; {{ switch.model.reference }}A Configuration Editor; Created on release #{{ switch.model.firmware }} hostname "{{ switch.short_name }}" ; Generated on {{ date_gen }} by re2o ;--- Snmp --- {%- if switch.switchbay.name %} snmp-server location "{{ switch.switchbay.name }}" {%- endif %} ;A faire à la main snmpv3 enable snmpv3 restricted-access snmpv3 user "re2o" snmpv3 group ManagerPriv user "re2o" sec-model ver3 snmp-server community "public" Operator ;--- Heure/date time timezone 60 time daylight-time-rule Western-Europe {%- for server in additionals.ntp_servers %} {%- for interface in server.interface %} {%- if switch.subnet.0.vlan_id == interface.vlan_id %} sntp server priority {{ loop.index }} {{ interface.ipv4 }} 4 {%- if interface.ipv6 %} sntp server priority {{ loop.index + 1 }} {{ interface.ipv6.0.ipv6 }} 4 {%- endif %} {%- endif %} {%- endfor %} {%- endfor %} timesync sntp sntp unicast ;--- Misc --- console inactivity-timer 30 ;--- Logs --- {%- for server in additionals.log_servers %} {%- for interface in server.interface %} {%- if switch.subnet.0.vlan_id == interface.vlan_id %} logging {{ interface.ipv4 }} {%- if interface.ipv6 %} logging {{ interface.ipv6.0.ipv6 }} {%- endif %} {%- endif %} {%- endfor %} {%- endfor %} ;--- IP du switch --- no ip default-gateway max-vlans 256 {%- for id, vlan in additionals.vlans.items() %} vlan {{ id }} name "{{ vlan["name"]|capitalize }}" {%- if vlan["ports_tagged"] %} tagged {{ vlan["ports_tagged"]|join(',') }} {%- endif %} {%- if vlan["ports_untagged"] %} untagged {{ vlan["ports_untagged"]|join(',') }} {%- endif %} {%- if switch.subnet.0.vlan_id == id %} ip address {{ switch.ipv4 }}/{{ switch.subnet.0.netmask_cidr }} {%- else %} no ip address {%- endif %} {%- if switch.subnet.0.vlan_id == id %} ipv6 address {{ switch.ipv6 }}/{{ switch.subnet6.netmask_cidr }} {%- else %} no ipv6 enable {%- endif %} {%- if id in additionals.igmp_vlans %} ip igmp no ip igmp querier {%- endif %} {%- if id in additionals.mld_vlans %} no ipv6 mld querier ipv6 mld version 1 ipv6 mld enable {%- endif %} exit {%- endfor %} ;--- Accès d'administration --- no telnet-server {%- if switch.web_management_enabled %} {%- if switch.web_management_enabled != "ssl" %} web-management plaintext {%- endif %} {%- if switch.web_management_enabled == "ssl" %} web-management ssl {%- endif %} {%- else %} no web-management {%- endif %} {%- if switch.rest_enabled %} rest-interface {%- endif %} aaa authentication ssh login public-key none aaa authentication ssh enable public-key none ip ssh ip ssh filetransfer ip authorized-managers {{ switch.subnet.0.network }} {{ switch.subnet.0.netmask }} access manager {%- if switch.subnet6 %} ipv6 authorized-managers {{ switch.subnet6.network }} {{ switch.subnet6.netmask }} access manager {%- endif %} {%- if additionals.loop_protected %} ;--- Protection contre les boucles --- loop-protect disable-timer 30 loop-protect transmit-interval 3 loop-protect {{ additionals.loop_protected|join(',') }} {%- endif %} ;--- Serveurs Radius radius-server dead-time 2 {%- for server in additionals.radius_servers %} {%- for interface in server.interface %} {%- if switch.subnet.0.vlan_id == interface.vlan_id %} radius-server host {{ interface.ipv4 }} key "plop" radius-server host {{ interface.ipv4 }} dyn-authorization {%- endif %} {%- endfor %} {%- endfor %} radius-server dyn-autz-port 3799 ;--- Filtrage mac --- aaa port-access mac-based addr-format multi-colon ;--- Bricoles --- no cdp run {%- if additionals.dhcp_snooping_vlans %} ;--- DHCP Snooping --- {%- for server in additionals.dhcp_servers %} {%- for interface in server.interface %} dhcp-snooping authorized-server {{ interface.ipv4 }} {%- endfor %} {%- endfor %} dhcp-snooping vlan {{ additionals.dhcp_snooping_vlans|join(' ') }} dhcp-snooping {%- endif %} {%- if additionals.arp_protect_vlans %} ;--- ARP Protect --- arp-protect arp-protect vlan {{ additionals.arp_protect_vlans|join(' ') }} arp-protect validate src-mac dest-mac {%- endif %} {%- if additionals.dhcpv6_snooping_vlans %} ;--- DHCPv6 Snooping --- dhcpv6-snooping vlan {{ additionals.dhcpv6_snooping_vlans|join(' ') }} dhcpv6-snooping {%- endif %} {%- if additionals.ra_guarded %} ;--- RA guards --- ipv6 ra-guard ports {{ additionals.ra_guarded|join(',')}} {%- endif %} ;--- Config des prises --- {%- for port in switch.ports %} {%- if port.get_port_profil.radius_type == "802.1X" %} aaa port-access authenticator {{ port.port }} {%- if port.get_port_profil.mac_limit %} aaa port-access authenticator {{ port.port }} client-limit {{ port.get_port_profil.mac_limit }} {%- endif %} aaa port-access authenticator {{ port.port }} logoff-period 3600 {%- endif %} {%- if port.get_port_profil.radius_type == "MAC-radius" %} aaa port-access mac-based {{ port.port }} {%- if port.get_port_profil.mac_limit %} aaa port-access mac-based {{ port.port }} addr-limit {{ port.get_port_profil.mac_limit }} {%- endif %} aaa port-access mac-based {{ port.port }} logoff-period 3600 aaa port-access mac-based {{ port.port }} unauth-vid 1 {%- endif %} interface {{ port.port }} {%- if port.state %} enable {%- else %} disable {%- endif %} name "{{ port.pretty_name }}" {%- if port.get_port_profil.flow_control %} flow-control {%- endif %} {%- if not port.get_port_profil.dhcp_snooping %} dhcp-snooping trust {%- endif %} {%- if not port.get_port_profil.arp_protect %} arp-protect trust {%- endif %} {%- if not port.get_port_profil.dhcpv6_snooping %} dhcpv6-snooping trust {%- endif %} no lacp exit {%- endfor %} ;--- Configuration comptabilisation RADIUS --- aaa accounting network start-stop radius aaa accounting session-id unique aaa accounting update periodic 240 ;--- Filtre de protocole --- filter multicast 01005e0000fb drop all filter multicast 3333000000fb drop all