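{#- Jinja2 template that renders a switch configuration in ProCurve-style CLI
    syntax (inferred from the command set: dhcp-snooping, aaa port-access,
    device-profile, allow-unsupported-transceiver).

    Inputs (all rendered verbatim into CLI lines, no escaping is applied):
      header, hostname, location, snmp_user, unauth_redirect  - scalars
      dhcp_snooping_vlans, dhcpv6_snooping_vlans, ra_guard_ports,
      mac_based_ports                                         - port/VLAN lists as strings
      dhcp_servers, logging, sntp, dns                        - iterables of addresses
      multicast_filter (mac_addr, ports), radius_servers (ip, secret),
      interfaces (number, name, dhcp_trust, dhcpv6_trust, flowcontrol,
                  arp_trust, mac_based, addr_limit, logoff)   - iterables of objects
      ipv4_managers, ipv6_managers (values: ip, subnet),
      vlans (key: number; value: name, untagged, tagged, ip{addr, subnet,
             addr6, subnet6}, igmp, ipv6_mld)                 - mappings
      loop_protect (ports), arp_protect (vlans)               - optional objects
      snmp_community                                          - optional, see below

    The rendered output contains cleartext secrets (RADIUS keys) and must be
    handled as sensitive. Every comment below uses whitespace control so it
    adds no lines to the rendered config. -#}
{{ header }}
hostname "{{ hostname }}"
console idle-timeout 1800
console idle-timeout serial-usb 1800
no cdp run
{%- if dhcp_snooping_vlans %}
dhcp-snooping
{%- for s in dhcp_servers %}
dhcp-snooping authorized-server {{ s }}
{%- endfor %}
dhcp-snooping vlan {{ dhcp_snooping_vlans }}
{%- endif %}
{%- if dhcpv6_snooping_vlans %}
dhcpv6-snooping
dhcpv6-snooping vlan {{ dhcpv6_snooping_vlans }}
{%- endif %}
{%- for m in multicast_filter %}
filter multicast {{ m.mac_addr }} drop {{ m.ports }}
{%- endfor %}
{%- for l in logging %}
logging {{ l }}
{%- endfor %}
{%- if radius_servers %}
{%- for r in radius_servers %}
radius-server host {{ r.ip }} dyn-authorization
{#- r.secret is rendered unquoted: a secret containing spaces or quote
    characters would not parse as one token. Confirm the quoting form the
    target CLI accepts before allowing such secrets. #}
radius-server host {{ r.ip }} key {{ r.secret }}
{%- endfor %}
radius-server dead-time 2
{%- endif %}
timesync sntp
sntp unicast
{%- for s in sntp %}
sntp server priority {{ loop.index }} {{ s }}
{%- endfor %}
no telnet-server
time daylight-time-rule western-europe
time timezone 60
{#- ipv4_managers, ipv6_managers and vlans must be passed as mappings (an
    empty one is fine): calling .values()/.items() on an undefined name raises
    UndefinedError, whereas the plain for-loops above render nothing for an
    undefined iterable under Jinja's default Undefined. #}
{%- for i4 in ipv4_managers.values() %}
ip authorized-managers {{ i4.ip }} {{ i4.subnet }} access manager
{%- endfor %}
{%- for d in dns %}
ip dns server-address priority {{ loop.index }} {{ d }}
{%- endfor %}
ip ssh filetransfer
{%- for i6 in ipv6_managers.values() %}
ipv6 authorized-managers {{ i6.ip }} {{ i6.subnet }} access manager
{%- endfor %}
{%- if ra_guard_ports %}
ipv6 ra-guard ports {{ ra_guard_ports }}
{%- endif %}
{%- for iface in interfaces %}
interface {{ iface.number }}
name "{{ iface.name }}"
{%- if iface.dhcp_trust %}
dhcp-snooping trust
{%- endif %}
{%- if iface.dhcpv6_trust %}
dhcpv6-snooping trust
{%- endif %}
{%- if iface.flowcontrol %}
flow-control
{#- whitespace control added here so this block no longer emits a stray blank
    line into the interface section, matching every other tag in the file. #}
{%- endif %}
{%- if iface.arp_trust %}
arp-protect trust
{%- endif %}
exit
{%- endfor %}
{#- SNMPv1/v2c community. The value defaults to the well-known "public" only
    to keep existing callers rendering unchanged; anyone who can reach the
    management plane can read device state with it, so deployments that keep
    v2c enabled should pass snmp_community explicitly. #}
snmp-server community "{{ snmp_community | default('public') }}" operator
snmp-server location "{{ location }}"
snmpv3 enable
snmpv3 restricted-access
snmpv3 group managerpriv user "{{ snmp_user }}" sec-model ver3
{#- The user is created without auth/priv parameters on this line; the
    security level actually enforced for it depends on the device defaults
    and the group definition above — confirm against the target platform. #}
snmpv3 user "{{ snmp_user }}"
aaa accounting update periodic 240
aaa accounting network start-stop radius
aaa authentication ssh login public-key
aaa authentication ssh enable public-key
{%- if mac_based_ports %}
aaa port-access mac-based {{ mac_based_ports }}
{%- for iface in interfaces %}
{%- if iface.mac_based %}
{#- addr_limit and logoff are rendered unguarded: a missing attribute renders
    as an empty string and produces an incomplete command. #}
aaa port-access mac-based {{ iface.number }} addr-limit {{ iface.addr_limit }}
aaa port-access mac-based {{ iface.number }} logoff-period {{ iface.logoff }}
{%- endif %}
{%- endfor %}
aaa port-access mac-based addr-format multi-colon
aaa port-access mac-based unauth-redirect "{{ unauth_redirect }}"
{%- endif %}
{%- for number, vlan in vlans.items() %}
vlan {{ number }}
name "{{ vlan.name }}"
{%- if vlan.untagged %}
untagged {{ vlan.untagged }}
{%- endif %}
{%- if vlan.tagged %}
tagged {{ vlan.tagged }}
{%- endif %}
{%- if vlan.ip %}
ip address {{ vlan.ip.addr }} {{ vlan.ip.subnet }}
{%- if vlan.ip.addr6 %}
ipv6 address {{ vlan.ip.addr6 }}/{{ vlan.ip.subnet6 }}
{%- endif %}
{%- else %}
no ip address
{%- endif %}
{%- if vlan.igmp %}
ip igmp
{%- endif %}
{%- if vlan.ipv6_mld %}
ipv6 mld enable
{%- endif %}
exit
{%- endfor %}
allow-unsupported-transceiver
{%- if loop_protect %}
loop-protect {{ loop_protect.ports }}
loop-protect transmit-interval 3 disable-timer 30
{%- endif %}
{%- if arp_protect %}
arp-protect
arp-protect validate src-mac dest-mac
arp-protect vlan {{ arp_protect.vlans }}
{%- endif %}
device-profile name "default-ap-profile"
cos 0
exit
activate software-update disable
activate provision disable
{#- Both password commands are emitted without an argument, so they are not
    self-contained in the rendered file — confirm how the deployment tooling
    supplies the credentials when this config is applied. #}
password manager
password operator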