gizmoguy/faucet.yaml

## faucet.yaml
---
dps:
    atx930:
        description: allied telesis
        dp_id: 0x0000eccd6def54fe
        hardware: "Allied-Telesis"
        interfaces:
            openli_server:
                number: 1
                native_vlan: lan
                acl_in: protect_from_access
            wired_port:
                number: 2
                native_vlan: lan
                acl_in: protect_from_access
            openli_mirror:
                number: 3
                mirror: 5
            unifi_switch_1:
                description: "upstairs"
                number: 4
                native_vlan: wifi_mgmt
                tagged_vlans:
                  - lan
                acl_in: protect_from_access
            unifi_switch_2:
                description: "openli tutorial room"
                number: 5
                native_vlan: wifi_mgmt
                tagged_vlans:
                  - lan
                acl_in: protect_from_access
            unifi_switch_3:
                description: "upstairs"
                number: 6
                native_vlan: wifi_mgmt
                tagged_vlans:
                  - lan
                acl_in: protect_from_access
            conference_uplink:
                number: 24
                native_vlan: wifi_mgmt
                tagged_vlans:
                  - lan
vlans:
    wifi_mgmt:
        description: Wifi management network
        vid: 2043
    lan:
        description: Conference access network
        vid: 100
acls:
    protect_from_access:
        # Faucet antispoof protection
        - rule:
            dl_src: 0e:00:00:00:00:00/ff:ff:ff:00:00:00
            actions:
                allow: 0     # drop
        # Drop STP
        - rule:
            dl_dst: 01:80:c2:00:00:00
            actions:
                allow: 0     # drop
        # Drop dhcp server traffic
        - rule:
            dl_type: 0x800   # ipv4
            nw_proto: 17     # udp
            udp_src: 67      # bootps
            udp_dst: 68      # bootpc
            actions:
                allow: 0     # drop
        # Drop dhcpv6 server traffic
        - rule:
            dl_type: 0x86dd  # ipv6
            nw_proto: 17     # udp
            udp_src: 547     # dhcpv6-server
            udp_dst: 546     # dhcpv6-client
            actions:
                allow: 0     # drop
        # Drop icmpv6 router advertisements
        - rule:
            dl_type: 0x86dd  # ipv6
            nw_proto: 58     # icmpv6
            icmpv6_type: 134 # router advertisement
            actions:
                allow: 0     # drop
        # Allow the rest
        - rule:
            actions:
              allow: 1
...
	---
	dps:
	atx930:
	description: allied telesis
	dp_id: 0x0000eccd6def54fe
	hardware: "Allied-Telesis"
	interfaces:
	openli_server:
	number: 1
	native_vlan: lan
	acl_in: protect_from_access
	wired_port:
	number: 2
	native_vlan: lan
	acl_in: protect_from_access
	openli_mirror:
	number: 3
	mirror: 5
	unifi_switch_1:
	description: "upstairs"
	number: 4
	native_vlan: wifi_mgmt
	tagged_vlans:
	- lan
	acl_in: protect_from_access
	unifi_switch_2:
	description: "openli tutorial room"
	number: 5
	native_vlan: wifi_mgmt
	tagged_vlans:
	- lan
	acl_in: protect_from_access
	unifi_switch_3:
	description: "upstairs"
	number: 6
	native_vlan: wifi_mgmt
	tagged_vlans:
	- lan
	acl_in: protect_from_access
	conference_uplink:
	number: 24
	native_vlan: wifi_mgmt
	tagged_vlans:
	- lan
	vlans:
	wifi_mgmt:
	description: Wifi management network
	vid: 2043
	lan:
	description: Conference access network
	vid: 100
	acls:
	protect_from_access:
	# Faucet antispoof protection
	- rule:
	dl_src: 0e:00:00:00:00:00/ff:ff:ff:00:00:00
	actions:
	allow: 0 # drop
	# Drop STP
	- rule:
	dl_dst: 01:80:c2:00:00:00
	actions:
	allow: 0 # drop
	# Drop dhcp server traffic
	- rule:
	dl_type: 0x800 # ipv4
	nw_proto: 17 # udp
	udp_src: 67 # bootps
	udp_dst: 68 # bootpc
	actions:
	allow: 0 # drop
	# Drop dhcpv6 server traffic
	- rule:
	dl_type: 0x86dd # ipv6
	nw_proto: 17 # udp
	udp_src: 547 # dhcpv6-server
	udp_dst: 546 # dhcpv6-client
	actions:
	allow: 0 # drop
	# Drop icmpv6 router advertisements
	- rule:
	dl_type: 0x86dd # ipv6
	nw_proto: 58 # icmpv6
	icmpv6_type: 134 # router advertisement
	actions:
	allow: 0 # drop
	# Allow the rest
	- rule:
	actions:
	allow: 1
	...