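{# Jinja2 template for an HP/Aruba-style switch configuration, rendered by
   switchs2.py (see the "; Generated on" line below).

   Context the template reads (names exactly as used in this file):
     model, firmware, hostname, date_gen, modules, bat, max_vlans
     ntp_servers, log_servers, radius_servers, radius_key
     vlans             mapping name -> subscriptable entry with id, tagged, untagged,
                       ip, ipv6, network (IPv4 / IPv6), igmp_snooping, mld_snooping,
                       dhcp_snooping, extra; an entry named 'switches' is required by
                       the authorized-managers lines further down
     ports             objects with num, num_mac, radius_auth, trusted,
                       arp_protect_trust, flowcontrol, speed, enable_poe, poe_level
     trusted, non_trusted, dhcp_server_rid, dhcpv6_server_mac, ieee8021X
     features          collection tested with "<FLAG> in features"; the flags are
                       context names: SNTP_NEW_SYNTAX, IPv6_MGMT, IPv6_LOGGING, OOBM,
                       IGMP_SNOOPING, MLD_SNOOPING, RADIUS_DAE, STACKING_DISABLED,
                       DHCP_SNOOPING, ARP_PROTECT, DHCPv6_SNOOPING, RA_GUARD, GIGABIT,
                       POE, FILTER_MDNS
   Custom filters expected from the environment: ipv4, ipv6, ip6_of_mac.

   Whitespace convention: block tags are written "{%-" so that skipped branches
   leave no blank line in the rendered config; template comments use "{#-" for
   the same reason.  Keep that when editing. -#}
; {{ model }}A Configuration Editor; Created on release #{{ firmware }}

hostname "{{ hostname }}"
; Generated on {{ date_gen }} by switchs2.py
{% for module in modules %}
module {{ loop.index }} type {{ model }}A
{% endfor %}
;--- Snmp ---
snmp-server contact "root@crans.org"
snmp-server location "Batiment {{ bat }}"
;A faire à la main
snmpv3 enable
snmpv3 restricted-access
;snmpv3 user "initial"
{#- the snmpv3 user's credentials are presumably set by hand on the switch
    ("A faire à la main" above); the template only names the user. #}
snmpv3 user "crans"
snmpv3 group ManagerPriv user "crans" sec-model ver3
{#- NOTE(review): a well-known v2c community is still provisioned here with the
    Operator role.  How far "snmpv3 restricted-access" limits v2c on this firmware
    is not visible in this file -- confirm on the device; if v2c has to stay,
    a site-specific community name is the usual choice. #}
snmp-server community "public" Operator
;--- Heure/date ---
time timezone 60
time daylight-time-rule Western-Europe
{%- for server in ntp_servers %}
{%- if SNTP_NEW_SYNTAX in features %}
{#- One priority slot per address family.  With "loop.index" / "loop.index + 1"
    the IPv6 entry of server N and the IPv4 entry of server N+1 got the same
    priority, so each dual-stack server now takes two consecutive slots.
    The priority range the switch accepts is not visible here -- check it
    against the number of servers rendered. #}
{%- set v4_prio = loop.index0 * 2 + 1 if IPv6_MGMT in features else loop.index %}
sntp server priority {{ v4_prio }} {{ server|ipv4 }} 4
{%- if IPv6_MGMT in features %}
sntp server priority {{ v4_prio + 1 }} {{ server|ipv6 }} 4
{%- endif %}
{%- else %}
sntp server {{ server|ipv4 }}
{%- endif %}
{%- endfor %}
timesync sntp
sntp unicast
;--- Misc ---
console inactivity-timer 30
;--- Logs ---
{%- for server in log_servers %}
logging {{ server|ipv4 }}
{%- if IPv6_MGMT in features and IPv6_LOGGING in features %}
logging {{ server|ipv6 }}
{%- endif %}
{%- endfor %}
;--- IP du switch ---
no ip default-gateway
max-vlans {{ max_vlans }}
{%- if OOBM in features %}
oobm
    no ip address
    exit
{%- endif %}
{#- items() instead of iteritems(): same pairs, but renders under Python 3
    environments as well, and matches the vlans.items() calls used below. #}
{%- for name, vlan in vlans.items() %}
vlan {{ vlan["id"] }}
   name "{{ name|capitalize }}"
   {%- if vlan["tagged"] %}
   tagged {{ vlan["tagged"] }}
   {%- endif %}
   {%- if vlan["untagged"] %}
   untagged {{ vlan["untagged"] }}
   {%- endif %}
   {%- if vlan['ip'] %}
   ip address {{ vlan['ip'] }} {{ vlan['network']['IPv4'].netmask }}
   {%- else %}
   no ip address
   {%- endif %}
   {%- if vlan['ipv6'] and IPv6_MGMT in features %}
   ipv6 address {{ vlan['network']['IPv6'] }} eui-64
   {%- elif IPv6_MGMT in features %}
   no ipv6 enable
   {%- endif %}
   {%- if vlan['igmp_snooping'] and IGMP_SNOOPING in features %}
   ip igmp
   no ip igmp querier
   {%- endif %}
   {%- if vlan['mld_snooping'] and MLD_SNOOPING in features %}
   ipv6 mld enable
   no ipv6 mld querier
   {%- endif %}
   {#- free-form extra lines for this VLAN, re-indented to the vlan block #}
   {%- for l in vlan['extra'] %}
   {{ l|indent(3, false) }}
   {%- endfor %}
exit
{%- endfor %}
;--- Accès d'administration ---
no telnet-server
no web-management
aaa authentication ssh login public-key none
aaa authentication ssh enable public-key none
ip ssh
ip ssh filetransfer
{#- management access is restricted to the 'switches' VLAN network; rendering
    fails if the vlans mapping has no 'switches' entry. #}
ip authorized-managers {{ vlans['switches']['network']['IPv4'].ip }} {{ vlans['switches']['network']['IPv4'].netmask }}
{%- if IPv6_MGMT in features %}
ipv6 authorized-managers {{ vlans['switches']['network']['IPv6'].ip }} {{ vlans['switches']['network']['IPv6'].netmask }}
{%- endif %}
;--- Protection contre les boucles ---
loop-protect disable-timer 30
loop-protect transmit-interval 3
loop-protect {{ non_trusted }}
;--- Serveurs radius ---
radius-server dead-time 2
{#- radius_key is written into the rendered file in clear text; the output
    therefore carries a shared secret and should be stored/transferred as such. #}
{%- for server in radius_servers %}
radius-server host {{ server|ipv4 }} key {{ radius_key }}
{%- endfor %}
{%- if RADIUS_DAE in features %}
{%- for server in radius_servers %}
radius-server host {{ server|ipv4 }} dyn-authorization
{%- endfor %}
radius-server dyn-autz-port 3799
{%- endif %}
;--- Filtrage mac ---
aaa port-access mac-based addr-format multi-colon
;--- Bricoles ---
no cdp run
{%- if STACKING_DISABLED in features %}
no stack
{%- endif %}
{#- VLAN ids flagged dhcp_snooping, computed once; the same list drives DHCP
    snooping, ARP protect and DHCPv6 snooping below (as in the original). #}
{%- set snooped_vlan_ids = vlans.values()|selectattr("dhcp_snooping")|join(" ", attribute="id") %}
{%- if DHCP_SNOOPING in features %}
;--- DHCP Snooping ---
dhcp-snooping vlan {{ snooped_vlan_ids }}
{#- one authorized server per (relative id, snooped VLAN): the server address is
    the VLAN's IPv4 network address offset by rid #}
{%- for rid in dhcp_server_rid %}
{%- for vlan, vconfig in vlans.items() if vconfig['dhcp_snooping'] %}
dhcp-snooping authorized-server {{ vconfig['network']['IPv4'].ip + rid }}
{%- endfor %}
{%- endfor %}
dhcp-snooping
{%- endif %}
{%- if ARP_PROTECT in features %}
;--- ARP Protect ---
arp-protect
arp-protect vlan {{ snooped_vlan_ids }}
arp-protect validate src-mac
arp-protect validate dest-mac
{%- endif %}
{%- if DHCPv6_SNOOPING in features %}
;--- DHCPv6 Snooping ---
dhcpv6-snooping vlan {{ snooped_vlan_ids }}
{%- for mac in dhcpv6_server_mac %}
{%- for vlan, vconfig in vlans.items() if vconfig['dhcp_snooping'] and vconfig['network']['IPv6'] %}
dhcpv6-snooping authorized-server {{ mac|ip6_of_mac(vconfig['network']['IPv6']) }}
{%- endfor %}
{%- endfor %}
dhcpv6-snooping
{%- endif %}
{%- if RA_GUARD in features %}
;--- RA guards ---
ipv6 ra-guard ports {{ non_trusted }}
no ipv6 ra-guard ports {{ trusted }}
{% endif %}
;--- Config des prises ---
{%- for port in ports %}
{%- if port.radius_auth %}
{%- if ieee8021X %}
aaa port-access authenticator {{ port.num }}
aaa port-access authenticator {{ port.num }} client-limit {{ port.num_mac }}
aaa port-access authenticator {{ port.num }} logoff-period 3600
{%- endif %}
aaa port-access mac-based {{ port.num }}
aaa port-access mac-based {{ port.num }} addr-limit {{ port.num_mac }}
aaa port-access mac-based {{ port.num }} logoff-period 3600
{#- NOTE(review): clients that fail MAC authentication are parked on VLAN 1;
    whether VLAN 1 is isolated on these switches is not visible here -- confirm. #}
aaa port-access mac-based {{ port.num }} unauth-vid 1
{%- endif %}
interface {{ port.num }}
   enable
   name "{{ port }}"
   {{ port.flowcontrol }}
   {%- if port.trusted %}
   {%- if DHCP_SNOOPING in features %}
   dhcp-snooping trust
   {%- endif %}
   {%- endif %}
   {%- if ARP_PROTECT in features and port.arp_protect_trust %}
   arp-protect trust
   {%- endif %}
   {%- if port.trusted and DHCPv6_SNOOPING in features %}
   dhcpv6-snooping trust
   {%- endif %}
   {%- if GIGABIT in features %}
   {{ port.speed }}
   {%- endif %}
   {%- if port.enable_poe and POE in features %}
   power-over-ethernet {{ port.poe_level }}
   poe-allocate-by class
   {%- elif POE in features %}
   no power-over-ethernet
   {%- endif %}
   no lacp
exit
{%- endfor %}
{%- if ieee8021X %}
;--- Configuration IEEE 802.1X ---
aaa authentication port-access eap-radius
aaa port-access authenticator active
{%- endif %}
;--- Configuration comptabilisation RADIUS ---
aaa accounting network start-stop radius
aaa accounting session-id unique
aaa accounting update periodic 240
{%- if FILTER_MDNS in features %}
;--- Filtre de protocole ---
filter multicast 01005e0000fb drop all
filter multicast 3333000000fb drop all
{%- endif %}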