Implements Task 7. Deliberate lockout-safe ordering (vlan-filtering LAST) with
:if [find] guards that adopt the existing defconf bridge/ports rather than
recreating them. Membership Jinja: trunk ports tagged per tagged_vlans, access
ports untagged per pvid, bridge/CPU tagged only on the mgmt VLAN; else={set} makes
membership declarative. Jinja render validated offline against the placeholder
topology. Device run DEFERRED to an on-site session with a recovery channel
(remote bench has no serial/WinBox-MAC fallback). Topology stays placeholder.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
45 lines
2.2 KiB
YAML
---
# Device facts (recorded on-site 2026-06-08):
# model: CRS310-8G+2S+IN
# serial: HM40B8TDNDD
# base MAC (ether1): D0:EA:11:24:F4:AA
# RouterOS: 7.19.6 stable (bootloader already current) -> pinned target below
#
# Bootstrap status (2026-06-08): identity set; user `sjat` (full) created with the
# operator ed25519 key imported + a vaulted password (vault_switch_admin_password in
# group_vars/mikrotik.vault.yml). Key login verified. Default `admin` still enabled
# (not yet hardened). Switch currently on the bench at 192.168.88.1 (defconf, not yet
# reset/VLAN-configured). Real mgmt addressing below is the FUTURE production plan.
# Day-2 connection: key auth as the named admin user (overrides the bootstrap
# default ansible_user=admin in group_vars/mikrotik.yml).
ansible_user: sjat

switch_identity_name: "crs310-maker"
switch_mgmt_vlan_id: 99
switch_mgmt_address: "10.0.99.2/24" # EDIT: real mgmt IP
switch_mgmt_gateway: "10.0.99.1" # EDIT: real gateway
switch_dns_servers: "10.0.99.1"
switch_ntp_servers: "10.0.99.1"

switch_admin_user: "sjat"

# PLACEHOLDER VLAN/port topology — vlans.yml is the correct mechanism, but these IDs
# and the per-port map are NOT the real makerspace plan. Replace with the real
# VLAN ids + full ether1-8/sfp map before any on-site VLAN run. Notes:
# - mode: access -> untagged member of `pvid`; mode: trunk -> tagged member of
#   each id in `tagged_vlans`, with `pvid` as the native (untagged) VLAN.
# - trunk pvid: 1 means untagged frames on the uplink land in VLAN 1 (unused in a
#   hardened design). Decide deliberately whether the uplink should carry any
#   untagged traffic; set pvid to an intended native VLAN or leave 1 as a dead end.
# - the bridge (CPU) is tagged ONLY on switch_mgmt_vlan_id (see vlans.yml).
switch_vlans:
  - {id: 99, name: "mgmt"}
  - {id: 10, name: "members"}
switch_bridge_ports:
  - {interface: "ether1", pvid: 10, mode: access}
  - {interface: "ether2", pvid: 10, mode: access}
  - {interface: "sfp-sfpplus1", pvid: 1, mode: trunk, tagged_vlans: [99, 10]}

# Firmware: pinned at the version already installed (no upgrade planned now).
switch_firmware_target: "7.19.6"
# switch_firmware_enabled: true # opt-in only when you actually want to upgrade
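The membership rules in the comments above and the lockout-safe ordering from the commit message, worked through as an added Python example (not the role's Jinja template or any code from this commit): it renders the placeholder topology into RouterOS commands and refuses to render when no port would carry the mgmt VLAN to the CPU. The bridge name `bridge` (the defconf default) and the exact command form are assumptions.

```python
MGMT_VLAN = 99  # placeholder topology copied from the host_vars above
VLANS = [{"id": 99, "name": "mgmt"}, {"id": 10, "name": "members"}]
PORTS = [
    {"interface": "ether1", "pvid": 10, "mode": "access"},
    {"interface": "ether2", "pvid": 10, "mode": "access"},
    {"interface": "sfp-sfpplus1", "pvid": 1, "mode": "trunk", "tagged_vlans": [99, 10]},
]

def lockout_problems(vlans, ports, mgmt_vlan):
    """Conditions under which vlan-filtering=yes would cut the CPU off."""
    ids = {v["id"] for v in vlans}
    problems = []
    if mgmt_vlan not in ids:
        problems.append(f"mgmt VLAN {mgmt_vlan} not in switch_vlans")
    for p in ports:
        if p["mode"] == "access" and p["pvid"] not in ids:
            problems.append(f"{p['interface']}: access pvid {p['pvid']} undefined")
        problems += [f"{p['interface']}: tagged VLAN {t} undefined"
                     for t in p.get("tagged_vlans", []) if t not in ids]
    if not any(mgmt_vlan in p.get("tagged_vlans", []) or p["pvid"] == mgmt_vlan
               for p in ports):
        problems.append(f"no port carries mgmt VLAN {mgmt_vlan}; CPU unreachable")
    return problems

def membership(vlans, ports, mgmt_vlan, bridge="bridge"):
    """{vlan_id: (tagged, untagged)}: access -> untagged on pvid; trunk -> tagged
    on tagged_vlans and untagged on its pvid (native); CPU tagged on mgmt only."""
    out = {}
    for vid in sorted(v["id"] for v in vlans):
        tagged = [p["interface"] for p in ports
                  if p["mode"] == "trunk" and vid in p.get("tagged_vlans", [])]
        untagged = [p["interface"] for p in ports if p["pvid"] == vid]
        if vid == mgmt_vlan:
            tagged.append(bridge)
        out[vid] = (tagged, untagged)
    return out

def render(vlans, ports, mgmt_vlan, bridge="bridge"):
    """RouterOS commands in lockout-safe order: pvids, VLAN table, and only then
    vlan-filtering=yes. Bridge name 'bridge' (defconf default) is an assumption."""
    problems = lockout_problems(vlans, ports, mgmt_vlan)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [f"/interface/bridge/port set [find interface={p['interface']}] pvid={p['pvid']}"
            for p in ports]
    for vid, (tagged, untagged) in membership(vlans, ports, mgmt_vlan, bridge).items():
        cmd = f"/interface/bridge/vlan add bridge={bridge} vlan-ids={vid} tagged={','.join(tagged)}"
        cmds.append(cmd + (f" untagged={','.join(untagged)}" if untagged else ""))
    cmds.append(f"/interface/bridge set [find name={bridge}] vlan-filtering=yes")
    return cmds
```

Run `render(VLANS, PORTS, MGMT_VLAN)` to see the ordered command list; feeding it a port map that drops VLAN 99 from the uplink raises instead of producing a config that would strand the CPU.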