[Nocrancid] autopop-onenet.net router config diffs
rancid at rancid.noc.onenet.net
rancid at rancid.noc.onenet.net
Mon Mar 3 15:01:10 CST 2014
Index: core.hut.elr.onenet.net
===================================================================
--- core.hut.elr.onenet.net (revision 111319)
+++ core.hut.elr.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ELRENO-MX40> show system commit
+# 2014-03-03 14:57:48 CST by josh via cli commit confirmed, rollback in 5mins
# 2014-02-26 11:12:39 CST by andrew via netconf
# 2014-02-25 19:06:59 CST by rnordmark via cli
# 2014-02-14 09:26:05 CST by jeremyt via cli
# 2014-02-14 08:51:11 CST by donnie via cli
# 2014-01-14 14:28:52 CST by admin via netconf
-# 2013-11-13 10:57:57 CST by joel via cli
# grnoc-mon at ELRENO-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -228,7 +228,7 @@
# grnoc-mon at ELRENO-MX40> show system uptime
# System booted: 2013-06-05 10:30 CDT
# Protocols started: 2013-06-05 10:31 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 14:57 CST by josh
#
# grnoc-mon at ELRENO-MX40> show interface terse
#Interface Admin Link
@@ -294,7 +294,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ELRENO-MX40> show configuration
-## Last commit: 2014-02-26 11:12:39 CST by andrew
+## Last commit: 2014-03-03 14:57:48 CST by josh
version 12.3R2.5;
system {
host-name ELRENO-MX40;
@@ -306,7 +306,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -404,8 +404,7 @@
source-address 164.58.199.150;
}
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
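Review bot: After this hunk `system ntp` is left with a single server, `164.58.3.98`, so `prefer` no longer chooses between anything and the router has no time source at all if that host is unreachable — the commit-log and syslog timestamps that make PROTECT-RE changes auditable then drift. If `164.58.253.82` is being retired (the `164.58.253.4` name-server goes in the same commit), a second server or a `/* */` comment on the `ntp` stanza explaining why one source is acceptable here would help the next reviewer. The same single-server change is made in core7.tul.onenet.net at `@@ -660,8 +660,7 @@`.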
@@ -724,7 +723,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
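Review bot: The apply-path lists introduced here deserve an expansion check before they gate the RE filter, because several patterns are broader or narrower than their names suggest. `PRE-LOCALIPv4-SOURCES` (`interfaces <*> unit <*> family inet address <*>`) will, as far as I recall of Junos apply-path, expand each interface address to its connected subnet, so every host on every attached subnet — customer-facing ones included — then matches OSPF-ALLOW, PIM-ALLOW, BFD-ALLOW and LDP-ALLOW; `PRE-BGP-ALLOW` (`protocols bgp group <*> neighbor <*>`) covers only main-instance neighbors and not any configured under `routing-instances`; and `PRE-SNMP-SOURCES` with `<1*>` silently drops any `snmp client-list snmp-management` entry whose text does not start with `1`. Run `show configuration policy-options | display inheritance` on each box and compare the expansion with the literal lists these replace, and add a comment such as `/* <1*> intentionally limits this to client-list entries starting with 1 -- keep in sync */` next to `PRE-SNMP-SOURCES`. The same list block is added in core1.nor (`@@ -1305,12 +1305,42 @@`), core5.okc (`@@ -1680,6 +1676,42 @@`), core2-okc-mx960 (`@@ -12045,6 +12041,42 @@`) and core7.tul (`@@ -2054,6 +2033,42 @@`).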
@@ -845,112 +879,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
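Review bot: `SYSLOG-ALLOW`, `FTP-ALLOW` and `DOMAIN-ALLOW` match with `port`, which in Junos matches either source or destination port, and carry no `protocol` qualifier, so they read as inbound service allowances but also admit traffic whose *source* port is 514, 21 or 53 to any RE port; if return traffic is the intent (the RE acting as syslog, FTP or DNS client), state that in a `/* */` comment on each term and tighten them with `protocol udp` for syslog, `protocol tcp; tcp-established;` for FTP and `protocol [ udp tcp ]` for domain, otherwise use `destination-port`. `JSPACE-ALLOW` accepts anything from the management list with `source-port 7408`, whereas the `source-port` term it replaces listed `7804`; one of the two looks transposed, and a comment naming the Junos Space service on that port would settle it. `NTP-ALLOW` and `RADIUS-ALLOW` are already protocol-qualified and look right. `filter PROTECT-RE` continues in the following hunks; the same filter body is written in core1.nor (`@@ -1657,46 +1662,86 @@`), core5.okc (`@@ -2130,202 +2234,149 @@`), core2-okc-mx960 (`@@ -12501,46 +12514,86 @@`) and core7.tul, whose PROTECT-RE hunk runs past the end of this excerpt.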
@@ -959,19 +993,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -979,14 +1011,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -994,6 +1033,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
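Review bot: `SERVICES-OUTBOUND` accepts any packet whose source port is 22 or 23 with no source restriction, no `protocol` and no `tcp-established` qualifier, so it is a stateless pass through `DENY-SERVICES-INBOUND` to every RE listener that term does not enumerate, and `DENY_ALL` never sees such traffic. If the intent is return traffic for SSH/telnet sessions the router itself initiates, the term should read `from { protocol tcp; source-port [ ssh telnet ]; tcp-established; }`, with a `/* */` comment stating that intent so it is not widened again. The previous `SERVICES-OUTBOUND` on these boxes was broader still, so this is a narrowing, but the remaining gap is the first thing an audit of PROTECT-RE will flag. The same pair of terms is added in core1.nor (`@@ -1744,26 +1790,25 @@`), core5.okc (`@@ -2130,202 +2234,149 @@`) and core2-okc-mx960 (`@@ -12587,36 +12642,25 @@`).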
Index: core1.nor.onenet.net
===================================================================
--- core1.nor.onenet.net (revision 111316)
+++ core1.nor.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at NORMAN1-MX480-RE0> show system commit
+# 2014-03-03 14:52:53 CST by josh via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:34 CST by andrew via netconf commit synchronize
# 2014-02-25 19:10:13 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:52:52 CST by rnordmark via cli commit synchronize
# 2014-02-24 15:03:56 CST by josh via cli commit synchronize
# 2014-02-24 15:03:34 CST by josh via cli commit synchronize
-# 2014-02-20 08:56:34 CST by rnordmark via cli commit synchronize
# grnoc-mon at NORMAN1-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -319,7 +319,7 @@
# grnoc-mon at NORMAN1-MX480-RE0> show system uptime
# System booted: 2013-04-21 01:54 CDT
# Protocols started: 2013-04-21 01:59 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 14:52 CST by josh
#
# {master}
# grnoc-mon at NORMAN1-MX480-RE0> show interface terse
@@ -458,7 +458,7 @@
#pp0 up up
#tap up up
# grnoc-mon at NORMAN1-MX480-RE0> show configuration
-## Last commit: 2014-02-26 11:12:34 CST by andrew
+## Last commit: 2014-03-03 14:52:53 CST by josh
version 11.4R7.5;
groups {
re0 {
@@ -501,7 +501,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1305,12 +1305,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS {
- 156.110.98.122/32;
- 156.110.99.50/32;
- 156.110.99.51/32;
- 164.58.10.98/32;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
}
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement DEFAULT-EXPORT {
term ACCEPT-DEFAULT {
from {
@@ -1590,54 +1620,29 @@
}
firewall {
family inet {
- filter PROTECT-RE {
- term SERVICES {
+ filter BLOCK-NTP {
+ term 2 {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
- }
- protocol tcp;
- destination-port [ ssh http ];
+ protocol udp;
+ port ntp;
}
- then accept;
- }
- term OSPF-ALLOW {
- from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
- protocol ospf;
+ then {
+ count weather-ntp;
+ discard;
}
- then accept;
}
- term EBGP-ALLOW {
- from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
- protocol tcp;
- port 179;
- }
+ term 3 {
then accept;
}
- term IBGP-ALLOW {
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
@@ -1657,46 +1662,86 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
+ term DOMAIN-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
+ }
+ then accept;
+ }
+ term SYSLOG-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
+ }
+ then accept;
+ }
+ term FTP-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port ftp;
+ }
+ then accept;
+ }
+ term JSPACE-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ source-port 7408;
+ }
+ then accept;
+ }
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1705,23 +1750,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
- then {
- syslog;
- accept;
- }
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
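Review bot: `LDP-ALLOW` loses its `syslog` action here (`then { syslog; accept; }` becomes `then accept;`), and it appears to have been the only PROTECT-RE term on this router that logged what it accepted; none of the other routers' LDP terms log, so this may be deliberate alignment, but the loss of that telemetry should be stated in the change. If log volume was the problem, `then { count ldp-allow; accept; }` keeps a per-term counter visible in `show firewall filter PROTECT-RE` without syslog load. `filter PROTECT-RE` starts and ends outside this hunk.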
@@ -1729,14 +1768,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1744,26 +1790,25 @@
}
then accept;
}
- term DENY_ALL {
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
then {
discard;
}
}
- }
- filter BLOCK-NTP {
- term 2 {
+ term SERVICES-OUTBOUND {
from {
- protocol udp;
- port ntp;
+ source-port [ ssh telnet ];
}
+ then accept;
+ }
+ term DENY_ALL {
then {
- count weather-ntp;
discard;
}
}
- term 3 {
- then accept;
- }
}
}
}
Index: core5.okc.onenet.net
===================================================================
--- core5.okc.onenet.net (revision 111370)
+++ core5.okc.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKC-CORE5-MX480-RE0> show system commit
+# 2014-03-03 14:35:04 CST by rnordmark via cli commit synchronize
+# 2014-03-03 14:33:59 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-26 11:12:34 CST by andrew via netconf commit synchronize
# 2014-02-25 19:09:29 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:54:01 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:52:56 CST by rnordmark via cli commit synchronize
-# 2014-01-18 07:31:35 CST by josh via cli commit synchronize
-# 2014-01-14 21:22:08 CST by joel via cli commit synchronize
# grnoc-mon at OKC-CORE5-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -394,7 +394,7 @@
# grnoc-mon at OKC-CORE5-MX480-RE0> show system uptime
# System booted: 2013-04-14 00:44 CDT
# Protocols started: 2013-04-14 00:45 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 14:35 CST by rnordmark
#
# {master}
# grnoc-mon at OKC-CORE5-MX480-RE0> show interface terse
@@ -586,7 +586,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKC-CORE5-MX480-RE0> show configuration
-## Last commit: 2014-02-26 11:12:34 CST by andrew
+## Last commit: 2014-03-03 14:35:04 CST by rnordmark
version 11.4R7.5;
groups {
re0 {
@@ -629,7 +629,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1648,10 +1648,6 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS {
- 80.67.67.43/32;
- 164.58.5.194/32;
- }
prefix-list MARTIANS-IPV4 {
0.0.0.0/8;
10.0.0.0/8;
@@ -1680,6 +1676,42 @@
164.58.176.44/30;
164.58.243.208/28;
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement COMMODITY-PREFIXES-LIST {
term prefixes {
from {
@@ -2063,54 +2095,126 @@
}
firewall {
family inet {
- filter PROTECT-RE {
- term SERVICES {
+ filter ELRENO {
+ interface-specific;
+ term source-priority {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ HI-PRIORITY;
}
- protocol tcp;
- destination-port [ ssh http ];
}
+ then {
+ forwarding-class video;
+ accept;
+ }
+ }
+ term dest-priority {
+ from {
+ destination-prefix-list {
+ HI-PRIORITY;
+ }
+ }
+ then {
+ forwarding-class video;
+ accept;
+ }
+ }
+ term Minco-Public {
+ from {
+ destination-address {
+ 156.110.67.16/29;
+ 164.58.28.196/30;
+ }
+ }
+ then policer T1-POL;
+ }
+ term ACCEPT-ALL {
then accept;
}
- term OSPF-ALLOW {
+ term REJECT_ALL {
+ then {
+ discard;
+ }
+ }
+ }
+ filter ALTUS {
+ interface-specific;
+ term Mangum-Public {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ destination-address {
+ 156.110.38.192/30;
+ 164.58.144.192/26;
}
- protocol ospf;
}
+ then policer 50M-POL;
+ }
+ term Merrit-Public {
+ from {
+ destination-address {
+ 156.110.70.40/30;
+ 164.58.237.0/26;
+ }
+ }
+ then policer 100M-POL;
+ }
+ term Leedey-Public {
+ from {
+ destination-address {
+ 164.58.8.68/30;
+ 164.58.151.16/28;
+ }
+ }
+ then policer 50M-POL;
+ }
+ term Erick-Public {
+ from {
+ destination-address {
+ 164.58.4.188/30;
+ 164.58.63.240/29;
+ 164.58.156.64/28;
+ }
+ }
+ then policer 10M-POL;
+ }
+ term ACCEPT-ALL {
then accept;
}
- term EBGP-ALLOW {
+ term REJECT_ALL {
+ then {
+ discard;
+ }
+ }
+ }
+ filter FLOW-INFO {
+ term TELEMATE {
from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ source-prefix-list {
+ TELEMATE-CUSTOMERS;
}
- protocol tcp;
- port 179;
+ port [ http ftp nntp https ];
}
+ then {
+ port-mirror;
+ accept;
+ }
+ }
+ term ALL_FLOW {
then accept;
}
- term IBGP-ALLOW {
+ term REJECT_ALL {
+ then {
+ discard;
+ }
+ }
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
@@ -2130,202 +2234,149 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
- term SNMP-ALLOW {
+ term DOMAIN-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
}
- protocol [ tcp udp ];
- port [ snmp snmptrap ];
+ port domain;
}
then accept;
}
- term LDP-ALLOW {
+ term SYSLOG-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- port ldp;
+ port syslog;
}
+ then accept;
}
- term PIM-ALLOW {
+ term FTP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol pim;
+ port ftp;
}
then accept;
}
- term BFD-ALLOW {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port [ 3784 3785 ];
+ source-port 7408;
}
then accept;
}
- term TRACEROUTE-ALLOW {
+ term SNMP-ALLOW {
from {
- protocol udp;
- destination-port 33434-33523;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
+ }
+ protocol [ tcp udp ];
+ port [ snmp snmptrap ];
}
then accept;
}
- term DENY_ALL {
- then {
- discard;
- }
- }
- }
- filter ELRENO {
- interface-specific;
- term source-priority {
+ term LDP-ALLOW {
from {
source-prefix-list {
- HI-PRIORITY;
+ PRE-LDP-SOURCES;
}
+ port ldp;
}
- then {
- forwarding-class video;
- accept;
- }
+ then accept;
}
- term dest-priority {
+ term PIM-ALLOW {
from {
- destination-prefix-list {
- HI-PRIORITY;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
+ protocol pim;
}
- then {
- forwarding-class video;
- accept;
- }
+ then accept;
}
- term Minco-Public {
+ term BFD-ALLOW {
from {
- destination-address {
- 156.110.67.16/29;
- 164.58.28.196/30;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
+ protocol udp;
+ port [ 3784 3785 ];
}
- then policer T1-POL;
- }
- term ACCEPT-ALL {
then accept;
}
- term REJECT_ALL {
- then {
- discard;
- }
- }
- }
- filter ALTUS {
- interface-specific;
- term Mangum-Public {
+ term ICMP-ALLOW {
from {
- destination-address {
- 156.110.38.192/30;
- 164.58.144.192/26;
- }
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
}
- then policer 50M-POL;
+ then accept;
}
- term Merrit-Public {
+ term TRACEROUTE-ALLOW {
from {
- destination-address {
- 156.110.70.40/30;
- 164.58.237.0/26;
- }
+ protocol udp;
+ destination-port 33434-33523;
}
- then policer 100M-POL;
+ then accept;
}
- term Leedey-Public {
+ term DENY-SERVICES-INBOUND {
from {
- destination-address {
- 164.58.8.68/30;
- 164.58.151.16/28;
- }
+ destination-port [ ssh telnet http https snmp ntp domain ];
}
- then policer 50M-POL;
- }
- term Erick-Public {
- from {
- destination-address {
- 164.58.4.188/30;
- 164.58.63.240/29;
- 164.58.156.64/28;
- }
- }
- then policer 10M-POL;
- }
- term ACCEPT-ALL {
- then accept;
- }
- term REJECT_ALL {
then {
discard;
}
}
- }
- filter FLOW-INFO {
- term TELEMATE {
+ term SERVICES-OUTBOUND {
from {
- source-prefix-list {
- TELEMATE-CUSTOMERS;
- }
- port [ http ftp nntp https ];
+ source-port [ ssh telnet ];
}
- then {
- port-mirror;
- accept;
- }
- }
- term ALL_FLOW {
then accept;
}
- term REJECT_ALL {
+ term DENY_ALL {
then {
discard;
}
Index: core2-okc-mx960.onenet.net
===================================================================
--- core2-okc-mx960.onenet.net (revision 111845)
+++ core2-okc-mx960.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKC-CORE2-MX960-RE0> show system commit
+# 2014-03-03 14:41:28 CST by josh via cli commit confirmed, rollback in 1mins synchronize
# 2014-02-26 11:12:39 CST by andrew via netconf commit synchronize
# 2014-02-26 10:09:44 CST by josh via cli commit synchronize
# 2014-02-25 19:09:06 CST by rnordmark via cli commit synchronize
# 2014-02-25 16:46:38 CST by josh via cli commit synchronize
# 2014-02-25 13:05:41 CST by donnie via cli commit synchronize
-# 2014-02-25 10:49:36 CST by rnordmark via cli commit synchronize
# grnoc-mon at OKC-CORE2-MX960-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -428,7 +428,7 @@
# grnoc-mon at OKC-CORE2-MX960-RE0> show system uptime
# System booted: 2013-04-13 23:28 CDT
# Protocols started: 2013-04-13 23:31 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 14:41 CST by josh
#
# {master}
# grnoc-mon at OKC-CORE2-MX960-RE0> show interface terse
@@ -613,7 +613,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKC-CORE2-MX960-RE0> show configuration
-## Last commit: 2014-02-26 11:12:39 CST by andrew
+## Last commit: 2014-03-03 14:41:28 CST by josh
version 11.4R7.5;
groups {
re0 {
@@ -656,7 +656,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1825,10 +1825,6 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS {
- 164.58.17.170/32;
- 164.58.245.250/32;
- }
prefix-list DOH-TIME-SEN-LOW-BW {
/* healthcare-authority */
70.184.28.124/32;
@@ -12045,6 +12041,42 @@
10.0.1.48/29;
172.26.0.0/16;
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement DEFAULT-ONLY-EXPORT {
term ACCEPT-DEFAULT {
from {
@@ -12430,58 +12462,39 @@
then accept;
}
}
- filter PROTECT-RE {
- term SERVICES {
+ filter ABUSE {
+ term VIDEO-ABUSE {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ video-abuse;
}
- protocol tcp;
- destination-port [ ssh http ];
}
- then accept;
+ then {
+ discard;
+ }
}
- term OSPF-ALLOW {
+ term WEBSITE-ABUSE {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 10.11.100.0/24;
- }
source-prefix-list {
- L3VPN-CUSTOMERS;
+ website-abuse;
}
- protocol ospf;
}
- then accept;
+ then {
+ discard;
+ }
}
- term EBGP-ALLOW {
- from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
- protocol tcp;
- port 179;
- }
+ term ACCEPT_ALL {
then accept;
}
- term IBGP-ALLOW {
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
@@ -12501,46 +12514,86 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
+ term DOMAIN-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
+ }
+ then accept;
+ }
+ term SYSLOG-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
+ }
+ then accept;
+ }
+ term FTP-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port ftp;
+ }
+ then accept;
+ }
+ term JSPACE-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ source-port 7408;
+ }
+ then accept;
+ }
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
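Review bot: `OSPF-ALLOW` on this router previously also accepted `10.11.100.0/24` and `source-prefix-list L3VPN-CUSTOMERS` (removed in the preceding hunk, `@@ -12430,58 +12462,39 @@`), and the new term relies on `PRE-LOCALIPv4-SOURCES` alone; `LDP-ALLOW` in the next hunk (`@@ -12549,22 +12602,17 @@`) drops the same `L3VPN-CUSTOMERS` reference in favour of `PRE-LDP-SOURCES`. Whether the apply-path expansion still covers those peers depends on every L3VPN-CUSTOMERS prefix being an interface address on this box; if any were remote or summarised prefixes, those OSPF and LDP adjacencies now fall through to `DENY_ALL`. Confirm with `show configuration policy-options | display inheritance` against the old L3VPN-CUSTOMERS list, and record the reason for dropping the reference in a `/* */` comment on the term. `filter PROTECT-RE` starts and ends outside this hunk.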
@@ -12549,22 +12602,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
source-prefix-list {
- L3VPN-CUSTOMERS;
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -12572,14 +12620,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -12587,36 +12642,25 @@
}
then accept;
}
- term DENY_ALL {
- then {
- discard;
- }
- }
- }
- filter ABUSE {
- term VIDEO-ABUSE {
+ term DENY-SERVICES-INBOUND {
from {
- source-prefix-list {
- video-abuse;
- }
+ destination-port [ ssh telnet http https snmp ntp domain ];
}
then {
discard;
}
}
- term WEBSITE-ABUSE {
+ term SERVICES-OUTBOUND {
from {
- source-prefix-list {
- website-abuse;
- }
+ source-port [ ssh telnet ];
}
+ then accept;
+ }
+ term DENY_ALL {
then {
discard;
}
}
- term ACCEPT_ALL {
- then accept;
- }
}
}
policer 750K-POL {
Index: core7.tul.onenet.net
===================================================================
--- core7.tul.onenet.net (revision 111660)
+++ core7.tul.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TULSA-CORE7-MX480-RE0> show system commit
+# 2014-03-03 14:54:22 CST by rnordmark via cli commit synchronize
+# 2014-03-03 14:53:02 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-27 17:36:41 CST by josh via cli commit confirmed, rollback in 1mins synchronize
# 2014-02-26 11:12:37 CST by andrew via netconf commit synchronize
# 2014-02-25 19:08:20 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:54:48 CST by rnordmark via cli commit synchronize
-# 2014-02-21 11:10:44 CST by rnordmark via cli commit confirmed, rollback in 10mins synchronize
-# 2014-02-21 11:04:59 CST by root via other
# grnoc-mon at TULSA-CORE7-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -357,7 +357,7 @@
# grnoc-mon at TULSA-CORE7-MX480-RE0> show system uptime
# System booted: 2014-01-04 22:25 CST
# Protocols started: 2014-01-04 22:27 CST
-# Last configured: 2014-02-27 17:36 CST by josh
+# Last configured: 2014-03-03 14:54 CST by rnordmark
#
# {master}
# grnoc-mon at TULSA-CORE7-MX480-RE0> show interface terse
@@ -516,7 +516,7 @@
#pp0 up up
#tap up up
# grnoc-mon at TULSA-CORE7-MX480-RE0> show configuration
-## Last commit: 2014-02-27 17:36:41 CST by josh
+## Last commit: 2014-03-03 14:54:22 CST by rnordmark
version 12.3R5.7;
groups {
re0 {
@@ -560,7 +560,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -660,8 +660,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -1883,26 +1882,6 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS {
- 38.104.198.69/32;
- 64.57.21.161/32;
- 64.57.21.165/32;
- 74.200.189.41/32;
- 156.110.202.158/32;
- 164.58.7.50/32;
- 164.58.18.2/32;
- 164.58.245.246/32;
- 164.113.216.137/32;
- 164.113.254.229/32;
- 164.113.254.249/32;
- 164.113.255.13/32;
- 198.71.47.113/32;
- 198.71.47.117/32;
- 198.71.47.121/32;
- 198.71.47.125/32;
- 198.129.77.53/32;
- 216.56.50.65/32;
- }
prefix-list MARTIANS-IPV4 {
0.0.0.0/8;
10.0.0.0/8;
@@ -2054,6 +2033,42 @@
216.38.92.0/24;
216.38.93.0/24;
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement COMMODITY-PREFIXES-LIST {
term prefixes {
from {
@@ -3237,54 +3252,47 @@
}
firewall {
family inet {
- filter PROTECT-RE {
- term SERVICES {
+ filter FLOW-INFO {
+ term TELEMATE {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ TELEMATE-CUSTOMERS;
}
- protocol tcp;
- destination-port [ ssh http ];
+ port [ http ftp nntp https ];
}
+ then {
+ port-mirror;
+ accept;
+ }
+ }
+ term ACCEPT-ALL {
then accept;
}
- term OSPF-ALLOW {
+ }
+ filter ABUSE-BCP38-INBOUND {
+ term 1 {
from {
source-address {
- 164.58.199.0/24;
164.58.0.0/16;
156.110.0.0/16;
}
- protocol ospf;
}
- then accept;
+ then {
+ discard;
+ }
}
- term EBGP-ALLOW {
- from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
- protocol tcp;
- port 179;
- }
+ term 2 {
then accept;
}
- term IBGP-ALLOW {
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
@@ -3304,46 +3312,86 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
+ term DOMAIN-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
+ }
+ then accept;
+ }
+ term SYSLOG-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
+ }
+ then accept;
+ }
+ term FTP-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port ftp;
+ }
+ then accept;
+ }
+ term JSPACE-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ source-port 7408;
+ }
+ then accept;
+ }
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
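Review bot: JSPACE-ALLOW matches `source-port 7408` while the line it replaces listed `7804`; the digits look transposed, and 7804 is the port Junos Space uses for device-initiated management sessions, so please confirm which value is intended before the term silently stops matching. DOMAIN-ALLOW, SYSLOG-ALLOW, FTP-ALLOW and JSPACE-ALLOW also match on `port`/`source-port` with no `protocol` condition, unlike RADIUS-ALLOW and NTP-ALLOW in the same hunk; Junos does not restrict a bare port match to TCP/UDP and recommends pairing it with `protocol`, so each of these should carry `protocol tcp;` or `protocol [ tcp udp ];`. `port` also matches in either direction, so `port syslog` and `port ftp` from PRE-MGMT-SOURCES admit inbound connections to those ports as well as replies; `source-port` is the tighter form if only replies are wanted. The same terms appear in L2223–L2459, L2549–L2718, L2911–L3082 and L3249–L3418.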
@@ -3352,19 +3400,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -3372,14 +3418,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -3387,44 +3440,25 @@
}
then accept;
}
- term DENY_ALL {
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
then {
discard;
}
}
- }
- filter FLOW-INFO {
- term TELEMATE {
+ term SERVICES-OUTBOUND {
from {
- source-prefix-list {
- TELEMATE-CUSTOMERS;
- }
- port [ http ftp nntp https ];
+ source-port [ ssh telnet ];
}
- then {
- port-mirror;
- accept;
- }
- }
- term ACCEPT-ALL {
then accept;
}
- }
- filter ABUSE-BCP38-INBOUND {
- term 1 {
- from {
- source-address {
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
- }
+ term DENY_ALL {
then {
discard;
}
}
- term 2 {
- then accept;
- }
}
}
}
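Review bot: SERVICES-OUTBOUND accepts any packet whose source port is 22 or 23 with no `protocol`, destination-port or TCP-flag condition, so traffic carrying source port 22 reaches every RE service that DENY-SERVICES-INBOUND does not list (BGP, LDP, RADIUS and the rest); since the term exists to admit replies to the router's own SSH/telnet sessions, `protocol tcp; tcp-established;` (or a `destination-port 1024-65535` bound) closes that path. Neither DENY-SERVICES-INBOUND nor DENY_ALL counts or logs what it discards, so a scan or a lockout caused by a missing prefix-list entry leaves no trace; adding `count` to each discard (and `syslog` on DENY-SERVICES-INBOUND) keeps the evidence. The same terms are added in L2223–L2459, L2768–L2788, L3138–L3158 and L3468–L3488.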
Index: core1.okc-mx960.onenet.net
===================================================================
--- core1.okc-mx960.onenet.net (revision 111370)
+++ core1.okc-mx960.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKC-CORE1-MX960-RE0> show system commit
+# 2014-03-03 14:49:32 CST by andrew via cli commit synchronize
+# 2014-03-03 14:43:13 CST by andrew via cli commit confirmed, rollback in 2mins synchronize
+# 2014-03-03 14:40:28 CST by andrew via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:39 CST by andrew via netconf commit synchronize
# 2014-02-26 10:09:13 CST by josh via cli commit synchronize
# 2014-02-25 19:08:58 CST by rnordmark via cli commit synchronize
-# 2014-02-25 10:51:26 CST by joel via cli commit synchronize
-# 2014-02-24 17:53:30 CST by rnordmark via cli commit synchronize
-# 2014-02-21 14:22:37 CST by josh via cli commit synchronize
# grnoc-mon at OKC-CORE1-MX960-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -480,7 +480,7 @@
# grnoc-mon at OKC-CORE1-MX960-RE0> show system uptime
# System booted: 2013-04-13 23:52 CDT
# Protocols started: 2013-04-13 23:53 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 14:49 CST by andrew
#
# {master}
# grnoc-mon at OKC-CORE1-MX960-RE0> show interface terse
@@ -704,7 +704,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKC-CORE1-MX960-RE0> show configuration
-## Last commit: 2014-02-26 11:12:39 CST by andrew
+## Last commit: 2014-03-03 14:49:32 CST by andrew
version 11.4R7.5;
groups {
re0 {
@@ -747,7 +747,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -2229,11 +2229,6 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS {
- 164.58.17.166/32;
- 164.58.87.16/32;
- 164.58.245.254/32;
- }
prefix-list EBGP-REJECT-EXPORT;
prefix-list MARTIANS-IPV4 {
0.0.0.0/8;
@@ -12393,6 +12388,42 @@
172.23.49.180/32;
172.23.49.181/32;
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement COMMODITY-PREFIXES-LIST {
term prefixes {
from {
@@ -12838,55 +12869,80 @@
then accept;
}
}
- filter PROTECT-RE {
- term SERVICES {
+ filter ABUSE {
+ term VIDEO-ABUSE {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.69.122/32;
- 164.58.244.0/22;
+ source-prefix-list {
+ video-abuse;
}
- protocol tcp;
- destination-port [ ssh http ];
}
+ then {
+ discard;
+ }
+ }
+ term WEBSITE-ABUSE {
+ from {
+ source-prefix-list {
+ website-abuse;
+ }
+ }
+ then {
+ discard;
+ }
+ }
+ term ACCEPT_ALL {
then accept;
}
- term OSPF-ALLOW {
+ }
+ filter BLOCK-NTP {
+ term 0.5 {
from {
source-address {
- 164.58.199.0/24;
+ 164.58.68.0/24;
+ 164.58.109.250/32;
+ }
+ protocol udp;
+ port ntp;
+ }
+ then {
+ discard;
+ }
+ }
+ term 1 {
+ from {
+ source-address {
+ 156.110.0.0/16;
164.58.0.0/16;
- 156.110.0.0/16;
+ 140.182.45.75/32;
+ 192.12.206.228/32;
+ 129.79.5.100/32;
}
- protocol ospf;
+ protocol udp;
+ port ntp;
}
then accept;
}
- term EBGP-ALLOW {
+ term 2 {
from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
- protocol tcp;
- port 179;
+ protocol udp;
+ port ntp;
}
+ then {
+ discard;
+ }
+ }
+ term 3 {
then accept;
}
- term IBGP-ALLOW {
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
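Review bot: The removed SERVICES source list on this device included 164.58.69.122/32, but PRE-MGMT-SOURCES (L2073–L2083) does not, so that host loses SSH access to this RE with this commit. If the omission is deliberate a short note in the commit would help; otherwise add the /32 to PRE-MGMT-SOURCES here. Filter order within `family inet` has no effect on evaluation, so moving ABUSE and BLOCK-NTP ahead of PROTECT-RE is cosmetic.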
@@ -12906,163 +12962,153 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
- then {
- count SERVICES-OUTBOUND-COUNTER;
- accept;
- }
+ then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
- term SNMP-ALLOW {
+ term DOMAIN-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
}
- protocol [ tcp udp ];
- port [ snmp snmptrap ];
+ port domain;
}
then accept;
}
- term LDP-ALLOW {
+ term SYSLOG-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- port ldp;
+ port syslog;
}
+ then accept;
}
- term PIM-ALLOW {
+ term FTP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol pim;
+ port ftp;
}
then accept;
}
- term BFD-ALLOW {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port [ 3784 3785 ];
+ source-port 7408;
}
then accept;
}
- term TRACEROUTE-ALLOW {
+ term SNMP-ALLOW {
from {
- protocol udp;
- destination-port 33434-33523;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
+ }
+ protocol [ tcp udp ];
+ port [ snmp snmptrap ];
}
then accept;
}
- term DENY_ALL {
- then {
- discard;
- }
- }
- }
- filter ABUSE {
- term VIDEO-ABUSE {
+ term LDP-ALLOW {
from {
source-prefix-list {
- video-abuse;
+ PRE-LDP-SOURCES;
}
+ port ldp;
}
- then {
- discard;
- }
+ then accept;
}
- term WEBSITE-ABUSE {
+ term PIM-ALLOW {
from {
source-prefix-list {
- website-abuse;
+ PRE-LOCALIPv4-SOURCES;
}
+ protocol pim;
}
- then {
- discard;
- }
- }
- term ACCEPT_ALL {
then accept;
}
- }
- filter BLOCK-NTP {
- term 0.5 {
+ term BFD-ALLOW {
from {
- source-address {
- 164.58.68.0/24;
- 164.58.109.250/32;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
- port ntp;
+ port [ 3784 3785 ];
}
- then {
- discard;
+ then accept;
+ }
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
}
+ then accept;
}
- term 1 {
+ term TRACEROUTE-ALLOW {
from {
- source-address {
- 156.110.0.0/16;
- 164.58.0.0/16;
- 140.182.45.75/32;
- 192.12.206.228/32;
- 129.79.5.100/32;
- }
protocol udp;
- port ntp;
+ destination-port 33434-33523;
}
then accept;
}
- term 2 {
+ term DENY-SERVICES-INBOUND {
from {
- protocol udp;
- port ntp;
+ destination-port [ ssh telnet http https snmp ntp domain ];
}
then {
discard;
}
}
- term 3 {
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
then accept;
}
+ term DENY_ALL {
+ then {
+ discard;
+ }
+ }
}
}
filter DOH-COS {
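Review bot: The `count SERVICES-OUTBOUND-COUNTER` action on the old SERVICES-OUTBOUND term is dropped and neither the new term nor the new discard terms (DENY-SERVICES-INBOUND, DENY_ALL) carry a counter, so the one PROTECT-RE counter this device had for spotting unexpected traffic disappears. Re-adding `count` to those three terms costs nothing and keeps `show firewall filter PROTECT-RE` useful during an incident.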
Index: core2.tul-mx960.onenet.net
===================================================================
--- core2.tul-mx960.onenet.net (revision 111335)
+++ core2.tul-mx960.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TULSA-CORE2-MX960-RE0> show system commit
+# 2014-03-03 14:34:32 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:25 CST by andrew via netconf commit synchronize
# 2014-02-25 19:09:45 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:54:19 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:53:12 CST by rnordmark via cli commit synchronize
# 2013-12-22 04:18:34 CST by admin via cli commit synchronize
-# 2013-12-21 22:05:34 CST by rnordmark via cli commit synchronize
# grnoc-mon at TULSA-CORE2-MX960-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -376,7 +376,7 @@
# grnoc-mon at TULSA-CORE2-MX960-RE0> show system uptime
# System booted: 2013-04-28 00:00 CDT
# Protocols started: 2013-04-28 00:02 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 14:34 CST by jeremyt
#
# {master}
# grnoc-mon at TULSA-CORE2-MX960-RE0> show interface terse
@@ -507,7 +507,7 @@
#pp0 up up
#tap up up
# grnoc-mon at TULSA-CORE2-MX960-RE0> show configuration
-## Last commit: 2014-02-26 11:12:25 CST by andrew
+## Last commit: 2014-03-03 14:34:32 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -550,7 +550,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1386,7 +1386,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1571,112 +1606,112 @@
}
}
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
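Review bot: FIRST-FRAG and NEXT-FRAG move from after IBGP-ALLOW to directly after SSH-ALLOW, so fragmented OSPF packets — which the old order accepted via `protocol ospf` before reaching the fragment discards — are now dropped before OSPF-ALLOW is evaluated. OSPF can rely on IP fragmentation for an update carrying an LSA larger than the link MTU, so a neighbor with a large database could fail to synchronise with no log line from the filter; either keep the fragment terms after the routing-protocol terms or verify adjacencies after commit. Adding `count` to both discard terms would make such a drop visible. The same reorder is in L2911–L3082 and L3249–L3418.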
@@ -1685,19 +1720,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1705,14 +1738,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1720,6 +1760,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.ard.onenet.net
===================================================================
--- hub.ard.onenet.net (revision 111926)
+++ hub.ard.onenet.net (working copy)
@@ -340,8 +340,8 @@
#t1-2/0/3:6 up up
#t1-2/0/3:6.0 up up
#t1-2/0/3:7 up down
-#t1-2/0/3:8 up up
-#t1-2/0/3:8.0 up up
+#t1-2/0/3:8 up down
+#t1-2/0/3:8.0 up down
#t1-2/0/3:9 up down
#t1-2/0/3:10 up up
#t1-2/0/3:10.0 up up
Index: core5.tul.onenet.net
===================================================================
--- core5.tul.onenet.net (revision 111386)
+++ core5.tul.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TULSA-CORE5-MX480-RE0> show system commit
+# 2014-03-03 14:48:15 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 14:21:30 CST by andrew via netconf commit synchronize
# 2014-02-26 11:23:07 CST by joel via cli commit synchronize
# 2014-02-26 11:03:34 CST by joel via cli commit synchronize
# 2014-02-25 19:10:05 CST by rnordmark via cli commit synchronize
# 2014-02-25 19:05:39 CST by rnordmark via cli commit synchronize
-# 2014-02-24 17:54:40 CST by rnordmark via cli commit synchronize
# grnoc-mon at TULSA-CORE5-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -379,7 +379,7 @@
# grnoc-mon at TULSA-CORE5-MX480-RE0> show system uptime
# System booted: 2013-04-27 23:43 CDT
# Protocols started: 2013-04-27 23:45 CDT
-# Last configured: 2014-02-26 14:21 CST by andrew
+# Last configured: 2014-03-03 14:48 CST by jeremyt
#
# {master}
# grnoc-mon at TULSA-CORE5-MX480-RE0> show interface terse
@@ -561,7 +561,7 @@
#pp0 up up
#tap up up
# grnoc-mon at TULSA-CORE5-MX480-RE0> show configuration
-## Last commit: 2014-02-26 14:21:30 CST by andrew
+## Last commit: 2014-03-03 14:48:15 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -604,7 +604,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1985,18 +1985,6 @@
205.143.136.0/21;
205.143.216.0/21;
}
- prefix-list EBGP-IPV4-NEIGHBORS {
- 38.104.198.69/32;
- 64.57.21.17/32;
- 137.164.131.213/32;
- 137.164.131.217/32;
- 156.110.3.250/32;
- 164.58.12.254/32;
- 164.58.199.114/32;
- 164.58.245.86/32;
- 164.58.245.142/32;
- 164.113.255.13/32;
- }
prefix-list MARTIANS-IPV4 {
0.0.0.0/8;
10.0.0.0/8;
@@ -2027,6 +2015,42 @@
10.0.1.42/32;
10.0.3.80/28;
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement COMMODITY-PREFIXES-LIST {
term prefixes {
from {
@@ -2999,115 +3023,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
source-prefix-list {
- L3VPN-CUSTOMERS;
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
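Review bot: OSPF-ALLOW drops the L3VPN-CUSTOMERS prefix-list in favour of PRE-LOCALIPv4-SOURCES, and LDP-ALLOW does the same in L3083–L3109; that preserves reachability only if every L3VPN OSPF/LDP peer sits on a directly connected subnet of this router. OSPF sham links and targeted LDP sessions are sourced from loopback addresses that no interface subnet covers, so any such peer would now fall through to DENY_ALL. If those exist, keep `L3VPN-CUSTOMERS;` in the `source-prefix-list` alongside PRE-LOCALIPv4-SOURCES; if not, and the list is no longer referenced elsewhere, removing it from policy-options avoids confusion later.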
@@ -3116,22 +3137,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
source-prefix-list {
- L3VPN-CUSTOMERS;
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -3139,22 +3155,18 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
- term MSDP-ALLOW {
+ term ICMP-ALLOW {
from {
- source-address {
- 164.58.10.20/32;
- 156.110.202.158/32;
- 164.113.255.13/32;
- }
- port msdp;
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
}
then accept;
}
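Review bot: MSDP-ALLOW is removed and nothing else in PROTECT-RE matches `port msdp`, so sessions from the three former peers (164.58.10.20, 156.110.202.158, 164.113.255.13) will hit DENY_ALL unless the `protocols msdp` stanza was also removed in a part of the config this diff does not show. If MSDP is still configured, a term whose `source-prefix-list` is built by `apply-path "protocols msdp peer <*>"` would keep the peer set in sync the way PRE-BGP-ALLOW does for BGP. The ICMP-ALLOW term that takes its place accepts without a policer; the ICMP-POL filter at L3599–L3605 appears to be the rate-limited form used on core4.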
@@ -3165,6 +3177,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core1.tul-mx960.onenet.net
===================================================================
--- core1.tul-mx960.onenet.net (revision 111323)
+++ core1.tul-mx960.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TULSA-CORE1-MX960-RE0> show system commit
+# 2014-03-03 14:55:43 CST by jeremyt via cli commit synchronize
+# 2014-03-03 14:54:15 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:39 CST by andrew via netconf commit synchronize
# 2014-02-25 19:09:38 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:54:11 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:53:06 CST by rnordmark via cli commit synchronize
-# 2013-12-17 13:03:43 CST by jeremyt via cli commit synchronize
-# 2013-12-16 12:59:51 CST by jeremyt via cli commit synchronize
# grnoc-mon at TULSA-CORE1-MX960-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -391,7 +391,7 @@
# grnoc-mon at TULSA-CORE1-MX960-RE0> show system uptime
# System booted: 2013-04-27 23:12 CDT
# Protocols started: 2013-04-27 23:14 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 14:55 CST by jeremyt
#
# {master}
# grnoc-mon at TULSA-CORE1-MX960-RE0> show interface terse
@@ -537,7 +537,7 @@
#pp0 up up
#tap up up
# grnoc-mon at TULSA-CORE1-MX960-RE0> show configuration
-## Last commit: 2014-02-26 11:12:39 CST by andrew
+## Last commit: 2014-03-03 14:55:43 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -580,7 +580,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1639,7 +1639,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1834,112 +1869,112 @@
}
}
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1948,19 +1983,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1968,14 +2001,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1983,6 +2023,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core4.okc.onenet.net
===================================================================
--- core4.okc.onenet.net (revision 111779)
+++ core4.okc.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKC-CORE4-MX480-RE0> show system commit
+# 2014-03-03 14:55:46 CST by andrew via cli commit confirmed, rollback in 5mins synchronize
# 2014-03-01 11:13:42 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# 2014-03-01 11:07:28 CST by root via other
# 2014-03-01 11:06:01 CST by jeremyt via cli commit confirmed, rollback in 1mins synchronize
# 2014-03-01 11:04:08 CST by jeremyt via cli commit synchronize
# 2014-03-01 10:21:12 CST by jeremyt via cli commit synchronize
-# 2014-02-27 15:59:28 CST by josh via cli commit confirmed, rollback in 1mins synchronize
# grnoc-mon at OKC-CORE4-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -391,7 +391,7 @@
# grnoc-mon at OKC-CORE4-MX480-RE0> show system uptime
# System booted: 2013-04-14 01:08 CDT
# Protocols started: 2013-04-14 01:10 CDT
-# Last configured: 2014-03-01 11:13 CST by jeremyt
+# Last configured: 2014-03-03 14:55 CST by andrew
#
# grnoc-mon at OKC-CORE4-MX480-RE0> show interface terse
#Interface Admin Link
@@ -624,7 +624,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKC-CORE4-MX480-RE0> show configuration
-## Last commit: 2014-03-01 11:13:42 CST by jeremyt
+## Last commit: 2014-03-03 14:55:46 CST by andrew
version 11.4R7.5;
groups {
re0 {
@@ -671,7 +671,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
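Review bot: Swapping name-server 164.58.253.4 for 164.58.198.10 also changes which hosts may exchange port-53 traffic with the RE, because DOMAIN-ALLOW in the rewritten PROTECT-RE is derived from PRE-DNS-SOURCES (`apply-path "system name-server <*>"`); this hunk is therefore a control-plane filter change as well as a resolver change. Worth confirming that 164.58.198.10 is the intended resolver and that nothing still expects 164.58.253.4 to reach the RE. The same swap is made on core1.dc, hub.ton, hub.wil and core3.okc-m120.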
@@ -2594,15 +2594,6 @@
224.0.0.0/4;
240.0.0.0/4;
}
- prefix-list EBGP-IPV4-NEIGHBORS {
- 65.115.192.17/32;
- 156.110.24.98/32;
- 156.110.27.98/32;
- 164.58.5.178/32;
- 164.58.5.194/32;
- 164.58.63.78/32;
- 164.58.87.16/32;
- }
prefix-list TELEMATE-CUSTOMERS {
156.110.46.96/30;
156.110.47.32/29;
@@ -2664,6 +2655,42 @@
222.0.0.0/8;
223.0.0.0/8;
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement COMMODITY-PREFIXES-LIST {
term prefixes {
from {
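Review bot: PRE-BGP-ALLOW is built from `protocols bgp group <*> neighbor <*>`, which covers only main-instance neighbours; any BGP session configured under `routing-instances <*> protocols bgp` would fall through PROTECT-RE's BGP-ALLOW to DENY_ALL, so if such sessions exist add a second prefix-list with `apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>";` and reference it from BGP-ALLOW (a prefix-list takes a single apply-path). PRE-SNMP-SOURCES globs `snmp client-list snmp-management <1*>`, so any client-list entry not beginning with "1" (the PRE-MGMT-SOURCES block here has 64.x and 66.x hosts) is silently excluded from SNMP-ALLOW; `<*>` is safer unless that restriction is deliberate. PRE-LOCALIPv4-SOURCES expands to the connected subnet of each interface address rather than the router's own addresses, which is wider than its name suggests and worth a comment; the result can be checked with `show configuration policy-options prefix-list PRE-LOCALIPv4-SOURCES | display inheritance`. The identical prefix-list block is added to core1.dc, hub.ton, hub.wil and core3.okc-m120.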
@@ -3395,57 +3422,118 @@
}
}
}
- filter PROTECT-RE {
- term SERVICES {
+ filter ICMP-POL {
+ term ICMP {
from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then policer ICMP-10M-POL;
+ }
+ term UDP-DNS {
+ from {
+ protocol udp;
+ port 53;
+ }
+ then policer ICMP-10M-POL;
+ }
+ term ACCEPT-ALL {
+ then accept;
+ }
+ }
+ filter OSUOKC_DOS {
+ term 1 {
+ from {
source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ 122.136.0.0/13;
+ 88.227.0.0/16;
+ 210.51.38.0/24;
}
- protocol tcp;
- destination-port [ ssh http ];
}
+ then {
+ discard;
+ }
+ }
+ term 2 {
then accept;
}
- term OSPF-ALLOW {
+ }
+ filter NPS-POL {
+ term ICMP {
from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then policer ICMP-10M-POL;
+ }
+ term NPS-DNS-SERVER {
+ from {
+ destination-address {
+ 164.58.68.175/32;
+ }
+ }
+ then accept;
+ }
+ term UDP-DNS {
+ from {
+ protocol udp;
+ port [ 53 0 ];
+ }
+ then policer ICMP-10M-POL;
+ }
+ term 1GIG {
+ then policer 1G-POL;
+ }
+ term ACCEPT-ALL {
+ then accept;
+ }
+ }
+ filter ABUSE-BCP38-INBOUND {
+ term 1 {
+ from {
source-address {
- 164.58.199.0/24;
164.58.0.0/16;
156.110.0.0/16;
}
- source-prefix-list {
- L3VPN-CUSTOMERS;
- }
- protocol ospf;
}
+ then {
+ discard;
+ }
+ }
+ term 2 {
then accept;
}
- term EBGP-ALLOW {
+ }
+ filter BLOCK-PORT-19 {
+ term 1 {
from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
+ protocol udp;
+ port 19;
+ }
+ then {
+ discard;
+ }
+ }
+ term 2 {
+ from {
protocol tcp;
- port 179;
}
+ then {
+ discard;
+ }
+ }
+ term 3 {
then accept;
}
- term IBGP-ALLOW {
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
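Review bot: SSH-ALLOW narrows the old SERVICES term's `destination-port [ ssh http ]` to `destination-port ssh`, so HTTP to the RE from PRE-MGMT-SOURCES is no longer admitted and will be discarded further down the filter. Confirm that J-Web is not relied on for management, and if `system services web-management` is enabled on this device, remove it too so the listener is not left running behind the filter; if HTTP management is still needed, `destination-port [ ssh http ];` restores the previous reach while keeping the prefix-list restriction. The remaining PROTECT-RE terms continue in the next hunk.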
@@ -3465,201 +3553,153 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
- term SNMP-ALLOW {
+ term DOMAIN-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
}
- protocol [ tcp udp ];
- port [ snmp snmptrap ];
+ port domain;
}
then accept;
}
- term LDP-ALLOW {
+ term SYSLOG-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
source-prefix-list {
- L3VPN-CUSTOMERS;
+ PRE-MGMT-SOURCES;
}
- port ldp;
+ port syslog;
}
+ then accept;
}
- term PIM-ALLOW {
+ term FTP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol pim;
+ port ftp;
}
then accept;
}
- term BFD-ALLOW {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port [ 3784 3785 ];
+ source-port 7408;
}
then accept;
}
- term TRACEROUTE-ALLOW {
+ term SNMP-ALLOW {
from {
- protocol udp;
- destination-port 33434-33523;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
+ }
+ protocol [ tcp udp ];
+ port [ snmp snmptrap ];
}
then accept;
}
- term DENY_ALL {
- then {
- discard;
- }
- }
- }
- filter ICMP-POL {
- term ICMP {
+ term LDP-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LDP-SOURCES;
+ }
+ port ldp;
}
- then policer ICMP-10M-POL;
+ then accept;
}
- term UDP-DNS {
+ term PIM-ALLOW {
from {
- protocol udp;
- port 53;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol pim;
}
- then policer ICMP-10M-POL;
- }
- term ACCEPT-ALL {
then accept;
}
- }
- filter OSUOKC_DOS {
- term 1 {
+ term BFD-ALLOW {
from {
- source-address {
- 122.136.0.0/13;
- 88.227.0.0/16;
- 210.51.38.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
+ protocol udp;
+ port [ 3784 3785 ];
}
- then {
- discard;
- }
- }
- term 2 {
then accept;
}
- }
- filter NPS-POL {
- term ICMP {
+ term ICMP-ALLOW {
from {
protocol icmp;
icmp-type [ echo-reply echo-request unreachable time-exceeded ];
}
- then policer ICMP-10M-POL;
- }
- term NPS-DNS-SERVER {
- from {
- destination-address {
- 164.58.68.175/32;
- }
- }
then accept;
}
- term UDP-DNS {
+ term TRACEROUTE-ALLOW {
from {
protocol udp;
- port [ 53 0 ];
+ destination-port 33434-33523;
}
- then policer ICMP-10M-POL;
- }
- term 1GIG {
- then policer 1G-POL;
- }
- term ACCEPT-ALL {
then accept;
}
- }
- filter ABUSE-BCP38-INBOUND {
- term 1 {
+ term DENY-SERVICES-INBOUND {
from {
- source-address {
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
+ destination-port [ ssh telnet http https snmp ntp domain ];
}
then {
discard;
}
}
- term 2 {
- then accept;
- }
- }
- filter BLOCK-PORT-19 {
- term 1 {
+ term SERVICES-OUTBOUND {
from {
- protocol udp;
- port 19;
+ source-port [ ssh telnet ];
}
- then {
- discard;
- }
+ then accept;
}
- term 2 {
- from {
- protocol tcp;
- }
+ term DENY_ALL {
then {
discard;
}
}
- term 3 {
- then accept;
- }
}
}
policer 200M-POL {
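Review bot: JSPACE-ALLOW matches `source-port 7408`, but the SERVICES-OUTBOUND term it replaces listed 7804, the port Junos Space uses for device-initiated management connections; 7408 looks like a digit transposition that would send Space traffic to DENY_ALL, so it should read `source-port 7804;` if Junos Space is the intent. The term also carries no `protocol tcp;` match and, like FTP-ALLOW and SYSLOG-ALLOW, depends on PRE-MGMT-SOURCES alone, so a protocol match would tighten all three. The same 7408 value appears in the core1.dc, hub.ton and hub.wil rewrites. PROTECT-RE's SSH-ALLOW and opening lie in the previous hunk.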
Index: core1.dc.onenet.net
===================================================================
--- core1.dc.onenet.net (revision 111857)
+++ core1.dc.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at MX480_DC_01_RE0> show system commit
+# 2014-03-03 14:40:54 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-26 11:12:37 CST by andrew via netconf commit synchronize
# 2014-02-26 07:17:21 CST by josh via cli commit synchronize
# 2014-02-25 19:08:36 CST by rnordmark via cli commit synchronize
# 2014-02-25 11:25:26 CST by josh via cli commit synchronize
# 2014-02-19 10:02:08 CST by josh via cli commit synchronize
-# 2014-02-17 16:37:28 CST by rnordmark via cli commit synchronize
# grnoc-mon at MX480_DC_01_RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -429,7 +429,7 @@
# grnoc-mon at MX480_DC_01_RE0> show system uptime
# System booted: 2013-12-22 03:20 CST
# Protocols started: 2013-12-22 03:22 CST
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 14:40 CST by rnordmark
#
# {master}
# grnoc-mon at MX480_DC_01_RE0> show interface terse
@@ -858,7 +858,7 @@
#pp0 up up
#tap up up
# grnoc-mon at MX480_DC_01_RE0> show configuration
-## Last commit: 2014-02-26 11:12:37 CST by andrew
+## Last commit: 2014-03-03 14:40:54 CST by rnordmark
version 12.3R3.4;
groups {
re0 {
@@ -941,7 +941,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1039,8 +1039,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
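Review bot: Removing `server 164.58.253.82 prefer` leaves this RE with a single NTP server, and because NTP-ALLOW in the rewritten PROTECT-RE is built from PRE-NTP-SOURCES (`apply-path "system ntp server <*>"`), the filter will also stop accepting NTP from 164.58.253.82; if that host is still meant to serve time it must remain under `ntp` rather than be admitted another way. A single time source also leaves this device's log timestamps with no fallback if 164.58.3.98 is unreachable, which matters for correlating events across the fleet. The same reduction is made on core3.okc-m120.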
@@ -3111,7 +3110,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement ISIS-STATICS {
term 1 {
from {
@@ -3277,64 +3311,130 @@
}
firewall {
family inet {
- filter PROTECT-RE {
- term SERVICES {
+ filter OSU-SAN-MGMT {
+ term PERMIT {
from {
source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
+ 139.78.3.60/32;
+ }
+ protocol tcp;
+ destination-port 3033;
+ }
+ then accept;
+ }
+ term REJECT {
+ then {
+ discard;
+ }
+ }
+ }
+ filter Lock-Down-Voice-Srvs {
+ term hosts {
+ from {
+ source-address {
+ 156.110.82.38/32;
+ 164.58.69.34/32;
+ 164.58.69.124/32;
+ 156.110.27.34/32;
+ 204.61.1.84/32;
+ 204.61.1.85/32;
+ 164.58.73.62/32;
+ 164.58.233.202/32;
+ 164.58.221.150/32;
+ 164.58.245.58/32;
+ 156.110.27.38/32;
+ 156.110.27.26/32;
+ 164.58.144.138/32;
+ }
+ }
+ then accept;
+ }
+ term https {
+ from {
+ destination-address {
+ 164.58.153.0/25;
+ }
+ destination-port https;
+ }
+ then accept;
+ }
+ term ranges {
+ from {
+ source-address {
164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ 164.58.250.0/24;
+ 164.58.26.84/30;
+ 172.16.1.0/24;
+ 156.110.26.144/30;
+ 156.110.26.184/30;
+ 164.58.245.56/30;
+ 164.58.244.216/30;
+ 164.58.244.220/30;
+ 156.110.27.144/30;
10.0.0.0/8;
+ 156.110.215.48/29;
+ 164.58.19.216/29;
}
- protocol tcp;
- destination-port [ ssh http ];
}
then accept;
}
- term OSPF-ALLOW {
+ term OneNet {
from {
source-address {
- 164.58.199.0/24;
164.58.0.0/16;
156.110.0.0/16;
- 10.199.199.0/24;
- 10.199.198.0/24;
}
- protocol ospf;
}
then accept;
}
- term BFD {
+ }
+ filter MIRROR-PACKETS {
+ term ICMP-Turbo {
from {
- protocol udp;
- destination-port [ 3784 4784 ];
+ source-address {
+ 164.58.253.0/24;
+ }
+ protocol icmp;
}
- then accept;
+ then {
+ accept;
+ dscp ef;
+ }
}
- term EBGP-ALLOW {
+ term all {
+ then {
+ port-mirror;
+ accept;
+ }
+ }
+ }
+ filter CONTENT-FILTER {
+ term HTTP {
from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
protocol tcp;
- port 179;
+ port [ http https ];
}
+ then {
+ routing-instance ONENET-CONTENT-FILTER-L3VPN;
+ }
+ }
+ term ACCEPT-ALL {
then accept;
}
- term IBGP-ALLOW {
+ }
+ filter COLLECT-MIRROR-PACKETS {
+ term default {
+ then next-hop-group default-collectors;
+ }
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
@@ -3354,220 +3454,154 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
- term SNMP-ALLOW {
+ term DOMAIN-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
}
- protocol [ tcp udp ];
- port [ snmp snmptrap ];
+ port domain;
}
then accept;
}
- term LDP-ALLOW {
+ term SYSLOG-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 10.199.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- port ldp;
+ port syslog;
}
+ then accept;
}
- term PIM-ALLOW {
+ term FTP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol pim;
+ port ftp;
}
then accept;
}
- term BFD-ALLOW {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port [ 3784 3785 ];
+ source-port 7408;
}
then accept;
}
- term TRACEROUTE-ALLOW {
+ term SNMP-ALLOW {
from {
- protocol udp;
- destination-port 33434-33523;
- }
- then accept;
- }
- term ICCP {
- from {
- source-address {
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
+ protocol [ tcp udp ];
+ port [ snmp snmptrap ];
}
then accept;
}
- term DENY_ALL {
- then {
- discard;
- }
- }
- }
- filter OSU-SAN-MGMT {
- term PERMIT {
+ term LDP-ALLOW {
from {
- source-address {
- 139.78.3.60/32;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
- protocol tcp;
- destination-port 3033;
+ port ldp;
}
then accept;
}
- term REJECT {
- then {
- discard;
- }
- }
- }
- filter Lock-Down-Voice-Srvs {
- term hosts {
+ term PIM-ALLOW {
from {
- source-address {
- 156.110.82.38/32;
- 164.58.69.34/32;
- 164.58.69.124/32;
- 156.110.27.34/32;
- 204.61.1.84/32;
- 204.61.1.85/32;
- 164.58.73.62/32;
- 164.58.233.202/32;
- 164.58.221.150/32;
- 164.58.245.58/32;
- 156.110.27.38/32;
- 156.110.27.26/32;
- 164.58.144.138/32;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
+ protocol pim;
}
then accept;
}
- term https {
+ term BFD-ALLOW {
from {
- destination-address {
- 164.58.153.0/25;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
- destination-port https;
+ protocol udp;
+ port [ 3784 3785 ];
}
then accept;
}
- term ranges {
+ term ICMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 164.58.250.0/24;
- 164.58.26.84/30;
- 172.16.1.0/24;
- 156.110.26.144/30;
- 156.110.26.184/30;
- 164.58.245.56/30;
- 164.58.244.216/30;
- 164.58.244.220/30;
- 156.110.27.144/30;
- 10.0.0.0/8;
- 156.110.215.48/29;
- 164.58.19.216/29;
- }
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
}
then accept;
}
- term OneNet {
+ term TRACEROUTE-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
+ protocol udp;
+ destination-port 33434-33523;
}
then accept;
}
- }
- filter MIRROR-PACKETS {
- term ICMP-Turbo {
+ term DENY-SERVICES-INBOUND {
from {
- source-address {
- 164.58.253.0/24;
- }
- protocol icmp;
+ destination-port [ ssh telnet http https snmp ntp domain ];
}
then {
- accept;
- dscp ef;
+ discard;
}
}
- term all {
- then {
- port-mirror;
- accept;
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
}
+ then accept;
}
- }
- filter CONTENT-FILTER {
- term HTTP {
- from {
- protocol tcp;
- port [ http https ];
- }
+ term DENY_ALL {
then {
- routing-instance ONENET-CONTENT-FILTER-L3VPN;
+ discard;
}
}
- term ACCEPT-ALL {
- then accept;
- }
}
- filter COLLECT-MIRROR-PACKETS {
- term default {
- then next-hop-group default-collectors;
- }
- }
}
}
routing-instances {
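Review bot: The rewritten BFD-ALLOW matches `port [ 3784 3785 ]`, while the `term BFD` it replaces on this device (removed in the previous hunk) matched `destination-port [ 3784 4784 ]` and so also admitted 4784, the multihop BFD control port; any multihop BFD session here would now be dropped by DENY_ALL, so either add it, `port [ 3784 3785 4784 ];`, or confirm none is configured. The old `term ICCP` (accept from 164.58.199.0/24) is likewise removed with no equivalent term; if MC-LAG ICCP peers exist on this router they need an explicit allow keyed on the peer addresses, which is also tighter than the source-only match that was dropped. Both points are hedged on what is configured elsewhere in this file.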
Index: hub.sal.onenet.net
===================================================================
--- hub.sal.onenet.net (revision 111929)
+++ hub.sal.onenet.net (working copy)
@@ -307,8 +307,8 @@
#t1-2/0/2:13 up up
#t1-2/0/2:13.0 up up
#t1-2/0/2:14 up down
-#t1-2/0/2:15 up down
-#t1-2/0/2:15.0 up down
+#t1-2/0/2:15 up up
+#t1-2/0/2:15.0 up up
#t1-2/0/2:16 up down
#t1-2/0/2:17 up down
#t1-2/0/2:18 up down
@@ -370,7 +370,7 @@
#gr-2/3/0 up up
#ip-2/3/0 up up
#lsq-2/3/0 up up
-#lsq-2/3/0.3 up down
+#lsq-2/3/0.3 up up
#lsq-2/3/0.4 up up
#lsq-2/3/0.5 up up
#lsq-2/3/0.6 up up
Index: hub.pot.onenet.net
===================================================================
--- hub.pot.onenet.net (revision 111919)
+++ hub.pot.onenet.net (working copy)
@@ -326,8 +326,8 @@
#t1-2/0/3:5 up up
#t1-2/0/3:5.0 up up
#t1-2/0/3:6 down down
-#t1-2/0/3:7 up down
-#t1-2/0/3:7.0 up down
+#t1-2/0/3:7 up up
+#t1-2/0/3:7.0 up up
#t1-2/0/3:8 down down
#t1-2/0/3:9 down down
#t1-2/0/3:10 up up
Index: hub.ton.onenet.net
===================================================================
--- hub.ton.onenet.net (revision 111908)
+++ hub.ton.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TONKAWA-M120-RE0> show system commit
+# 2014-03-03 14:41:18 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-27 13:10:32 CST by rnordmark via cli commit synchronize
# 2014-02-27 12:14:07 CST by donnie via cli commit synchronize
# 2014-02-27 09:06:36 CST by josh via cli commit synchronize
# 2014-02-27 08:27:15 CST by donnie via cli commit synchronize
# 2014-02-26 11:12:33 CST by andrew via netconf commit synchronize
-# 2014-02-25 19:03:58 CST by rnordmark via cli commit synchronize
# grnoc-mon at TONKAWA-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -293,7 +293,7 @@
# grnoc-mon at TONKAWA-M120-RE0> show system uptime
# System booted: 2013-05-29 22:20 CDT
# Protocols started: 2013-05-29 22:23 CDT
-# Last configured: 2014-02-27 13:10 CST by rnordmark
+# Last configured: 2014-03-03 14:41 CST by jeremyt
#
# {master}
# grnoc-mon at TONKAWA-M120-RE0> show interface terse
@@ -493,7 +493,7 @@
#pp0 up up
#tap up up
# grnoc-mon at TONKAWA-M120-RE0> show configuration
-## Last commit: 2014-02-27 13:10:32 CST by rnordmark
+## Last commit: 2014-03-03 14:41:18 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -536,7 +536,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1608,7 +1608,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1802,56 +1837,37 @@
}
firewall {
family inet {
- filter PROTECT-RE {
- term SERVICES {
+ filter DDOS-MITIGATION {
+ term UDP-19 {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
- }
- protocol tcp;
- destination-port [ ssh http ];
+ protocol udp;
+ port 19;
}
- then accept;
- }
- term OSPF-ALLOW {
- from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
- }
- protocol ospf;
+ then {
+ discard;
}
- then accept;
}
- term EBGP-ALLOW {
+ term TCP-19 {
from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
protocol tcp;
- port 179;
+ port 19;
}
+ then {
+ discard;
+ }
+ }
+ term ACCEPT {
then accept;
}
- term IBGP-ALLOW {
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
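Review bot: The removed OSPF-ALLOW sources 172.23.0.0/16 and 10.199.2.0/24 have no explicit replacement; the new OSPF-ALLOW in the next hunk relies on PRE-LOCALIPv4-SOURCES, which covers a neighbour only when it sits on a subnet configured on this router's interfaces, so an adjacency formed from those ranges over a tunnel or from an address not on a connected subnet would now hit DENY_ALL. LDP-ALLOW on this device drops the same two ranges in a later hunk and depends on PRE-LDP-SOURCES in the same way. If such neighbours exist, confirm their addresses appear in `show configuration policy-options prefix-list PRE-LOCALIPv4-SOURCES | display inheritance` after commit, or keep a static entry for them. core1.dc (10.199.199.0/24, 10.199.198.0/24) and hub.wil make the equivalent replacement for their own private ranges.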
@@ -1871,46 +1887,86 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
+ term DOMAIN-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
+ }
+ then accept;
+ }
+ term SYSLOG-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
+ }
+ then accept;
+ }
+ term FTP-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port ftp;
+ }
+ then accept;
+ }
+ term JSPACE-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ source-port 7408;
+ }
+ then accept;
+ }
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1919,21 +1975,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1941,14 +1993,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1956,34 +2015,25 @@
}
then accept;
}
- term DENY_ALL {
- then {
- discard;
- }
- }
- }
- filter DDOS-MITIGATION {
- term UDP-19 {
+ term DENY-SERVICES-INBOUND {
from {
- protocol udp;
- port 19;
+ destination-port [ ssh telnet http https snmp ntp domain ];
}
then {
discard;
}
}
- term TCP-19 {
+ term SERVICES-OUTBOUND {
from {
- protocol tcp;
- port 19;
+ source-port [ ssh telnet ];
}
+ then accept;
+ }
+ term DENY_ALL {
then {
discard;
}
}
- term ACCEPT {
- then accept;
- }
}
}
policer 10M-POL {
Index: hub.wil.onenet.net
===================================================================
--- hub.wil.onenet.net (revision 111351)
+++ hub.wil.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at WILBURTON-M120-RE0> show system commit
+# 2014-03-03 14:45:08 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-26 11:12:33 CST by andrew via netconf commit synchronize
# 2014-02-25 19:04:59 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:52:37 CST by rnordmark via cli commit synchronize
# 2014-02-24 10:35:01 CST by josh via cli commit synchronize
# 2014-02-14 14:51:40 CST by rnordmark via cli commit synchronize
-# 2014-01-31 11:52:18 CST by josh via cli commit synchronize
# grnoc-mon at WILBURTON-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -275,7 +275,7 @@
# grnoc-mon at WILBURTON-M120-RE0> show system uptime
# System booted: 2013-07-30 14:03 CDT
# Protocols started: 2013-07-30 14:05 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 14:45 CST by rnordmark
#
# {master}
# grnoc-mon at WILBURTON-M120-RE0> show interface terse
@@ -446,7 +446,7 @@
#pp0 up up
#tap up up
# grnoc-mon at WILBURTON-M120-RE0> show configuration
-## Last commit: 2014-02-26 11:12:33 CST by andrew
+## Last commit: 2014-03-03 14:45:08 CST by rnordmark
version 11.4R7.5;
groups {
re0 {
@@ -489,7 +489,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1458,7 +1458,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1652,56 +1687,56 @@
}
firewall {
family inet {
- filter PROTECT-RE {
- term SERVICES {
+ filter DNS-CONTENT-FILTER {
+ term DNS-ALLOWED {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ destination-address {
+ 208.67.222.222/32;
+ 208.67.220.220/32;
}
- protocol tcp;
- destination-port [ ssh http ];
+ protocol udp;
+ port 53;
}
then accept;
}
- term OSPF-ALLOW {
+ term DNS-DISCARD {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ destination-address {
+ 0.0.0.0/0;
}
- protocol ospf;
+ protocol udp;
+ port 53;
}
+ then {
+ discard;
+ }
+ }
+ term ACCEPT-ALL-ELSE {
then accept;
}
- term EBGP-ALLOW {
+ }
+ filter BLOCK-NTP {
+ term 1 {
from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
- protocol tcp;
- port 179;
+ protocol udp;
+ port ntp;
}
+ then {
+ discard;
+ }
+ }
+ term 2 {
then accept;
}
- term IBGP-ALLOW {
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
@@ -1721,46 +1756,86 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
+ term DOMAIN-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
+ }
+ then accept;
+ }
+ term SYSLOG-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
+ }
+ then accept;
+ }
+ term FTP-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port ftp;
+ }
+ then accept;
+ }
+ term JSPACE-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ source-port 7408;
+ }
+ then accept;
+ }
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1769,21 +1844,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1791,68 +1862,47 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
- term TRACEROUTE-ALLOW {
+ term ICMP-ALLOW {
from {
- protocol udp;
- destination-port 33434-33523;
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
}
then accept;
}
- term DENY_ALL {
- then {
- discard;
- }
- }
- }
- filter DNS-CONTENT-FILTER {
- term DNS-ALLOWED {
+ term TRACEROUTE-ALLOW {
from {
- destination-address {
- 208.67.222.222/32;
- 208.67.220.220/32;
- }
protocol udp;
- port 53;
+ destination-port 33434-33523;
}
then accept;
}
- term DNS-DISCARD {
+ term DENY-SERVICES-INBOUND {
from {
- destination-address {
- 0.0.0.0/0;
- }
- protocol udp;
- port 53;
+ destination-port [ ssh telnet http https snmp ntp domain ];
}
then {
discard;
}
}
- term ACCEPT-ALL-ELSE {
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
then accept;
}
- }
- filter BLOCK-NTP {
- term 1 {
- from {
- protocol udp;
- port ntp;
- }
+ term DENY_ALL {
then {
discard;
}
}
- term 2 {
- then accept;
- }
}
}
}
Index: core3.okc-m120.onenet.net
===================================================================
--- core3.okc-m120.onenet.net (revision 111928)
+++ core3.okc-m120.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKC-CORE3-M120-RE0> show system commit
+# 2014-03-03 14:59:27 CST by rnordmark via cli commit synchronize
+# 2014-03-03 14:58:03 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
+# 2014-03-03 14:30:02 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-28 14:23:11 CST by joel via cli commit synchronize
# 2014-02-27 12:55:10 CST by joe via cli commit synchronize
# 2014-02-27 12:19:28 CST by josh via cli commit synchronize
-# 2014-02-27 09:12:47 CST by josh via cli commit synchronize
-# 2014-02-26 11:12:43 CST by andrew via netconf commit synchronize
-# 2014-02-25 19:09:18 CST by rnordmark via cli commit synchronize
# grnoc-mon at OKC-CORE3-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -366,7 +366,7 @@
# grnoc-mon at OKC-CORE3-M120-RE0> show system uptime
# System booted: 2013-04-14 00:17 CDT
# Protocols started: 2013-04-14 00:30 CDT
-# Last configured: 2014-02-28 14:23 CST by joel
+# Last configured: 2014-03-03 14:59 CST by rnordmark
#
# {master}
# grnoc-mon at OKC-CORE3-M120-RE0> show interface terse
@@ -1950,7 +1950,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKC-CORE3-M120-RE0> show configuration
-## Last commit: 2014-02-28 14:23:11 CST by joel
+## Last commit: 2014-03-03 14:59:27 CST by rnordmark
version 11.4R7.5;
groups {
re0 {
@@ -1993,7 +1993,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -2092,8 +2092,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -8702,7 +8701,6 @@
204.87.86.36/32;
208.67.57.0/24;
}
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list RESIDENCE-HALL {
164.58.23.131/32;
164.58.23.132/32;
@@ -8750,6 +8748,42 @@
164.58.46.0/24;
164.58.59.0/24;
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement DEFAULT-ONLY-EXPORT {
term ACCEPT-DEFAULT {
from {
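Review bot: PRE-SNMP-SOURCES expands only client-list entries whose address starts with the digit 1 (`apply-path "snmp client-list snmp-management <1*>"`), so an SNMP manager later added to `snmp-management` with a different first octet is silently left out of SNMP-ALLOW while still being a valid SNMP client. If the narrowed wildcard is there to keep a `0.0.0.0/0 restrict` entry out of the list, annotate it so the next editor does not "fix" it to `<*>`, e.g. `annotate "<1*> not <*>: keeps the 0.0.0.0/0 restrict entry out of PROTECT-RE; keep in sync with snmp client-list"`. Likewise PRE-BGP-ALLOW walks `protocols bgp group <*> neighbor <*>` only, so any BGP neighbor configured under a routing-instance would not be matched by BGP-ALLOW. The snmp client-list and any routing-instances are not visible in this diff.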
@@ -9013,56 +9047,28 @@
}
}
}
- filter PROTECT-RE {
- term SERVICES {
+ filter BLOCK-NTP {
+ term 1 {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
- }
- protocol tcp;
- destination-port [ ssh http ];
+ protocol udp;
+ port ntp;
}
- then accept;
- }
- term OSPF-ALLOW {
- from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 10.199.2.0/24;
- 172.23.0.0/16;
- }
- protocol ospf;
+ then {
+ discard;
}
- then accept;
}
- term EBGP-ALLOW {
- from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
- protocol tcp;
- port 179;
- }
+ term 2 {
then accept;
}
- term IBGP-ALLOW {
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
@@ -9082,46 +9088,86 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ftp-data ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
+ term DOMAIN-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
+ }
+ then accept;
+ }
+ term SYSLOG-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
+ }
+ then accept;
+ }
+ term FTP-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port ftp;
+ }
+ then accept;
+ }
+ term JSPACE-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ source-port 7408;
+ }
+ then accept;
+ }
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -9130,23 +9176,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -9154,14 +9194,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
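Review bot: JSPACE-ALLOW matches `source-port 7408;`, while the term it replaces (SERVICES-OUTBOUND, removed above) listed 7804; the two middle digits look transposed. If this term is meant for the Junos Space device-initiated connections the old list carried on 7804, that traffic no longer matches here and falls through to DENY_ALL — confirm the port against the Space side before this filter is relied on. The term also accepts any protocol from the management prefixes with that source port; `protocol tcp; source-port 7804; tcp-established;` would limit it to replies on sessions the RE has already established. PROTECT-RE starts before and continues past this hunk.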
@@ -9169,25 +9216,25 @@
}
then accept;
}
- term DENY_ALL {
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
then {
discard;
}
}
- }
- filter BLOCK-NTP {
- term 1 {
+ term SERVICES-OUTBOUND {
from {
- protocol udp;
- port ntp;
+ source-port [ ssh telnet ];
}
+ then accept;
+ }
+ term DENY_ALL {
then {
discard;
}
}
- term 2 {
- then accept;
- }
}
}
family mpls {
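Review bot: SERVICES-OUTBOUND accepts any packet whose source port is 22 or 23 from any address, with no protocol or TCP-state condition, and it is evaluated before DENY_ALL, so as far as the visible terms go a packet crafted with source port 22 reaches the RE on every destination port that is not in DENY-SERVICES-INBOUND (179, 646 and 830, for example, are not in that list). The term is presumably there for replies to SSH/telnet sessions the router opens itself; `protocol tcp; source-port [ ssh telnet ]; tcp-established;` keeps that working while dropping unsolicited SYNs, and a `source-prefix-list` of the hosts the router connects to would tighten it further. The previous filter had the same shape with a longer port list, so this is pre-existing rather than introduced by the commit, but the rewrite is the moment to close it. PROTECT-RE starts outside this hunk.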