Add tech_docs/networking/iac_github_project.md

2025-08-02 13:35:33 -05:00
parent deabd0d296
commit 9bed5d163c


@@ -0,0 +1,319 @@
Below is the **sanitized, pseudocode-style** view of every functional knob an ASR-1002 DMVPN head-end needs—**no literals, no opinionated values**.
Each bullet is a **config option** you can turn on/off or fill-in later.
Think of it as a checklist you hand to an engineer who will decide the actual values.
--------------------------------------------------------
GLOBAL / SYSTEM
--------------------------------------------------------
- set hostname → string
- set boot system flash image → filename
- set config-register → hex
- set enable secret hash → encrypted-secret
- set clock timezone / summer-time → zone offset [summer-rules]
- set ip domain-name → fqdn
- set ip name-servers → list<ip>
- set logging buffered size → bytes
- set logging console | monitor → level
- set logging hosts → list<ip> [transport udp/tcp port]
--------------------------------------------------------
AAA
--------------------------------------------------------
- aaa new-model
- aaa group server tacacs+
- server-private ip key
- aaa authentication login default → [local | group tacacs | line]
- aaa authorization commands 15 → [local | group tacacs]
- aaa accounting commands 15 → [start-stop | none] group tacacs
- local username / privilege / secret
--------------------------------------------------------
VRFs
--------------------------------------------------------
- vrf definition <name>
- rd <rd>
- address-family [ipv4 | ipv6]
--------------------------------------------------------
CRYPTO
--------------------------------------------------------
- crypto keyring <name> vrf <vrf>
- pre-shared-key address ip key
- crypto isakmp policy <id>
- encr [3des | aes]
- auth [pre-share | rsa-sig]
- group [2 | 5 | 14]
- crypto ipsec transform-set <name>
- [esp-3des | esp-aes] [esp-md5 | esp-sha-hmac]
- mode [tunnel | transport]
- crypto ipsec profile <name>
- set transform-set <name>
- set pfs | idle-time | lifetime
--------------------------------------------------------
TUNNEL / DMVPN
--------------------------------------------------------
- interface Tunnel<id>
- ip address / mask
- tunnel source [interface | ip]
- tunnel mode gre multipoint
- tunnel key <int>
- tunnel vrf <vrf>
- tunnel protection ipsec profile <name>
- ip nhrp network-id <int>
- ip nhrp authentication <string>
- ip nhrp map multicast dynamic
- ip nhrp server-only | nhs | redirect | shortcut
- ip tcp adjust-mss <int>
- qos pre-classify
- service-policy output <policy>
--------------------------------------------------------
ROUTING OSPF
--------------------------------------------------------
- router ospf <pid> [vrf <vrf>]
- router-id <ip>
- auto-cost reference-bandwidth <mbps>
- passive-interface default
- network <prefix> <wildcard> area <area>
- area <area> authentication message-digest
- interface ip ospf message-digest-key <key-id> md5 <key>
--------------------------------------------------------
ROUTING BGP
--------------------------------------------------------
- router bgp <asn>
- bgp router-id <ip>
- bgp log-neighbor-changes
- neighbor <ip | peer-group> remote-as <asn>
- neighbor <ip> description <text>
- neighbor <ip> ebgp-multihop <ttl>
- neighbor <ip> update-source <interface>
- neighbor <ip> password <string>
- bgp listen range <prefix> peer-group <pg>
- address-family ipv4
- neighbor <ip> activate
- neighbor <ip> route-reflector-client
- neighbor <ip> next-hop-self [all]
- neighbor <ip> default-originate
- neighbor <ip> soft-reconfiguration inbound
- neighbor <ip> route-map <in|out> <name>
- network <prefix> mask <mask>
--------------------------------------------------------
QOS
--------------------------------------------------------
- class-map <match-any | match-all> <name>
- match [access-group | dscp | protocol | …]
- policy-map <name>
- class <name>
- priority percent <int>
- bandwidth remaining percent <int>
- shape average <bps>
- queue-limit <packets>
- random-detect dscp-based
- service-policy [input | output] <policy>
--------------------------------------------------------
ACL / PREFIX / COMMUNITY LISTS
--------------------------------------------------------
- access-list <num|name> [standard | extended] [permit | deny] <rule>
- ip prefix-list <name> seq <num> permit/deny <prefix> [ge | le]
- ip community-list [standard | expanded] <name> [permit | deny] <regex>
--------------------------------------------------------
SNMP
--------------------------------------------------------
- snmp-server community <name> [ro | rw] [acl]
- snmp-server group <name> v3 [auth | priv] [read | write] <view>
- snmp-server user <user> <group> v3 auth sha <key> priv aes 128 <key>
- snmp-server host <ip> traps version 3 …
- snmp-server location <text>
- snmp-server contact <text>
- snmp-server enable traps … (list of trap types)
--------------------------------------------------------
INTERFACES (GENERIC)
--------------------------------------------------------
- interface <type num>
- description <text>
- ip address <ip> <mask> [secondary]
- vrf forwarding <vrf>
- mtu <bytes>
- ip flow [ingress | egress]
- service-policy [input | output] <policy>
- ip ospf cost | hello-interval | dead-interval
- channel-group <num> mode [active | passive | on]
- speed / duplex / negotiation
- shutdown | no shutdown
--------------------------------------------------------
MISCELLANEOUS
--------------------------------------------------------
- ip route [vrf <vrf>] <dest> <mask> <next-hop>
- ip sla <num> [icmp-echo | tcp-connect | udp-jitter] …
- ip sla schedule <num> life forever start-time now
- control-plane service-policy input <policy>
- line con 0 / line vty 0 15
- password <string>
- exec-timeout <min> <sec>
- transport input [ssh | telnet | none]
Keep this checklist handy—fill in the blanks with real values only when you build the YAML for a specific box.
---
Below is a **minimal, reusable skeleton** that drops straight into
`config_components/` and cleanly separates **policy** from **data**,
while leaving every literal as a variable.
You can copy-paste these empty “placeholders” into the filenames shown;
they already contain **only the functional knobs** (pseudocode).
--------------------------------------------------------
core_settings/00_licensing.j2
```
{# License boot level or Smart-Call-Home declarations #}
license boot level {{ license_level | default('network-advantage') }}
```
core_settings/10_system_settings.j2
```
hostname {{ hostname }}
service password-encryption
service timestamps debug datetime msec
service timestamps log datetime msec
ip domain-name {{ domain_name }}
{% for ns in name_servers %}
ip name-server {{ ns }}
{% endfor %}
clock timezone {{ tz_name }} {{ tz_offset }}
```
core_settings/20_aaa.j2
```
aaa new-model
!
aaa group server tacacs+ {{ tacacs_group }}
{% for srv in tacacs_servers %}
server-private {{ srv.host }} key {{ srv.key }}
{% endfor %}
!
aaa authentication login default group {{ tacacs_group }} local
aaa authorization exec default group {{ tacacs_group }} local
aaa accounting commands 15 default start-stop group {{ tacacs_group }}
```
--------------------------------------------------------
network_services/30_vlans.j2
```
{% for vlan in vlans %}
vlan {{ vlan.id }}
name {{ vlan.name }}
{% endfor %}
```
network_services/40_routing.j2
```
{% for instance in routing.ospf %}
router ospf {{ instance.pid }}{% if instance.vrf %} vrf {{ instance.vrf }}{% endif %}
router-id {{ instance.rid }}
{% for net in instance.networks %}
network {{ net.prefix }} {{ net.wc }} area {{ net.area }}
{% endfor %}
{% endfor %}
{% if routing.bgp %}
router bgp {{ routing.bgp.as }}
bgp router-id {{ routing.bgp.rid }}
{% for neigh in routing.bgp.neighbors %}
neighbor {{ neigh.ip }} remote-as {{ neigh.as }}
neighbor {{ neigh.ip }} description {{ neigh.desc }}
{% endfor %}
address-family ipv4
{% for net in routing.bgp.networks %}
network {{ net.prefix }} mask {{ net.mask }}
{% endfor %}
{% for neigh in routing.bgp.neighbors %}
neighbor {{ neigh.ip }} activate
{% endfor %}
exit-address-family
{% endif %}
```
--------------------------------------------------------
interfaces/50_port_profiles/access_port.j2
```
interface {{ port.name }}
description {{ port.desc | default('Access port') }}
switchport mode access
switchport access vlan {{ port.access_vlan }}
switchport nonegotiate
spanning-tree portfast
{% if port.shutdown is defined and port.shutdown %}shutdown{% else %}no shutdown{% endif %}
```
interfaces/50_port_profiles/trunk_port.j2
```
interface {{ port.name }}
description {{ port.desc | default('Trunk port') }}
switchport mode trunk
switchport trunk native vlan {{ port.native_vlan }}
switchport trunk allowed vlan {{ port.allowed_vlans | join(',') }}
switchport nonegotiate
{% if port.shutdown is defined and port.shutdown %}shutdown{% else %}no shutdown{% endif %}
```
interfaces/60_interface_assignments.j2
```
{% for port in interfaces %}
{% set template = port.profile ~ '.j2' %}
{% include 'interfaces/50_port_profiles/' + template %}
{% endfor %}
```
--------------------------------------------------------
policies/70_qos.j2
```
{% for cmap in qos.class_maps %}
class-map {{ cmap.match_type }} {{ cmap.name }}
{% for rule in cmap.rules %}
match {{ rule.type }} {{ rule.value }}
{% endfor %}
{% endfor %}
!
{% for pmap in qos.policy_maps %}
policy-map {{ pmap.name }}
{% for cls in pmap.classes %}
class {{ cls.name }}
{% for action in cls.actions %}
{{ action.cmd }} {{ action.value | default('') }}
{% endfor %}
{% endfor %}
{% endfor %}
```
policies/80_access_lists.j2
```
{% for acl in acls %}
{% if acl.type == 'extended' %}
ip access-list extended {{ acl.name }}
{% else %}
ip access-list standard {{ acl.name }}
{% endif %}
{% for rule in acl.rules %}
{{ rule.action }} {{ rule.text }}
{% endfor %}
{% endfor %}
```
--------------------------------------------------------
USAGE (single command)
--------------------------------------------------------
```
find config_components -name "*.j2" | sort | xargs cat \
| jinja2 -d site.yaml > final.cfg
```
- Each `.j2` file contains **only pseudocode variables**—no literals.
- Drop **real values** into `site.yaml` (or per-device YAML) and render.
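Review bot: the CRYPTO checklist (`encr [3des | aes]`, `[esp-3des | esp-aes] [esp-md5 | esp-sha-hmac]`, `group [2 | 5 | 14]`) still presents 3DES, MD5 and DH groups 2 and 5 as selectable values; since this list is meant as the menu an engineer fills in later, restrict it to the options acceptable in production (AES, SHA-based integrity, group 14 or stronger) so the deprecated ones cannot be picked by default. In the same vein, `server-private {{ srv.host }} key {{ srv.key }}` in 20_aaa.j2 writes the TACACS+ shared secret verbatim into `final.cfg`, and `service password-encryption` in 10_system_settings.j2 only applies reversible type 7 obfuscation, so the README should state that `site.yaml` and the rendered output are secret material (vault-backed variables, never commit `final.cfg`); the checklist's `enable secret hash` item also has no counterpart in the skeleton. Separately, the USAGE pipeline `find config_components -name "*.j2" | sort | xargs cat | jinja2 …` concatenates the `50_port_profiles/*.j2` partials into the top-level render, where `port` is undefined, and `{% include 'interfaces/50_port_profiles/' + template %}` in 60_interface_assignments.j2 needs a loader with `config_components` on its search path, which a stdin render does not provide; render one entry template with that directory as the loader root instead. Finally, the skeleton covers VLAN and switchport profiles but none of the TUNNEL / DMVPN or CRYPTO knobs the checklist was written for, so the two halves of the document do not yet describe the same box.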