-
Notifications
You must be signed in to change notification settings - Fork 1
/
template.j2
173 lines (149 loc) · 4.95 KB
/
template.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
{#
! Malconfig fra Atea best practice for Catalyst access-switcher
! Basert på Cisco BP docs, erfaring, Voodo, og litt IPA.
! Versjon 2.1 201503025 - Øyvind Ellefsen
!
! Dette er en Jinja2 mal, for bruk i gencfg.py script. Variable data hentes fra data.csv fil.
!
! Fyll inn variablene øverst først, resten er cut&paste på det aller meste av IOS, switch og router.
! Config er ikke kompatibel med IOS-XR, eller NXOS
! Unike variabler per device, verdier hentes fra data.csv
! HOSTNAME Hostnavn, uten domene, ikke space, maks 15 tegn
! MGMTVLAN VLAN for management switch (1-4 siffer)
! MGMTIP IP for management interface, 4 oktetter
! MGMTSUBNET Subnet for management interface, 4 oktetter
! MGMTGW Default GW for management nettet, 4 oktetter
! Statiske variabler som oftest er like for alle devicer i et nett, verdier hentes fra data.csv
! DOMAIN Domene, sett net.local om ikke annet finnes
! ROCOMMUNITY snmp-read only community
! RWCOMMUNITY snmp-rw community
! CONTACT snmp contact
! LOCATION snmp location
! ENABLESECRET Passord for enable, kun ved utfall av AAA
! TFTPIP TFTP server IP adresse (For archive av config, software, etc)
! SYSLOGIP Syslog server IP
! RADIUS1 AAA server 1
! RADIUS2 AAA server 2
! RADIUSKEY Radius key
! NTP1 NTP server 1
! NTP2 NTP server 2
#}
{#
! Disse må settes først, før statisk config pastes, setter hostnavn, domene, genererer RSA nøkler for SSH, SNMP, etc.
#}
hostname {{ HOSTNAME }}
vlan {{ MGMTVLAN }}
name MGMTVLAN
interface vlan {{ MGMTVLAN }}
ip address {{ MGMTIP }} {{ MGMTSUBNET }}
no shut
ip default-gateway {{ MGMTGW }}
ip domain-name {{ DOMAIN }}
ip access-list standard ACL-MGMT
description Management ACL, for SNMP, SSH, etc.
permit ip 10.0.0.0 0.255.255.255
permit ip 100.0.0.0 0.255.255.255
snmp-server community {{ ROCOMMUNITY }} RO ACL-MGMT
snmp-server community {{ RWCOMMUNITY }} RW ACL-MGMT
snmp-server contact {{ CONTACT }}
snmp-server location {{ LOCATION }}
snmp-server enable traps
snmp-server ifindex persist
ntp server {{ NTP1 }}
ntp server {{ NTP2 }}
! Passord og brukere for lokal fallback login
no enable password
enable secret {{ ENABLESECRET }}
username local-admin privilege 15 secret {{ ENABLESECRET }}
! AAA med fallback til local ved AAA failure.
aaa new-model
aaa group server radius RADIUSSERVERE
server-private {{ RADIUS1 }} key {{ RADIUSKEY }}
server-private {{ RADIUS2 }} key {{ RADIUSKEY }}
aaa authentication login default group RADIUSSERVERE local enable none
aaa authorization exec default group RADIUSSERVERE local
! Klokke, login, logging
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no logging console
login block-for 300 attempts 10 within 60
login on-failure log
login on-success log
login delay 5
logging buffered 128000 debugging
logging {{ SYSLOGIP }}
logging on
! Set services status
no service pad
service password-encryption
service sequence-numbers
service tcp-keepalives-in
service tcp-keepalives-out
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no ip bootp server
no ip finger
no ip source-route
no ip gratuitous-arp
no ip identd
no ip http server
no ip http secure-server
no ip source-route
! Arkivering av config til flash
! Endre evnt. path
archive
log config
logging enable
logging persistent
notify syslog
hidekeys
path flash:$h-$t.cfg
write-memory
! Enable ssh (Denne tar tid, sjekk at hele config går igjennom)
crypto key generate rsa general mod 1024
ip ssh version 2
! TTY timeouts
line con 0
logging synchronous
exec-timeout 120 0
line vty 0 15
logging synchronous
transport input ssh
exec-timeout 120 0
access-class ACL-MGMT in
! Messages
aaa authentication fail-message %
======================================
Login failed - This is now logged
======================================
%
banner exec %
Connected to $(hostname) on line $(line)
%
banner motd %
===================================
**** IF UNAUTHORIZED, EXIT NOW ****
===================================
===================================================================
This system is for the use of authorized users only. Individuals
using this computer system without authority, or in excess of their
authority, are subject to having all of their activities on this
system monitored and recorded by system personnel.
In the course of monitoring individuals improperly using this
system, or in the course of system maintenance, the activities of
authorized users may also be monitored.
Anyone using this system expressly consents to such monitoring and
is advised that if such monitoring reveals possible evidence of
criminal activity, system personnel may provide the evidence of
such monitoring to law enforcement officials.
===================================================================
%
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
end
write