From d1b4f569134bb070d54a7193d7a6f8d2eda1c575 Mon Sep 17 00:00:00 2001
From: chirac
Date: Sun, 8 Jul 2018 19:13:58 +0200
Subject: [PATCH] Generateur de confi de switch HP

---
 .gitignore | 1 +
 generated/__init__.py | 0
 main.py | 53 ++++++++++++++++++++--
 templates/{hp_test.tpl => hp.tpl} | 74 +++++++++++++++++++++++++++++--
 4 files changed, 121 insertions(+), 7 deletions(-)
 create mode 100644 generated/__init__.py
 rename templates/{hp_test.tpl => hp.tpl} (52%)

diff --git a/.gitignore b/.gitignore
index 641c4cc..9e2266d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 config.ini
 **/__pycache__/**
 **.list
+generated/*
diff --git a/generated/__init__.py b/generated/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/main.py b/main.py
index 46e6de9..697aaf3 100755
--- a/main.py
+++ b/main.py
@@ -19,17 +19,62 @@ api_client = Re2oAPIClient(api_hostname, api_username, api_password)
 client_hostname = socket.gethostname().split('.', 1)[0]
+print("get switchs conf")
 all_switchs = api_client.list("switchs/ports-config/")
-
+all_vlans = api_client.list("machines/vlan/")
+all_roles = api_client.list("machines/role/")
 # Création de l'environnement Jinja
 ENV = Environment(loader=FileSystemLoader('.'))
 # Import du fichier template dans une variable "template"
-template = ENV.get_template("templates/hp_test.tpl")
+template = ENV.get_template("templates/hp.tpl")
 # Création du template final avec les valeurs contenues dans le dictionnaire "valeurs" - Ces valeurs sont positionnées dans un objet "temp", qui sera utilisé par le moteur, et que l'on retrouve dans le template.
-conf = template.render(switch=all_switchs[2])
-print(all_switchs[2])
+def preprocess(switch):
+    def add_to_vlans(vlans, vlan, port, tagged=True):
+        if not vlan['vlan_id'] in vlans:
+            if not tagged:
+                vlans[vlan['vlan_id']] = {'ports_untagged' : [str(port['port'])], 'ports_tagged' : [], 'name' : vlan['name']}
+            else:
+                vlans[vlan['vlan_id']] = {'ports_tagged' : [str(port['port'])], 'ports_untagged' : [], 'name' : vlan['name']}
+        else:
+            if not tagged:
+                vlans[vlan['vlan_id']]['ports_untagged'].append(str(port['port']))
+            else:
+                vlans[vlan['vlan_id']]['ports_tagged'].append(str(port['port']))
+
+    ra_guarded = []
+    loop_protected = []
+    vlans = dict()
+
+    for port in switch['ports']:
+        if port['get_port_profil']['loop_protect']:
+            loop_protected.append(str(port['port']))
+        if port['get_port_profil']['ra_guard']:
+            ra_guarded.append(str(port['port']))
+
+        if port['get_port_profil']['vlan_untagged']:
+            add_to_vlans(vlans, port['get_port_profil']['vlan_untagged'], port, tagged=False)
+        if port['get_port_profil']['vlan_tagged']:
+            for vlan in port['get_port_profil']['vlan_tagged']:
+                add_to_vlans(vlans, vlan, port)
+
+    arp_protect_vlans = [vlan["vlan_id"] for vlan in all_vlans if vlan["arp_protect"]]
+    dhcp_snooping_vlans = [vlan["vlan_id"] for vlan in all_vlans if vlan["dhcp_snooping"]]
+    dhcpv6_snooping_vlans = [vlan["vlan_id"] for vlan in all_vlans if vlan["dhcpv6_snooping"]]
+    ntp_servers = [server["servers"] for server in all_roles if server["role_type"] == "ntp-server"][0]
+    log_servers = [server["servers"] for server in all_roles if server["role_type"] == "log-server"][0]
+
+    return {'ra_guarded' : ra_guarded, 'loop_protected' : loop_protected, 'vlans' : vlans, 'arp_protect_vlans' : arp_protect_vlans, 'dhcp_snooping_vlans' : dhcp_snooping_vlans, 'dhcpv6_snooping_vlans' : dhcpv6_snooping_vlans, 'ntp_servers': ntp_servers, 'log_servers': log_servers}
+
+print("gen tpl")
+conf = template.render(switch=all_switchs[2], additionals=preprocess(all_switchs[2]))
+
+for switch in all_switchs:
+    with open("generated/" + switch["short_name"] + ".conf", 'w+') as f:
+        f.write(template.render(switch=switch, additionals=preprocess(switch)))
+
+
 print(conf)
diff --git a/templates/hp_test.tpl b/templates/hp.tpl
similarity index 52%
rename from templates/hp_test.tpl
rename to templates/hp.tpl
index 1ef99a8..90c9f20 100644
--- a/templates/hp_test.tpl
+++ b/templates/hp.tpl
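Review bot: The output path in `with open("generated/" + switch["short_name"] + ".conf", 'w+') as f:` is built from an API-supplied field with no validation, so a short_name containing a path separator or `..` would write the rendered configuration outside `generated/`; reject such names before opening the file (the mode can also be plain `'w'`, since nothing is read back). The two `[0]` lookups for `ntp_servers` and `log_servers` raise IndexError as soon as no role of that type exists, which aborts generation for every switch, whereas a `next(..., [])` default lets the template's `for` loops simply emit nothing. `preprocess` also recomputes the `all_vlans`/`all_roles` comprehensions for every switch although they do not depend on `switch`, and the `conf = template.render(switch=all_switchs[2], ...)` line kept for the trailing `print(conf)` looks like leftover debugging that fails with fewer than three switches. Suggested rewrite of the role lookups and the write loop:
```python
    ntp_servers = next((r["servers"] for r in all_roles if r["role_type"] == "ntp-server"), [])
    log_servers = next((r["servers"] for r in all_roles if r["role_type"] == "log-server"), [])
    # … unchanged: return dict …

for switch in all_switchs:
    name = switch["short_name"]
    # short_name comes from the API; refuse anything that could leave generated/
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError("unsafe switch short_name: %r" % name)
    with open("generated/" + name + ".conf", "w") as f:
        f.write(template.render(switch=switch, additionals=preprocess(switch)))
```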
@@ -12,12 +12,58 @@ snmpv3 restricted-access
 snmpv3 user "crans"
 snmpv3 group ManagerPriv user "crans" sec-model ver3
 snmp-server community "public" Operator
+;--- Heure/date
+time timezone 60
+time daylight-time-rule Western-Europe
+{%- for server in additionals.ntp_servers %}
+{%- for interface in server.interface %}
+{%- if switch.subnet.0.vlan_id == interface.vlan_id %}
+sntp server priority {{ loop.index }} {{ interface.ipv4 }} 4
+{%- if interface.ipv6 %}
+sntp server priority {{ loop.index + 1 }} {{ interface.ipv6.0.ipv6 }} 4
+{%- endif %}
+{%- endif %}
+{%- endfor %}
+{%- endfor %}
 timesync sntp
 sntp unicast
 ;--- Misc ---
 console inactivity-timer 30
+;--- Logs ---
+{%- for server in additionals.log_servers %}
+{%- for interface in server.interface %}
+{%- if switch.subnet.0.vlan_id == interface.vlan_id %}
+logging {{ interface.ipv4 }}
+{%- if interface.ipv6 %}
+logging {{ interface.ipv6.0.ipv6 }}
+{%- endif %}
+{%- endif %}
+{%- endfor %}
+{%- endfor %}
 ;--- IP du switch ---
 no ip default-gateway
+max-vlans 256
+{%- for id, vlan in additionals.vlans.items() %}
+vlan {{ id }}
+   name "{{ vlan["name"]|capitalize }}"
+   {%- if vlan["ports_tagged"] %}
+   tagged {{ vlan["ports_tagged"]|join(' ') }}
+   {%- endif %}
+   {%- if vlan["ports_untagged"] %}
+   untagged {{ vlan["ports_untagged"]|join(' ') }}
+   {%- endif %}
+   {%- if switch.subnet.0.vlan_id == id %}
+   ip address {{ switch.ipv4 }} {{ switch.subnet.0.netmask }}
+   {%- else %}
+   no ip address
+   {%- endif %}
+   {%- if switch.subnet.0.vlan_id == id %}
+   ipv6 address {{ switch.ipv6 }} {{ switch.subnet6.netmask }}
+   {%- else %}
+   no ipv6 enable
+   {%- endif %}
+exit
+{%- endfor %}
 ;--- Accès d'administration ---
 no telnet-server
 no web-management
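Review bot: The `ipv6 address {{ switch.ipv6 }} {{ switch.subnet6.netmask }}` line in the new vlan block is emitted for the management VLAN without the `{%- if switch.subnet6 %}` guard that the authorized-managers block further down already uses, so a switch with no IPv6 subnet gets an `ipv6 address` line whose netmask renders empty under the default Undefined of the Environment in main.py; changing the condition to `{%- if switch.subnet.0.vlan_id == id and switch.subnet6 %}` makes such switches fall through to `no ipv6 enable`. The `sntp server priority {{ loop.index }}` / `{{ loop.index + 1 }}` pair uses the index of the inner interface loop, so the next interface that matches reuses the priority already given to the previous interface's IPv6 entry; if the switch requires distinct priorities this needs a running counter rather than the loop index. `name "{{ vlan["name"]|capitalize }}"` interpolates an API-supplied name into a quoted CLI argument without escaping, so a name containing `"` breaks the generated line; the same applies to `name "{{ port.pretty_name }}"` in the last hunk of this file, and a filter that strips quotes (or validation in main.py before rendering) should cover both. A short `{# ... #}` comment above the vlan loop stating that `additionals.vlans` is keyed by vlan_id and built by `preprocess` would also help the next reader.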
@@ -25,19 +71,41 @@ aaa authentication ssh login public-key none
 aaa authentication ssh enable public-key none
 ip ssh
 ip ssh filetransfer
-ip authorized-managers {{ switch.subnet.0.network }} {{switch.subnet.0.netmask }} access manager
+ip authorized-managers {{ switch.subnet.0.network }} {{ switch.subnet.0.netmask }} access manager
 {%- if switch.subnet6 %}
-ipv6 authorized-managers {{ switch.subnet6.network }} {{switch.subnet6.netmask }} access manager
+ipv6 authorized-managers {{ switch.subnet6.network }} {{ switch.subnet6.netmask }} access manager
 {%- endif %}
+{%- if additionals.loop_protected %}
 ;--- Protection contre les boucles ---
 loop-protect disable-timer 30
 loop-protect transmit-interval 3
+loop-protect {{ additionals.loop_protected|join(' ') }}
+{%- endif %}
 radius-server dyn-autz-port 3799
 ;--- Filtrage mac ---
 aaa port-access mac-based addr-format multi-colon
 ;--- Bricoles ---
 no cdp run
+{%- if additionals.dhcp_snooping_vlans %}
+;--- DHCP Snooping ---
+dhcp-snooping vlan {{ additionals.dhcp_snooping_vlans|join(' ') }} dhcp-snooping
+{%- endif %}
+{%- if additionals.arp_protect_vlans %}
+;--- ARP Protect ---
+arp-protect
+arp-protect vlan {{ additionals.arp_protect_vlans|join(' ') }}
+arp-protect validate src-mac dest-mac
+{%- endif %}
+{%- if additionals.dhcpv6_snooping_vlans %}
+;--- DHCPv6 Snooping ---
+dhcpv6-snooping vlan {{ additionals.dhcpv6_snooping_vlans|join(' ') }}
+dhcpv6-snooping
+{%- endif %}
+{%- if additionals.ra_guarded %}
+;--- RA guards ---
+ipv6 ra-guard ports {{ additionals.ra_guarded|join(' ')}}
+{%- endif %}
 ;--- Config des prises ---
 {%- for port in switch.ports %}
 {%- if port.get_port_profil.radius_type == "802.1X" %}
@@ -61,7 +129,7 @@ interface {{ port.port }}
 {%- else %}
    disable
 {%- endif %}
-   name "{{ port.port }}"
+   name "{{ port.pretty_name }}"
 {%- if port.get_port_profil.flow_control %}
    flow control
 {%- endif %}
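Review bot: `dhcp-snooping vlan {{ additionals.dhcp_snooping_vlans|join(' ') }} dhcp-snooping` puts the global enable on the same line as the VLAN list (the hunk's line count confirms it is a single added line), unlike the DHCPv6 block just below where `dhcpv6-snooping` stands on its own; the trailing word is most likely rejected as a bad VLAN argument and the global `dhcp-snooping` enable is then never issued. Split it into `dhcp-snooping vlan {{ additionals.dhcp_snooping_vlans|join(' ') }}` followed by `dhcp-snooping` on its own line, mirroring the DHCPv6 block. Nothing in this hunk marks trusted ports for DHCP snooping or ARP protection; if that is handled in the per-port section (which starts at `;--- Config des prises ---` and continues outside the hunk) this is fine, otherwise enabling these features will block the upstream DHCP server and ARP replies on the uplink. Wrapping the existing loop-protect timers in `{%- if additionals.loop_protected %}` also means they are now only configured when at least one port profile sets loop_protect, which is reasonable but deserves a `{# timers only matter when loop-protect is applied to ports #}` comment.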