aurore-firewall/templates/hp.tpl


; {{ switch.model.reference }}A Configuration Editor; Created on release #{{ switch.model.firmware }}
{#- Jinja template rendered by re2o into a switch configuration in HP ProCurve / ArubaOS-Switch CLI syntax
    (judging by the command set). Lines starting with ";" are emitted verbatim as device-side comments; only
    Jinja comment blocks like this one are template-only and never reach the device.
    NOTE(review): values interpolated inside double quotes here and below (switch.short_name, switchbay.name,
    VLAN names, port pretty_name, the RADIUS key) are not escaped. A value containing a double quote or a newline
    would break out of the quoted field and inject further configuration lines - confirm all of these are
    admin-only inputs, or apply an escaping filter.
    NOTE(review): the hosting forge flags invisible Unicode characters somewhere in this file; anything outside a
    Jinja comment is copied into the rendered config, so they should be located and removed. #}
hostname "{{ switch.short_name }}"
; Generated on {{ date_gen }} by re2o
;--- Snmp ---
{#- SNMP: the location string is taken from the switch bay when one is assigned. #}
{%- if switch.switchbay.name %}
snmp-server location "{{ switch.switchbay.name }}"
{%- endif %}
;A faire à la main
{#- The emitted note "A faire a la main" means "to be done by hand": the SNMPv3 user is created here without
    auth/priv parameters, so its credentials are presumably set manually on the device - confirm, since the
    ManagerPriv group implies authentication and privacy. "snmpv3 restricted-access" is intended to limit
    SNMPv1/v2c to read-only access (verify on the target firmware). #}
snmpv3 enable
snmpv3 restricted-access
snmpv3 user "re2o"
snmpv3 group ManagerPriv user "re2o" sec-model ver3
{#- NOTE(review): "public" is the well-known default community string. Even if restricted-access makes it
    read-only, it lets any host that can reach the switch (the authorized-managers subnet configured below) pull
    interface, VLAN and MAC-table data. Prefer a site-specific community, or drop v1/v2c entirely and rely on the
    SNMPv3 user. #}
snmp-server community "public" Operator
;--- Heure/date
{#- Time: a fixed 60 (presumably minutes, i.e. UTC+1) offset with the Western-Europe DST rule. SNTP unicast
    servers are taken from every NTP server interface that sits in the switch's management VLAN
    (switch.subnet.0.vlan_id); servers without such an interface are silently skipped. The trailing "4" is
    presumably the SNTP protocol version. #}
time timezone 60
time daylight-time-rule Western-Europe
{%- for server in additionals.ntp_servers %}
{%- for interface in server.interface %}
{%- if switch.subnet.0.vlan_id == interface.vlan_id %}
{#- NOTE(review): "loop" here is the inner (interface) loop, so every server's first matching interface gets
    priority 1, and the IPv6 entry (index + 1) collides with the next interface's IPv4 priority. Distinct
    priorities need a counter carried across both loops. SNTP is also used unauthenticated here: the time
    source is trusted on the strength of the management VLAN alone. #}
sntp server priority {{ loop.index }} {{ interface.ipv4 }} 4
{%- if interface.ipv6 %}
sntp server priority {{ loop.index + 1 }} {{ interface.ipv6.0.ipv6 }} 4
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endfor %}
timesync sntp
sntp unicast
;--- Misc ---
{#- Idle console sessions are dropped after 30 (minutes on ProCurve firmware - confirm) so an unattended
    serial session does not stay logged in. #}
console inactivity-timer 30
;--- Logs ---
{#- Remote syslog targets: every log server interface on the management VLAN, IPv4 and, when present, the
    first IPv6 address. Log servers without an interface in that VLAN are skipped.
    NOTE(review): plain "logging <host>" uses the device default transport (presumably UDP syslog, neither
    encrypted nor authenticated) - acceptable on a dedicated management VLAN, otherwise look at the TCP/TLS
    options if the firmware offers them. #}
{%- for server in additionals.log_servers %}
{%- for interface in server.interface %}
{%- if switch.subnet.0.vlan_id == interface.vlan_id %}
logging {{ interface.ipv4 }}
{%- if interface.ipv6 %}
logging {{ interface.ipv6.0.ipv6 }}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endfor %}
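;--- IP du switch ---
{#- VLAN and L3 setup. No default gateway is configured, so the switch can only exchange traffic with hosts on
    its own subnet - this complements the authorized-managers restriction further down. Every VLAN gets its
    tagged/untagged port lists; only the management VLAN (switch.subnet.0.vlan_id) carries the switch's IPv4
    and IPv6 addresses, all other VLANs are explicitly left without an address and with IPv6 disabled.
    Fix: the IPv6 address line is now only emitted when switch.subnet6 exists (the same guard the
    "ipv6 authorized-managers" line uses). Previously a switch without a subnet6 rendered
    "ipv6 address <addr>/" with an empty or undefined prefix length (or raised, depending on the Undefined
    class); such a switch now simply gets "no ipv6 enable" on its management VLAN like on every other VLAN. #}
no ip default-gateway
max-vlans 256
{%- for id, vlan in additionals.vlans.items() %}
vlan {{ id }}
name "{{ vlan["name"]|capitalize }}"
{%- if vlan["ports_tagged"] %}
tagged {{ vlan["ports_tagged"]|join(',') }}
{%- endif %}
{%- if vlan["ports_untagged"] %}
untagged {{ vlan["ports_untagged"]|join(',') }}
{%- endif %}
{%- if switch.subnet.0.vlan_id == id %}
ip address {{ switch.ipv4 }}/{{ switch.subnet.0.netmask_cidr }}
{%- else %}
no ip address
{%- endif %}
{%- if switch.subnet.0.vlan_id == id and switch.subnet6 %}
ipv6 address {{ switch.ipv6 }}/{{ switch.subnet6.netmask_cidr }}
{%- else %}
no ipv6 enable
{%- endif %}
{#- IGMP / MLD snooping on the VLANs listed in additionals; the switch itself never acts as querier, so another
    device on the VLAN is presumably expected to send the queries. #}
{%- if id in additionals.igmp_vlans %}
ip igmp
no ip igmp querier
{%- endif %}
{%- if id in additionals.mld_vlans %}
no ipv6 mld querier
ipv6 mld version 1
ipv6 mld enable
{%- endif %}
exit
{%- endfor %}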
;--- Accès d'administration ---
{#- Management plane: Telnet off; web UI off, plaintext HTTP or HTTPS depending on
    switch.web_management_enabled; optional REST API; SSH with public-key authentication (the authorized keys
    are not part of this template and have to be installed on the device separately); SFTP/SCP file transfer;
    manager-level access accepted only from the switch's own subnet(s).
    NOTE(review): any truthy value other than "ssl" yields "web-management plaintext", i.e. admin credentials
    over clear HTTP. When "ssl" is selected nothing turns plaintext off explicitly - on ProCurve firmware the
    HTTP server is typically enabled by default, so consider emitting "no web-management plaintext" in that
    branch. The REST interface presumably rides on the same HTTP(S) server, so the same transport caveat likely
    applies to it. #}
no telnet-server
{%- if switch.web_management_enabled %}
{%- if switch.web_management_enabled != "ssl" %}
web-management plaintext
{%- endif %}
{%- if switch.web_management_enabled == "ssl" %}
web-management ssl
{%- endif %}
{%- else %}
no web-management
{%- endif %}
{%- if switch.rest_enabled %}
rest-interface
{%- endif %}
{#- "none" as the secondary method means no fallback: access is denied when the key check fails - verify this
    reading against the target firmware's documentation. #}
aaa authentication ssh login public-key none
aaa authentication ssh enable public-key none
ip ssh
ip ssh filetransfer
{#- Only the management IPv4 subnet (and the IPv6 one, when subnet6 exists) may open manager sessions. #}
ip authorized-managers {{ switch.subnet.0.network }} {{ switch.subnet.0.netmask }} access manager
{%- if switch.subnet6 %}
ipv6 authorized-managers {{ switch.subnet6.network }} {{ switch.subnet6.netmask }} access manager
{%- endif %}
{#- Loop protection on the ports listed in additionals.loop_protected: a looped port is disabled and
    re-enabled after 30 s; probe frames are sent every 3 s. Nothing is emitted when the list is empty. #}
{%- if additionals.loop_protected %}
;--- Protection contre les boucles ---
loop-protect disable-timer 30
loop-protect transmit-interval 3
loop-protect {{ additionals.loop_protected|join(',') }}
{%- endif %}
;--- Serveurs Radius
{#- RADIUS: one "host" entry per RADIUS server interface on the management VLAN, all sharing the switch's key,
    each allowed to send dynamic authorization (CoA / Disconnect) requests, received on UDP 3799. Servers
    without an interface in the management VLAN are silently skipped, which would leave the switch with no
    RADIUS server at all.
    NOTE(review): the shared secret is rendered in clear text, so the generated configuration - and any copy
    of it in logs, tickets or version control - has to be handled as a secret. The key is also not escaped; a
    key containing a double quote would break this line. #}
radius-server dead-time 2
{%- for server in additionals.radius_servers %}
{%- for interface in server.interface %}
{%- if switch.subnet.0.vlan_id == interface.vlan_id %}
radius-server host {{ interface.ipv4 }} key "{{ switch.get_radius_key_value }}"
radius-server host {{ interface.ipv4 }} dyn-authorization
{%- endif %}
{%- endfor %}
{%- endfor %}
radius-server dyn-autz-port 3799
;--- Filtrage mac ---
{#- MAC addresses sent to RADIUS as user names use the aa:bb:cc:dd:ee:ff format. #}
aaa port-access mac-based addr-format multi-colon
;--- Bricoles ---
{#- CDP is disabled so the switch does not advertise itself to neighbours (LLDP is left at its default here). #}
no cdp run
{#- DHCPv4 snooping: only the listed DHCP server addresses may answer on the snooped VLANs. Unlike the other
    server loops in this template, this one does not filter by VLAN, so every interface of every DHCP server
    is authorized (interface.ipv4 is emitted even for interfaces that might lack one - same pattern as
    elsewhere). #}
{%- if additionals.dhcp_snooping_vlans %}
;--- DHCP Snooping ---
{%- for server in additionals.dhcp_servers %}
{%- for interface in server.interface %}
dhcp-snooping authorized-server {{ interface.ipv4 }}
{%- endfor %}
{%- endfor %}
dhcp-snooping vlan {{ additionals.dhcp_snooping_vlans|join(' ') }}
dhcp-snooping
{%- endif %}
{#- Dynamic ARP protection on the listed VLANs, additionally checking that the sender/target MACs inside the
    ARP payload match the Ethernet header. The "ip" validation option is not enabled. #}
{%- if additionals.arp_protect_vlans %}
;--- ARP Protect ---
arp-protect
arp-protect vlan {{ additionals.arp_protect_vlans|join(' ') }}
arp-protect validate src-mac dest-mac
{%- endif %}
{#- DHCPv6 snooping on the listed VLANs. NOTE(review): no authorized-server list is emitted for v6, unlike the
    v4 block above - confirm whether that is intended or whether the firmware lacks the option. #}
{%- if additionals.dhcpv6_snooping_vlans %}
;--- DHCPv6 Snooping ---
dhcpv6-snooping vlan {{ additionals.dhcpv6_snooping_vlans|join(' ') }}
dhcpv6-snooping
{%- endif %}
{#- RA guard drops IPv6 router advertisements arriving on the listed (access) ports. #}
{%- if additionals.ra_guarded %}
;--- RA guards ---
ipv6 ra-guard ports {{ additionals.ra_guarded|join(',')}}
{%- endif %}
;--- Config des prises ---
{#- Per-port configuration, driven by each port's profile (port.get_port_profil).
    - radius_type "802.1X": the authenticator is enabled, with an optional client-limit and a 3600 s logoff
      period.
    - radius_type "MAC-radius": MAC-based authentication with the same options plus "unauth-vid 1".
    - Snooping / ARP "trust" is applied when the profile does NOT enable the matching protection, i.e. ports
      are untrusted by default and trust is opt-out - presumably reserved for uplinks and server ports.
    NOTE(review): clients that fail MAC authentication are placed in VLAN 1, a hard-coded value. If VLAN 1 is
    the management VLAN or carries any real traffic, this turns a failed authentication into network access;
    802.1X ports, by contrast, get no unauthenticated VLAN at all. Consider taking the unauth VLAN from the
    port profile or from a dedicated quarantine VLAN. #}
{%- for port in switch.ports %}
{%- if port.get_port_profil.radius_type == "802.1X" %}
aaa port-access authenticator {{ port.port }}
{%- if port.get_port_profil.mac_limit %}
aaa port-access authenticator {{ port.port }} client-limit {{ port.get_port_profil.mac_limit }}
{%- endif %}
aaa port-access authenticator {{ port.port }} logoff-period 3600
{%- endif %}
{%- if port.get_port_profil.radius_type == "MAC-radius" %}
aaa port-access mac-based {{ port.port }}
{%- if port.get_port_profil.mac_limit %}
aaa port-access mac-based {{ port.port }} addr-limit {{ port.get_port_profil.mac_limit }}
{%- endif %}
aaa port-access mac-based {{ port.port }} logoff-period 3600
aaa port-access mac-based {{ port.port }} unauth-vid 1
{%- endif %}
{#- Interface-level settings: admin state, description (pretty_name is written unescaped inside quotes),
    optional flow control, opt-out trust for the three snooping features, LACP off. #}
interface {{ port.port }}
{%- if port.state %}
enable
{%- else %}
disable
{%- endif %}
name "{{ port.pretty_name }}"
{%- if port.get_port_profil.flow_control %}
flow-control
{%- endif %}
{%- if not port.get_port_profil.dhcp_snooping %}
dhcp-snooping trust
{%- endif %}
{%- if not port.get_port_profil.arp_protect %}
arp-protect trust
{%- endif %}
{%- if not port.get_port_profil.dhcpv6_snooping %}
dhcpv6-snooping trust
{%- endif %}
no lacp
exit
{%- endfor %}
;--- Configuration comptabilisation RADIUS ---
{#- RADIUS accounting for network (port-access) sessions: start/stop records, unique session identifiers and
    periodic interim updates every 240 (minutes on ProCurve firmware - confirm). #}
aaa accounting network start-stop radius
aaa accounting session-id unique
aaa accounting update periodic 240
;--- Filtre de protocole ---
{#- Drop mDNS on every port: 01:00:5e:00:00:fb is the Ethernet multicast MAC of 224.0.0.251 and
    33:33:00:00:00:fb that of ff02::fb. #}
filter multicast 01005e0000fb drop all
filter multicast 3333000000fb drop all