! ═══════════════════════════════════════════════════════════════════
! ARUBA CENTRAL -- AUTO-GENERATED CONFIGURATION
! ═══════════════════════════════════════════════════════════════════
! Config Selection:
!   SWITCH_ROLE  = %SWITCH_ROLE%
!   MEMBER_COUNT = %MEMBER_COUNT%
!
! Template Assigned:
! %if SWITCH_ROLE == agg%
!   Template: CX-Agg-%if MEMBER_COUNT > 1%Stack%endif%%if MEMBER_COUNT == 1%Standalone%endif%.tmpl
! %endif%
! %if SWITCH_ROLE == data%
!   Template: CX-Data-%if MEMBER_COUNT > 1%Stack%endif%%if MEMBER_COUNT == 1%Standalone%endif%.tmpl
! %endif%
! %if SWITCH_ROLE == MDT%
!   Template: CX-MDT-%if MEMBER_COUNT > 1%Stack%endif%%if MEMBER_COUNT == 1%Standalone%endif%.tmpl
! %endif%
! %if SWITCH_ROLE == AP_switch%
!   Template: CX-APSwitch-%if MEMBER_COUNT > 1%Stack%endif%%if MEMBER_COUNT == 1%Standalone%endif%.tmpl
! %endif%
! %if SWITCH_ROLE == garage_switch%
!   Template: CX-Garage-%if MEMBER_COUNT > 1%Stack%endif%%if MEMBER_COUNT == 1%Standalone%endif%.tmpl
! %endif%
!
! Active Sections:
!   [x] Universal (DNS, NTP, SNMP, syslog, TACACS+, STP)
!   %if MEMBER_COUNT > 1%[x]%endif%%if MEMBER_COUNT == 1%[ ]%endif% VSF Stack Config
!   [x] Uplink LAG
!   %if SWITCH_ROLE == data%[x]%endif%%if SWITCH_ROLE != data%[ ]%endif% Access Ports
!   %if SWITCH_ROLE == AP_switch%[x]%endif%%if SWITCH_ROLE != AP_switch%[ ]%endif% PoE AP Port Profiles
!   %if SWITCH_ROLE == agg%[x]%endif%%if SWITCH_ROLE == MDT%[x]%endif%%if SWITCH_ROLE != agg%%if SWITCH_ROLE != MDT%[ ]%endif%%endif% Trunk Port Groups
!   %if SWITCH_ROLE == garage_switch%[x]%endif%%if SWITCH_ROLE != garage_switch%[ ]%endif% Hardened Access Ports
!   %if SWITCH_ROLE == AP_switch%[x]%endif%%if SWITCH_ROLE == garage_switch%[x]%endif%%if SWITCH_ROLE != AP_switch%%if SWITCH_ROLE != garage_switch%[ ]%endif%%endif% PoE Configuration
!
! Device Identity:
!   Hostname: %HOSTNAME%
!   Site:     %SITE_NAME%
!   Location: %FLOOR%
!
! ── Member Serial Validation ──────────────────────────────────────
!
! Central checks CSV serial against physical hardware serial during
! ZTP. If a mismatch is detected the member will NOT join the stack.
!
!   CSV Serial          Member#         Match Status
!   ─────────────       ───────         ────────────
!   %MEMBER1_SERIAL%    1 (commander)   [checked at ZTP call-home]
%if MEMBER_COUNT >= 2%
!   %MEMBER2_SERIAL%    2 (standby)     [checked at VSF join]
%endif%
%if MEMBER_COUNT >= 3%
!   %MEMBER3_SERIAL%    3 (member)      [checked at VSF join]
%endif%
%if MEMBER_COUNT >= 4%
!   %MEMBER4_SERIAL%    4 (member)      [checked at VSF join]
%endif%
!
! Validation Flow:
!   1. Commander (%MEMBER1_SERIAL%) calls home to Central via DHCP/DNS
!   2. Central matches commander serial to CSV row, pushes config
!   3. Config includes vsf member N serial-number %MEMBERn_SERIAL%
!   4. When member N boots and attempts VSF join, commander validates:
!      - Physical serial == CSV %MEMBERn_SERIAL%
!      - If MISMATCH: member is REJECTED, log entry generated,
!        Central shows "serial-mismatch" in device health
!   5. Only serial-matched members form the VSF ring
!
! IMPORTANT: Verify serials on box labels / packing slips / Activate
! BEFORE populating the CSV. A wrong serial means the member will
! power on but never join the stack -- requiring manual intervention.
!
! ═══════════════════════════════════════════════════════════════════
hostname %HOSTNAME%
! ── VLAN DEFINITIONS (all roles) ──────────────────────
! NOTE(review): VLAN 10 is named "Management", but the only management
! SVI in this template is on VLAN 99 ("Native-VLAN"), which the uplink
! LAG and trunk sections also use as the untagged native VLAN. Confirm
! which VLAN is meant to carry management. If it is 99, management
! traffic is untagged on every trunk, so any host that can place
! untagged frames on a trunk port lands in the management VLAN.
vlan 10
    name Management
vlan 20
    name Employee-Data
vlan 30
    name Employee-Voice
vlan 40
    name Wireless-Corp
vlan 50
    name Wireless-Guest
vlan 60
    name IoT
vlan 99
    name Native-VLAN
! ── MANAGEMENT SVI (all roles) ────────────────────────
! In-band management address, pushed to every role. No ACL or
! control-plane filter for this SVI appears anywhere in this template;
! confirm management-plane access control is applied by another
! template or by the aggregation layer.
interface vlan 99
    description Management-SVI
    ip address %MGMT_VLAN_IP% %MGMT_VLAN_MASK%
    active
!
! ── L3 SVIs (agg role only -- downstream roles are L2) ──
! Each user VLAN gets a routed interface and a DHCP relay target on the
! aggregation role only; data/MDT/AP/garage roles stay L2 and rely on
! the uplink LAG for these VLANs.
%if SWITCH_ROLE == agg%
interface vlan 20
    description Employee-Data-SVI
    ip address %DATA_VLAN_IP% %DATA_VLAN_MASK%
    ip helper-address %DATA_VLAN_HELPER%
    active
interface vlan 30
    description Employee-Voice-SVI
    ip address %VOICE_VLAN_IP% %VOICE_VLAN_MASK%
    ip helper-address %VOICE_VLAN_HELPER%
    active
interface vlan 40
    description Wireless-Corp-SVI
    ip address %WCORP_VLAN_IP% %WCORP_VLAN_MASK%
    ip helper-address %WCORP_VLAN_HELPER%
    active
! Guest SVI has no helper-address, unlike VLANs 20/30/40 -- confirm
! that is intentional (e.g. DHCP served elsewhere for guests).
interface vlan 50
    description Wireless-Guest-SVI
    ip address %GUEST_VLAN_IP% %GUEST_VLAN_MASK%
    active
! IoT SVI likewise has no helper-address -- confirm intentional.
interface vlan 60
    description IoT-SVI
    ip address %IOT_VLAN_IP% %IOT_VLAN_MASK%
    active
%endif%
! ── UNIVERSAL CONFIG (all roles, all switches) ─────────
! DNS
ip dns server-address %DNS_SERVER_1%
ip dns server-address %DNS_SERVER_2%
ip dns domain-name %DNS_DOMAIN%
! NTP
! NOTE(review): no NTP authentication key is configured in this
! template; time is trusted from whatever answers at these addresses.
! Confirm whether key-based NTP authentication is required here,
! since accurate time underpins the TACACS+ accounting and syslog
! evidence configured below.
ntp server %NTP_SERVER_1%
ntp server %NTP_SERVER_2%
ntp enable
! Syslog
! NOTE(review): no transport or port is given for the syslog
! destination, so the platform default applies -- confirm whether an
! authenticated/encrypted transport is required for this environment.
logging %SYSLOG_SERVER%
logging severity info
logging facility local6
! SNMP
! NOTE(review): the same v2c community string is used both for polling
! with "unrestricted" access and for traps. v2c community strings are
! sent in cleartext, and an unrestricted community behaves as a write
! credential where the platform honours that keyword. Prefer a
! read-only, source-restricted community or SNMPv3, and confirm the
! "unrestricted" keyword against the target platform's snmp-server
! syntax before relying on it.
snmp-server community %SNMP_COMMUNITY% unrestricted
snmp-server host %SNMP_TRAP_HOST% community %SNMP_COMMUNITY% trap version v2c
snmp-server system-location %SITE_NAME%-%FLOOR%
snmp-server system-contact noc@corp.acme.com
! Banner
banner motd %BANNER_MOTD%
! TACACS+ (management access)
! NOTE(review): the shared secret is entered as "key plaintext", so
! %TACACS_KEY% is rendered into the configuration of every switch
! using this template, and both servers share the one key. Anyone who
! can read the template store or a rendered config can read the key;
! restrict access accordingly and rotate it if the template is ever
! exported.
tacacs-server host %TACACS_SERVER_1% key plaintext %TACACS_KEY%
tacacs-server host %TACACS_SERVER_2% key plaintext %TACACS_KEY%
! Login and command authorization fall back to "local" after the
! TACACS+ group; presumably this requires a local account to exist on
! the device, otherwise the fallback is a no-op -- confirm.
aaa authentication login default group tacacs+ local
aaa authorization commands default group tacacs+ local
aaa accounting all-mgmt default start-stop group tacacs+
! Spanning Tree
spanning-tree mode rpvst
spanning-tree priority %STP_PRIORITY%
! ── VSF STACK CONFIG (only if MEMBER_COUNT > 1) ────────
! Serial validation: each "vsf member N" includes serial-number
! so the commander verifies the physical switch matches the CSV
! before allowing the member to join the VSF topology.
!
%if MEMBER_COUNT > 1%
! Member 1 is the commander (see the serial table above). The nested
! %if MEMBER_COUNT >= 2% guard below is always true inside
! %if MEMBER_COUNT > 1% and could be dropped; kept as-is here.
vsf member 1
    serial-number %MEMBER1_SERIAL%
    priority %MEMBER1_PRIORITY%
    link 1 %VSF_LINK_1_2%
%if MEMBER_COUNT >= 2%
vsf member 2
    serial-number %MEMBER2_SERIAL%
    priority %MEMBER2_PRIORITY%
    link 1 %VSF_LINK_1_2%
%if MEMBER_COUNT >= 3%
    link 2 %VSF_LINK_2_3%
%endif%
%endif%
%if MEMBER_COUNT >= 3%
vsf member 3
    serial-number %MEMBER3_SERIAL%
    priority %MEMBER3_PRIORITY%
    link 1 %VSF_LINK_2_3%
%if MEMBER_COUNT >= 4%
    link 2 %VSF_LINK_3_4%
%endif%
%endif%
%if MEMBER_COUNT >= 4%
vsf member 4
    serial-number %MEMBER4_SERIAL%
    priority %MEMBER4_PRIORITY%
    link 1 %VSF_LINK_3_4%
%endif%
!
! ── VSF SERIAL MISMATCH LOGGING ──
! If a physical member presents a serial not matching the CSV,
! the commander rejects the join and generates this log event:
!   Event:    STACK_SERIAL_MISMATCH
!   Expected: %MEMBERn_SERIAL% (from CSV)
!   Received:
!   Action:   Member blocked, Central alert generated
!
%endif%
! ── UPLINK LAG (all roles) ─────────────────────────────
! NOTE(review): this LAG is rendered for every role, including agg,
! so the description "UPLINK-LAG-to-AGG" is inaccurate on the agg
! switch itself. The allowed list carries every VLAN (including the
! management VLANs 10 and 99) on every role's uplink, whereas the MDT
! trunks below are pruned to 60,99 -- consider per-role pruning here
! as well. Native VLAN 99 is also the management SVI VLAN (interface
! vlan 99), so management traffic is untagged on this uplink; confirm
! that is intended, since a dedicated unused native VLAN with
! management tagged is the usual hardening.
interface lag %LAG_UPLINK_ID%
    no shutdown
    description UPLINK-LAG-to-AGG
    no routing
    vlan trunk native 99
    vlan trunk allowed 10,20,30,40,50,60,99
    lacp mode active
interface %LAG_UPLINK_PORTS%
    lag %LAG_UPLINK_ID%
    no shutdown
! ── ROLE-SPECIFIC PORT CONFIGS ─────────────────────────
! ── AGG: Trunk ports to downstream switches ──
! Mirrors the uplink LAG VLAN set; same native-VLAN-99 caveat applies.
%if SWITCH_ROLE == agg%
interface %TRUNK_PORTS%
    no shutdown
    no routing
    vlan trunk native 99
    vlan trunk allowed 10,20,30,40,50,60,99
%endif%
! ── DATA: Access ports ──
! NOTE(review): user-facing ports are statically placed in VLAN 20
! with BPDU guard, edge port-type and loop-protect only. No port
! authentication (802.1X / MAC auth), DHCP snooping or ARP inspection
! appears in this template; confirm those are delivered by another
! template or are deliberately out of scope for this site.
%if SWITCH_ROLE == data%
interface %ACCESS_PORTS%
    no shutdown
    no routing
    vlan access 20
    spanning-tree bpdu-guard enable
    spanning-tree port-type admin-edge
    loop-protect
%endif%
! ── MDT: Trunk ports for building systems ──
! Pruned to IoT (60) plus native 99 -- the tightest VLAN set in this
! template; the uplink LAG above could follow the same pattern per role.
%if SWITCH_ROLE == MDT%
interface %TRUNK_PORTS%
    no shutdown
    no routing
    vlan trunk native 99
    vlan trunk allowed 60,99
%endif%
!
! ── AP_switch: PoE AP ports (trunk) ──
! NOTE(review): AP ports are trunks whose native VLAN 99 is also the
! management SVI VLAN (interface vlan 99). AP ports are usually in
! physically exposed locations (ceiling/wall), so anything plugged in
! there reaches VLAN 99 untagged. Confirm the AP uplink needs VLAN 99
! at all, or use a separate non-management native VLAN. BPDU guard
! on an edge trunk is the intended protection here: a BPDU bridged
! through the AP will disable the port rather than join the topology.
%if SWITCH_ROLE == AP_switch%
interface %AP_PORTS%
    no shutdown
    no routing
    vlan trunk native 99
    vlan trunk allowed 40,50,60,99
    spanning-tree bpdu-guard enable
    spanning-tree port-type admin-edge
    lldp tlv-select dot3-tlv power-via-mdi
    power-over-ethernet allocate-by usage
%endif%
! ── GARAGE: Hardened access ports (extended PoE) ──
! NOTE(review): the header says "hardened", but the per-port config
! is the DATA access profile (BPDU guard, edge port-type, loop-protect)
! plus PoE and VLAN 60; no additional controls such as port
! authentication, MAC limits or storm control are present in this
! template. Confirm what "hardened" is meant to add and where it lives.
%if SWITCH_ROLE == garage_switch%
interface %ACCESS_PORTS%
    no shutdown
    no routing
    vlan access 60
    spanning-tree bpdu-guard enable
    spanning-tree port-type admin-edge
    loop-protect
    power-over-ethernet allocate-by usage
%endif%
! ── LOOP PROTECTION (access roles only) ────────────────
! Global loop-protect timers. %LOOP_PROTECT_PORTS% is only used as a
! gate here and is never applied to an interface -- the per-port
! "loop-protect" above is enabled on %ACCESS_PORTS% instead. The two
! role blocks are identical; if the template language allows combining
! conditions they could be merged. Left as-is here.
%if SWITCH_ROLE == data%
%if LOOP_PROTECT_PORTS != --%
loop-protect transmit-interval 5 re-enable-timer 60
%endif%
%endif%
%if SWITCH_ROLE == garage_switch%
%if LOOP_PROTECT_PORTS != --%
loop-protect transmit-interval 5 re-enable-timer 60
%endif%
%endif%