#shut, no shutHave you tried turning it off and on again?

Jinja2 Switch Templating with FreeZTP

Preamble

About a year ago /u/packetsar shared FreeZTP on reddit, just in time for a project that required upgrade/configuration of 400+ IOS-XE switches (3650/3850, several stacks). Over the following months, he was extremely receptive and accommodating with feature updates and tweaks; so kudos, pal.

This is a sanitized example of a switch template that I built out with a strong focus on keeping the process as simple and unbreakable as possible for the intended end-users, at the cost of a self-imposed excessively large learning curve. My last three blog posts were a direct result of achieving this goal; something that a lot of docs, labbing, and scouring of community forums contributed to.

A Few Disclosures

  • I do not have a background in development, this was my first venture into any kind of programming/templating. This was largely an exercise in figuring out what I could accomplish in the template, without having to manually intervene, whether it be via python, console, or otherwise. There are probably some development best-practices that I unwittingly spat in the face of, or more optimal ways to accomplish some of these functions.
  • Smart-install is deprecated as of IOS-XE 16.3.7+ (still works in 16.3.6). This does not impact AutoInstall.
  • /u/packetsar has done an excellent job detailing all facets of FreeZTP, so questions/concerns regarding its inner-workings are better answered by the project’s GitHub readme.md.

FreeZTP config

I configured FreeZTP to use external keystore and template files. This kept the code and other sensitive template information somewhat concealed, for lack of a better term. This also kept ztp show config outputs concise and easier to read when validating FreeZTP settings.

ztp set external-keystore SBS type csv && \
ztp set external-keystore SBS file '/srv/ztp/keystore/ks_asw.csv' && \
ztp set external-template SBS file '/srv/ztp/template/tmpl_asw.j2'

CSV

The CSV file has minimal headings; keystore_id (hostname), association (template), and idarray_1idarray_4 for the switch serial numbers (our defined stack limitation for this project).

keystore_id,association,idarray_1,idarray_2,idarray_3,idarray_4
ASW-TR04-02,ASW,FOC11111111,FOC22222222,FOC33333333,FOC44444444

Template

  • First section provides guidelines and outputs the variables that ZTP passed into the template.
  • Second section defines static variables that I didn’t want to store in the CSV; e.g. protocol secrets/keys, syslog server addresses, and other things that the template will use.
  • Third section assigns dynamic values to variables.
Expand for Dynamic Variable Example

gi_ints is a list of GigabitEthernet interfaces, which scales with the number of switches in the stack.

Switch Count gi_ints
1 gi1/0/1-36
2 gi1/0/1-36,gi2/0/1-36
3 gi1/0/1-36,gi2/0/1-36,gi3/0/1-36
4 gi1/0/1-36,gi2/0/1-36,gi3/0/1-36,gi4/0/1-36

{%-set tmpl={"file":"tmpl_test.j2",
             "rev":"8"}-%}
{%-set indent="\n!"~" "*23-%}
!-- --------------------------------------------------------------------------- --!
!--                          ***IMPORTANT (Example)***                          --!
!--          Hostname (keystore_id in CSV) has strict formatting rules.         --!
!--                                                                             --!
!--  * TR and switch/stack numbers must each be two digits (use leading '0').   --!
!--                           * TRs are numbered 1-9.                           --!
!--     * Any TR can only accommodate up to 9 switches/stacks; i.e. 01-09.      --!
!--      * Any stack is only intended to have 4 switches; i.e. idarray_1-4.     --!
!--                                                                             --!
!--                     Example for TR-4, switch/stack 1...                     --!
!--                                                                             --!
!--      Access Switch      |       TR Number        |   Switch/Stack Number    --!
!--   ----------------------|------------------------|----------------------    --!
!--           ASW           |          TR04          |            02            --!
!--                                                                             --!
!--                        Example hostname: ASW-TR04-02                        --!
!-- --------------------------------------------------------------------------- --!
!
!-- Variables (keys) parsed from CSV keystore.
!
!---- KEYSTORE_ID     > {{keystore_id|default("N/A")}}{# Used to associate the switch to a template (serial number).#}
!---- ASSOCIATION     > {{association|default("N/A")}}{# Switch template associated with KEYSTORE_ID.#}
!---- IDARRAY_1       > {{idarray_1|default("N/A")}}{#   Switch 1 serial number.#}
!---- IDARRAY_2       > {{idarray_2|default("N/A")}}{#   Switch 2 serial number.#}
!---- IDARRAY_3       > {{idarray_3|default("N/A")}}{#   Switch 3 serial number.#}
!---- IDARRAY_4       > {{idarray_4|default("N/A")}}{#   Switch 4 serial number.#}
!---- IDARRAY         > {{idarray|default("N/A")}}{#     All switch serial numbers.#}
!
!---------------------------------------------------------------- VARIABLES: STATIC
!
!-- Variables (keys) statically defined within the template.
!-- Variables with multiple values are JSON formatted.
!{#   VARIABLE        > {%set VARIABLE="VALUE"%}                    <<< set | print >>>          {{VARIABLE}}   #}
!---- TFTP_ADDR       > {%set tftp_addr="172.17.251.251"%}{#                                   #}{{tftp_addr}}
!---- DOMAIN          > {%set domain="exmaple.local"%}{#                                       #}{{domain}}
!---- STP_PRIORITY    > {%set stp_priority="28672"%}{#                                         #}{{stp_priority}}
!---- ENABLE_SEC      > {%set enable_sec="enable-secret"%}{#                                   #}{{enable_sec}}
!---- TACACS_KEY      > {%set tacacs_key="tacacs-secret"%}{#                                   #}{{tacacs_key}}
!---- RADIUS_KEY      > {%set radius_key="radius-secret"%}{#                                   #}{{radius_key}}
!---- NTP_KEY         > {%set ntp_key="ntp-secret"%}{#                                         #}{{ntp_key}}
!---- SYSLOG_ADDR     > {%set syslog_addr="10.255.1.1"%}{#                                     #}{{syslog_addr}}
!---- [IMAGE]         > {%set image={"bin":"cat3k_caa-universalk9.16.03.07.SPA.bin",
                                     "ver":"16.3.7"}%}{#                                       #}{{image|dictsort(false)|join(indent)}}
!---- [CREDS]         > {%set creds={"admin":"admin-secret",
                                     "eem_svc":"eem-secret"}%}{#                               #}{{creds|dictsort(false)|join(indent)}}
!---- [NTP_ADDR]      > {%set ntp_addr={"pri":{"addr":"10.255.1.11","pref":"prefer"},
                                        "sec":{"addr":"10.255.1.12","pref":""}}%}{#            #}{{ntp_addr|dictsort(false)|join(indent)}}
!---- [ISE_ADDR]      > {%set ise_addr={"01":"10.255.1.21",
                                        "02":"10.255.1.22",
                                        "03":"10.255.1.23"}%}{#                                #}{{ise_addr|dictsort(false)|join(indent)}}
!---- [SNMPV3]        > {%set snmpv3={"grp":"SNMP_ASW",
                                      "user":"snmp_asw",
                                      "auth":"snmp-auth",
                                      "priv":"smp-priv"}%}{#                                   #}{{snmpv3|dictsort(false)|join(indent)}}
!---- [VLAN]          > {%set vlan={"native":{"id":"999","name":"NATIVE"},
                                    "global":{"id":"998","name":"GLOBAL"}}%}{#                 #}{{vlan|dictsort(false,"value")|join(indent)}}
!
!---------------------------------------------------------------- VARIABLES: DYNAMIC
!
!-- Variables (keys) with dynamic values based on variables paresed from the CSV keystore.
!
!-- Copy HOSTNAME from KEYSTORE_ID, get SW_COUNT and SERIALS from IDARRAY.
!---- HOSTNAME        > {%set hostname=keystore_id%}{#                                         #}{{hostname}}
!---- SW_COUNT        > {%set sw_count=idarray|count%}{#                                       #}{{sw_count}}
!---- SERIALS         > {%set serials=idarray%}{#                                              #}{{serials}}
!
!-- Create range lists for all access interfaces and all provisioning interfaces based on IDARRAY.
{%set gi_ints,te_ints,prov_ints=[],[],[]-%}
{%for sw in idarray-%}
{%  set i=loop.index-%}
{%  set gi_ints,te_ints,prov_ints=
        gi_ints.append("Gi%s/0/1-36"|format(i)),
        te_ints.append("Te%s/0/37-47"|format(i)),
        prov_ints.append("Te%s/0/48"|format(i))-%}
{%endfor-%}
!---- GI_INTS         > {%set gi_ints=gi_ints|join(",")%}{#                                    #}{{gi_ints}}
!---- TE_INTS         > {%set te_ints=te_ints|join(",")%}{#                                    #}{{te_ints}}
!---- PROV_INTS       > {%set prov_ints=prov_ints|join(",")%}{#                                #}{{prov_ints}}
!
!-- Split hostname to get TR (numeric only) and SW.
!---- TR              > {%set tr=(hostname.split("-")[1])[2:]%}{#                              #}{{tr}}
!---- TRN             > {%set trn=tr[1:]%}{#                                                   #}{{trn}}
!---- SW              > {%set sw=(hostname.split("-")[2])%}{#                                  #}{{sw}}
!
!-- Determine PO_NUM from TR (second digit) and (int of) SW; also used as last octet of MGMT IP.
!---- PO_NUM          > {%set po_num="1%s%s"|format(tr[1:],sw|int)%}{#                         #}{{po_num}}
!
!-- Determine MGMT subnet; IP from subnet and PO_NUM; append a name for the default route.
{%set mgmt={"net":"10.254.%s"|format(trn)}-%}
{%set x=mgmt.update({"mask":"255.255.255.0"})-%}
{%set x=mgmt.update({"ip":"%s.%s"|format(mgmt.net,po_num)})-%}
{%set x=mgmt.update({"rt_name":"Default>MGMT:DIST-01"})-%}
!---- [MGMT]          > {#                                                                     #}{{mgmt|dictsort(false,"value")|join(indent)}}
!
!-- Determine TR_VLS from TR, append them to the (static) [VLAN] dictionary.
{%set tr_vls={"grt_thin":{"id":"1%s01"|format(trn),"name":"GRT:TR%s/THIN-CLIENTS"|format(tr)},
              "grt_thick":{"id":"1%s02"|format(trn),"name":"GRT:TR%s/THICK-CLIENTS"|format(tr)},
              "grt_voice":{"id":"1%s03"|format(trn),"name":"GRT:TR%s/VOICE"|format(tr)},
              "grt_crit":{"id":"1%s99"|format(trn),"name":"GRT:TR%s/CRIT-AUTH"|format(tr)},
              "mgmt_sw":{"id":"2%s01"|format(trn),"name":"MGMT:TR%s/SW-WLC"|format(tr)},
              "mgmt_ap":{"id":"2%s02"|format(trn),"name":"MGMT:TR%s/CAPWAP"|format(tr)}}-%}
!---- [TR_VLS]        > {%set x=vlan.update(tr_vls)-%}{#                                       #}{{tr_vls|dictsort(false)|join(indent)}}
!
!-- Create VLAN_LIST from [VLAN].
{%set vlan_list=[]-%}
{%for k,v in vlan|dictsort(false,"value")-%}
{%  set vlan_list=vlan_list.append(v.id) -%}
{%endfor-%}
!---- VLAN_LIST       > {%set vlan_list=vlan_list|join(",")%}{#                                #}{{vlan_list}}
!
...
Expand for Full Template Example
{%-set tmpl={"file":"tmpl_test.j2",
             "rev":"8"}-%}
{%-set indent="\n!"~" "*23-%}
!-- --------------------------------------------------------------------------- --!
!--                          ***IMPORTANT (Example)***                          --!
!--          Hostname (keystore_id in CSV) has strict formatting rules.         --!
!--                                                                             --!
!--  * TR and switch/stack numbers must each be two digits (use leading '0').   --!
!--                           * TRs are numbered 1-9.                           --!
!--     * Any TR can only accommodate up to 9 switches/stacks; i.e. 01-09.      --!
!--      * Any stack is only intended to have 4 switches; i.e. idarray_1-4.     --!
!--                                                                             --!
!--                     Example for TR-4, switch/stack 2...                     --!
!--                                                                             --!
!--      Access Switch      |       TR Number        |   Switch/Stack Number    --!
!--   ----------------------|------------------------|----------------------    --!
!--           ASW           |          TR04          |            02            --!
!--                                                                             --!
!--                        Example hostname: ASW-TR04-02                        --!
!-- --------------------------------------------------------------------------- --!
!
!-- Variables (keys) parsed from CSV keystore.
!
!---- KEYSTORE_ID     > {{keystore_id|default("N/A")}}{# Used to associate the switch to a template (serial number).#}
!---- ASSOCIATION     > {{association|default("N/A")}}{# Switch template associated with KEYSTORE_ID.#}
!---- IDARRAY_1       > {{idarray_1|default("N/A")}}{#   Switch 1 serial number.#}
!---- IDARRAY_2       > {{idarray_2|default("N/A")}}{#   Switch 2 serial number.#}
!---- IDARRAY_3       > {{idarray_3|default("N/A")}}{#   Switch 3 serial number.#}
!---- IDARRAY_4       > {{idarray_4|default("N/A")}}{#   Switch 4 serial number.#}
!---- IDARRAY         > {{idarray|default("N/A")}}{#     All switch serial numbers.#}
!
!---------------------------------------------------------------- VARIABLES: STATIC
!
!-- Variables (keys) statically defined within the template.
!-- Variables with multiple values are JSON formatted.
!{#   VARIABLE        > {%set VARIABLE="VALUE"%}                    <<< set | print >>>          {{VARIABLE}}   #}
!---- TFTP_ADDR       > {%set tftp_addr="172.17.251.251"%}{#                                   #}{{tftp_addr}}
!---- DOMAIN          > {%set domain="exmaple.local"%}{#                                       #}{{domain}}
!---- STP_PRIORITY    > {%set stp_priority="28672"%}{#                                         #}{{stp_priority}}
!---- ENABLE_SEC      > {%set enable_sec="enable-secret"%}{#                                   #}{{enable_sec}}
!---- TACACS_KEY      > {%set tacacs_key="tacacs-secret"%}{#                                   #}{{tacacs_key}}
!---- RADIUS_KEY      > {%set radius_key="radius-secret"%}{#                                   #}{{radius_key}}
!---- NTP_KEY         > {%set ntp_key="ntp-secret"%}{#                                         #}{{ntp_key}}
!---- SYSLOG_ADDR     > {%set syslog_addr="10.255.1.1"%}{#                                     #}{{syslog_addr}}
!---- [IMAGE]         > {%set image={"bin":"cat3k_caa-universalk9.16.03.07.SPA.bin",
                                     "ver":"16.3.7"}%}{#                                       #}{{image|dictsort(false)|join(indent)}}
!---- [CREDS]         > {%set creds={"admin":"admin-secret",
                                     "eem_svc":"eem-secret"}%}{#                               #}{{creds|dictsort(false)|join(indent)}}
!---- [NTP_ADDR]      > {%set ntp_addr={"pri":{"addr":"10.255.1.11","pref":"prefer"},
                                        "sec":{"addr":"10.255.1.12","pref":""}}%}{#            #}{{ntp_addr|dictsort(false)|join(indent)}}
!---- [ISE_ADDR]      > {%set ise_addr={"01":"10.255.1.21",
                                        "02":"10.255.1.22",
                                        "03":"10.255.1.23"}%}{#                                #}{{ise_addr|dictsort(false)|join(indent)}}
!---- [SNMPV3]        > {%set snmpv3={"grp":"SNMP_ASW",
                                      "user":"snmp_asw",
                                      "auth":"snmp-auth",
                                      "priv":"smp-priv"}%}{#                                   #}{{snmpv3|dictsort(false)|join(indent)}}
!---- [VLAN]          > {%set vlan={"native":{"id":"999","name":"NATIVE"},
                                    "global":{"id":"998","name":"GLOBAL"}}%}{#                 #}{{vlan|dictsort(false,"value")|join(indent)}}
!
!---------------------------------------------------------------- VARIABLES: DYNAMIC
!
!-- Variables (keys) with dynamic values based on variables paresed from the CSV keystore.
!
!-- Copy HOSTNAME from KEYSTORE_ID, get SW_COUNT and SERIALS from IDARRAY.
!---- HOSTNAME        > {%set hostname=keystore_id%}{#                                         #}{{hostname}}
!---- SW_COUNT        > {%set sw_count=idarray|count%}{#                                       #}{{sw_count}}
!---- SERIALS         > {%set serials=idarray%}{#                                              #}{{serials}}
!
!-- Create range lists for all access interfaces and all provisioning interfaces based on IDARRAY.
{%set gi_ints,te_ints,prov_ints=[],[],[]-%}
{%for sw in idarray-%}
{%  set i=loop.index-%}
{%  set gi_ints,te_ints,prov_ints=
        gi_ints.append("Gi%s/0/1-36"|format(i)),
        te_ints.append("Te%s/0/37-47"|format(i)),
        prov_ints.append("Te%s/0/48"|format(i))-%}
{%endfor-%}
!---- GI_INTS         > {%set gi_ints=gi_ints|join(",")%}{#                                    #}{{gi_ints}}
!---- TE_INTS         > {%set te_ints=te_ints|join(",")%}{#                                    #}{{te_ints}}
!---- PROV_INTS       > {%set prov_ints=prov_ints|join(",")%}{#                                #}{{prov_ints}}
!
!-- Split hostname to get TR (numeric only) and SW.
!---- TR              > {%set tr=(hostname.split("-")[1])[2:]%}{#                              #}{{tr}}
!---- TRN             > {%set trn=tr[1:]%}{#                                                   #}{{trn}}
!---- SW              > {%set sw=(hostname.split("-")[2])%}{#                                  #}{{sw}}
!
!-- Determine PO_NUM from TR (second digit) and (int of) SW; also used as last octet of MGMT IP.
!---- PO_NUM          > {%set po_num="1%s%s"|format(tr[1:],sw|int)%}{#                         #}{{po_num}}
!
!-- Determine MGMT subnet; IP from subnet and PO_NUM; append a name for the default route.
{%set mgmt={"net":"10.254.%s"|format(trn)}-%}
{%set x=mgmt.update({"mask":"255.255.255.0"})-%}
{%set x=mgmt.update({"ip":"%s.%s"|format(mgmt.net,po_num)})-%}
{%set x=mgmt.update({"rt_name":"Default>MGMT:DIST-01"})-%}
!---- [MGMT]          > {#                                                                     #}{{mgmt|dictsort(false,"value")|join(indent)}}
!
!-- Determine TR_VLS from TR, append them to the (static) [VLAN] dictionary.
{%set tr_vls={"grt_thin":{"id":"1%s01"|format(trn),"name":"GRT:TR%s/THIN-CLIENTS"|format(tr)},
              "grt_thick":{"id":"1%s02"|format(trn),"name":"GRT:TR%s/THICK-CLIENTS"|format(tr)},
              "grt_voice":{"id":"1%s03"|format(trn),"name":"GRT:TR%s/VOICE"|format(tr)},
              "grt_crit":{"id":"1%s99"|format(trn),"name":"GRT:TR%s/CRIT-AUTH"|format(tr)},
              "mgmt_sw":{"id":"2%s01"|format(trn),"name":"MGMT:TR%s/SW-WLC"|format(tr)},
              "mgmt_ap":{"id":"2%s02"|format(trn),"name":"MGMT:TR%s/CAPWAP"|format(tr)}}-%}
!---- [TR_VLS]        > {%set x=vlan.update(tr_vls)-%}{#                                         #}{{tr_vls|dictsort(false)|join(indent)}}
!
!-- Create VLAN_LIST from [VLAN].
{%set vlan_list=[]-%}
{%for k,v in vlan|dictsort(false,"value")-%}
{%  set vlan_list=vlan_list.append(v.id) -%}
{%endfor-%}
!---- VLAN_LIST       > {%set vlan_list=vlan_list|join(",")%}{#                                #}{{vlan_list}}
!
!---------------------------------------------------------------- CONFIG: BASE
!
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname {{hostname}}
!
clock timezone PST -8 0
clock summer-time PDT recurring
!
{%for sw in idarray-%}
{%  set i=loop.index-%}
switch {{i}} provision ws-c3850-12x48u
{%endfor-%}
!
no ip domain lookup
ip domain-name {{domain}}
!
logging buffered 409600 debugging
logging console debug
!
!ip ssh logging events
ip ssh version 2
!
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority {{stp_priority}}
!
vtp mode transparent
!
file prompt quiet
!
ip dhcp snooping vlan 1-4094
no ip dhcp snooping information option
ip dhcp snooping
!
udld aggressive
!
macro name int-auth
 switchport
 switchport mode access
 switchport nonegotiate
 switchport voice vlan {{vlan.grt_voice.id}}
 device-tracking attach-policy IPDT
 authentication event server dead action reinitialize vlan {{vlan.grt_crit.id}}
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
 ip dhcp snooping limit rate 25
 no shutdown
 no downshift
 no macro description
 @
!
macro name int-noauth
 # Unauthenticated interface macro, variables not mandatory.
 # > Assign appropriate access vlan using $VL
 #
 # Example config for a thin client in VL-1201;
 # (config)# interface gi#/#/#
 # (config-if)# macro apply int-noauth $VL 1201
 #
 switchport
 switchport access vlan $VL
 switchport mode access
 switchport nonegotiate
 device-tracking attach-policy IPDT
 spanning-tree portfast
 ip dhcp snooping limit rate 25
 no shutdown
 no downshift
 no macro description
 @
!
banner login @
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or
criminal penalties.
All activities performed on this device are logged and monitored.
-----------------------------------------------------------------------------------------
@
!
alias exec intstat show int status
alias exec ipint show ip int br | e una
alias exec ver show ver | i Soft|file
alias exec vlbr show vlan br | i active
alias exec rundiff show arch config diff
alias exec auth show auth sess int gi
alias exec radstat sh aaa server | i RADIUS|Platform State
alias exec int-auth event man run int-auth
alias exec int-noauth event man run int-noauth
!
!---------------------------------------------------------------- CONFIG: AUTH
!
enable secret 0 {{enable_sec}}
!
{%for k,v in creds|dictsort(false)-%}
username {{k}} privilege 15 secret 0 {{v}}
{%endfor-%}
!
aaa new-model
!
!-- TACACS servers and group config.
!
{%-for k,v in ise_addr|dictsort(false)%}
tacacs server ISE{{k}}-T
 address ipv4 {{v}}
 key 0 {{tacacs_key}}
 single-connection
{%endfor-%}
!
aaa group server tacacs+ ISE-T
{%-for k,v in ise_addr|dictsort(false)%}
 server name ISE{{k}}-T
{%-endfor%}
 ip tacacs source-interface Vlan{{vlan.mgmt_sw.id}}
!
!-- RADIUS servers and group config.
!
{%-for k,v in ise_addr|dictsort(false)%}
radius server ISE{{k}}-R
 address ipv4 {{v}} auth-port 1812 acct-port 1813
 automate-tester username test-user ignore-acct-port probe-on
 key 0 {{radius_key}}
{%endfor-%}
!
aaa group server radius ISE-R
{%-for k,v in ise_addr|dictsort(false)%}
 server name ISE{{k}}-R
{%-endfor%}
 ip radius source-interface Vlan{{vlan.mgmt_sw.id}}
 load-balance method least-outstanding batch-size 5
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
aaa server radius dynamic-author
{%-for k,v in ise_addr|dictsort(false)%}
 client {{v}} server-key 0 {{radius_key}}
{%-endfor%}
!
!-- Default authentication method list to use TACACS, fallback to local (ssh).
 aaa authentication login default group ISE-T local
!
!-- Authentication method list to use local creds only (console).
 aaa authentication login CONSOLE local
!
!-- Required to authorize console to exec mode (console).
 aaa authorization console
!
!-- Default authorization exec and commands 15 method lists to use local or TACACS (console, ssh).
!-- 'local' must be defined here first for console authorization to work.
 aaa authorization exec default local group ISE-T if-authenticated 
 aaa authorization commands 15 default local group ISE-T if-authenticated
!
!-- Accounting commands to send all exec start-stop, and priv 15 commands to TACACS (console, ssh).
 aaa accounting exec default start-stop group ISE-T
 aaa accounting commands 15 default start-stop group ISE-T
!
!-- AAA commands for dot1x/mab.
aaa authentication dot1x default group ISE-R
aaa authorization network default group ISE-R
aaa accounting dot1x default start-stop group ISE-R
aaa accounting update newinfo periodic 2880
!
!---------------------------------------------------------------- CONFIG: DOT1X/ISE-MISC
!
dot1x system-auth-control
dot1x critical eapol
!
authentication mac-move permit
!
device-sensor filter-list dhcp list DHCP-ISE
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-list cdp list CDP-ISE
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
!
device-sensor filter-spec dhcp include list DHCP-ISE
device-sensor filter-spec cdp include list CDP-ISE
device-sensor accounting
device-sensor notify all-changes
!
!---------------------------------------------------------------- CONFIG: VLANS
!
{%-for k,v in vlan|dictsort(false,"value")%}
vlan {{v.id}}
 name {{v.name}}
{%endfor-%}
!
!---------------------------------------------------------------- CONFIG: INTERFACES
!
interface GigabitEthernet0/0
 shutdown
!
!-- Configure misc interfaces for all stack members.
!
interface range {{prov_ints}}
 description TMP//PROVISION
 switchport
 switchport mode access
 switchport nonegotiate
 switchport access vlan 1
 spanning-tree portfast
 ip dhcp snooping trust
 no shutdown
!
{%-for sw in idarray%}
{%-set i=loop.index%}
interface range Gi{{i}}/1/1-2
 shutdown
!
interface range Te{{i}}/1/3-4
 channel-group 1 mode active
 no shutdown
!
interface range Gi{{i}}/1/3-4,Te{{i}}/1/1-2,Te{{i}}/1/5-8,Fo{{i}}/1/1-2
 description ***NULL//DoNotConfigure
 shutdown
{%endfor-%}
!
interface Port-channel1
 description DIST-01:Po{{po_num}}
 switchport trunk native vlan 999
 switchport trunk allowed vlan {{vlan_list}}
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 no shutdown
!
!---------------------------------------------------------------- CONFIG: IP/SOURCE/NMS
!
interface Vlan1
 desc TMP//PROVISION
 ip address dhcp
 no shutdown
!
interface Vlan{{vlan.mgmt_sw.id}}
 description {{vlan.mgmt_sw.name}}
 no ip redirects
 no ip proxy-arp
 ip address {{mgmt.ip}} {{mgmt.mask}}
 no shutdown
!
ip tftp source-interface Vlan{{vlan.mgmt_sw.id}}
ip tftp blocksize 8192
!
ip route 0.0.0.0 0.0.0.0 {{mgmt.net}}.1 name {{mgmt.rt_name}}
!
logging source-interface Vlan{{vlan.mgmt_sw.id}}
logging host {{syslog_addr}}
!
ntp authentication-key 1 md5 {{ntp_key}}
ntp authenticate
ntp trusted-key 1
{%-for k,v in ntp_addr|dictsort(false)%}
ntp server {{v.addr}} key 1 {{v.pref}} source vlan{{vlan.mgmt_sw.id}}
{%-endfor%}
!
snmp-server group {{snmpv3.grp}} v3 priv
snmp-server user {{snmpv3.user}} {{snmpv3.grp}} v3 auth sha {{snmpv3.auth}} priv aes 256 {{snmpv3.priv}}
snmp-server location Provisioned with switch template: {{"%s (rev: %s)"|format(tmpl.file,tmpl.rev)}}
snmp-server contact Provisioned hostname ({{hostname}}) and stack members: {{serials|join("-")}}
!
line console 0
 login authentication CONSOLE
 logging synchronous
 exec-timeout 15 0
line vty 0 15
 logging synchronous
 exec-timeout 30 0
 transport input ssh
!
!---------------------------------------------------------------- CONFIG: EEM
!
event manager session cli username {{creds.keys().1}}
!
event manager applet int-auth
 event none maxrun 60
 action 00.00 puts "## Enter interface to configure with authentication; e.g. gi1/0/1, te1/0/37"
 action 00.01 gets intf
 action 00.02 cli command "enable"
 action 00.03 cli command "show int $intf status"
 action 00.04 regexp "Invalid" "$_cli_result"
 action 00.05 if $_regexp_result eq "1"
 action 00.06  puts "## Invalid interface ($intf), verify prefix; i.e. 'gi' or 'te'."
 action 00.07  exit
 action 00.08 end
 action 00.10 regexp "connected\ +([0-9]+)" "$_cli_result" match currvl
 action 00.11 if $_regexp_result eq "1"
 action 00.12  puts "## Interface $intf has a device connected in VLAN $currvl, continue (y|n)..."
 action 00.13  gets cont
 action 00.14  if $cont ne "y"
 action 00.15   exit
 action 00.16  end
 action 00.17 end
 action 01.00 cli command "conf t"
 action 01.01 cli command "default int $intf"
 action 01.02 cli command "int $intf"
 action 01.03 cli command "macro apply int-auth"
 action 01.04 cli command "end"
 action 01.05 cli command "write mem" pattern "confirm|#"
 action 01.06 cli command ""
 action 01.10 puts "## Interface $intf configured with authentication."
!
event manager applet int-noauth
 event none maxrun 60
 action 00.00 puts "## Enter interface to configure without authentication; e.g. gi1/0/1, te1/0/37"
 action 00.01 gets intf
 action 00.02 cli command "enable"
 action 00.03 cli command "show int $intf status"
 action 00.04 regexp "Invalid" "$_cli_result"
 action 00.05 if $_regexp_result eq "1"
 action 00.06  puts "## Invalid interface ($intf), verify prefix; i.e. 'gi' or 'te'."
 action 00.07  exit
 action 00.08 end
 action 00.10 regexp "connected\ +([0-9]+)" "$_cli_result" match currvl
 action 00.11 if $_regexp_result eq "1"
 action 00.12  puts "## Interface $intf has a device connected in VLAN $currvl, continue (y|n)..."
 action 00.13  gets cont
 action 00.14  if $cont ne "y"
 action 00.15   exit
 action 00.16  end
 action 00.17 end
 action 00.20 puts "## Enter access VLAN ID; e.g. 800"
 action 00.21 gets vl
 action 00.22 cli command "show vlan id $vl"
 action 00.23 regexp "not found" "$_cli_result"
 action 00.24 if $_regexp_result eq "1"
 action 00.25  puts "## VLAN $vl is not configured on this switch."
 action 00.26  exit
 action 00.27 end
 action 01.00 cli command "conf t"
 action 01.01 cli command "default int $intf"
 action 01.02 cli command "int $intf"
 action 01.03 cli command "macro apply int-noauth \$VL $vl"
 action 01.04 cli command "end"
 action 01.05 cli command "write mem" pattern "confirm|#"
 action 01.06 cli command ""
 action 01.10 puts "## Interface $intf configured without authentication in VL-$vl, please describe accordingly."
!
!---------------------------------------------------------------- CONFIG: EEM-TEMP
!
event manager environment q "
!
event manager applet post_ztp_1
!-- Renumber/prioritize switches in stack, write mem, and then download->upgrade/reload (if needed).
 event syslog occurs 1 pattern "Configured from tftp://{{tftp_addr}}" maxrun 960
 action 00.00 syslog msg "  ## Configuration received via TFTP, run 'post_ztp_1' EEM applet in 120s."
 action 00.01 wait 120
 action 00.03 cli command "enable"
 action 00.05 cli command "show mod | i ^.[1-9]"
 action 00.06 set stack "$_cli_result"
 action 00.07 syslog msg "  ## Checking all switches' version and stack membership, adjusting where necessary.\n  ## Current order;\n$stack"
 action 00.08 set error_list ""
 action 00.09 set change_list ""
 action 00.10 set upgrade_list ""
 {%for sw in idarray%}
 {%-  set i=loop.index%}
 action 0{{i}}.00 set sw_num "{{i}}"
 action 0{{i}}.01 set pri "16"
 action 0{{i}}.02 decrement pri {{i}}
 action 0{{i}}.03 regexp "{{sw}}" "$stack"
 action 0{{i}}.04 if $_regexp_result ne "1"
 action 0{{i}}.05  syslog msg "\n  ## {{sw}} (Sw-{{i}} serial) not found in the stack, check 'show mod' output."
 action 0{{i}}.06  append error_list "\n  ##  {{sw}} is allocated (idarray_{{i}}) but was not found in the stack."
 action 0{{i}}.07 else
 action 0{{i}}.08  set i "0"
 action 0{{i}}.09  foreach line "$stack" "\n"
 action 0{{i}}.10   increment i
 action 0{{i}}.11   if $i le "{{sw_count}}"
 action 0{{i}}.12    string trim "$line"
 action 0{{i}}.13    set line "$_string_result"
 action 0{{i}}.14    regexp "{{sw}}" "$line"
 action 0{{i}}.15    if $_regexp_result eq "1"
 action 0{{i}}.16     regexp "([0-9\.A-Z]+$)" "$line" curr_ver
 action 0{{i}}.17     if $curr_ver ne "{{image.ver}}"
 action 0{{i}}.18      append upgrade_list "{{i}}"
 action 0{{i}}.19     end
 action 0{{i}}.20     cli command "switch $i priority $pri" pattern "continue|#"
 action 0{{i}}.21     cli command "y"
 action 0{{i}}.22     if $i eq $sw_num
 action 0{{i}}.23      append change_list "\n  ##  {{sw}} (Priority: $pri // Numbered:       $sw_num  // Version: $curr_ver)"
 action 0{{i}}.24     else
 action 0{{i}}.25      cli command "switch $i renumber $sw_num" pattern "continue|#"
 action 0{{i}}.26      cli command "y"
 action 0{{i}}.27      append change_list "\n  ##  {{sw}} (Priority: $pri // Renumbered: $i > $sw_num* // Version: $curr_ver)"
 action 0{{i}}.28     end
 action 0{{i}}.29     break
 action 0{{i}}.30    end
 action 0{{i}}.31   end
 action 0{{i}}.32  end
 action 0{{i}}.33 end
 {%endfor%}
 action 10.00 wait 5
 action 10.01 if $error_list ne ""
 action 10.02  syslog msg "\n  ## The following errors occurred; $error_list"
 action 10.03 end
 action 10.04 syslog msg "\n  ## Switches below have been assigned a priority and renumbered* as needed; $change_list"
 action 13.00 cli command "conf t"
 action 13.01 cli command "no event man app post_ztp_1"
 action 14.00 if $upgrade_list eq ""
 action 14.01  syslog msg "  ## All switches are running version {{image.ver}}, skipping download->upgrade/reload; finalizing config in 20s."
 action 14.02  cli command "no event man env q"
 action 14.03  cli command "event man env ztp_upgraded no"
 action 14.04  cli command " event man app post_ztp_2"
 action 14.05  cli command " event timer countdown time 20 maxrun 480"
 action 14.06  cli command " no action 00.00"
 action 14.07  cli command " no action 00.01"
 action 14.08  cli command " end"
 action 14.09  cli command "write mem" pattern "confirm|#"
 action 14.10  cli command ""
 action 14.11 else
 action 14.12  syslog msg "  ## One or more switches require an upgrade to version {{image.ver}} ($upgrade_list); proceeding with download->upgrade/reload."
 action 14.13  cli command "event man env ztp_upgraded yes"
 action 14.14  cli command "event man app post_ztp_2"
 action 14.15  cli command " event syslog occurs 1 pattern $q%IOSXE_REDUNDANCY-6-PEER$q maxrun 630"
 action 14.16  cli command " no event man env q"
 action 14.17  cli command "end"
 action 14.18  cli command "write mem" pattern "confirm|#"
 action 14.19  cli command ""
 action 14.20  syslog msg "  ## (Standby) Downloading image..."
 action 14.21  cli command "copy tftp://{{tftp_addr}}/{{image.bin}} flash:"
 action 14.22  syslog msg "  ## (Standby) Image downloaded, upgrading..."
 action 14.23  cli command "software install file flash:{{image.bin}} new force" pattern "proceed|#"
 action 14.24  syslog msg "  ## Upgrade complete, rebooting."
 action 14.25  cli command "y"
 action 14.26 end
!
event manager applet post_ztp_2
!-- Apply final configs, push running config via TFTP, clean up VL-1 and Te#/0/48 configs, write mem, and then perform package clean.
 event none
 action 00.00 syslog msg "  ## Switch reloaded on new image, running 'post_ztp_2' EEM applet in 150s."
 action 00.01 wait 150
 action 00.02 syslog msg "  ## (Standby) Applying global configs ignored by smart-install and generating crypto key..."
 action 00.03 cli command "enable"
 action 00.04 set upgr "$ztp_upgraded"
 action 01.00 cli command "conf t"
 action 01.01 cli command "no event man env ztp_upgraded"
 action 01.02 cli command "no event man app post_ztp_2"
 action 01.04 cli command "no vstack"
 action 01.05 cli command "no ip http ser"
 action 01.06 cli command "no ip http secure-s"
 action 01.07 cli command "no ip http authen"
 action 01.08 cli command "no coap http enable"
 action 01.09 cli command "device-tracking policy IPDT"
 action 01.10 cli command " no protocol udp"
 action 01.11 cli command " tracking enable"
 action 01.12 cli command "cry key gen rsa mod 2048"
 action 02.00 syslog msg "  ## (Standby) Applying `int-auth` macro config to ports 1-48 on all stack members..."
 action 02.01 cli command "int range {{gi_ints}}"
 action 02.02 cli command " macro apply int-auth"
 action 02.03 cli command " no macro desc"
 action 02.04 cli command "int range {{te_ints}}"
 action 02.05 cli command " macro apply int-auth"
 action 02.06 cli command " no macro desc"
 action 03.00 syslog msg "  ## Pushing config to the following location: tftp://{{tftp_addr}}/provisioned/CAS/{{cfg_file}}"
 action 03.01 cli command "do copy run tftp://{{tftp_addr}}/provisioned/CAS/{{cfg_file}}"
 action 04.00 syslog msg "  ## Disabling VL-1 SVI, updating Te#/0/48 configs, and writing startup config."
 action 04.01 cli command "int vl 1"
 action 04.02 cli command " no desc"
 action 04.03 cli command " no ip addr"
 action 04.04 cli command " shut"
 action 04.05 cli command "default int range {{prov_ints}}"
 action 04.06 cli command "int range {{prov_ints}}"
 action 04.07 cli command " macro apply int-auth"
 action 04.08 cli command " no macro desc"
 action 04.09 cli command "end"
 action 04.10 cli command "write mem" pattern "confirm|#"
 action 04.11 cli command ""
 action 05.00 if $upgr eq "yes"
 action 05.01  syslog msg "  ## (Standby) ZTP upgrade detected, performing software package clean..."
 action 05.02  cli command "req plat soft pack clean sw all" pattern "proceed|#"
 action 05.03  cli command "y"
 action 05.04  syslog msg "  ## Unused .bin or .pkg files from previous version(s) have been deleted."
 action 05.05 else
 action 05.06  syslog msg "  ## ZTP upgrade not detected, skipping software package clean."
 action 05.07 end
 action 05.08 syslog msg "  ## Start-up config written, ({{hostname}}) is ready for deployment, OK to power off."
!
end

Merged Config

##############################
!-- --------------------------------------------------------------------------- --!
!--                          ***IMPORTANT (Example)***                          --!
!--          Hostname (keystore_id in CSV) has strict formatting rules.         --!
!--                                                                             --!
!--  * TR and switch/stack numbers must each be two digits (use leading '0').   --!
!--                           * TRs are numbered 1-9.                           --!
!--     * Any TR can only accommodate up to 9 switches/stacks; i.e. 01-09.      --!
!--      * Any stack is only intended to have 4 switches; i.e. idarray_1-4.     --!
!--                                                                             --!
!--                     Example for TR-4, switch/stack 2...                     --!
!--                                                                             --!
!--      Access Switch      |       TR Number        |   Switch/Stack Number    --!
!--   ----------------------|------------------------|----------------------    --!
!--           ASW           |          TR04          |            02            --!
!--                                                                             --!
!--                        Example hostname: ASW-TR04-02                        --!
!-- --------------------------------------------------------------------------- --!
!
!-- Variables (keys) parsed from CSV keystore.
!
!---- KEYSTORE_ID     > ASW-TR04-02
!---- ASSOCIATION     > ASW
!---- IDARRAY_1       > FOC11111111
!---- IDARRAY_2       > FOC22222222
!---- IDARRAY_3       > FOC33333333
!---- IDARRAY_4       > FOC44444444
!---- IDARRAY         > ['FOC11111111', 'FOC22222222', 'FOC33333333', 'FOC44444444']
!
!---------------------------------------------------------------- VARIABLES: STATIC
!
!-- Variables (keys) statically defined within the template.
!-- Variables with multiple values are JSON formatted.
!
!---- TFTP_ADDR       > 172.17.251.251
!---- DOMAIN          > exmaple.local
!---- STP_PRIORITY    > 28672
!---- ENABLE_SEC      > enable-secret
!---- TACACS_KEY      > tacacs-secret
!---- RADIUS_KEY      > radius-secret
!---- NTP_KEY         > ntp-secret
!---- SYSLOG_ADDR     > 10.255.1.1
!---- [IMAGE]         > ('bin', 'cat3k_caa-universalk9.16.03.07.SPA.bin')
!                       ('ver', '16.3.7')
!---- [CREDS]         > ('admin', 'admin-secret')
!                       ('eem_svc', 'eem-secret')
!---- [NTP_ADDR]      > ('pri', {'pref': 'prefer', 'addr': '10.255.1.11'})
!                       ('sec', {'pref': '', 'addr': '10.255.1.12'})
!---- [ISE_ADDR]      > ('01', '10.255.1.21')
!                       ('02', '10.255.1.22')
!                       ('03', '10.255.1.23')
!---- [SNMPV3]        > ('auth', 'snmp-auth')
!                       ('grp', 'SNMP_ASW')
!                       ('priv', 'smp-priv')
!                       ('user', 'snmp_asw')
!---- [VLAN]          > ('global', {'id': '998', 'name': 'GLOBAL'})
!                       ('native', {'id': '999', 'name': 'NATIVE'})
!
!---------------------------------------------------------------- VARIABLES: DYNAMIC
!
!-- Variables (keys) with dynamic values based on variables paresed from the CSV keystore.
!
!-- Copy HOSTNAME from KEYSTORE_ID, get SW_COUNT and SERIALS from IDARRAY.
!---- HOSTNAME        > ASW-TR04-02
!---- SW_COUNT        > 4
!---- SERIALS         > ['FOC11111111', 'FOC22222222', 'FOC33333333', 'FOC44444444']
!
!-- Join HOSTNAME and SERIALS to make CFG_FILE; used by EEM applet for TFTP config push
!---- CFG_FILE        > ASW-TR04-02_FOC11111111-FOC22222222-FOC33333333-FOC44444444.cfg
!
!-- Create range lists for all access interfaces and all provisioning interfaces based on IDARRAY.
!---- GI_INTS         > Gi1/0/1-36,Gi2/0/1-36,Gi3/0/1-36,Gi4/0/1-36
!---- TE_INTS         > Te1/0/37-47,Te2/0/37-47,Te3/0/37-47,Te4/0/37-47
!---- PROV_INTS       > Te1/0/48,Te2/0/48,Te3/0/48,Te4/0/48
!
!-- Split hostname to get TR (numeric only) and SW.
!---- TR              > 04
!---- TRN             > 4
!---- SW              > 02
!
!-- Determine PO_NUM from TR (second digit) and (int of) SW; also used as last octet of MGMT IP.
!---- PO_NUM          > 142
!
!-- Determine MGMT subnet; IP from subnet and PO_NUM; append a name for the default route.
!---- [MGMT]          > ('net', u'10.254.4')
!                       ('ip', u'10.254.4.142')
!                       ('mask', '255.255.255.0')
!                       ('rt_name', 'Default>MGMT:DIST-01')
!
!-- Determine TR_VLS from TR, append them to the (static) [VLAN] dictionary.
!---- [TR_VLS]        > ('grt_crit', {'id': u'1499', 'name': u'GRT:TR04/CRIT-AUTH'})
!                       ('grt_thick', {'id': u'1402', 'name': u'GRT:TR04/THICK-CLIENTS'})
!                       ('grt_thin', {'id': u'1401', 'name': u'GRT:TR04/THIN-CLIENTS'})
!                       ('grt_voice', {'id': u'1403', 'name': u'GRT:TR04/VOICE'})
!                       ('mgmt_ap', {'id': u'2402', 'name': u'MGMT:TR04/CAPWAP'})
!                       ('mgmt_sw', {'id': u'2401', 'name': u'MGMT:TR04/SW-WLC'})
!
!-- Create VLAN_LIST from [VLAN].
!---- VLAN_LIST       > 1401,1402,1403,1499,2401,2402,998,999
!
...
Expand for Full Merged Config Example
Expand for Merge Request & Resulting Logs
# ztp request merge-test ASW-TR04-02 
2019-03-07 23:49:00:   cfact.get_keystore_id: Checking Keystores and IDArrays for (ASW-TR04-02)

2019-03-07 23:49:00:   cfact.get_keystore_id: ID (ASW-TR04-02) resolved directly to an external-keystore

2019-03-07 23:49:00:   cfact.get_template: Looking up association for identity (ASW-TR04-02)

2019-03-07 23:49:00:   cfact.get_template: Found associated template (ASW) in an external keystore

2019-03-07 23:49:00:   cfact.get_template: Template (ASW) exists as an external-template. Returning

2019-03-07 23:49:00:   cfact.pull_keystore_values: Inserting IDArray keys

2019-03-07 23:49:00:   cfact.merge_final_config: Merging with values:
{
    "idarray_1": "FOC11111111", 
    "idarray_4": "FOC44444444", 
    "idarray_2": "FOC22222222", 
    "idarray_3": "FOC33333333", 
    "keystore_id": "ASW-TR04-02", 
    "idarray": [
        "FOC11111111", 
        "FOC22222222", 
        "FOC33333333", 
        "FOC44444444"
    ], 
    "association": "ASW"
}
##############################
!-- --------------------------------------------------------------------------- --!
!--                          ***IMPORTANT (Example)***                          --!
!--          Hostname (keystore_id in CSV) has strict formatting rules.         --!
!--                                                                             --!
!--  * TR and switch/stack numbers must each be two digits (use leading '0').   --!
!--                           * TRs are numbered 1-9.                           --!
!--     * Any TR can only accommodate up to 9 switches/stacks; i.e. 01-09.      --!
!--      * Any stack is only intended to have 4 switches; i.e. idarray_1-4.     --!
!--                                                                             --!
!--                     Example for TR-4, switch/stack 2...                     --!
!--                                                                             --!
!--      Access Switch      |       TR Number        |   Switch/Stack Number    --!
!--   ----------------------|------------------------|----------------------    --!
!--           ASW           |          TR04          |            02            --!
!--                                                                             --!
!--                        Example hostname: ASW-TR04-02                        --!
!-- --------------------------------------------------------------------------- --!
!
!-- Variables (keys) parsed from CSV keystore.
!
!---- KEYSTORE_ID     > ASW-TR04-02
!---- ASSOCIATION     > ASW
!---- IDARRAY_1       > FOC11111111
!---- IDARRAY_2       > FOC22222222
!---- IDARRAY_3       > FOC33333333
!---- IDARRAY_4       > FOC44444444
!---- IDARRAY         > ['FOC11111111', 'FOC22222222', 'FOC33333333', 'FOC44444444']
!
!---------------------------------------------------------------- VARIABLES: STATIC
!
!-- Variables (keys) statically defined within the template.
!-- Variables with multiple values are JSON formatted.
!
!---- TFTP_ADDR       > 172.17.251.251
!---- DOMAIN          > exmaple.local
!---- STP_PRIORITY    > 28672
!---- ENABLE_SEC      > enable-secret
!---- TACACS_KEY      > tacacs-secret
!---- RADIUS_KEY      > radius-secret
!---- NTP_KEY         > ntp-secret
!---- SYSLOG_ADDR     > 10.255.1.1
!---- [IMAGE]         > ('bin', 'cat3k_caa-universalk9.16.03.07.SPA.bin')
!                       ('ver', '16.3.7')
!---- [CREDS]         > ('admin', 'admin-secret')
!                       ('eem_svc', 'eem-secret')
!---- [NTP_ADDR]      > ('pri', {'pref': 'prefer', 'addr': '10.255.1.11'})
!                       ('sec', {'pref': '', 'addr': '10.255.1.12'})
!---- [ISE_ADDR]      > ('01', '10.255.1.21')
!                       ('02', '10.255.1.22')
!                       ('03', '10.255.1.23')
!---- [SNMPV3]        > ('auth', 'snmp-auth')
!                       ('grp', 'SNMP_ASW')
!                       ('priv', 'smp-priv')
!                       ('user', 'snmp_asw')
!---- [VLAN]          > ('global', {'id': '998', 'name': 'GLOBAL'})
!                       ('native', {'id': '999', 'name': 'NATIVE'})
!
!---------------------------------------------------------------- VARIABLES: DYNAMIC
!
!-- Variables (keys) with dynamic values based on variables paresed from the CSV keystore.
!
!-- Copy HOSTNAME from KEYSTORE_ID, get SW_COUNT and SERIALS from IDARRAY.
!---- HOSTNAME        > ASW-TR04-02
!---- SW_COUNT        > 4
!---- SERIALS         > ['FOC11111111', 'FOC22222222', 'FOC33333333', 'FOC44444444']
!
!-- Join HOSTNAME and SERIALS to make CFG_FILE; used by EEM applet for TFTP config push
!---- CFG_FILE        > ASW-TR04-02_FOC11111111-FOC22222222-FOC33333333-FOC44444444.cfg
!
!-- Create range lists for all access interfaces and all provisioning interfaces based on IDARRAY.
!---- GI_INTS         > Gi1/0/1-36,Gi2/0/1-36,Gi3/0/1-36,Gi4/0/1-36
!---- TE_INTS         > Te1/0/37-47,Te2/0/37-47,Te3/0/37-47,Te4/0/37-47
!---- PROV_INTS       > Te1/0/48,Te2/0/48,Te3/0/48,Te4/0/48
!
!-- Split hostname to get TR (numeric only) and SW.
!---- TR              > 04
!---- TRN             > 4
!---- SW              > 02
!
!-- Determine PO_NUM from TR (second digit) and (int of) SW; also used as last octet of MGMT IP.
!---- PO_NUM          > 142
!
!-- Determine MGMT subnet; IP from subnet and PO_NUM; append a name for the default route.
!---- [MGMT]          > ('net', u'10.254.4')
!                       ('ip', u'10.254.4.142')
!                       ('mask', '255.255.255.0')
!                       ('rt_name', 'Default>MGMT:DIST-01')
!
!-- Determine TR_VLS from TR, append them to the (static) [VLAN] dictionary.
!---- [TR_VLS]        > ('grt_crit', {'id': u'1499', 'name': u'GRT:TR04/CRIT-AUTH'})
!                       ('grt_thick', {'id': u'1402', 'name': u'GRT:TR04/THICK-CLIENTS'})
!                       ('grt_thin', {'id': u'1401', 'name': u'GRT:TR04/THIN-CLIENTS'})
!                       ('grt_voice', {'id': u'1403', 'name': u'GRT:TR04/VOICE'})
!                       ('mgmt_ap', {'id': u'2402', 'name': u'MGMT:TR04/CAPWAP'})
!                       ('mgmt_sw', {'id': u'2401', 'name': u'MGMT:TR04/SW-WLC'})
!
!-- Create VLAN_LIST from [VLAN].
!---- VLAN_LIST       > 1401,1402,1403,1499,2401,2402,998,999
!
!---------------------------------------------------------------- CONFIG: BASE
!
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname ASW-TR04-02
!
clock timezone PST -8 0
clock summer-time PDT recurring
!
switch 1 provision ws-c3850-12x48u
switch 2 provision ws-c3850-12x48u
switch 3 provision ws-c3850-12x48u
switch 4 provision ws-c3850-12x48u
!
no ip domain lookup
ip domain-name exmaple.local
!
logging buffered 409600 debugging
logging console debug
!
!ip ssh logging events
ip ssh version 2
!
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 priority 28672
!
vtp mode transparent
!
file prompt quiet
!
ip dhcp snooping vlan 1-4094
no ip dhcp snooping information option
ip dhcp snooping
!
udld aggressive
!
macro name int-auth
 switchport
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 1403
 device-tracking attach-policy IPDT
 authentication event server dead action reinitialize vlan 1499
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast
 ip dhcp snooping limit rate 25
 no shutdown
 no downshift
 no macro description
 @
!
macro name int-noauth
 # Unauthenticated interface macro, variables not mandatory.
 # > Assign appropriate access vlan using $VL
 #
 # Example config for a thin client in VL-1201;
 # (config)# interface gi#/#/#
 # (config-if)# macro apply int-noauth $VL 1201
 #
 switchport
 switchport access vlan $VL
 switchport mode access
 switchport nonegotiate
 device-tracking attach-policy IPDT
 spanning-tree portfast
 ip dhcp snooping limit rate 25
 no shutdown
 no downshift
 no macro description
 @
!
banner login @
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or
criminal penalties.
All activities performed on this device are logged and monitored.
-----------------------------------------------------------------------------------------
@
!
alias exec intstat show int status
alias exec ipint show ip int br | e una
alias exec ver show ver | i Soft|file
alias exec vlbr show vlan br | i active
alias exec rundiff show arch config diff
alias exec auth show auth sess int gi
alias exec radstat sh aaa server | i RADIUS|Platform State
alias exec int-auth event man run int-auth
alias exec int-noauth event man run int-noauth
!
!---------------------------------------------------------------- CONFIG: AUTH
!
enable secret 0 enable-secret
!
username admin privilege 15 secret 0 admin-secret
username eem_svc privilege 15 secret 0 eem-secret
!
aaa new-model
!
!-- TACACS servers and group config.
!
tacacs server ISE01-T
 address ipv4 10.255.1.21
 key 0 tacacs-secret
 single-connection

tacacs server ISE02-T
 address ipv4 10.255.1.22
 key 0 tacacs-secret
 single-connection

tacacs server ISE03-T
 address ipv4 10.255.1.23
 key 0 tacacs-secret
 single-connection
!
aaa group server tacacs+ ISE-T
 server name ISE01-T
 server name ISE02-T
 server name ISE03-T
 ip tacacs source-interface Vlan2401
!
!-- RADIUS servers and group config.
!
radius server ISE01-R
 address ipv4 10.255.1.21 auth-port 1812 acct-port 1813
 automate-tester username test-user ignore-acct-port probe-on
 key 0 radius-secret

radius server ISE02-R
 address ipv4 10.255.1.22 auth-port 1812 acct-port 1813
 automate-tester username test-user ignore-acct-port probe-on
 key 0 radius-secret

radius server ISE03-R
 address ipv4 10.255.1.23 auth-port 1812 acct-port 1813
 automate-tester username test-user ignore-acct-port probe-on
 key 0 radius-secret
!
aaa group server radius ISE-R
 server name ISE01-R
 server name ISE02-R
 server name ISE03-R
 ip radius source-interface Vlan2401
 load-balance method least-outstanding batch-size 5
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
!
aaa server radius dynamic-author
 client 10.255.1.21 server-key 0 radius-secret
 client 10.255.1.22 server-key 0 radius-secret
 client 10.255.1.23 server-key 0 radius-secret
!
!-- Default authentication method list to use TACACS, fallback to local (ssh).
 aaa authentication login default group ISE-T local
!
!-- Authentication method list to use local creds only (console).
 aaa authentication login CONSOLE local
!
!-- Required to authorize console to exec mode (console).
 aaa authorization console
!
!-- Default authorization exec and commands 15 method lists to use local or TACACS (console, ssh).
!-- 'local' must be defined here first for console authorization to work.
 aaa authorization exec default local group ISE-T if-authenticated 
 aaa authorization commands 15 default local group ISE-T if-authenticated
!
!-- Accounting commands to send all exec start-stop, and priv 15 commands to TACACS (console, ssh).
 aaa accounting exec default start-stop group ISE-T
 aaa accounting commands 15 default start-stop group ISE-T
!
!-- AAA commands for dot1x/mab.
aaa authentication dot1x default group ISE-R
aaa authorization network default group ISE-R
aaa accounting dot1x default start-stop group ISE-R
aaa accounting update newinfo periodic 2880
!
!---------------------------------------------------------------- CONFIG: DOT1X/ISE-MISC
!
dot1x system-auth-control
dot1x critical eapol
!
authentication mac-move permit
!
device-sensor filter-list dhcp list DHCP-ISE
 option name host-name
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-list cdp list CDP-ISE
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
!
device-sensor filter-spec dhcp include list DHCP-ISE
device-sensor filter-spec cdp include list CDP-ISE
device-sensor accounting
device-sensor notify all-changes
!
!---------------------------------------------------------------- CONFIG: VLANS
!
vlan 1401
 name GRT:TR04/THIN-CLIENTS

vlan 1402
 name GRT:TR04/THICK-CLIENTS

vlan 1403
 name GRT:TR04/VOICE

vlan 1499
 name GRT:TR04/CRIT-AUTH

vlan 2401
 name MGMT:TR04/SW-WLC

vlan 2402
 name MGMT:TR04/CAPWAP

vlan 998
 name GLOBAL

vlan 999
 name NATIVE
!
!---------------------------------------------------------------- CONFIG: INTERFACES
!
interface GigabitEthernet0/0
 shutdown
!
!-- Configure misc interfaces for all stack members.
!
interface range Te1/0/48,Te2/0/48,Te3/0/48,Te4/0/48
 description TMP//PROVISION
 switchport
 switchport mode access
 switchport nonegotiate
 switchport access vlan 1
 spanning-tree portfast
 ip dhcp snooping trust
 no shutdown
!
interface range Gi1/1/1-2
 shutdown
!
interface range Te1/1/3-4
 channel-group 1 mode active
 no shutdown
!
interface range Gi1/1/3-4,Te1/1/1-2,Te1/1/5-8,Fo1/1/1-2
 description ***NULL//DoNotConfigure
 shutdown

interface range Gi2/1/1-2
 shutdown
!
interface range Te2/1/3-4
 channel-group 1 mode active
 no shutdown
!
interface range Gi2/1/3-4,Te2/1/1-2,Te2/1/5-8,Fo2/1/1-2
 description ***NULL//DoNotConfigure
 shutdown

interface range Gi3/1/1-2
 shutdown
!
interface range Te3/1/3-4
 channel-group 1 mode active
 no shutdown
!
interface range Gi3/1/3-4,Te3/1/1-2,Te3/1/5-8,Fo3/1/1-2
 description ***NULL//DoNotConfigure
 shutdown

interface range Gi4/1/1-2
 shutdown
!
interface range Te4/1/3-4
 channel-group 1 mode active
 no shutdown
!
interface range Gi4/1/3-4,Te4/1/1-2,Te4/1/5-8,Fo4/1/1-2
 description ***NULL//DoNotConfigure
 shutdown
!
interface Port-channel1
 description DIST-01:Po142
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1401,1402,1403,1499,2401,2402,998,999
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
 no shutdown
!
!---------------------------------------------------------------- CONFIG: IP/SOURCE/NMS
!
interface Vlan1
 desc TMP//PROVISION
 ip address dhcp
 no shutdown
!
interface Vlan2401
 description MGMT:TR04/SW-WLC
 no ip redirects
 no ip proxy-arp
 ip address 10.254.4.142 255.255.255.0
 no shutdown
!
ip tftp source-interface Vlan2401
ip tftp blocksize 8192
!
ip route 0.0.0.0 0.0.0.0 10.254.4.1 name Default>MGMT:DIST-01
!
logging source-interface Vlan2401
logging host 10.255.1.1
!
ntp authentication-key 1 md5 ntp-secret
ntp authenticate
ntp trusted-key 1
ntp server 10.255.1.11 key 1 prefer source vlan2401
ntp server 10.255.1.12 key 1  source vlan2401
!
snmp-server group SNMP_ASW v3 priv
snmp-server user snmp_asw SNMP_ASW v3 auth sha snmp-auth priv aes 256 smp-priv
snmp-server location Provisioned with switch template: tmpl_test.j2 (rev: 8)
snmp-server contact Provisioned hostname (ASW-TR04-02) and stack members: FOC11111111-FOC22222222-FOC33333333-FOC44444444
!
line console 0
 login authentication CONSOLE
 logging synchronous
 exec-timeout 15 0
line vty 0 15
 logging synchronous
 exec-timeout 30 0
 transport input ssh
!
!---------------------------------------------------------------- CONFIG: EEM
!
event manager session cli username eem_svc
!
event manager applet int-auth
 event none maxrun 60
 action 00.00 puts "## Enter interface to configure with authentication; e.g. gi1/0/1, te1/0/37"
 action 00.01 gets intf
 action 00.02 cli command "enable"
 action 00.03 cli command "show int $intf status"
 action 00.04 regexp "Invalid" "$_cli_result"
 action 00.05 if $_regexp_result eq "1"
 action 00.06  puts "## Invalid interface ($intf), verify prefix; i.e. 'gi' or 'te'."
 action 00.07  exit
 action 00.08 end
 action 00.10 regexp "connected\ +([0-9]+)" "$_cli_result" match currvl
 action 00.11 if $_regexp_result eq "1"
 action 00.12  puts "## Interface $intf has a device connected in VLAN $currvl, continue (y|n)..."
 action 00.13  gets cont
 action 00.14  if $cont ne "y"
 action 00.15   exit
 action 00.16  end
 action 00.17 end
 action 01.00 cli command "conf t"
 action 01.01 cli command "default int $intf"
 action 01.02 cli command "int $intf"
 action 01.03 cli command "macro apply int-auth"
 action 01.04 cli command "end"
 action 01.05 cli command "write mem" pattern "confirm|#"
 action 01.06 cli command ""
 action 01.10 puts "## Interface $intf configured with authentication."
!
event manager applet int-noauth
 event none maxrun 60
 action 00.00 puts "## Enter interface to configure without authentication; e.g. gi1/0/1, te1/0/37"
 action 00.01 gets intf
 action 00.02 cli command "enable"
 action 00.03 cli command "show int $intf status"
 action 00.04 regexp "Invalid" "$_cli_result"
 action 00.05 if $_regexp_result eq "1"
 action 00.06  puts "## Invalid interface ($intf), verify prefix; i.e. 'gi' or 'te'."
 action 00.07  exit
 action 00.08 end
 action 00.10 regexp "connected\ +([0-9]+)" "$_cli_result" match currvl
 action 00.11 if $_regexp_result eq "1"
 action 00.12  puts "## Interface $intf has a device connected in VLAN $currvl, continue (y|n)..."
 action 00.13  gets cont
 action 00.14  if $cont ne "y"
 action 00.15   exit
 action 00.16  end
 action 00.17 end
 action 00.20 puts "## Enter access VLAN ID; e.g. 800"
 action 00.21 gets vl
 action 00.22 cli command "show vlan id $vl"
 action 00.23 regexp "not found" "$_cli_result"
 action 00.24 if $_regexp_result eq "1"
 action 00.25  puts "## VLAN $vl is not configured on this switch."
 action 00.26  exit
 action 00.27 end
 action 01.00 cli command "conf t"
 action 01.01 cli command "default int $intf"
 action 01.02 cli command "int $intf"
 action 01.03 cli command "macro apply int-noauth \$VL $vl"
 action 01.04 cli command "end"
 action 01.05 cli command "write mem" pattern "confirm|#"
 action 01.06 cli command ""
 action 01.10 puts "## Interface $intf configured without authentication in VL-$vl, please describe accordingly."
!
!---------------------------------------------------------------- CONFIG: EEM-TEMP
!
event manager environment q "
!
event manager applet post_ztp_1
!-- Renumber/prioritize switches in stack, write mem, and then download->upgrade/reload (if needed).
 event syslog occurs 1 pattern "Configured from tftp://172.17.251.251" maxrun 960
 action 00.00 syslog msg "  ## Configuration received via TFTP, run 'post_ztp_1' EEM applet in 120s."
 action 00.01 wait 120
 action 00.03 cli command "enable"
 action 00.05 cli command "show mod | i ^.[1-9]"
 action 00.06 set stack "$_cli_result"
 action 00.07 syslog msg "  ## Checking all switches' version and stack membership, adjusting where necessary.\n  ## Current order;\n$stack"
 action 00.08 set error_list ""
 action 00.09 set change_list ""
 action 00.10 set upgrade_list ""
 
 action 01.00 set sw_num "1"
 action 01.01 set pri "16"
 action 01.02 decrement pri 1
 action 01.03 regexp "FOC11111111" "$stack"
 action 01.04 if $_regexp_result ne "1"
 action 01.05  syslog msg "\n  ## FOC11111111 (Sw-1 serial) not found in the stack, check 'show mod' output."
 action 01.06  append error_list "\n  ##  FOC11111111 is allocated (idarray_1) but was not found in the stack."
 action 01.07 else
 action 01.08  set i "0"
 action 01.09  foreach line "$stack" "\n"
 action 01.10   increment i
 action 01.11   if $i le "4"
 action 01.12    string trim "$line"
 action 01.13    set line "$_string_result"
 action 01.14    regexp "FOC11111111" "$line"
 action 01.15    if $_regexp_result eq "1"
 action 01.16     regexp "([0-9\.A-Z]+$)" "$line" curr_ver
 action 01.17     if $curr_ver ne "16.3.7"
 action 01.18      append upgrade_list "1"
 action 01.19     end
 action 01.20     cli command "switch $i priority $pri" pattern "continue|#"
 action 01.21     cli command "y"
 action 01.22     if $i eq $sw_num
 action 01.23      append change_list "\n  ##  FOC11111111 (Priority: $pri // Numbered:       $sw_num  // Version: $curr_ver)"
 action 01.24     else
 action 01.25      cli command "switch $i renumber $sw_num" pattern "continue|#"
 action 01.26      cli command "y"
 action 01.27      append change_list "\n  ##  FOC11111111 (Priority: $pri // Renumbered: $i > $sw_num* // Version: $curr_ver)"
 action 01.28     end
 action 01.29     break
 action 01.30    end
 action 01.31   end
 action 01.32  end
 action 01.33 end
 
 action 02.00 set sw_num "2"
 action 02.01 set pri "16"
 action 02.02 decrement pri 2
 action 02.03 regexp "FOC22222222" "$stack"
 action 02.04 if $_regexp_result ne "1"
 action 02.05  syslog msg "\n  ## FOC22222222 (Sw-2 serial) not found in the stack, check 'show mod' output."
 action 02.06  append error_list "\n  ##  FOC22222222 is allocated (idarray_2) but was not found in the stack."
 action 02.07 else
 action 02.08  set i "0"
 action 02.09  foreach line "$stack" "\n"
 action 02.10   increment i
 action 02.11   if $i le "4"
 action 02.12    string trim "$line"
 action 02.13    set line "$_string_result"
 action 02.14    regexp "FOC22222222" "$line"
 action 02.15    if $_regexp_result eq "1"
 action 02.16     regexp "([0-9\.A-Z]+$)" "$line" curr_ver
 action 02.17     if $curr_ver ne "16.3.7"
 action 02.18      append upgrade_list "2"
 action 02.19     end
 action 02.20     cli command "switch $i priority $pri" pattern "continue|#"
 action 02.21     cli command "y"
 action 02.22     if $i eq $sw_num
 action 02.23      append change_list "\n  ##  FOC22222222 (Priority: $pri // Numbered:       $sw_num  // Version: $curr_ver)"
 action 02.24     else
 action 02.25      cli command "switch $i renumber $sw_num" pattern "continue|#"
 action 02.26      cli command "y"
 action 02.27      append change_list "\n  ##  FOC22222222 (Priority: $pri // Renumbered: $i > $sw_num* // Version: $curr_ver)"
 action 02.28     end
 action 02.29     break
 action 02.30    end
 action 02.31   end
 action 02.32  end
 action 02.33 end
 
 action 03.00 set sw_num "3"
 action 03.01 set pri "16"
 action 03.02 decrement pri 3
 action 03.03 regexp "FOC33333333" "$stack"
 action 03.04 if $_regexp_result ne "1"
 action 03.05  syslog msg "\n  ## FOC33333333 (Sw-3 serial) not found in the stack, check 'show mod' output."
 action 03.06  append error_list "\n  ##  FOC33333333 is allocated (idarray_3) but was not found in the stack."
 action 03.07 else
 action 03.08  set i "0"
 action 03.09  foreach line "$stack" "\n"
 action 03.10   increment i
 action 03.11   if $i le "4"
 action 03.12    string trim "$line"
 action 03.13    set line "$_string_result"
 action 03.14    regexp "FOC33333333" "$line"
 action 03.15    if $_regexp_result eq "1"
 action 03.16     regexp "([0-9\.A-Z]+$)" "$line" curr_ver
 action 03.17     if $curr_ver ne "16.3.7"
 action 03.18      append upgrade_list "3"
 action 03.19     end
 action 03.20     cli command "switch $i priority $pri" pattern "continue|#"
 action 03.21     cli command "y"
 action 03.22     if $i eq $sw_num
 action 03.23      append change_list "\n  ##  FOC33333333 (Priority: $pri // Numbered:       $sw_num  // Version: $curr_ver)"
 action 03.24     else
 action 03.25      cli command "switch $i renumber $sw_num" pattern "continue|#"
 action 03.26      cli command "y"
 action 03.27      append change_list "\n  ##  FOC33333333 (Priority: $pri // Renumbered: $i > $sw_num* // Version: $curr_ver)"
 action 03.28     end
 action 03.29     break
 action 03.30    end
 action 03.31   end
 action 03.32  end
 action 03.33 end
 
 action 04.00 set sw_num "4"
 action 04.01 set pri "16"
 action 04.02 decrement pri 4
 action 04.03 regexp "FOC44444444" "$stack"
 action 04.04 if $_regexp_result ne "1"
 action 04.05  syslog msg "\n  ## FOC44444444 (Sw-4 serial) not found in the stack, check 'show mod' output."
 action 04.06  append error_list "\n  ##  FOC44444444 is allocated (idarray_4) but was not found in the stack."
 action 04.07 else
 action 04.08  set i "0"
 action 04.09  foreach line "$stack" "\n"
 action 04.10   increment i
 action 04.11   if $i le "4"
 action 04.12    string trim "$line"
 action 04.13    set line "$_string_result"
 action 04.14    regexp "FOC44444444" "$line"
 action 04.15    if $_regexp_result eq "1"
 action 04.16     regexp "([0-9\.A-Z]+$)" "$line" curr_ver
 action 04.17     if $curr_ver ne "16.3.7"
 action 04.18      append upgrade_list "4"
 action 04.19     end
 action 04.20     cli command "switch $i priority $pri" pattern "continue|#"
 action 04.21     cli command "y"
 action 04.22     if $i eq $sw_num
 action 04.23      append change_list "\n  ##  FOC44444444 (Priority: $pri // Numbered:       $sw_num  // Version: $curr_ver)"
 action 04.24     else
 action 04.25      cli command "switch $i renumber $sw_num" pattern "continue|#"
 action 04.26      cli command "y"
 action 04.27      append change_list "\n  ##  FOC44444444 (Priority: $pri // Renumbered: $i > $sw_num* // Version: $curr_ver)"
 action 04.28     end
 action 04.29     break
 action 04.30    end
 action 04.31   end
 action 04.32  end
 action 04.33 end
 
 action 10.00 wait 5
 action 10.01 if $error_list ne ""
 action 10.02  syslog msg "\n  ## The following errors occurred; $error_list"
 action 10.03 end
 action 10.04 syslog msg "\n  ## Switches below have been assigned a priority and renumbered* as needed; $change_list"
 action 13.00 cli command "conf t"
 action 13.01 cli command "no event man app post_ztp_1"
 action 14.00 if $upgrade_list eq ""
 action 14.01  syslog msg "  ## All switches are running version 16.3.7, skipping download->upgrade/reload; finalizing config in 20s."
 action 14.02  cli command "no event man env q"
 action 14.03  cli command "event man env ztp_upgraded no"
 action 14.04  cli command " event man app post_ztp_2"
 action 14.05  cli command " event timer countdown time 20 maxrun 480"
 action 14.06  cli command " no action 00.00"
 action 14.07  cli command " no action 00.01"
 action 14.08  cli command " end"
 action 14.09  cli command "write mem" pattern "confirm|#"
 action 14.10  cli command ""
 action 14.11 else
 action 14.12  syslog msg "  ## One or more switches require an upgrade to version 16.3.7 ($upgrade_list); proceeding with download->upgrade/reload."
 action 14.13  cli command "event man env ztp_upgraded yes"
 action 14.14  cli command "event man app post_ztp_2"
 action 14.15  cli command " event syslog occurs 1 pattern $q%IOSXE_REDUNDANCY-6-PEER$q maxrun 630"
 action 14.16  cli command " no event man env q"
 action 14.17  cli command "end"
 action 14.18  cli command "write mem" pattern "confirm|#"
 action 14.19  cli command ""
 action 14.20  syslog msg "  ## (Standby) Downloading image..."
 action 14.21  cli command "copy tftp://172.17.251.251/cat3k_caa-universalk9.16.03.07.SPA.bin flash:"
 action 14.22  syslog msg "  ## (Standby) Image downloaded, upgrading..."
 action 14.23  cli command "software install file flash:cat3k_caa-universalk9.16.03.07.SPA.bin new force" pattern "proceed|#"
 action 14.24  syslog msg "  ## Upgrade complete, rebooting."
 action 14.25  cli command "y"
 action 14.26 end
!
event manager applet post_ztp_2
!-- Apply final configs, push running config via TFTP, clean up VL-1 and Te#/0/48 configs, write mem, and then perform package clean.
 event none
 action 00.00 syslog msg "  ## Switch reloaded on new image, running 'post_ztp_2' EEM applet in 150s."
 action 00.01 wait 150
 action 00.02 syslog msg "  ## (Standby) Applying global configs ignored by smart-install and generating crypto key..."
 action 00.03 cli command "enable"
 action 00.04 set upgr "$ztp_upgraded"
 action 01.00 cli command "conf t"
 action 01.01 cli command "no event man env ztp_upgraded"
 action 01.02 cli command "no event man app post_ztp_2"
 action 01.04 cli command "no vstack"
 action 01.05 cli command "no ip http ser"
 action 01.06 cli command "no ip http secure-s"
 action 01.07 cli command "no ip http authen"
 action 01.08 cli command "no coap http enable"
 action 01.09 cli command "device-tracking policy IPDT"
 action 01.10 cli command " no protocol udp"
 action 01.11 cli command " tracking enable"
 action 01.12 cli command "cry key gen rsa mod 2048"
 action 02.00 syslog msg "  ## (Standby) Applying `int-auth` macro config to ports 1-48 on all stack members..."
 action 02.01 cli command "int range Gi1/0/1-36,Gi2/0/1-36,Gi3/0/1-36,Gi4/0/1-36"
 action 02.02 cli command " macro apply int-auth"
 action 02.03 cli command " no macro desc"
 action 02.04 cli command "int range Te1/0/37-47,Te2/0/37-47,Te3/0/37-47,Te4/0/37-47"
 action 02.05 cli command " macro apply int-auth"
 action 02.06 cli command " no macro desc"
 action 03.00 syslog msg "  ## Pushing config to the following location: tftp://172.17.251.251/provisioned/CAS/ASW-TR04-02_FOC11111111-FOC22222222-FOC33333333-FOC44444444.cfg"
 action 03.01 cli command "do copy run tftp://172.17.251.251/provisioned/CAS/ASW-TR04-02_FOC11111111-FOC22222222-FOC33333333-FOC44444444.cfg"
 action 04.00 syslog msg "  ## Disabling VL-1 SVI, updating Te#/0/48 configs, and writing startup config."
 action 04.01 cli command "int vl 1"
 action 04.02 cli command " no desc"
 action 04.03 cli command " no ip addr"
 action 04.04 cli command " shut"
 action 04.05 cli command "default int range Te1/0/48,Te2/0/48,Te3/0/48,Te4/0/48"
 action 04.06 cli command "int range Te1/0/48,Te2/0/48,Te3/0/48,Te4/0/48"
 action 04.07 cli command " macro apply int-auth"
 action 04.08 cli command " no macro desc"
 action 04.09 cli command "end"
 action 04.10 cli command "write mem" pattern "confirm|#"
 action 04.11 cli command ""
 action 05.00 if $upgr eq "yes"
 action 05.01  syslog msg "  ## (Standby) ZTP upgrade detected, performing software package clean..."
 action 05.02  cli command "req plat soft pack clean sw all" pattern "proceed|#"
 action 05.03  cli command "y"
 action 05.04  syslog msg "  ## Unused .bin or .pkg files from previous version(s) have been deleted."
 action 05.05 else
 action 05.06  syslog msg "  ## ZTP upgrade not detected, skipping software package clean."
 action 05.07 end
 action 05.08 syslog msg "  ## Start-up config written, (ASW-TR04-02) is ready for deployment, OK to power off."
!
end
##############################

Tags: , , , , , , ,

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.