; {{ switch.model.reference }}A Configuration Editor; Created on release #{{ switch.model.firmware }}
{#- ProCurve / ArubaOS-Switch configuration template rendered by re2o.
    Every Jinja tag is written "{%-" so the line it sits on is stripped from
    the output; template notes below use "{#-" for the same reason and never
    reach the switch. Lines starting with ";" are switch config comments and
    are emitted as-is. #}

hostname "{{ switch.short_name }}"
; Generated on {{ date_gen }} by re2o
;--- Snmp ---
{%- if switch.switchbay.name %}
snmp-server location "{{ switch.switchbay.name }}"
{%- endif %}
;To be done by hand
{#- SNMPv3 is switched on and v1/v2c access is restricted, but no
    authentication or privacy passphrase appears anywhere in this template:
    the "re2o" user's credentials have to be provisioned out of band before
    a generated config is pushed. #}
snmpv3 enable
snmpv3 restricted-access
snmpv3 user "re2o"
{#- The user is created with no auth-pass/priv-pass on this line while its
    group is ManagerPriv. NOTE(review): confirm how the target firmware treats
    a ManagerPriv member created without credentials, and that the passphrases
    are set manually right after this. #}
snmpv3 group ManagerPriv user "re2o" sec-model ver3
{#- SECURITY: "public" is the well-known default SNMP community and this line
    grants it Operator-level access on every generated switch. Anything that
    can reach the management address (see authorized-managers further down)
    can query the switch with it. Replace it with a per-site community, or
    drop the line once SNMPv3 polling is in place. #}
snmp-server community "public" Operator
;--- Time/date
time timezone 60
time daylight-time-rule Western-Europe
{#- IPv4 NTP servers take priorities 1..n; the IPv6 loop below continues the
    numbering after them so both lists form one priority list. The trailing
    "4" looks like the SNTP protocol version argument — verify. #}
{%- for ipv4 in settings.switchs_management_utils.ntp_servers.ipv4 %}
sntp server priority {{ loop.index }} {{ ipv4 }} 4
{%- endfor %}
{%- for ipv6 in settings.switchs_management_utils.ntp_servers.ipv6 %}
{#- Offset by the IPv4 count so priorities stay unique across both loops. #}
sntp server priority {{ loop.index + settings.switchs_management_utils.ntp_servers.ipv4|length }} {{ ipv6 }} 4
{%- endfor %}
timesync sntp
sntp unicast
;--- Misc ---
{#- Idle CLI sessions are dropped after 30 (minutes on ProCurve). Presumably
    this covers SSH sessions as well as the serial console — verify. #}
console inactivity-timer 30
;--- Logs ---
{#- Remote syslog targets. If both server lists are empty no "logging" line
    is emitted at all and the switch gets no remote logging. #}
{%- for ipv4 in settings.switchs_management_utils.log_servers.ipv4 %}
logging {{ ipv4 }}
{%- endfor %}
{%- for ipv6 in settings.switchs_management_utils.log_servers.ipv6 %}
logging {{ ipv6 }}
{%- endfor %}
;--- Switch IP ---
{#- No default gateway: unless routes are added out of band, the switch can
    only talk to directly attached subnets (the VLAN addresses assigned
    below), which effectively limits where management traffic can come from
    in addition to the authorized-managers ACL further down. #}
no ip default-gateway
max-vlans 256
{#- One "vlan <id>" context per entry of additionals.vlans: tagged/untagged
    port lists, the switch's own addresses on that VLAN, and optional
    IGMP/MLD settings. #}
{%- for id, vlan in additionals.vlans.items() %}
vlan {{ id }}
   {#- NOTE(review): the name is dropped into a quoted string unescaped; a
       VLAN name containing a double quote would break this line. Constrain
       the name format in re2o or escape it here. #}
   name "{{ vlan["name"]|capitalize }}"
   {%- if vlan["ports_tagged"] %}
   tagged {{ vlan["ports_tagged"]|join(',') }}
   {%- endif %}
   {%- if vlan["ports_untagged"] %}
   untagged {{ vlan["ports_untagged"]|join(',') }}
   {%- endif %} 
   {#- switch.interfaces_subnet appears to map an IPv4 address to a
       list/tuple whose first element carries vlan_id and netmask_cidr
       (hence the ".0"), whereas interfaces6_subnet below is indexed
       directly — verify against the re2o model. #}
   {%- for ipv4, subnet in switch.interfaces_subnet.items() %}
   {%- if subnet.0.vlan_id == id %}
   ip address {{ ipv4 }}/{{ subnet.0.netmask_cidr }}
   {%- endif %}
   {%- endfor %}
   {%- for ipv6, subnet6 in switch.interfaces6_subnet.items() %}
   {%- if subnet6.vlan_id == id %}
   ipv6 address {{ ipv6 }}/{{ subnet6.netmask_cidr }}
   {%- endif %}
   {%- endfor %}
   {%- if id in additionals.igmp_vlans %}
   {#- IGMP (snooping) enabled on this VLAN, but this switch never acts as
       the querier. #}
   ip igmp
   no ip igmp querier
   {%- endif %}
   {%- if id in additionals.mld_vlans %}
   {#- Same for MLD (IPv6), pinned to MLD version 1. #}
   no ipv6 mld querier
   ipv6 mld version 1
   ipv6 mld enable
   {%- endif %}
exit
{%- endfor %}
;--- Management access ---
{#- Telnet is always off; remote CLI access is SSH only (see the aaa / ip ssh
    lines below). #}
no telnet-server
{%- if switch.web_management_enabled %}
{%- if switch.web_management_enabled != "ssl" %}
{#- SECURITY: plaintext HTTP management — credentials and sessions cross the
    network unencrypted. Any truthy value other than "ssl" lands here; prefer
    setting web_management_enabled to "ssl" or disabling it. #}
web-management plaintext
{%- endif %}
{%- if switch.web_management_enabled == "ssl" %}
web-management ssl
{%- endif %}
{%- else %}
no web-management
{%- endif %}
{%- if switch.rest_enabled %}
{#- REST API on. It presumably rides on the web server configured above, so
    the plaintext/ssl choice applies to it too — TODO confirm for this
    firmware. #}
rest-interface
{%- endif %}
{#- SSH login and enable both use public-key authentication with "none" as
    the secondary method. No client public key is installed by this template,
    so keys must be loaded out of band before a switch is deployed; what the
    "none" fallback permits when public-key auth cannot be performed is
    firmware-specific — verify on the target firmware. "ip ssh filetransfer"
    enables file transfer over SSH (SFTP/SCP). #}
aaa authentication ssh login public-key none
aaa authentication ssh enable public-key none
ip ssh
ip ssh filetransfer
{#- Management-plane ACL: only the configured management subnet may reach the
    switch with manager access. When neither subnet setting is filled in, no
    authorized-managers line is emitted and the restriction is simply absent.
    IPv4 indexes subnet.0 while IPv6 uses subnet6 directly — presumably the
    two settings differ in shape; verify. #}
{%- if settings.switchs_management_utils.subnet %}
ip authorized-managers {{ settings.switchs_management_utils.subnet.0.network }} {{ settings.switchs_management_utils.subnet.0.netmask }} access manager
{%- endif %}
{%- if settings.switchs_management_utils.subnet6 %}
ipv6 authorized-managers {{ settings.switchs_management_utils.subnet6.network }} {{ settings.switchs_management_utils.subnet6.netmask }} access manager
{%- endif %}
{%- if additionals.loop_protected %}
;--- Loop protection ---
{#- A port on which a loop is detected is disabled and re-enabled after 30
    (seconds on ProCurve); probe frames are sent every 3 seconds. #}
loop-protect disable-timer 30
loop-protect transmit-interval 3
loop-protect {{ additionals.loop_protected|join(',') }}
{%- endif %}
;--- RADIUS servers
{#- An unresponsive server is skipped for 2 (minutes on ProCurve) before it
    is tried again. #}
radius-server dead-time 2
{%- for ipv4 in settings.switchs_management_utils.radius_servers.ipv4 %}
{#- SECURITY: the RADIUS shared secret is rendered in cleartext, so the
    generated file is itself a secret and must be stored/transferred as one.
    It is also dropped inside double quotes unescaped: a key containing a
    double quote would produce a malformed line — constrain the key format in
    re2o or escape it here. Only IPv4 servers are configured; there is no
    radius_servers.ipv6 loop, unlike ntp/log above. "dyn-authorization"
    presumably accepts CoA/Disconnect requests from that host on the port set
    below. #}
radius-server host {{ ipv4 }} key "{{ switch.get_radius_key_value }}"
radius-server host {{ ipv4 }} dyn-authorization
{%- endfor %}
radius-server dyn-autz-port 3799
;--- MAC filtering ---
{#- MAC-auth usernames are sent to RADIUS as aa:bb:cc:dd:ee:ff. #}
aaa port-access mac-based addr-format multi-colon
;--- Odds and ends ---
{#- CDP disabled; LLDP is not configured by this template. #}
no cdp run
{%- if additionals.dhcp_snooping_vlans %}
;--- DHCP Snooping ---
{#- DHCP server replies are accepted only from the listed servers and only on
    ports marked "dhcp-snooping trust" (set per port further down). If
    dhcp_servers.ipv4 is empty no authorized-server line is emitted, which
    presumably leaves any server behind a trusted port accepted — verify. #}
{%- for ipv4 in settings.switchs_management_utils.dhcp_servers.ipv4 %}
dhcp-snooping authorized-server {{ ipv4 }}
{%- endfor %}
dhcp-snooping vlan {{ additionals.dhcp_snooping_vlans|join(' ') }}
dhcp-snooping
{%- endif %}
{%- if additionals.arp_protect_vlans %}
;--- ARP Protect ---
{#- Dynamic ARP inspection on the listed VLANs, also checking source and
    destination MAC. On ProCurve this validates against the DHCP-snooping
    binding table, so a VLAN present in arp_protect_vlans but absent from
    dhcp_snooping_vlans would have nothing to validate against — verify that
    re2o keeps the two lists consistent. #}
arp-protect
arp-protect vlan {{ additionals.arp_protect_vlans|join(' ') }}
arp-protect validate src-mac dest-mac
{%- endif %}
{%- if additionals.dhcpv6_snooping_vlans %}
;--- DHCPv6 Snooping ---
{#- Unlike IPv4 there is no authorized-server list here; trusted ports alone
    decide which DHCPv6 servers are accepted. #}
dhcpv6-snooping vlan {{ additionals.dhcpv6_snooping_vlans|join(' ') }}
dhcpv6-snooping
{%- endif %}
{%- if additionals.ra_guarded %}
;--- RA guards ---
{#- IPv6 Router Advertisements are dropped on the listed ports so a host on
    them cannot announce itself as a router. #}
ipv6 ra-guard ports {{ additionals.ra_guarded|join(',')}}
{%- endif %}
;--- Port configuration ---
{#- Per port: 802.1X or MAC-based RADIUS authentication according to the port
    profile (neither if the profile says something else), then the interface
    context. Profiles with no mac_limit get no client/addr limit at all. #}
{%- for port in switch.ports %}
{%- if port.get_port_profil.radius_type == "802.1X" %}
aaa port-access authenticator {{ port.port }}
{%- if port.get_port_profil.mac_limit %}
aaa port-access authenticator {{ port.port }} client-limit {{ port.get_port_profil.mac_limit }}
{%- endif %}
aaa port-access authenticator {{ port.port }} logoff-period 3600
{%- endif %}
{%- if port.get_port_profil.radius_type == "MAC-radius" %}
aaa port-access mac-based {{ port.port }}
{%- if port.get_port_profil.mac_limit %}
aaa port-access mac-based {{ port.port }} addr-limit {{ port.get_port_profil.mac_limit }}
{%- endif %}
aaa port-access mac-based {{ port.port }} logoff-period 3600
{#- SECURITY: clients that fail MAC authentication are placed on VLAN 1
    (unauth-vid 1), the default VLAN on ProCurve. Make sure VLAN 1 is isolated
    (no services, no route out) or rejected clients still get connectivity —
    TODO confirm. No unauth VLAN is set for the 802.1X ports above. #}
aaa port-access mac-based {{ port.port }} unauth-vid 1
{%- endif %}
interface {{ port.port }}
   {%- if port.state %}
   enable
   {%- else %}
   disable
   {%- endif %}
   name "{{ port.pretty_name }}"
157
   {%- if port.get_port_profil.flow_control %}
158
   flow-control
159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178
   {%- endif %}
   {#- Inverted trust: a port whose profile leaves a snooping feature OFF is
       declared a trusted port for that feature (presumably uplinks and
       server ports), so DHCP servers / ARP replies behind it are accepted
       unchecked. A profile mistake here silently opens a hole in the
       snooping and ARP protection configured above. #}
   {%- if not port.get_port_profil.dhcp_snooping %}
   dhcp-snooping trust
   {%- endif %}
   {%- if not port.get_port_profil.arp_protect %}
   arp-protect trust
   {%- endif %}
   {%- if not port.get_port_profil.dhcpv6_snooping %}
   dhcpv6-snooping trust
   {%- endif %}
   {#- LACP is turned off on every port; no link aggregation is generated by
       this template. #}
   no lacp
exit
{%- endfor %}
;--- RADIUS accounting ---
{#- Start/stop network accounting with a unique session id, plus an interim
    update every 240 (minutes on ProCurve). #}
aaa accounting network start-stop radius
aaa accounting session-id unique
aaa accounting update periodic 240
;--- Protocol filter ---
{#- Drops mDNS at layer 2 on all ports: 01:00:5e:00:00:fb is the multicast MAC
    for 224.0.0.251 and 33:33:00:00:00:fb the one for ff02::fb. #}
filter multicast 01005e0000fb drop all
filter multicast 3333000000fb drop all