      --!
!--      * Any stack is only intended to have 4 switches; i.e. idarray_1-4.     --!
!--                                                                             --!
!--                     Example for TR-4, switch/stack 2...                     --!
!--                                                                             --!
!--      Access Switch      |       TR Number        |   Switch/Stack Number    --!
!--   ----------------------|------------------------|----------------------    --!
!--           ASW           |          TR04          |            02            --!
!--                                                                             --!
!--                        Example hostname: ASW-TR04-02                        --!
!-- --------------------------------------------------------------------------- --!
!-- Variables (keys) parsed from CSV keystore.
!---- KEYSTORE_ID     > {{keystore_id|default("N/A")}}{# Used to associate the switch to a template (serial number).#}
!---- ASSOCIATION     > {{association|default("N/A")}}{# Switch template associated with KEYSTORE_ID.#}
!---- IDARRAY_1       > {{idarray_1|default("N/A")}}{#   Switch 1 serial number.#}
!---- IDARRAY_2       > {{idarray_2|default("N/A")}}{#   Switch 2 serial number.#}
!---- IDARRAY_3       > {{idarray_3|default("N/A")}}{#   Switch 3 serial number.#}
!---- IDARRAY_4       > {{idarray_4|default("N/A")}}{#   Switch 4 serial number.#}
!---- IDARRAY         > {{idarray|default("N/A")}}{#     All switch serial numbers.#}
!---------------------------------------------------------------- VARIABLES: STATIC
!-- Variables (keys) statically defined within the template.
!-- Variables with multiple values are JSON formatted.
!{#   VARIABLE        > {%set VARIABLE="VALUE"%}                    <<< set | print >>>          {{VARIABLE}}   #}
!---- TFTP_ADDR       > {%set tftp_addr=""%}{#                                   #}{{tftp_addr}}
!---- DOMAIN          > {%set domain="exmaple.local"%}{#                                       #}{{domain}}
!---- STP_PRIORITY    > {%set stp_priority="28672"%}{#                                         #}{{stp_priority}}
!---- ENABLE_SEC      > {%set enable_sec="enable-secret"%}{#                                   #}{{enable_sec}}
!---- TACACS_KEY      > {%set tacacs_key="tacacs-secret"%}{#                                   #}{{tacacs_key}}
!---- RADIUS_KEY      > {%set radius_key="radius-secret"%}{#                                   #}{{radius_key}}
!---- NTP_KEY         > {%set ntp_key="ntp-secret"%}{#                                         #}{{ntp_key}}
!---- SYSLOG_ADDR     > {%set syslog_addr=""%}{#                                     #}{{syslog_addr}}
!---- [IMAGE]         > {%set image={"bin":"cat3k_caa-universalk9.16.03.07.SPA.bin",
                                    "ver":"16.3.7"}%}{#                                       #}{{image|dictsort(false)|join(indent)}}
!---- [CREDS]         > {%set creds={"admin":"admin-secret",
                                    "eem_svc":"eem-secret"}%}{#                               #}{{creds|dictsort(false)|join(indent)}}
!---- [NTP_ADDR]      > {%set ntp_addr={"pri":{"addr":"","pref":"prefer"},
                                        "sec":{"addr":"","pref":""}}%}{#            #}{{ntp_addr|dictsort(false)|join(indent)}}
!---- [ISE_ADDR]      > {%set ise_addr={"01":"",
                                        "03":""}%}{#                                #}{{ise_addr|dictsort(false)|join(indent)}}
!---- [SNMPV3]        > {%set snmpv3={"grp":"SNMP_ASW",
                                      "priv":"smp-priv"}%}{#                                   #}{{snmpv3|dictsort(false)|join(indent)}}
!---- [VLAN]          > {%set vlan={"native":{"id":"999","name":"NATIVE"},
                                    "global":{"id":"998","name":"GLOBAL"}}%}{#                 #}{{vlan|dictsort(false,"value")|join(indent)}}
!---------------------------------------------------------------- VARIABLES: DYNAMIC
!-- Variables (keys) with dynamic values based on variables paresed from the CSV keystore.
!---- HOSTNAME        > {%set hostname=keystore_id%}{#                                         #}{{hostname}}
!---- SW_COUNT        > {%set sw_count=idarray|count%}{#                                       #}{{sw_count}}
!---- SERIALS         > {%set serials=idarray%}{#                                              #}{{serials}}
!-- Create range lists for all access interfaces and all provisioning interfaces based on IDARRAY.
{%set gi_ints,te_ints,prov_ints=[],[],[]-%}
{%for sw in idarray-%}
{%  set i=loop.index-%}
{%  set gi_ints,te_ints,prov_ints=
!---- GI_INTS         > {%set gi_ints=gi_ints|join(",")%}{#                                    #}{{gi_ints}}
!---- TE_INTS         > {%set te_ints=te_ints|join(",")%}{#                                    #}{{te_ints}}
!---- PROV_INTS       > {%set prov_ints=prov_ints|join(",")%}{#                                #}{{prov_ints}}
!-- Split hostname to get TR (numeric only) and SW.
!---- TR              > {%set tr=(hostname.split("-")[1])[2:]%}{#                              #}{{tr}}
!---- TRN             > {%set trn=tr[1:]%}{#                                                   #}{{trn}}
!---- SW              > {%set sw=(hostname.split("-")[2])%}{#                                  #}{{sw}}
!-- Determine PO_NUM from TR (second digit) and (int of) SW; also used as last octet of MGMT IP.
!---- PO_NUM          > {%set po_num="1%s%s"|format(tr[1:],sw|int)%}{#                         #}{{po_num}}
!-- Determine MGMT subnet; IP from subnet and PO_NUM; append a name for the default route.
{%set mgmt={"net":"10.254.%s"|format(trn)}-%}
{%set x=mgmt.update({"mask":""})-%}
{%set x=mgmt.update({"ip":"%s.%s"|format(,po_num)})-%}
{%set x=mgmt.update({"rt_name":"Default>MGMT:DIST-01"})-%}
!---- [MGMT]          > {#                                                                     #}{{mgmt|dictsort(false,"value")|join(indent)}}
!-- Determine TR_VLS from TR, append them to the (static) [VLAN] dictionary.
{%set tr_vls={"grt_thin":{"id":"1%s01"|format(trn),"name":"GRT:TR%s/THIN-CLIENTS"|format(tr)},
!---- [TR_VLS]        > {%set x=vlan.update(tr_vls)-%}{#                                         #}{{tr_vls|dictsort(false)|join(indent)}}
!-- Create VLAN_LIST from [VLAN].
{%set vlan_list=[]-%}
{%for k,v in vlan|dictsort(false,"value")-%}
{%  set vlan_list=vlan_list.append( -%}
!---- VLAN_LIST       > {%set vlan_list=vlan_list|join(",")%}{#                                #}{{vlan_list}}
!---------------------------------------------------------------- CONFIG: BASE
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
hostname {{hostname}}
clock timezone PST -8 0
clock summer-time PDT recurring
{%for sw in idarray-%}
{%  set i=loop.index-%}
switch {{i}} provision ws-c3850-12x48u
no ip domain lookup
ip domain-name {{domain}}
logging buffered 409600 debugging
logging console debug
!ip ssh logging events
ip ssh version 2
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority {{stp_priority}}
vtp mode transparent
file prompt quiet
ip dhcp snooping vlan 1-4094
no ip dhcp snooping information option
ip dhcp snooping
udld aggressive
macro name int-auth
switchport mode access
switchport nonegotiate
switchport voice vlan {{}}
device-tracking attach-policy IPDT
authentication event server dead action reinitialize vlan {{}}
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
ip dhcp snooping limit rate 25
no shutdown
no downshift
no macro description
macro name int-noauth
# Unauthenticated interface macro, variables not mandatory.
# > Assign appropriate access vlan using $VL
# Example config for a thin client in VL-1201;
# (config)# interface gi#/#/#
# (config-if)# macro apply int-noauth $VL 1201
switchport access vlan $VL
switchport mode access
switchport nonegotiate
device-tracking attach-policy IPDT
spanning-tree portfast
ip dhcp snooping limit rate 25
no shutdown
no downshift
no macro description
banner login @
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or
criminal penalties.
All activities performed on this device are logged and monitored.
alias exec intstat show int status
alias exec ipint show ip int br | e una
alias exec ver show ver | i Soft|file
alias exec vlbr show vlan br | i active
alias exec rundiff show arch config diff
alias exec auth show auth sess int gi
alias exec radstat sh aaa server | i RADIUS|Platform State
alias exec int-auth event man run int-auth
alias exec int-noauth event man run int-noauth
!---------------------------------------------------------------- CONFIG: AUTH
enable secret 0 {{enable_sec}}
{%for k,v in creds|dictsort(false)-%}
username {{k}} privilege 15 secret 0 {{v}}
aaa new-model
!-- TACACS servers and group config.
{%-for k,v in ise_addr|dictsort(false)%}
tacacs server ISE{{k}}-T
address ipv4 {{v}}
key 0 {{tacacs_key}}
aaa group server tacacs+ ISE-T
{%-for k,v in ise_addr|dictsort(false)%}
server name ISE{{k}}-T
ip tacacs source-interface Vlan{{}}
!-- RADIUS servers and group config.
{%-for k,v in ise_addr|dictsort(false)%}
radius server ISE{{k}}-R
address ipv4 {{v}} auth-port 1812 acct-port 1813
automate-tester username test-user ignore-acct-port probe-on
key 0 {{radius_key}}
aaa group server radius ISE-R
{%-for k,v in ise_addr|dictsort(false)%}
server name ISE{{k}}-R
ip radius source-interface Vlan{{}}
load-balance method least-outstanding batch-size 5
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
aaa server radius dynamic-author
{%-for k,v in ise_addr|dictsort(false)%}
client {{v}} server-key 0 {{radius_key}}
!-- Default authentication method list to use TACACS, fallback to local (ssh).
aaa authentication login default group ISE-T local
!-- Authentication method list to use local creds only (console).
aaa authentication login CONSOLE local
!-- Required to authorize console to exec mode (console).
aaa authorization console
!-- Default authorization exec and commands 15 method lists to use local or TACACS (console, ssh).
!-- 'local' must be defined here first for console authorization to work.
aaa authorization exec default local group ISE-T if-authenticated 
aaa authorization commands 15 default local group ISE-T if-authenticated
!-- Accounting commands to send all exec start-stop, and priv 15 commands to TACACS (console, ssh).
aaa accounting exec default start-stop group ISE-T
aaa accounting commands 15 default start-stop group ISE-T
!-- AAA commands for dot1x/mab.
aaa authentication dot1x default group ISE-R
aaa authorization network default group ISE-R
aaa accounting dot1x default start-stop group ISE-R
aaa accounting update newinfo periodic 2880
!---------------------------------------------------------------- CONFIG: DOT1X/ISE-MISC
dot1x system-auth-control
dot1x critical eapol
authentication mac-move permit
device-sensor filter-list dhcp list DHCP-ISE
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
device-sensor filter-list cdp list CDP-ISE
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name version-type
tlv name platform-type
device-sensor filter-spec dhcp include list DHCP-ISE
device-sensor filter-spec cdp include list CDP-ISE
device-sensor accounting
device-sensor notify all-changes
!---------------------------------------------------------------- CONFIG: VLANS
{%-for k,v in vlan|dictsort(false,"value")%}
vlan {{}}
name {{}}
!---------------------------------------------------------------- CONFIG: INTERFACES
interface GigabitEthernet0/0
!-- Configure misc interfaces for all stack members.
interface range {{prov_ints}}
description TMP//PROVISION
switchport mode access
switchport nonegotiate
switchport access vlan 1
spanning-tree portfast
ip dhcp snooping trust
no shutdown
{%-for sw in idarray%}
{%-set i=loop.index%}
interface range Gi{{i}}/1/1-2
interface range Te{{i}}/1/3-4
channel-group 1 mode active
no shutdown
interface range Gi{{i}}/1/3-4,Te{{i}}/1/1-2,Te{{i}}/1/5-8,Fo{{i}}/1/1-2
description ***NULL//DoNotConfigure
interface Port-channel1
description DIST-01:Po{{po_num}}
switchport trunk native vlan 999
switchport trunk allowed vlan {{vlan_list}}
switchport mode trunk
switchport nonegotiate
ip dhcp snooping trust
no shutdown
!---------------------------------------------------------------- CONFIG: IP/SOURCE/NMS
interface Vlan1
ip address dhcp
no shutdown
interface Vlan{{}}
description {{}}
no ip redirects
no ip proxy-arp
ip address {{mgmt.ip}} {{mgmt.mask}}
no shutdown
ip tftp source-interface Vlan{{}}
ip tftp blocksize 8192
ip route {{}}.1 name {{mgmt.rt_name}}
logging source-interface Vlan{{}}
logging host {{syslog_addr}}
ntp authentication-key 1 md5 {{ntp_key}}
ntp authenticate
ntp trusted-key 1
{%-for k,v in ntp_addr|dictsort(false)%}
ntp server {{v.addr}} key 1 {{v.pref}} source vlan{{}}
snmp-server group {{snmpv3.grp}} v3 priv
snmp-server user {{snmpv3.user}} {{snmpv3.grp}} v3 auth sha {{snmpv3.auth}} priv aes 256 {{snmpv3.priv}}
snmp-server location Provisioned with switch template: {{"%s (rev: %s)"|format(tmpl.file,tmpl.rev)}}
snmp-server contact Provisioned hostname ({{hostname}}) and stack members: {{serials|join("-")}}
line console 0
login authentication CONSOLE
logging synchronous
exec-timeout 15 0
line vty 0 15
logging synchronous
exec-timeout 30 0
transport input ssh
!---------------------------------------------------------------- CONFIG: EEM
event manager session cli username {{creds.keys().1}}
event manager applet int-auth
event none maxrun 60
action 00.00 puts "## Enter interface to configure with authentication; e.g. gi1/0/1, te1/0/37"
action 00.01 gets intf
action 00.02 cli command "enable"
action 00.03 cli command "show int $intf status"
action 00.04 regexp "Invalid" "$_cli_result"
action 00.05 if $_regexp_result eq "1"
action 00.06  puts "## Invalid interface ($intf), verify prefix; i.e. 'gi' or 'te'."
action 00.07  exit
action 00.08 end
action 00.10 regexp "connected\ +([0-9]+)" "$_cli_result" match currvl
action 00.11 if $_regexp_result eq "1"
action 00.12  puts "## Interface $intf has a device connected in VLAN $currvl, continue (y|n)..."
action 00.13  gets cont
action 00.14  if $cont ne "y"
action 00.15   exit
action 00.16  end
action 00.17 end
action 01.00 cli command "conf t"
action 01.01 cli command "default int $intf"
action 01.02 cli command "int $intf"
action 01.03 cli command "macro apply int-auth"
action 01.04 cli command "end"
action 01.05 cli command "write mem" pattern "confirm|#"
action 01.06 cli command ""
action 01.10 puts "## Interface $intf configured with authentication."
event manager applet int-noauth
event none maxrun 60
action 00.00 puts "## Enter interface to configure without authentication; e.g. gi1/0/1, te1/0/37"
action 00.01 gets intf
action 00.02 cli command "enable"
action 00.03 cli command "show int $intf status"
action 00.04 regexp "Invalid" "$_cli_result"
action 00.05 if $_regexp_result eq "1"
action 00.06  puts "## Invalid interface ($intf), verify prefix; i.e. 'gi' or 'te'."
action 00.07  exit
action 00.08 end
action 00.10 regexp "connected\ +([0-9]+)" "$_cli_result" match currvl
action 00.11 if $_regexp_result eq "1"
action 00.12  puts "## Interface $intf has a device connected in VLAN $currvl, continue (y|n)..."
action 00.13  gets cont
action 00.14  if $cont ne "y"
action 00.15   exit
action 00.16  end
action 00.17 end
action 00.20 puts "## Enter access VLAN ID; e.g. 800"
action 00.21 gets vl
action 00.22 cli command "show vlan id $vl"
action 00.23 regexp "not found" "$_cli_result"
action 00.24 if $_regexp_result eq "1"
action 00.25  puts "## VLAN $vl is not configured on this switch."
action 00.26  exit
action 00.27 end
action 01.00 cli command "conf t"
action 01.01 cli command "default int $intf"
action 01.02 cli command "int $intf"
action 01.03 cli command "macro apply int-noauth \$VL $vl"
action 01.04 cli command "end"
action 01.05 cli command "write mem" pattern "confirm|#"
action 01.06 cli command ""
action 01.10 puts "## Interface $intf configured without authentication in VL-$vl, please describe accordingly."
!---------------------------------------------------------------- CONFIG: EEM-TEMP
event manager environment q "
event manager applet post_ztp_1
!-- Renumber/prioritize switches in stack, write mem, and then download->upgrade/reload (if needed).
event syslog occurs 1 pattern "Configured from tftp://{{tftp_addr}}" maxrun 960
action 00.00 syslog msg "  ## Configuration received via TFTP, run 'post_ztp_1' EEM applet in 120s."
action 00.01 wait 120
action 00.03 cli command "enable"
action 00.05 cli command "show mod | i ^.[1-9]"
action 00.06 set stack "$_cli_result"
action 00.07 syslog msg "  ## Checking all switches' version and stack membership, adjusting where necessary.\n  ## Current order;\n$stack"
action 00.08 set error_list ""
action 00.09 set change_list ""
action 00.10 set upgrade_list ""
{%for sw in idarray%}
{%-  set i=loop.index%}
action 0{{i}}.00 set sw_num "{{i}}"
action 0{{i}}.01 set pri "16"
action 0{{i}}.02 decrement pri {{i}}
action 0{{i}}.03 regexp "{{sw}}" "$stack"
action 0{{i}}.04 if $_regexp_result ne "1"
action 0{{i}}.05  syslog msg "\n  ## {{sw}} (Sw-{{i}} serial) not found in the stack, check 'show mod' output."
action 0{{i}}.06  append error_list "\n  ##  {{sw}} is allocated (idarray_{{i}}) but was not found in the stack."
action 0{{i}}.07 else
action 0{{i}}.08  set i "0"
action 0{{i}}.09  foreach line "$stack" "\n"
action 0{{i}}.10   increment i
action 0{{i}}.11   if $i le "{{sw_count}}"
action 0{{i}}.12    string trim "$line"
action 0{{i}}.13    set line "$_string_result"
action 0{{i}}.14    regexp "{{sw}}" "$line"
action 0{{i}}.15    if $_regexp_result eq "1"
action 0{{i}}.16     regexp "([0-9\.A-Z]+$)" "$line" curr_ver
action 0{{i}}.17     if $curr_ver ne "{{image.ver}}"
action 0{{i}}.18      append upgrade_list "{{i}}"
action 0{{i}}.19     end
action 0{{i}}.20     cli command "switch $i priority $pri" pattern "continue|#"
action 0{{i}}.21     cli command "y"
action 0{{i}}.22     if $i eq $sw_num
action 0{{i}}.23      append change_list "\n  ##  {{sw}} (Priority: $pri // Numbered:       $sw_num  // Version: $curr_ver)"
action 0{{i}}.24     else
action 0{{i}}.25      cli command "switch $i renumber $sw_num" pattern "continue|#"
action 0{{i}}.26      cli command "y"
action 0{{i}}.27      append change_list "\n  ##  {{sw}} (Priority: $pri // Renumbered: $i > $sw_num* // Version: $curr_ver)"
action 0{{i}}.28     end
action 0{{i}}.29     break
action 0{{i}}.30    end
action 0{{i}}.31   end
action 0{{i}}.32  end
action 0{{i}}.33 end
action 10.00 wait 5
action 10.01 if $error_list ne ""
action 10.02  syslog msg "\n  ## The following errors occurred; $error_list"
action 10.03 end
action 10.04 syslog msg "\n  ## Switches below have been assigned a priority and renumbered* as needed; $change_list"
action 13.00 cli command "conf t"
action 13.01 cli command "no event man app post_ztp_1"
action 14.00 if $upgrade_list eq ""
action 14.01  syslog msg "  ## All switches are running version {{image.ver}}, skipping download->upgrade/reload; finalizing config in 20s."
action 14.02  cli command "no event man env q"
action 14.03  cli command "event man env ztp_upgraded no"
action 14.04  cli command " event man app post_ztp_2"
action 14.05  cli command " event timer countdown time 20 maxrun 480"
action 14.06  cli command " no action 00.00"
action 14.07  cli command " no action 00.01"
action 14.08  cli command " end"
action 14.09  cli command "write mem" pattern "confirm|#"
action 14.10  cli command ""
action 14.11 else
action 14.12  syslog msg "  ## One or more switches require an upgrade to version {{image.ver}} ($upgrade_list); proceeding with download->upgrade/reload."
action 14.13  cli command "event man env ztp_upgraded yes"
action 14.14  cli command "event man app post_ztp_2"
action 14.15  cli command " event syslog occurs 1 pattern $q%IOSXE_REDUNDANCY-6-PEER$q maxrun 630"
action 14.16  cli command " no event man env q"
action 14.17  cli command "end"
action 14.18  cli command "write mem" pattern "confirm|#"
action 14.19  cli command ""
action 14.20  syslog msg "  ## (Standby) Downloading image..."
action 14.21  cli command "copy tftp://{{tftp_addr}}/{{image.bin}} flash:"
action 14.22  syslog msg "  ## (Standby) Image downloaded, upgrading..."
action 14.23  cli command "software install file flash:{{image.bin}} new force" pattern "proceed|#"
action 14.24  syslog msg "  ## Upgrade complete, rebooting."
action 14.25  cli command "y"
action 14.26 end
event manager applet post_ztp_2
!-- Apply final configs, push running config via TFTP, clean up VL-1 and Te#/0/48 configs, write mem, and then perform package clean.
event none
action 00.00 syslog msg "  ## Switch reloaded on new image, running 'post_ztp_2' EEM applet in 150s."
action 00.01 wait 150
action 00.02 syslog msg "  ## (Standby) Applying global configs ignored by smart-install and generating crypto key..."
action 00.03 cli command "enable"
action 00.04 set upgr "$ztp_upgraded"
action 01.00 cli command "conf t"
action 01.01 cli command "no event man env ztp_upgraded"
action 01.02 cli command "no event man app post_ztp_2"
action 01.04 cli command "no vstack"
action 01.05 cli command "no ip http ser"
action 01.06 cli command "no ip http secure-s"
action 01.07 cli command "no ip http authen"
action 01.08 cli command "no coap http enable"
action 01.09 cli command "device-tracking policy IPDT"
action 01.10 cli command " no protocol udp"
action 01.11 cli command " tracking enable"
action 01.12 cli command "cry key gen rsa mod 2048"
action 02.00 syslog msg "  ## (Standby) Applying `int-auth` macro config to ports 1-48 on all stack members..."
action 02.01 cli command "int range {{gi_ints}}"
action 02.02 cli command " macro apply int-auth"
action 02.03 cli command " no macro desc"
action 02.04 cli command "int range {{te_ints}}"
action 02.05 cli command " macro apply int-auth"
action 02.06 cli command " no macro desc"
action 03.00 syslog msg "  ## Pushing config to the following location: tftp://{{tftp_addr}}/provisioned/CAS/{{cfg_file}}"
action 03.01 cli command "do copy run tftp://{{tftp_addr}}/provisioned/CAS/{{cfg_file}}"
action 04.00 syslog msg "  ## Disabling VL-1 SVI, updating Te#/0/48 configs, and writing startup config."
action 04.01 cli command "int vl 1"
action 04.02 cli command " no desc"
action 04.03 cli command " no ip addr"
action 04.04 cli command " shut"
action 04.05 cli command "default int range {{prov_ints}}"
action 04.06 cli command "int range {{prov_ints}}"
action 04.07 cli command " macro apply int-auth"
action 04.08 cli command " no macro desc"
action 04.09 cli command "end"
action 04.10 cli command "write mem" pattern "confirm|#"
action 04.11 cli command ""
action 05.00 if $upgr eq "yes"
action 05.01  syslog msg "  ## (Standby) ZTP upgrade detected, performing software package clean..."
action 05.02  cli command "req plat soft pack clean sw all" pattern "proceed|#"
action 05.03  cli command "y"
action 05.04  syslog msg "  ## Unused .bin or .pkg files from previous version(s) have been deleted."
action 05.05 else
action 05.06  syslog msg "  ## ZTP upgrade not detected, skipping software package clean."
action 05.07 end
action 05.08 syslog msg "  ## Start-up config written, ({{hostname}}) is ready for deployment, OK to power off."

!-- --------------------------------------------------------------------------- --!
!--                          ***IMPORTANT (Example)***                          --!
!--          Hostname (keystore_id in CSV) has strict formatting rules.         --!
!--                                                                             --!
!--  * TR and switch/stack numbers must each be two digits (use leading '0').   --!
!--                           * TRs are numbered 1-9.                           --!
!--     * Any TR can only accommodate up to 9 switches/stacks; i.e. 01-09.      --!
!--      * Any stack is only intended to have 4 switches; i.e. idarray_1-4.     --!
!--                                                                             --!
!--                     Example for TR-4, switch/stack 2...                     --!
!--                                                                             --!
!--      Access Switch      |       TR Number        |   Switch/Stack Number    --!
!--   ----------------------|------------------------|----------------------    --!
!--           ASW           |          TR04          |            02            --!
!--                                                                             --!
!--                        Example hostname: ASW-TR04-02                        --!
!-- --------------------------------------------------------------------------- --!
!-- Variables (keys) parsed from CSV keystore.
!---- KEYSTORE_ID     > ASW-TR04-02
!---- IDARRAY_1       > FOC11111111
!---- IDARRAY_2       > FOC22222222
!---- IDARRAY_3       > FOC33333333
!---- IDARRAY_4       > FOC44444444
!---- IDARRAY         > ['FOC11111111', 'FOC22222222', 'FOC33333333', 'FOC44444444']
!---------------------------------------------------------------- VARIABLES: STATIC
!-- Variables (keys) statically defined within the template.
!-- Variables with multiple values are JSON formatted.
!---- TFTP_ADDR       >
!---- DOMAIN          > exmaple.local
!---- STP_PRIORITY    > 28672
!---- ENABLE_SEC      > enable-secret
!---- TACACS_KEY      > tacacs-secret
!---- RADIUS_KEY      > radius-secret
!---- NTP_KEY         > ntp-secret
!---- SYSLOG_ADDR     >
!---- [IMAGE]         > ('bin', 'cat3k_caa-universalk9.16.03.07.SPA.bin')
!                       ('ver', '16.3.7')
!---- [CREDS]         > ('admin', 'admin-secret')
!                       ('eem_svc', 'eem-secret')
!---- [NTP_ADDR]      > ('pri', {'pref': 'prefer', 'addr': ''})
!                       ('sec', {'pref': '', 'addr': ''})
!---- [ISE_ADDR]      > ('01', '')
!                       ('02', '')
!                       ('03', '')
!---- [SNMPV3]        > ('auth', 'snmp-auth')
!                       ('grp', 'SNMP_ASW')
!                       ('priv', 'smp-priv')
!                       ('user', 'snmp_asw')
!---- [VLAN]          > ('global', {'id': '998', 'name': 'GLOBAL'})
!                       ('native', {'id': '999', 'name': 'NATIVE'})
!---------------------------------------------------------------- VARIABLES: DYNAMIC
!-- Variables (keys) with dynamic values based on variables paresed from the CSV keystore.
!---- HOSTNAME        > ASW-TR04-02
!---- SW_COUNT        > 4
!---- SERIALS         > ['FOC11111111', 'FOC22222222', 'FOC33333333', 'FOC44444444']
!-- Join HOSTNAME and SERIALS to make CFG_FILE; used by EEM applet for TFTP config push
!---- CFG_FILE        > ASW-TR04-02_FOC11111111-FOC22222222-FOC33333333-FOC44444444.cfg
!-- Create range lists for all access interfaces and all provisioning interfaces based on IDARRAY.
!---- GI_INTS         > Gi1/0/1-36,Gi2/0/1-36,Gi3/0/1-36,Gi4/0/1-36
!---- TE_INTS         > Te1/0/37-47,Te2/0/37-47,Te3/0/37-47,Te4/0/37-47
!---- PROV_INTS       > Te1/0/48,Te2/0/48,Te3/0/48,Te4/0/48
!-- Split hostname to get TR (numeric only) and SW.
!---- TR              > 04
!---- TRN             > 4
!---- SW              > 02
!-- Determine PO_NUM from TR (second digit) and (int of) SW; also used as last octet of MGMT IP.
!---- PO_NUM          > 142
!-- Determine MGMT subnet; IP from subnet and PO_NUM; append a name for the default route.
!---- [MGMT]          > ('net', u'10.254.4')
!                       ('ip', u'')
!                       ('mask', '')
!                       ('rt_name', 'Default>MGMT:DIST-01')
!-- Determine TR_VLS from TR, append them to the (static) [VLAN] dictionary.
!---- [TR_VLS]        > ('grt_crit', {'id': u'1499', 'name': u'GRT:TR04/CRIT-AUTH'})
!                       ('grt_thick', {'id': u'1402', 'name': u'GRT:TR04/THICK-CLIENTS'})
!                       ('grt_thin', {'id': u'1401', 'name': u'GRT:TR04/THIN-CLIENTS'})
!                       ('grt_voice', {'id': u'1403', 'name': u'GRT:TR04/VOICE'})
!                       ('mgmt_ap', {'id': u'2402', 'name': u'MGMT:TR04/CAPWAP'})
!                       ('mgmt_sw', {'id': u'2401', 'name': u'MGMT:TR04/SW-WLC'})
!-- Create VLAN_LIST from [VLAN].
!---- VLAN_LIST       > 1401,1402,1403,1499,2401,2402,998,999
$ ztp request merge-test ASW-TR04-02 
2019-03-07 23:49:00:   cfact.get_keystore_id: Checking Keystores and IDArrays for (ASW-TR04-02)

2019-03-07 23:49:00:   cfact.get_keystore_id: ID (ASW-TR04-02) resolved directly to an external-keystore

2019-03-07 23:49:00:   cfact.get_template: Looking up association for identity (ASW-TR04-02)

2019-03-07 23:49:00:   cfact.get_template: Found associated template (ASW) in an external keystore

2019-03-07 23:49:00:   cfact.get_template: Template (ASW) exists as an external-template. Returning

2019-03-07 23:49:00:   cfact.pull_keystore_values: Inserting IDArray keys

2019-03-07 23:49:00:   cfact.merge_final_config: Merging with values:
    "idarray_1": "FOC11111111", 
    "idarray_4": "FOC44444444", 
    "idarray_2": "FOC22222222", 
    "idarray_3": "FOC33333333", 
    "keystore_id": "ASW-TR04-02", 
    "idarray": [
    "association": "ASW"
!-- --------------------------------------------------------------------------- --!
!--                          ***IMPORTANT (Example)***                          --!
!--          Hostname (keystore_id in CSV) has strict formatting rules.         --!
!--                                                                             --!
!--  * TR and switch/stack numbers must each be two digits (use leading '0').   --!
!--                           * TRs are numbered 1-9.                           --!
!--     * Any TR can only accommodate up to 9 switches/stacks; i.e. 01-09.      --!
!--      * Any stack is only intended to have 4 switches; i.e. idarray_1-4.     --!
!--                                                                             --!
!--                     Example for TR-4, switch/stack 2...                     --!
!--                                                                             --!
!--      Access Switch      |       TR Number        |   Switch/Stack Number    --!
!--   ----------------------|------------------------|----------------------    --!
!--           ASW           |          TR04          |            02            --!
!--                                                                             --!
!--                        Example hostname: ASW-TR04-02                        --!
!-- --------------------------------------------------------------------------- --!
!-- Variables (keys) parsed from CSV keystore.
!---- KEYSTORE_ID     > ASW-TR04-02
!---- IDARRAY_1       > FOC11111111
!---- IDARRAY_2       > FOC22222222
!---- IDARRAY_3       > FOC33333333
!---- IDARRAY_4       > FOC44444444
!---- IDARRAY         > ['FOC11111111', 'FOC22222222', 'FOC33333333', 'FOC44444444']
!---------------------------------------------------------------- VARIABLES: STATIC
!-- Variables (keys) statically defined within the template.
!-- Variables with multiple values are JSON formatted.
!---- TFTP_ADDR       >
!---- DOMAIN          > exmaple.local
!---- STP_PRIORITY    > 28672
!---- ENABLE_SEC      > enable-secret
!---- TACACS_KEY      > tacacs-secret
!---- RADIUS_KEY      > radius-secret
!---- NTP_KEY         > ntp-secret
!---- SYSLOG_ADDR     >
!---- [IMAGE]         > ('bin', 'cat3k_caa-universalk9.16.03.07.SPA.bin')
!                       ('ver', '16.3.7')
!---- [CREDS]         > ('admin', 'admin-secret')
!                       ('eem_svc', 'eem-secret')
!---- [NTP_ADDR]      > ('pri', {'pref': 'prefer', 'addr': ''})
!                       ('sec', {'pref': '', 'addr': ''})
!---- [ISE_ADDR]      > ('01', '')
!                       ('02', '')
!                       ('03', '')
!---- [SNMPV3]        > ('auth', 'snmp-auth')
!                       ('grp', 'SNMP_ASW')
!                       ('priv', 'smp-priv')
!                       ('user', 'snmp_asw')
!---- [VLAN]          > ('global', {'id': '998', 'name': 'GLOBAL'})
!                       ('native', {'id': '999', 'name': 'NATIVE'})
!---------------------------------------------------------------- VARIABLES: DYNAMIC
!-- Variables (keys) with dynamic values based on variables paresed from the CSV keystore.
!---- HOSTNAME        > ASW-TR04-02
!---- SW_COUNT        > 4
!---- SERIALS         > ['FOC11111111', 'FOC22222222', 'FOC33333333', 'FOC44444444']
!-- Join HOSTNAME and SERIALS to make CFG_FILE; used by EEM applet for TFTP config push
!---- CFG_FILE        > ASW-TR04-02_FOC11111111-FOC22222222-FOC33333333-FOC44444444.cfg
!-- Create range lists for all access interfaces and all provisioning interfaces based on IDARRAY.
!---- GI_INTS         > Gi1/0/1-36,Gi2/0/1-36,Gi3/0/1-36,Gi4/0/1-36
!---- TE_INTS         > Te1/0/37-47,Te2/0/37-47,Te3/0/37-47,Te4/0/37-47
!---- PROV_INTS       > Te1/0/48,Te2/0/48,Te3/0/48,Te4/0/48
!-- Split hostname to get TR (numeric only) and SW.
!---- TR              > 04
!---- TRN             > 4
!---- SW              > 02
!-- Determine PO_NUM from TR (second digit) and (int of) SW; also used as last octet of MGMT IP.
!---- PO_NUM          > 142
!-- Determine MGMT subnet; IP from subnet and PO_NUM; append a name for the default route.
!---- [MGMT]          > ('net', u'10.254.4')
!                       ('ip', u'')
!                       ('mask', '')
!                       ('rt_name', 'Default>MGMT:DIST-01')
!-- Determine TR_VLS from TR, append them to the (static) [VLAN] dictionary.
!---- [TR_VLS]        > ('grt_crit', {'id': u'1499', 'name': u'GRT:TR04/CRIT-AUTH'})
!                       ('grt_thick', {'id': u'1402', 'name': u'GRT:TR04/THICK-CLIENTS'})
!                       ('grt_thin', {'id': u'1401', 'name': u'GRT:TR04/THIN-CLIENTS'})
!                       ('grt_voice', {'id': u'1403', 'name': u'GRT:TR04/VOICE'})
!                       ('mgmt_ap', {'id': u'2402', 'name': u'MGMT:TR04/CAPWAP'})
!                       ('mgmt_sw', {'id': u'2401', 'name': u'MGMT:TR04/SW-WLC'})
!-- Create VLAN_LIST from [VLAN].
!---- VLAN_LIST       > 1401,1402,1403,1499,2401,2402,998,999
!---------------------------------------------------------------- CONFIG: BASE
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
hostname ASW-TR04-02
clock timezone PST -8 0
clock summer-time PDT recurring
switch 1 provision ws-c3850-12x48u
switch 2 provision ws-c3850-12x48u
switch 3 provision ws-c3850-12x48u
switch 4 provision ws-c3850-12x48u
no ip domain lookup
ip domain-name exmaple.local
logging buffered 409600 debugging
logging console debug
!ip ssh logging events
ip ssh version 2
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 28672
vtp mode transparent
file prompt quiet
ip dhcp snooping vlan 1-4094
no ip dhcp snooping information option
ip dhcp snooping
udld aggressive
macro name int-auth
switchport mode access
switchport nonegotiate
switchport voice vlan 1403
device-tracking attach-policy IPDT
authentication event server dead action reinitialize vlan 1499
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 7
dot1x max-reauth-req 3
spanning-tree portfast
ip dhcp snooping limit rate 25
no shutdown
no downshift
no macro description
macro name int-noauth
# Unauthenticated interface macro, variables not mandatory.
# > Assign appropriate access vlan using $VL
# Example config for a thin client in VL-1201;
# (config)# interface gi#/#/#
# (config-if)# macro apply int-noauth $VL 1201
switchport access vlan $VL
switchport mode access
switchport nonegotiate
device-tracking attach-policy IPDT
spanning-tree portfast
ip dhcp snooping limit rate 25
no shutdown
no downshift
no macro description
banner login @
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or
criminal penalties.
All activities performed on this device are logged and monitored.
alias exec intstat show int status
alias exec ipint show ip int br | e una
alias exec ver show ver | i Soft|file
alias exec vlbr show vlan br | i active
alias exec rundiff show arch config diff
alias exec auth show auth sess int gi
alias exec radstat sh aaa server | i RADIUS|Platform State
alias exec int-auth event man run int-auth
alias exec int-noauth event man run int-noauth
!---------------------------------------------------------------- CONFIG: AUTH
enable secret 0 enable-secret
username admin privilege 15 secret 0 admin-secret
username eem_svc privilege 15 secret 0 eem-secret
aaa new-model
!-- TACACS servers and group config.
tacacs server ISE01-T
address ipv4
key 0 tacacs-secret

tacacs server ISE02-T
address ipv4
key 0 tacacs-secret

tacacs server ISE03-T
address ipv4
key 0 tacacs-secret
aaa group server tacacs+ ISE-T
server name ISE01-T
server name ISE02-T
server name ISE03-T
ip tacacs source-interface Vlan2401
!-- RADIUS servers and group config.
radius server ISE01-R
address ipv4 auth-port 1812 acct-port 1813
automate-tester username test-user ignore-acct-port probe-on
key 0 radius-secret

radius server ISE02-R
address ipv4 auth-port 1812 acct-port 1813
automate-tester username test-user ignore-acct-port probe-on
key 0 radius-secret

radius server ISE03-R
address ipv4 auth-port 1812 acct-port 1813
automate-tester username test-user ignore-acct-port probe-on
key 0 radius-secret
aaa group server radius ISE-R
server name ISE01-R
server name ISE02-R
server name ISE03-R
ip radius source-interface Vlan2401
load-balance method least-outstanding batch-size 5
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
aaa server radius dynamic-author
client server-key 0 radius-secret
client server-key 0 radius-secret
client server-key 0 radius-secret
!-- Default authentication method list to use TACACS, fallback to local (ssh).
aaa authentication login default group ISE-T local
!-- Authentication method list to use local creds only (console).
aaa authentication login CONSOLE local
!-- Required to authorize console to exec mode (console).
aaa authorization console
!-- Default authorization exec and commands 15 method lists to use local or TACACS (console, ssh).
!-- 'local' must be defined here first for console authorization to work.
aaa authorization exec default local group ISE-T if-authenticated 
aaa authorization commands 15 default local group ISE-T if-authenticated
!-- Accounting commands to send all exec start-stop, and priv 15 commands to TACACS (console, ssh).
aaa accounting exec default start-stop group ISE-T
aaa accounting commands 15 default start-stop group ISE-T
!-- AAA commands for dot1x/mab.
aaa authentication dot1x default group ISE-R
aaa authorization network default group ISE-R
aaa accounting dot1x default start-stop group ISE-R
aaa accounting update newinfo periodic 2880
!---------------------------------------------------------------- CONFIG: DOT1X/ISE-MISC
dot1x system-auth-control
dot1x critical eapol
authentication mac-move permit
device-sensor filter-list dhcp list DHCP-ISE
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
device-sensor filter-list cdp list CDP-ISE
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name version-type
tlv name platform-type
device-sensor filter-spec dhcp include list DHCP-ISE
device-sensor filter-spec cdp include list CDP-ISE
device-sensor accounting
device-sensor notify all-changes
!---------------------------------------------------------------- CONFIG: VLANS
vlan 1401

vlan 1402

vlan 1403

vlan 1499

vlan 2401

vlan 2402

vlan 998

vlan 999
!---------------------------------------------------------------- CONFIG: INTERFACES
interface GigabitEthernet0/0
!-- Configure misc interfaces for all stack members.
interface range Te1/0/48,Te2/0/48,Te3/0/48,Te4/0/48
description TMP//PROVISION
switchport mode access
switchport nonegotiate
switchport access vlan 1
spanning-tree portfast
ip dhcp snooping trust
no shutdown
interface range Gi1/1/1-2
interface range Te1/1/3-4
channel-group 1 mode active
no shutdown
interface range Gi1/1/3-4,Te1/1/1-2,Te1/1/5-8,Fo1/1/1-2
description ***NULL//DoNotConfigure

interface range Gi2/1/1-2
interface range Te2/1/3-4
channel-group 1 mode active
no shutdown
interface range Gi2/1/3-4,Te2/1/1-2,Te2/1/5-8,Fo2/1/1-2
description ***NULL//DoNotConfigure

interface range Gi3/1/1-2
interface range Te3/1/3-4
channel-group 1 mode active
no shutdown
interface range Gi3/1/3-4,Te3/1/1-2,Te3/1/5-8,Fo3/1/1-2
description ***NULL//DoNotConfigure

interface range Gi4/1/1-2
interface range Te4/1/3-4
channel-group 1 mode active
no shutdown
interface range Gi4/1/3-4,Te4/1/1-2,Te4/1/5-8,Fo4/1/1-2
description ***NULL//DoNotConfigure
interface Port-channel1
description DIST-01:Po142
switchport trunk native vlan 999
switchport trunk allowed vlan 1401,1402,1403,1499,2401,2402,998,999
switchport mode trunk
switchport nonegotiate
ip dhcp snooping trust
no shutdown
!---------------------------------------------------------------- CONFIG: IP/SOURCE/NMS
interface Vlan1
ip address dhcp
no shutdown
interface Vlan2401
description MGMT:TR04/SW-WLC
no ip redirects
no ip proxy-arp
ip address
no shutdown
ip tftp source-interface Vlan2401
ip tftp blocksize 8192
ip route name Default>MGMT:DIST-01
logging source-interface Vlan2401
logging host
ntp authentication-key 1 md5 ntp-secret
ntp authenticate
ntp trusted-key 1
ntp server key 1 prefer source vlan2401
ntp server key 1  source vlan2401
snmp-server group SNMP_ASW v3 priv
snmp-server user snmp_asw SNMP_ASW v3 auth sha snmp-auth priv aes 256 smp-priv
snmp-server location Provisioned with switch template: tmpl_test.j2 (rev: 8)
snmp-server contact Provisioned hostname (ASW-TR04-02) and stack members: FOC11111111-FOC22222222-FOC33333333-FOC44444444
line console 0
login authentication CONSOLE
logging synchronous
exec-timeout 15 0
line vty 0 15
logging synchronous
exec-timeout 30 0
transport input ssh
!---------------------------------------------------------------- CONFIG: EEM
event manager session cli username eem_svc
event manager applet int-auth
event none maxrun 60
action 00.00 puts "## Enter interface to configure with authentication; e.g. gi1/0/1, te1/0/37"
action 00.01 gets intf
action 00.02 cli command "enable"
action 00.03 cli command "show int $intf status"
action 00.04 regexp "Invalid" "$_cli_result"
action 00.05 if $_regexp_result eq "1"
action 00.06  puts "## Invalid interface ($intf), verify prefix; i.e. 'gi' or 'te'."
action 00.07  exit
action 00.08 end
action 00.10 regexp "connected\ +([0-9]+)" "$_cli_result" match currvl
action 00.11 if $_regexp_result eq "1"
action 00.12  puts "## Interface $intf has a device connected in VLAN $currvl, continue (y|n)..."
action 00.13  gets cont
action 00.14  if $cont ne "y"
action 00.15   exit
action 00.16  end
action 00.17 end
action 01.00 cli command "conf t"
action 01.01 cli command "default int $intf"
action 01.02 cli command "int $intf"
action 01.03 cli command "macro apply int-auth"
action 01.04 cli command "end"
action 01.05 cli command "write mem" pattern "confirm|#"
action 01.06 cli command ""
action 01.10 puts "## Interface $intf configured with authentication."
event manager applet int-noauth
event none maxrun 60
action 00.00 puts "## Enter interface to configure without authentication; e.g. gi1/0/1, te1/0/37"
action 00.01 gets intf
action 00.02 cli command "enable"
action 00.03 cli command "show int $intf status"
action 00.04 regexp "Invalid" "$_cli_result"
action 00.05 if $_regexp_result eq "1"
action 00.06  puts "## Invalid interface ($intf), verify prefix; i.e. 'gi' or 'te'."
action 00.07  exit
action 00.08 end
action 00.10 regexp "connected\ +([0-9]+)" "$_cli_result" match currvl
action 00.11 if $_regexp_result eq "1"
action 00.12  puts "## Interface $intf has a device connected in VLAN $currvl, continue (y|n)..."
action 00.13  gets cont
action 00.14  if $cont ne "y"
action 00.15   exit
action 00.16  end
action 00.17 end
action 00.20 puts "## Enter access VLAN ID; e.g. 800"
action 00.21 gets vl
action 00.22 cli command "show vlan id $vl"
action 00.23 regexp "not found" "$_cli_result"
action 00.24 if $_regexp_result eq "1"
action 00.25  puts "## VLAN $vl is not configured on this switch."
action 00.26  exit
action 00.27 end
action 01.00 cli command "conf t"
action 01.01 cli command "default int $intf"
action 01.02 cli command "int $intf"
action 01.03 cli command "macro apply int-noauth \$VL $vl"
action 01.04 cli command "end"
action 01.05 cli command "write mem" pattern "confirm|#"
action 01.06 cli command ""
action 01.10 puts "## Interface $intf configured without authentication in VL-$vl, please describe accordingly."
!---------------------------------------------------------------- CONFIG: EEM-TEMP
event manager environment q "
event manager applet post_ztp_1
!-- Renumber/prioritize switches in stack, write mem, and then download->upgrade/reload (if needed).
event syslog occurs 1 pattern "Configured from tftp://" maxrun 960
action 00.00 syslog msg "  ## Configuration received via TFTP, run 'post_ztp_1' EEM applet in 120s."
action 00.01 wait 120
action 00.03 cli command "enable"
action 00.05 cli command "show mod | i ^.[1-9]"
action 00.06 set stack "$_cli_result"
action 00.07 syslog msg "  ## Checking all switches' version and stack membership, adjusting where necessary.\n  ## Current order;\n$stack"
action 00.08 set error_list ""
action 00.09 set change_list ""
action 00.10 set upgrade_list ""

action 01.00 set sw_num "1"
action 01.01 set pri "16"
action 01.02 decrement pri 1
action 01.03 regexp "FOC11111111" "$stack"
action 01.04 if $_regexp_result ne "1"
action 01.05  syslog msg "\n  ## FOC11111111 (Sw-1 serial) not found in the stack, check 'show mod' output."
action 01.06  append error_list "\n  ##  FOC11111111 is allocated (idarray_1) but was not found in the stack."
action 01.07 else
action 01.08  set i "0"
action 01.09  foreach line "$stack" "\n"
action 01.10   increment i
action 01.11   if $i le "4"
action 01.12    string trim "$line"
action 01.13    set line "$_string_result"
action 01.14    regexp "FOC11111111" "$line"
action 01.15    if $_regexp_result eq "1"
action 01.16     regexp "([0-9\.A-Z]+$)" "$line" curr_ver
action 01.17     if $curr_ver ne "16.3.7"
action 01.18      append upgrade_list "1"
action 01.19     end
action 01.20     cli command "switch $i priority $pri" pattern "continue|#"
action 01.21     cli command "y"
action 01.22     if $i eq $sw_num
action 01.23      append change_list "\n  ##  FOC11111111 (Priority: $pri // Numbered:       $sw_num  // Version: $curr_ver)"
action 01.24     else
action 01.25      cli command "switch $i renumber $sw_num" pattern "continue|#"
action 01.26      cli command "y"
action 01.27      append change_list "\n  ##  FOC11111111 (Priority: $pri // Renumbered: $i > $sw_num* // Version: $curr_ver)"
action 01.28     end
action 01.29     break
action 01.30    end
action 01.31   end
action 01.32  end
action 01.33 end

action 02.00 set sw_num "2"
action 02.01 set pri "16"
action 02.02 decrement pri 2
action 02.03 regexp "FOC22222222" "$stack"
action 02.04 if $_regexp_result ne "1"
action 02.05  syslog msg "\n  ## FOC22222222 (Sw-2 serial) not found in the stack, check 'show mod' output."
action 02.06  append error_list "\n  ##  FOC22222222 is allocated (idarray_2) but was not found in the stack."
action 02.07 else
action 02.08  set i "0"
action 02.09  foreach line "$stack" "\n"
action 02.10   increment i
action 02.11   if $i le "4"
action 02.12    string trim "$line"
action 02.13    set line "$_string_result"
action 02.14    regexp "FOC22222222" "$line"
action 02.15    if $_regexp_result eq "1"
action 02.16     regexp "([0-9\.A-Z]+$)" "$line" curr_ver
action 02.17     if $curr_ver ne "16.3.7"
action 02.18      append upgrade_list "2"
action 02.19     end
action 02.20     cli command "switch $i priority $pri" pattern "continue|#"
action 02.21     cli command "y"
action 02.22     if $i eq $sw_num
action 02.23      append change_list "\n  ##  FOC22222222 (Priority: $pri // Numbered:       $sw_num  // Version: $curr_ver)"
action 02.24     else
action 02.25      cli command "switch $i renumber $sw_num" pattern "continue|#"
action 02.26      cli command "y"
action 02.27      append change_list "\n  ##  FOC22222222 (Priority: $pri // Renumbered: $i > $sw_num* // Version: $curr_ver)"
action 02.28     end
action 02.29     break
action 02.30    end
action 02.31   end
action 02.32  end
action 02.33 end

action 03.00 set sw_num "3"
action 03.01 set pri "16"
action 03.02 decrement pri 3
action 03.03 regexp "FOC33333333" "$stack"
action 03.04 if $_regexp_result ne "1"
action 03.05  syslog msg "\n  ## FOC33333333 (Sw-3 serial) not found in the stack, check 'show mod' output."
action 03.06  append error_list "\n  ##  FOC33333333 is allocated (idarray_3) but was not found in the stack."
action 03.07 else
action 03.08  set i "0"
action 03.09  foreach line "$stack" "\n"
action 03.10   increment i
action 03.11   if $i le "4"
action 03.12    string trim "$line"
action 03.13    set line "$_string_result"
action 03.14    regexp "FOC33333333" "$line"
action 03.15    if $_regexp_result eq "1"
action 03.16     regexp "([0-9\.A-Z]+$)" "$line" curr_ver
action 03.17     if $curr_ver ne "16.3.7"
action 03.18      append upgrade_list "3"
action 03.19     end
action 03.20     cli command "switch $i priority $pri" pattern "continue|#"
action 03.21     cli command "y"
action 03.22     if $i eq $sw_num
action 03.23      append change_list "\n  ##  FOC33333333 (Priority: $pri // Numbered:       $sw_num  // Version: $curr_ver)"
action 03.24     else
action 03.25      cli command "switch $i renumber $sw_num" pattern "continue|#"
action 03.26      cli command "y"
action 03.27      append change_list "\n  ##  FOC33333333 (Priority: $pri // Renumbered: $i > $sw_num* // Version: $curr_ver)"
action 03.28     end
action 03.29     break
action 03.30    end
action 03.31   end
action 03.32  end
action 03.33 end

action 04.00 set sw_num "4"
action 04.01 set pri "16"
action 04.02 decrement pri 4
action 04.03 regexp "FOC44444444" "$stack"
action 04.04 if $_regexp_result ne "1"
action 04.05  syslog msg "\n  ## FOC44444444 (Sw-4 serial) not found in the stack, check 'show mod' output."
action 04.06  append error_list "\n  ##  FOC44444444 is allocated (idarray_4) but was not found in the stack."
action 04.07 else
action 04.08  set i "0"
action 04.09  foreach line "$stack" "\n"
action 04.10   increment i
action 04.11   if $i le "4"
action 04.12    string trim "$line"
action 04.13    set line "$_string_result"
action 04.14    regexp "FOC44444444" "$line"
action 04.15    if $_regexp_result eq "1"
action 04.16     regexp "([0-9\.A-Z]+$)" "$line" curr_ver
action 04.17     if $curr_ver ne "16.3.7"
action 04.18      append upgrade_list "4"
action 04.19     end
action 04.20     cli command "switch $i priority $pri" pattern "continue|#"
action 04.21     cli command "y"
action 04.22     if $i eq $sw_num
action 04.23      append change_list "\n  ##  FOC44444444 (Priority: $pri // Numbered:       $sw_num  // Version: $curr_ver)"
action 04.24     else
action 04.25      cli command "switch $i renumber $sw_num" pattern "continue|#"
action 04.26      cli command "y"
action 04.27      append change_list "\n  ##  FOC44444444 (Priority: $pri // Renumbered: $i > $sw_num* // Version: $curr_ver)"
action 04.28     end
action 04.29     break
action 04.30    end
action 04.31   end
action 04.32  end
action 04.33 end

action 10.00 wait 5
action 10.01 if $error_list ne ""
action 10.02  syslog msg "\n  ## The following errors occurred; $error_list"
action 10.03 end
action 10.04 syslog msg "\n  ## Switches below have been assigned a priority and renumbered* as needed; $change_list"
action 13.00 cli command "conf t"
action 13.01 cli command "no event man app post_ztp_1"
action 14.00 if $upgrade_list eq ""
action 14.01  syslog msg "  ## All switches are running version 16.3.7, skipping download->upgrade/reload; finalizing config in 20s."
action 14.02  cli command "no event man env q"
action 14.03  cli command "event man env ztp_upgraded no"
action 14.04  cli command " event man app post_ztp_2"
action 14.05  cli command " event timer countdown time 20 maxrun 480"
action 14.06  cli command " no action 00.00"
action 14.07  cli command " no action 00.01"
action 14.08  cli command " end"
action 14.09  cli command "write mem" pattern "confirm|#"
action 14.10  cli command ""
action 14.11 else
action 14.12  syslog msg "  ## One or more switches require an upgrade to version 16.3.7 ($upgrade_list); proceeding with download->upgrade/reload."
action 14.13  cli command "event man env ztp_upgraded yes"
action 14.14  cli command "event man app post_ztp_2"
action 14.15  cli command " event syslog occurs 1 pattern $q%IOSXE_REDUNDANCY-6-PEER$q maxrun 630"
action 14.16  cli command " no event man env q"
action 14.17  cli command "end"
action 14.18  cli command "write mem" pattern "confirm|#"
action 14.19  cli command ""
action 14.20  syslog msg "  ## (Standby) Downloading image..."
action 14.21  cli command "copy tftp:// flash:"
action 14.22  syslog msg "  ## (Standby) Image downloaded, upgrading..."
action 14.23  cli command "software install file flash:cat3k_caa-universalk9.16.03.07.SPA.bin new force" pattern "proceed|#"
action 14.24  syslog msg "  ## Upgrade complete, rebooting."
action 14.25  cli command "y"
action 14.26 end
event manager applet post_ztp_2
!-- Apply final configs, push running config via TFTP, clean up VL-1 and Te#/0/48 configs, write mem, and then perform package clean.
event none
action 00.00 syslog msg "  ## Switch reloaded on new image, running 'post_ztp_2' EEM applet in 150s."
action 00.01 wait 150
action 00.02 syslog msg "  ## (Standby) Applying global configs ignored by smart-install and generating crypto key..."
action 00.03 cli command "enable"
action 00.04 set upgr "$ztp_upgraded"
action 01.00 cli command "conf t"
action 01.01 cli command "no event man env ztp_upgraded"
action 01.02 cli command "no event man app post_ztp_2"
action 01.04 cli command "no vstack"
action 01.05 cli command "no ip http ser"
action 01.06 cli command "no ip http secure-s"
action 01.07 cli command "no ip http authen"
action 01.08 cli command "no coap http enable"
action 01.09 cli command "device-tracking policy IPDT"
action 01.10 cli command " no protocol udp"
action 01.11 cli command " tracking enable"
action 01.12 cli command "cry key gen rsa mod 2048"
action 02.00 syslog msg "  ## (Standby) Applying `int-auth` macro config to ports 1-48 on all stack members..."
action 02.01 cli command "int range Gi1/0/1-36,Gi2/0/1-36,Gi3/0/1-36,Gi4/0/1-36"
action 02.02 cli command " macro apply int-auth"
action 02.03 cli command " no macro desc"
action 02.04 cli command "int range Te1/0/37-47,Te2/0/37-47,Te3/0/37-47,Te4/0/37-47"
action 02.05 cli command " macro apply int-auth"
action 02.06 cli command " no macro desc"
action 03.00 syslog msg "  ## Pushing config to the following location: tftp://"
action 03.01 cli command "do copy run tftp://"
action 04.00 syslog msg "  ## Disabling VL-1 SVI, updating Te#/0/48 configs, and writing startup config."
action 04.01 cli command "int vl 1"
action 04.02 cli command " no desc"
action 04.03 cli command " no ip addr"
action 04.04 cli command " shut"
action 04.05 cli command "default int range Te1/0/48,Te2/0/48,Te3/0/48,Te4/0/48"
action 04.06 cli command "int range Te1/0/48,Te2/0/48,Te3/0/48,Te4/0/48"
action 04.07 cli command " macro apply int-auth"
action 04.08 cli command " no macro desc"
action 04.09 cli command "end"
action 04.10 cli command "write mem" pattern "confirm|#"
action 04.11 cli command ""
action 05.00 if $upgr eq "yes"
action 05.01  syslog msg "  ## (Standby) ZTP upgrade detected, performing software package clean..."
action 05.02  cli command "req plat soft pack clean sw all" pattern "proceed|#"
action 05.03  cli command "y"
action 05.04  syslog msg "  ## Unused .bin or .pkg files from previous version(s) have been deleted."
action 05.05 else
action 05.06  syslog msg "  ## ZTP upgrade not detected, skipping software package clean."
action 05.07 end
action 05.08 syslog msg "  ## Start-up config written, (ASW-TR04-02) is ready for deployment, OK to power off."
