aurore-firewall/templates/hp.tpl

179 lines
5.5 KiB
Smarty
Raw Normal View History

; {{ switch.model.reference }}A Configuration Editor; Created on release #{{ switch.model.firmware }}
hostname "{{ switch.short_name }}"
; Generated on {{ date_gen }} by re2o
;--- Snmp ---
{%- if switch.switchbay.name %}
snmp-server location "{{ switch.switchbay.name }}"
{%- endif %}
;A faire à la main
snmpv3 enable
snmpv3 restricted-access
snmpv3 user "re2o"
snmpv3 group ManagerPriv user "re2o" sec-model ver3
snmp-server community "public" Operator
2018-07-08 19:13:58 +02:00
;--- Heure/date
time timezone 60
time daylight-time-rule Western-Europe
{%- for server in additionals.ntp_servers %}
{%- for interface in server.interface %}
{%- if switch.subnet.0.vlan_id == interface.vlan_id %}
sntp server priority {{ loop.index }} {{ interface.ipv4 }} 4
{%- if interface.ipv6 %}
sntp server priority {{ loop.index + 1 }} {{ interface.ipv6.0.ipv6 }} 4
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endfor %}
timesync sntp
sntp unicast
;--- Misc ---
console inactivity-timer 30
2018-07-08 19:13:58 +02:00
;--- Logs ---
{%- for server in additionals.log_servers %}
{%- for interface in server.interface %}
{%- if switch.subnet.0.vlan_id == interface.vlan_id %}
logging {{ interface.ipv4 }}
{%- if interface.ipv6 %}
logging {{ interface.ipv6.0.ipv6 }}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endfor %}
;--- IP du switch ---
no ip default-gateway
2018-07-08 19:13:58 +02:00
max-vlans 256
{%- for id, vlan in additionals.vlans.items() %}
vlan {{ id }}
name "{{ vlan["name"]|capitalize }}"
{%- if vlan["ports_tagged"] %}
tagged {{ vlan["ports_tagged"]|join(',') }}
2018-07-08 19:13:58 +02:00
{%- endif %}
{%- if vlan["ports_untagged"] %}
untagged {{ vlan["ports_untagged"]|join(',') }}
2018-07-08 19:13:58 +02:00
{%- endif %}
{%- if switch.subnet.0.vlan_id == id %}
ip address {{ switch.ipv4 }} {{ switch.subnet.0.netmask }}
{%- else %}
no ip address
{%- endif %}
{%- if switch.subnet.0.vlan_id == id %}
ipv6 address {{ switch.ipv6 }} {{ switch.subnet6.netmask }}
{%- else %}
no ipv6 enable
{%- endif %}
2018-07-08 20:31:04 +02:00
{%- if id in additionals.igmp_vlans %}
ip igmp
no ip igmp querier
{%- endif %}
{%- if id in additionals.mld_vlans %}
no ipv6 mld querier
ipv6 mld version 1
ipv6 mld enable
{%- endif %}
2018-07-08 19:13:58 +02:00
exit
{%- endfor %}
;--- Accès d'administration ---
no telnet-server
no web-management
aaa authentication ssh login public-key none
aaa authentication ssh enable public-key none
ip ssh
ip ssh filetransfer
2018-07-08 19:13:58 +02:00
ip authorized-managers {{ switch.subnet.0.network }} {{ switch.subnet.0.netmask }} access manager
{%- if switch.subnet6 %}
2018-07-08 19:13:58 +02:00
ipv6 authorized-managers {{ switch.subnet6.network }} {{ switch.subnet6.netmask }} access manager
{%- endif %}
2018-07-08 19:13:58 +02:00
{%- if additionals.loop_protected %}
;--- Protection contre les boucles ---
loop-protect disable-timer 30
loop-protect transmit-interval 3
loop-protect {{ additionals.loop_protected|join(',') }}
2018-07-08 19:13:58 +02:00
{%- endif %}
2018-07-08 20:31:04 +02:00
;--- Serveurs Radius
radius-server dead-time 2
{%- for server in additionals.radius_servers %}
{%- for interface in server.interface %}
{%- if switch.subnet.0.vlan_id == interface.vlan_id %}
radius-server host {{ interface.ipv4 }} key "plop"
radius-server host {{ interface.ipv4 }} dyn-authorization
{%- endif %}
{%- endfor %}
{%- endfor %}
radius-server dyn-autz-port 3799
;--- Filtrage mac ---
aaa port-access mac-based addr-format multi-colon
;--- Bricoles ---
no cdp run
2018-07-08 19:13:58 +02:00
{%- if additionals.dhcp_snooping_vlans %}
;--- DHCP Snooping ---
{%- for server in additionals.dhcp_servers %}
{%- for interface in server.interface %}
dhcp-snooping authorized-server {{ interface.ipv4 }}
{%- endfor %}
{%- endfor %}
2018-07-08 19:13:58 +02:00
dhcp-snooping vlan {{ additionals.dhcp_snooping_vlans|join(' ') }}
dhcp-snooping
2018-07-08 19:13:58 +02:00
{%- endif %}
{%- if additionals.arp_protect_vlans %}
;--- ARP Protect ---
arp-protect
arp-protect vlan {{ additionals.arp_protect_vlans|join(' ') }}
arp-protect validate src-mac dest-mac
{%- endif %}
{%- if additionals.dhcpv6_snooping_vlans %}
;--- DHCPv6 Snooping ---
dhcpv6-snooping vlan {{ additionals.dhcpv6_snooping_vlans|join(' ') }}
dhcpv6-snooping
{%- endif %}
{%- if additionals.ra_guarded %}
;--- RA guards ---
ipv6 ra-guard ports {{ additionals.ra_guarded|join(',')}}
2018-07-08 19:13:58 +02:00
{%- endif %}
;--- Config des prises ---
{%- for port in switch.ports %}
{%- if port.get_port_profil.radius_type == "802.1X" %}
aaa port-access authenticator {{ port.port }}
{%- if port.get_port_profil.mac_limit %}
aaa port-access authenticator {{ port.port }} client-limit {{ port.get_port_profil.mac_limit }}
{%- endif %}
aaa port-access authenticator {{ port.port }} logoff-period 3600
{%- endif %}
{%- if port.get_port_profil.radius_type == "MAC-radius" %}
aaa port-access mac-based {{ port.port }}
{%- if port.get_port_profil.mac_limit %}
aaa port-access mac-based {{ port.port }} addr-limit {{ port.get_port_profil.mac_limit }}
{%- endif %}
aaa port-access mac-based {{ port.port }} logoff-period 3600
aaa port-access mac-based {{ port.port }} unauth-vid 1
{%- endif %}
interface {{ port.port }}
{%- if port.state %}
enable
{%- else %}
disable
{%- endif %}
2018-07-08 19:13:58 +02:00
name "{{ port.pretty_name }}"
{%- if port.get_port_profil.flow_control %}
flow-control
{%- endif %}
{%- if not port.get_port_profil.dhcp_snooping %}
dhcp-snooping trust
{%- endif %}
{%- if not port.get_port_profil.arp_protect %}
arp-protect trust
{%- endif %}
{%- if not port.get_port_profil.dhcpv6_snooping %}
dhcpv6-snooping trust
{%- endif %}
no lacp
exit
{%- endfor %}
;--- Configuration comptabilisation RADIUS ---
aaa accounting network start-stop radius
aaa accounting session-id unique
aaa accounting update periodic 240
;--- Filtre de protocole ---
filter multicast 01005e0000fb drop all
filter multicast 3333000000fb drop all