diff --git a/juniper-macros.j2 b/juniper-macros.j2
index 49d3c1c..260006a 100644
--- a/juniper-macros.j2
+++ b/juniper-macros.j2
@@ -1,9 +1,23 @@
-{% macro systemsection(device,root_pw,users,syslog_servers,ntp_servers) %}
+{% macro systemsection(device,root_pw,users,syslog_servers,ntp_servers,tacacs_servers) %}
 system {
 host-name {{ device.name }};
+{% if tacacs_servers %}
+ authentication-order [ tacplus password ];
+{% endif %}
 root-authentication {
 encrypted-password "{{ root_pw }}"; ## Client Higher
 }
+{% if tacacs_servers %}
+ tacplus-server {
+{% for server, details in tacacs_servers %}
+ {{ server }} {
+ port 49;
+ secret "{{ details['secret']"; ## SECRET-DATA
+ source-address {{ device.primary_ip4.address.ip }};
+ }
+{% endfor %}
+ }
+{% endif %}
 login {
 class sysadmin {
 permissions [ admin clear configure control firewall-control interface interface-control network reset rollback routing routing-control snmp snmp-control trace-control view view-configuration ];
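Review bot: The `secret` line inside the new tacplus-server loop never closes its Jinja expression — `"{{ details['secret']";` has no `}}` — so the lexer reads on into the source-address line and the template should fail to parse whenever tacacs_servers is set; it needs to be `secret "{{ details['secret'] }}"; ## SECRET-DATA`. The loop header `{% for server, details in tacacs_servers %}` also unpacks two values per item, whereas the chassis macro later in this diff iterates a mapping with `breakout_ports.items()`; if tacacs_servers is a mapping keyed by server address, it needs `.items()` here as well. The systemsection macro body continues past this hunk.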
@@ -12,25 +26,38 @@ system {
 user {{ user }} {
 uid 200{{ loop.index }};
 class {{ details['role'] }};
+{% if details['password'] %}
 authentication {
 encrypted-password "{{ details['password'] }}"; ## SECRET-DATA
 }
+{% endif %}
 }
 {% endfor %}
 }
 services {
+{% if device.role.name in ['Leaf','Spine'] %}
 ssh;
+{% else %}
+ ssh {
+ root-login deny;
+ }
+{% endif %}
 }
 syslog {
 {% for server in syslog_servers %}
 host {{ server }} {
 any notice;
 authorization info;
+{% if device.role.name in ['Leaf','Spine'] %}
+ match "!(.*DH_SVC_SENDMSG_FAILURE.*|.*UI_.*|.*shmlog: unable to create argtype.*|.*DEBUG: PAM_USER.*|.*DEBUG: PAM_ACTUAL_USER.*|.*SNMPD_AUTH_FAILURE.*|.*/usr/sbin/cron.*|.*jl2tpd.*|.*dfcd.*|.*l2ald.*|.*cc_mic_sfp_is_present.*|.*RMOPD_ICMP_SENDMSG_FAILURE.*|.*acx_vpls_mesh_grp_get_info.*|.*last message repeated.*|.*Refreshing mastership.*|.*hw.chassis.startup_time update.*)";
+ facility-override local6;
+{% endif %}
 }
 {% endfor %}
 file interactive-commands {
 interactive-commands any;
 }
+{% if device.role.name in ['Leaf','Spine'] %}
 file linkupdown {
 any info;
 match "LINK_DOWN|LINK_UP";
@@ -39,6 +66,7 @@ system {
 any notice;
 authorization info;
 }
+{% endif %}
 }
 {% if ntp_servers|length > 0 %}
 ntp {
@@ -53,11 +81,13 @@ system {
 
 {% macro chassissection(device,breakout_ports) %}
 chassis {
+{% if device.interfaces.all()|selectattr('type','eq','lag')|list|count > 0 %}
 aggregated-devices {
 ethernet {
 device-count {{ device.interfaces.all()|selectattr('type','eq','lag')|list|count }};
 }
 }
+{% endif %}
 {% if breakout_ports %}
 {% for fpc, fpcdata in breakout_ports.items() %}
 fpc {{ fpc }} {
@@ -73,6 +103,11 @@ chassis {
 }
 {% endfor %}
 {% endif %}
+{% if device.role.name in ['Provider Core'] %}
+ forwarding-options {
+ lpm-profile;
+ }
+{% endif %}
 }
 {%- endmacro %}
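Review bot: The syslog `match` added for Leaf/Spine hosts is a negated pattern, so every alternative it lists is withheld from the remote collector, and that list includes `.*UI_.*` and `.*SNMPD_AUTH_FAILURE.*` — the `UI_` tags (UI_LOGIN_EVENT, UI_AUTH_EVENT, UI_COMMIT and the like) carry the login, authentication and commit audit trail, so collectors for these roles will not receive it. If only the noisy UI debug messages are meant to go, narrowing that alternative to the specific tags keeps the audit events; if the exclusion is deliberate, a comment such as `{# Leaf/Spine: UI_ and SNMP auth-failure messages are intentionally not forwarded #}` above the `{% if %}` should record it. In the same hunk `root-login deny` is emitted only in the non-Leaf/Spine branch, so Leaf/Spine devices keep the platform default for SSH root login; if that is not intended, the `ssh { root-login deny; }` block could be rendered for every role. The `{% if %}` opened on the hunk's last line and the systemsection macro both continue outside this hunk.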
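Review bot: The LAG-count expression `device.interfaces.all()|selectattr('type','eq','lag')|list|count` now appears twice in the chassis macro, once in the new `{% if %}` guard and once in `device-count`, so the two can drift apart and, if `device.interfaces.all()` is an ORM query, it is presumably executed twice per render. Computing it once keeps them in step: `{% set lag_count = device.interfaces.all()|selectattr('type','eq','lag')|list|count %}`, `{% if lag_count > 0 %}` and `device-count {{ lag_count }};`. The chassissection macro continues past this hunk.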
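Review bot: `{% if device.role.name in ['Provider Core'] %}` tests membership in a one-element list, which reads as if more roles were expected; `{% if device.role.name == 'Provider Core' %}` states the intent directly. The same form guards the new interface-range in the interfacesection hunk below. The enclosing chassis block starts before this hunk.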
@@ -164,6 +199,17 @@ chassis {
 {% macro interfacesection(device,vlans) %}
 interfaces {
+{% if device.role.name in ['Provider Core'] %}
+ interface-range core-mpls {
+{% for interface in device.interfaces.filter(tags__name='vpls-core') %}
+ member {{ interface }};
+{% endfor %}
+ unit 0 {
+ family inet;
+ family mpls;
+ }
+ }
+{% endif %}
 {# Physical interfaces should be sorted by FPC/PIC/Port value - that's a challenge to do in Jinja so we cheat for now by putting the xe- interfaces first. This won't work for all devices! #}
 {% for interface in device.interfaces.filter(name__startswith='ge-') %}
 {{ interfaceconfig(interface) }}
@@ -200,9 +246,9 @@ interfaces {
 }
 {%- endmacro %}
 
-{% macro snmpsection(rack, snmp) %}
+{% macro snmpsection(device, snmp) %}
 snmp {
- location "Domicilium Datacentre {{ rack['name'] }}";
+ location "{{ device.rack.site.name }} Rack {{ device.rack.name }}";
 contact "{{ snmp['contact'] }}";
 community {{ snmp['community'] }} {
 authorization read-only;
@@ -219,13 +265,41 @@ snmp {
 }
 {%- endmacro %}
 
-{% macro routingoptionssection(device, overlay_as, gateway) %}
+{% macro forwardingoptionssection(device) %}
+forwarding-options {
+ hash-key {
+ family inet {
+ layer-4;
+ }
+ family mpls {
+ label-1;
+ label-2;
+ payload {
+ ip {
+ port-data;
+ }
+ }
+ }
+ }
+ family inet {
+ filter {
+ input protect_RE;
+ }
+ }
+}
+{%- endmacro %}
+
+{% macro routingoptionssection(device, overlay_as = None, gateway = None, routes = None) %}
 routing-options {
 router-id {{ device.primary_ip4.address.ip }};
+{% if overlay_as %}
 autonomous-system {{ overlay_as }};
-{% if gateway %}
+{% endif %}
+{% if gateway or routes %}
 static {
+{% if gateway %}
 route 0.0.0.0/0 next-hop {{ gateway }};
+{% endif %}
 }
 {% endif %}
 forwarding-table {
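Review bot: The new `interface-range core-mpls` block is rendered for every Provider Core device even when `device.interfaces.filter(tags__name='vpls-core')` matches nothing, which yields an interface-range with no `member` statements; I believe Junos rejects that at commit, so the guard should also require at least one tagged interface, for example `{% set core_ports = device.interfaces.filter(tags__name='vpls-core')|list %}` followed by `{% if device.role.name in ['Provider Core'] and core_ports|count > 0 %}` (the chassis hunk already uses the `|list|count > 0` form for the same purpose). The loop would then iterate `core_ports` rather than re-running the filter. The interfacesection macro continues past this hunk.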
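Review bot: Renaming the first parameter of `snmpsection` from `rack` to `device` changes what callers must pass, and no caller is updated in this diff; any template still invoking it with a rack would now evaluate `rack.rack.site.name` and render a wrong or empty location rather than fail. The new `location` line also assumes the device is racked: for a device with no rack, `device.rack.site.name` is an undefined lookup that Jinja renders as an empty string unless a strict undefined is configured, so a `{% if device.rack %}` guard around the line, or a comment stating that unracked devices are out of scope, would make the assumption visible. The snmpsection body continues past this hunk.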
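Review bot: `routes` is added to routingoptionssection's signature and to the `{% if gateway or routes %}` guard, but nothing inside `static { }` renders it, so calling the macro with routes and no gateway emits an empty `static { }` block and the routes are silently dropped; either render them inside the block or keep the guard as `{% if gateway %}` until they are used. In the new forwardingoptionssection macro, `input protect_RE;` depends on a firewall filter this macro does not define, which deserves a comment such as `{# requires a firewall filter named protect_RE to be defined elsewhere in the rendered configuration #}`. A filter applied under `forwarding-options family inet filter input` is also, as I read it, a forwarding-table filter that sees transit traffic rather than a loopback filter; if protect_RE was written as an RE-protection filter with a terminal discard, confirm this placement is intended. The routingoptionssection body continues past this hunk.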