@ -12,12 +12,58 @@ snmpv3 restricted-access
snmpv3 user "crans"
snmpv3 group ManagerPriv user "crans" sec-model ver3
snmp-server community "public" Operator
;--- Heure/date
time timezone 60
time daylight-time-rule Western-Europe
{ % - for server in additionals . ntp_servers % }
{ % - for interface in server . interface % }
{ % - if switch . subnet . 0. vlan_id = = interface . vlan_id % }
sntp server priority { { loop . index } } { { interface . ipv4 } } 4
{ % - if interface . ipv6 % }
sntp server priority { { loop . index + 1 } } { { interface . ipv6 . 0. ipv6 } } 4
{ % - endif % }
{ % - endif % }
{ % - endfor % }
{ % - endfor % }
timesync sntp
sntp unicast
;--- Misc ---
console inactivity-timer 30
;--- Logs ---
{ % - for server in additionals . log_servers % }
{ % - for interface in server . interface % }
{ % - if switch . subnet . 0. vlan_id = = interface . vlan_id % }
logging { { interface . ipv4 } }
{ % - if interface . ipv6 % }
logging { { interface . ipv6 . 0. ipv6 } }
{ % - endif % }
{ % - endif % }
{ % - endfor % }
{ % - endfor % }
;--- IP du switch ---
no ip default-gateway
max-vlans 256
{ % - for id , vlan in additionals . vlans . items ( ) % }
vlan { { id } }
name " { { vlan [ "name" ] | capitalize } } "
{ % - if vlan [ "ports_tagged" ] % }
tagged { { vlan [ "ports_tagged" ] | join ( ' ' ) } }
{ % - endif % }
{ % - if vlan [ "ports_untagged" ] % }
untagged { { vlan [ "ports_untagged" ] | join ( ' ' ) } }
{ % - endif % }
{ % - if switch . subnet . 0. vlan_id = = id % }
ip address { { switch . ipv4 } } { { switch . subnet . 0. netmask } }
{ % - else % }
no ip address
{ % - endif % }
{ % - if switch . subnet . 0. vlan_id = = id % }
ipv6 address { { switch . ipv6 } } { { switch . subnet6 . netmask } }
{ % - else % }
no ipv6 enable
{ % - endif % }
exit
{ % - endfor % }
;--- Accès d'administration ---
no telnet-server
no web-management
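Review bot: The `ipv6 address` line at L51 reads `switch.subnet6.netmask` with no check that `subnet6` exists, whereas the second hunk guards its `ipv6 authorized-managers` lines with `{%- if switch.subnet6 %}`; a switch without a v6 subnet therefore renders a truncated `ipv6 address` line (or raises under StrictUndefined). Changing the condition at L50 to `{%- if switch.subnet6 and switch.subnet.0.vlan_id == id %}` keeps the `no ipv6 enable` fallback for every other case. The SNTP block at L8–L17 also reuses `loop.index` of the inner interface loop, so a second interface or a second server emits priority 1 again and the v6 line's `loop.index + 1` collides with the next interface's v4 priority; a counter over all emitted servers (for example a `namespace()` incremented per line) is needed, and the platform likely rejects or overwrites duplicate priorities. VLAN names at L38, and the port names introduced at L109 in the last hunk, are inserted between double quotes unescaped, so a name containing `"` or a newline breaks out of the argument and can splice extra commands into the generated config; strip those characters with a filter such as `| replace('"', '')` or validate them where the names are entered.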
@ -25,19 +71,41 @@ aaa authentication ssh login public-key none
aaa authentication ssh enable public-key none
ip ssh
ip ssh filetransfer
ip authorized-managers { { switch . subnet . 0. network } } { { switch . subnet . 0. netmask } } access manager
ip authorized-managers { { switch . subnet . 0. network } } { { switch . subnet . 0. netmask } } access manager
{ % - if switch . subnet6 % }
ipv6 authorized-managers { { switch . subnet6 . network } } { { switch . subnet6 . netmask } } access manager
ipv6 authorized-managers { { switch . subnet6 . network } } { { switch . subnet6 . netmask } } access manager
{ % - endif % }
{ % - if additionals . loop_protected % }
;--- Protection contre les boucles ---
loop-protect disable-timer 30
loop-protect transmit-interval 3
loop-protect { { additionals . loop_protected | join ( ' ' ) } }
{ % - endif % }
radius-server dyn-autz-port 3799
;--- Filtrage mac ---
aaa port-access mac-based addr-format multi-colon
;--- Bricoles ---
no cdp run
{ % - if additionals . dhcp_snooping_vlans % }
;--- DHCP Snooping ---
dhcp-snooping vlan { { additionals . dhcp_snooping_vlans | join ( ' ' ) } }
dhcp-snooping
{ % - endif % }
{ % - if additionals . arp_protect_vlans % }
;--- ARP Protect ---
arp-protect
arp-protect vlan { { additionals . arp_protect_vlans | join ( ' ' ) } }
arp-protect validate src-mac dest-mac
{ % - endif % }
{ % - if additionals . dhcpv6_snooping_vlans % }
;--- DHCPv6 Snooping ---
dhcpv6-snooping vlan { { additionals . dhcpv6_snooping_vlans | join ( ' ' ) } }
dhcpv6-snooping
{ % - endif % }
{ % - if additionals . ra_guarded % }
;--- RA guards ---
ipv6 ra-guard ports { { additionals . ra_guarded | join ( ' ' ) } }
{ % - endif % }
;--- Config des prises ---
{ % - for port in switch . ports % }
{ % - if port . get_port_profil . radius_type = = "802.1X" % }
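Review bot: `dhcp-snooping` and `arp-protect` are enabled on VLANs at L83–L90 but no port is marked trusted in this hunk; unless the per-port section that starts at L102 (it continues beyond the hunk) emits `dhcp-snooping trust` and `arp-protect trust` on the uplink interfaces, the switch will drop the legitimate DHCP offers and the router's ARP replies on those VLANs. The same dependency applies to `dhcpv6-snooping` at L94–L95. A header comment such as `;--- DHCP Snooping (uplinks must be trusted in the port section) ---` would make that requirement visible to whoever edits the VLAN lists. L64/L65 and L67/L68 show the `authorized-managers` lines twice; if that is not an old/new rendering artifact of the page, the duplicate lines are harmless but should be dropped.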
@ -61,7 +129,7 @@ interface {{ port.port }}
{ % - else % }
disable
{ % - endif % }
name " { { port . p o rt } } "
name " { { port . p ret ty_name } } "
{ % - if port . get_port_profil . flow_control % }
flow control
{ % - endif % }