[Nocrancid] autopop-onenet.net router config diffs
rancid at rancid.noc.onenet.net
rancid at rancid.noc.onenet.net
Mon Mar 3 16:01:24 CST 2014
Index: core.hut.hen.onenet.net
===================================================================
--- core.hut.hen.onenet.net (revision 111293)
+++ core.hut.hen.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at HENRYETTA-MX40> show system commit
+# 2014-03-03 15:16:43 CST by josh via cli commit confirmed, rollback in 5mins
# 2014-02-26 11:12:37 CST by andrew via netconf
# 2014-02-25 19:08:05 CST by rnordmark via cli
# 2014-01-14 14:28:52 CST by admin via netconf
# 2014-01-02 09:55:42 CST by joel via cli
# 2014-01-02 09:55:25 CST by joel via cli
-# 2014-01-02 09:53:30 CST by joel via cli
# grnoc-mon at HENRYETTA-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
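Review bot: The only new entry in `show system commit` on this router is `commit confirmed, rollback in 5mins` by josh at 15:16:43, with no confirming commit after it, whereas Webbers_Falls-MX40 and the MX480s in this mail show the confirming `commit` as a second entry a minute later. Either RANCID polled inside the rollback window or the candidate was rolled back, so the PROTECT-RE rewrite below may not be what is running now; please check the next diff for this router (and for OKCBOK-MX80, EDMOND-MX80, LANGSTON-MX80 and MCALESTER-MX480-RE0, whose first hunks show the same single `commit confirmed` entry) before treating the change as landed.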
@@ -229,7 +229,7 @@
# grnoc-mon at HENRYETTA-MX40> show system uptime
# System booted: 2013-06-10 10:56 CDT
# Protocols started: 2013-06-10 10:58 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:16 CST by josh
#
# grnoc-mon at HENRYETTA-MX40> show interface terse
#Interface Admin Link
@@ -295,7 +295,7 @@
#pp0 up up
#tap up up
# grnoc-mon at HENRYETTA-MX40> show configuration
-## Last commit: 2014-02-26 11:12:37 CST by andrew
+## Last commit: 2014-03-03 15:16:43 CST by josh
version 12.3R2.5;
system {
host-name HENRYETTA-MX40;
@@ -307,7 +307,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -405,8 +405,7 @@
source-address 164.58.199.164;
}
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
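Review bot: After this hunk the `ntp` stanza holds a single `server 164.58.3.98 prefer;` and the second server 164.58.253.82 is gone, so the RE has no fallback time source; if 164.58.3.98 is unreachable the clock free-runs and the commit and syslog timestamps used for correlation drift. Because `PRE-NTP-SOURCES` is built with `apply-path "system ntp server <*>"` in the policy-options hunk below, the NTP-ALLOW term shrinks to that one address as well. If a second server exists, keep it as a non-preferred entry, e.g. `server 164.58.3.98 prefer;` followed by `server <SECOND-NTP-SERVER>;` (placeholder). The same single-server change is in the ntp hunks of core.hut.web, core.okcbok, core.mus and core.mca.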
@@ -756,7 +755,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
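Review bot: `prefix-list PRE-SNMP-SOURCES` expands `apply-path "snmp client-list snmp-management <1*>"`, and the `<1*>` glob only picks up client-list entries whose text begins with the digit 1; if that client-list contains entries such as the `64.207.244.14/32` and `66.129.224.37/32` that appear in `PRE-MGMT-SOURCES`, they are silently left out of SNMP-ALLOW (I cannot see the client-list in this diff, so please confirm). If the narrowing is deliberate, record why with `annotate prefix-list PRE-SNMP-SOURCES "<reason>"`; if not, `<*>` takes every entry. None of the nine new `PRE-*` lists carries an annotation, and `PRE-LDP-SOURCES` mixes a hard-coded `164.58.198.0/23` with an apply-path, so a one-line annotation per list explaining what it feeds and why would help the next operator. The identical policy-options hunk appears in core.hut.web, core.okcbok, core.mus and core.mca.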
@@ -877,112 +911,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
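Review bot: `term JSPACE-ALLOW` matches `source-port 7408;`, but the `SERVICES-OUTBOUND` term it replaces listed `7804` in its source-port set, so one of the two looks transposed; the new term also has no `protocol` match, so it accepts any IP protocol from PRE-MGMT-SOURCES carrying that source port — please confirm the intended port and add `protocol tcp;`. Separately, `port` matches either the source or the destination port, so `RADIUS-ALLOW`, `NTP-ALLOW`, `DOMAIN-ALLOW`, `SYSLOG-ALLOW`, `FTP-ALLOW` and `SNMP-ALLOW` admit any packet from the listed sources whose source port happens to equal the service port, not only the intended flow; pick the direction each term really has — `source-port` for replies to sessions the RE originates (RADIUS, DNS, FTP control), `destination-port` for services the RE listens on (SNMP, NTP). `DOMAIN-ALLOW` and `FTP-ALLOW` would also benefit from an explicit `protocol` like the other terms. `filter PROTECT-RE` starts in this hunk and continues past its end (the SNMP-ALLOW term is cut). The same rewrite appears in the PROTECT-RE hunks of core.hut.web, core.okcbok, core.mus and core.mca and these comments apply there too.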
@@ -991,19 +1025,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1011,14 +1043,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1026,6 +1065,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
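Review bot: `term SERVICES-OUTBOUND` accepts on `source-port [ ssh telnet ]` alone, with no source-prefix-list, `protocol` or TCP-flag condition, which makes it the broadest accept in PROTECT-RE; `DENY-SERVICES-INBOUND` ahead of it only discards the seven listed destination ports, so every other RE port remains open to traffic that merely carries source port 22 or 23. If the term exists for replies to SSH/telnet sessions the router itself opens, restricting it to established TCP keeps that working while closing the gap, e.g. `protocol tcp;` and `tcp-established;` next to the source-port match. `DENY-SERVICES-INBOUND` and `DENY_ALL` both discard silently; adding `count <COUNTER-NAME>;` (placeholder) and `log;` to those `then` blocks gives the SOC a signal when the RE filter is hit. `DENY_ALL` continues past the end of the hunk; the same two terms are added on core.hut.web, core.okcbok, core.mus and core.mca.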
Index: core.hut.web.onenet.net
===================================================================
--- core.hut.web.onenet.net (revision 111310)
+++ core.hut.web.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at Webbers_Falls-MX40> show system commit
+# 2014-03-03 15:33:19 CST by rnordmark via cli
+# 2014-03-03 15:32:11 CST by rnordmark via cli commit confirmed, rollback in 3mins
# 2014-02-26 11:12:37 CST by andrew via netconf
# 2014-02-25 19:07:32 CST by rnordmark via cli
# 2014-01-14 14:28:53 CST by admin via netconf
# 2013-12-04 08:50:14 CST by rnordmark via cli
-# 2013-12-03 09:09:30 CST by rnordmark via cli
-# 2013-12-03 09:09:09 CST by rnordmark via cli
# grnoc-mon at Webbers_Falls-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -228,7 +228,7 @@
# grnoc-mon at Webbers_Falls-MX40> show system uptime
# System booted: 2013-09-09 00:39 CDT
# Protocols started: 2013-09-09 00:40 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:33 CST by rnordmark
#
# grnoc-mon at Webbers_Falls-MX40> show interface terse
#Interface Admin Link
@@ -294,7 +294,7 @@
#pp0 up up
#tap up up
# grnoc-mon at Webbers_Falls-MX40> show configuration
-## Last commit: 2014-02-26 11:12:37 CST by andrew
+## Last commit: 2014-03-03 15:33:19 CST by rnordmark
version 12.3R2.5;
system {
host-name Webbers_Falls-MX40;
@@ -306,9 +306,7 @@
}
name-server {
164.58.253.10;
- 156.110.198.10;
- 164.58.233.202;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -406,8 +404,7 @@
source-address 164.58.199.157;
}
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -724,7 +721,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -845,113 +877,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
- 164.58.248.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
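Review bot: The old `term SERVICES` on this router listed `164.58.248.0/24` (the removed line `- 164.58.248.0/24;`) in addition to the nine prefixes now in `PRE-MGMT-SOURCES`, and the new list does not carry it, so SSH, and the SYSLOG, FTP and JSPACE terms that share the list, from that /24 now falls through to `DENY_ALL` on Webbers_Falls-MX40 only; the other four routers in this mail never had that prefix. If the drop is intentional it deserves a line in the change record; if not, add `164.58.248.0/24;` to `PRE-MGMT-SOURCES` in the policy-options hunk above. `filter PROTECT-RE` continues past the end of the hunk.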
@@ -960,19 +991,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -980,14 +1009,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -995,6 +1031,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.okcbok.onenet.net
===================================================================
--- core.okcbok.onenet.net (revision 111370)
+++ core.okcbok.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKCBOK-MX80> show system commit
+# 2014-03-03 15:14:21 CST by andrew via cli commit confirmed, rollback in 5mins
# 2014-02-26 11:12:35 CST by andrew via netconf
# 2014-02-25 19:08:44 CST by rnordmark via cli
# 2014-02-25 09:47:20 CST by donnie via cli
# 2014-02-25 09:38:41 CST by donnie via cli
# 2014-02-04 11:30:27 CST by jeremyt via cli
-# 2014-01-14 14:28:55 CST by admin via netconf
# grnoc-mon at OKCBOK-MX80> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -201,7 +201,7 @@
# grnoc-mon at OKCBOK-MX80> show system uptime
# System booted: 2013-05-22 00:20 CDT
# Protocols started: 2013-05-22 00:22 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:14 CST by andrew
#
# grnoc-mon at OKCBOK-MX80> show interface terse
#Interface Admin Link
@@ -247,7 +247,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKCBOK-MX80> show configuration
-## Last commit: 2014-02-26 11:12:35 CST by andrew
+## Last commit: 2014-03-03 15:14:21 CST by andrew
version 11.4R7.5;
system {
host-name OKCBOK-MX80;
@@ -259,9 +259,7 @@
}
name-server {
164.58.253.10;
- 156.110.198.10;
- 164.58.233.202;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -354,8 +352,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -564,7 +561,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -733,112 +765,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -847,19 +879,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -867,14 +897,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -882,6 +919,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.sal.onenet.net
===================================================================
--- core.sal.onenet.net (revision 111370)
+++ core.sal.onenet.net (working copy)
@@ -1,13 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at SALLISAW-MX480-RE0> show system commit
+# 2014-03-03 15:12:36 CST by rnordmark via cli commit synchronize
+# 2014-03-03 15:11:20 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-26 11:12:34 CST by andrew via netconf commit synchronize
# 2014-02-25 19:15:56 CST by jeremyt via cli commit synchronize
# 2014-02-25 19:11:07 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:56:11 CST by rnordmark via cli commit synchronize
-# 2014-02-24 17:35:41 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
-# 2014-02-21 23:08:48 CST by root via other
-# Synchronization with remote Routing Engine
# grnoc-mon at SALLISAW-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -243,7 +242,7 @@
# grnoc-mon at SALLISAW-MX480-RE0> show system uptime
# System booted: 2014-02-21 23:06 CST
# Protocols started: 2014-02-21 23:08 CST
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:12 CST by rnordmark
#
# {master}
# grnoc-mon at SALLISAW-MX480-RE0> show interface terse
@@ -316,7 +315,7 @@
#pp0 up up
#tap up up
# grnoc-mon at SALLISAW-MX480-RE0> show configuration
-## Last commit: 2014-02-26 11:12:34 CST by andrew
+## Last commit: 2014-03-03 15:12:36 CST by rnordmark
version 11.4R7.5;
groups {
re0 {
Index: core.mus.onenet.net
===================================================================
--- core.mus.onenet.net (revision 111370)
+++ core.mus.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at MUSKOGEE-MX480-RE0> show system commit
+# 2014-03-03 15:33:44 CST by jeremyt via cli commit synchronize
+# 2014-03-03 15:32:05 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:30 CST by andrew via netconf commit synchronize
# 2014-02-26 10:54:43 CST by joel via cli commit synchronize
# 2014-02-25 19:04:52 CST by rnordmark via cli commit synchronize
# 2014-02-25 13:03:47 CST by joel via cli commit synchronize
-# 2014-02-25 09:03:06 CST by joel via cli commit synchronize
-# 2014-02-24 17:55:59 CST by rnordmark via cli commit synchronize
# grnoc-mon at MUSKOGEE-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -242,7 +242,7 @@
# grnoc-mon at MUSKOGEE-MX480-RE0> show system uptime
# System booted: 2013-12-21 00:37 CST
# Protocols started: 2013-12-21 00:39 CST
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:33 CST by jeremyt
#
# {master}
# grnoc-mon at MUSKOGEE-MX480-RE0> show interface terse
@@ -316,7 +316,7 @@
#pp0 up up
#tap up up
# grnoc-mon at MUSKOGEE-MX480-RE0> show configuration
-## Last commit: 2014-02-26 11:12:30 CST by andrew
+## Last commit: 2014-03-03 15:33:44 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -360,7 +360,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -460,8 +460,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -862,7 +861,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1034,112 +1068,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1148,19 +1182,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1168,14 +1200,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1183,6 +1222,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core1.edm-mx80.onenet.net
===================================================================
--- core1.edm-mx80.onenet.net (revision 111312)
+++ core1.edm-mx80.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at EDMOND-MX80> show system commit
+# 2014-03-03 15:32:35 CST by andrew via cli commit confirmed, rollback in 5mins
# 2014-02-26 11:12:38 CST by andrew via netconf
# 2014-02-25 19:33:53 CST by rnordmark via cli commit confirmed, rollback in 2mins
# 2014-02-25 19:10:41 CST by rnordmark via cli
# 2014-02-24 17:49:16 CST by rnordmark via cli
# 2014-02-14 14:48:43 CST by rnordmark via cli
-# 2013-12-21 00:01:35 CST by rnordmark via cli
# grnoc-mon at EDMOND-MX80> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -202,7 +202,7 @@
# grnoc-mon at EDMOND-MX80> show system uptime
# System booted: 2013-11-01 15:57 CDT
# Protocols started: 2013-11-01 15:58 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:32 CST by andrew
#
# grnoc-mon at EDMOND-MX80> show interface terse
#Interface Admin Link
@@ -269,7 +269,7 @@
#pp0 up up
#tap up up
# grnoc-mon at EDMOND-MX80> show configuration
-## Last commit: 2014-02-26 11:12:38 CST by andrew
+## Last commit: 2014-03-03 15:32:35 CST by andrew
version 11.4R7.5;
system {
host-name EDMOND-MX80;
Index: core1.lan-mx80.onenet.net
===================================================================
--- core1.lan-mx80.onenet.net (revision 111377)
+++ core1.lan-mx80.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at LANGSTON-MX80> show system commit
+# 2014-03-03 15:02:48 CST by josh via cli commit confirmed, rollback in 5mins
# 2014-02-26 11:12:36 CST by andrew via netconf
# 2014-02-25 19:38:05 CST by jeremyt via cli commit confirmed, rollback in 5mins
# 2014-02-25 19:10:48 CST by rnordmark via cli
# 2014-02-24 17:50:04 CST by rnordmark via cli
# 2014-02-14 14:49:20 CST by rnordmark via cli
-# 2014-01-21 09:55:58 CST by rnordmark via cli
# grnoc-mon at LANGSTON-MX80> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -202,7 +202,7 @@
# grnoc-mon at LANGSTON-MX80> show system uptime
# System booted: 2013-05-30 22:13 CDT
# Protocols started: 2013-05-30 22:14 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:02 CST by josh
#
# grnoc-mon at LANGSTON-MX80> show interface terse
#Interface Admin Link
@@ -278,7 +278,7 @@
#pp0 up up
#tap up up
# grnoc-mon at LANGSTON-MX80> show configuration
-## Last commit: 2014-02-26 11:12:36 CST by andrew
+## Last commit: 2014-03-03 15:02:48 CST by josh
version 11.4R7.5;
system {
host-name LANGSTON-MX80;
Index: core.mca.onenet.net
===================================================================
--- core.mca.onenet.net (revision 111512)
+++ core.mca.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at MCALESTER-MX480-RE0> show system commit
+# 2014-03-03 15:37:31 CST by andrew via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-27 13:29:23 CST by joel via cli commit synchronize
# 2014-02-26 15:38:38 CST by joel via cli commit synchronize
# 2014-02-26 11:12:31 CST by andrew via netconf commit synchronize
# 2014-02-25 19:04:39 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:55:53 CST by rnordmark via cli commit synchronize
-# 2014-02-14 14:54:42 CST by rnordmark via cli commit synchronize
# grnoc-mon at MCALESTER-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -243,7 +243,7 @@
# grnoc-mon at MCALESTER-MX480-RE0> show system uptime
# System booted: 2013-06-05 22:46 CDT
# Protocols started: 2013-06-05 22:54 CDT
-# Last configured: 2014-02-27 13:29 CST by joel
+# Last configured: 2014-03-03 15:37 CST by andrew
#
# {master}
# grnoc-mon at MCALESTER-MX480-RE0> show interface terse
@@ -318,7 +318,7 @@
#pp0 up up
#tap up up
# grnoc-mon at MCALESTER-MX480-RE0> show configuration
-## Last commit: 2014-02-27 13:29:23 CST by joel
+## Last commit: 2014-03-03 15:37:31 CST by andrew
version 11.4R7.5;
groups {
re0 {
@@ -362,7 +362,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -462,8 +462,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -829,7 +828,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1001,112 +1035,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
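Review bot: JSPACE-ALLOW near the end of this hunk accepts anything from PRE-MGMT-SOURCES with `source-port 7408;` and no `protocol` or destination-port match, and 7408 does not match the `7804` that the removed SERVICES-OUTBOUND line carried for what the term name suggests is the same management session; confirm which number is intended, since a wrong one silently breaks that session while the term still admits whatever else arrives with that source port. Several rewritten terms (DOMAIN-ALLOW, SYSLOG-ALLOW, FTP-ALLOW, JSPACE-ALLOW) also use bare `port` with no `protocol`, so each matches TCP or UDP with the port in either direction; adding `protocol udp;` or `protocol tcp;` and using `destination-port` or `source-port` as the service requires narrows each to the traffic it is named for. The same terms appear in the PROTECT-RE hunks of core1.sti-mx960, core3.tul-m120, core.ponc and core1.ptc.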
@@ -1115,19 +1149,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1135,14 +1167,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1150,6 +1189,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
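Review bot: The new SERVICES-OUTBOUND term accepts any packet with `source-port [ ssh telnet ]` from any source, with no protocol, destination-port or TCP-state match, and it is evaluated after DENY-SERVICES-INBOUND, so a packet carrying source port 22 or 23 toward any RE port not in that deny list is accepted before DENY_ALL. If the intent is to admit replies to SSH/telnet sessions the RE itself initiates, `protocol tcp; tcp-established;` next to the source-port match limits the term to established sessions, and a `destination-port` range for the RE's ephemeral ports narrows it further. The removed term's other source ports are presumably now covered by the per-service terms added earlier in this filter. The same term is added in core1.sti-mx960, core3.tul-m120, core.ponc and core1.ptc.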
Index: core1.sti-mx960.onenet.net
===================================================================
--- core1.sti-mx960.onenet.net (revision 111577)
+++ core1.sti-mx960.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at STILLWATER-MX960-RE0> show system commit
+# 2014-03-03 15:14:53 CST by jeremyt via cli commit synchronize
+# 2014-03-03 15:12:40 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-27 11:05:31 CST by donnie via cli commit synchronize
# 2014-02-26 20:04:23 CST by donnie via cli commit synchronize
# 2014-02-26 19:46:42 CST by donnie via cli commit synchronize
# 2014-02-26 11:12:38 CST by andrew via netconf commit synchronize
-# 2014-02-25 19:10:24 CST by rnordmark via cli commit synchronize
-# 2014-02-24 17:53:06 CST by rnordmark via cli commit synchronize
# grnoc-mon at STILLWATER-MX960-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -440,7 +440,7 @@
# grnoc-mon at STILLWATER-MX960-RE0> show system uptime
# System booted: 2013-05-29 23:44 CDT
# Protocols started: 2013-05-29 23:46 CDT
-# Last configured: 2014-02-27 11:05 CST by donnie
+# Last configured: 2014-03-03 15:14 CST by jeremyt
#
# {master}
# grnoc-mon at STILLWATER-MX960-RE0> show interface terse
@@ -629,7 +629,7 @@
#pp0 up up
#tap up up
# grnoc-mon at STILLWATER-MX960-RE0> show configuration
-## Last commit: 2014-02-27 11:05:31 CST by donnie
+## Last commit: 2014-03-03 15:14:53 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -672,7 +672,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1840,9 +1840,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS {
- 164.58.10.70/32;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
}
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement DEFAULT-EXPORT {
term ACCEPT-DEFAULT {
from {
@@ -2073,112 +2106,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -2187,19 +2220,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -2207,14 +2238,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -2222,6 +2260,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core1.okccc.onenet.net
===================================================================
--- core1.okccc.onenet.net (revision 111370)
+++ core1.okccc.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKCCC-MX960-RE0> show system commit
+# 2014-03-03 15:09:50 CST by andrew via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-26 11:12:37 CST by andrew via netconf commit synchronize
# 2014-02-25 19:41:33 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-25 19:10:30 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:53:13 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:52:12 CST by rnordmark via cli commit synchronize
-# 2014-02-13 23:22:14 CST by joel via cli commit synchronize
# grnoc-mon at OKCCC-MX960-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -389,7 +389,7 @@
# grnoc-mon at OKCCC-MX960-RE0> show system uptime
# System booted: 2013-06-01 14:49 CDT
# Protocols started: 2013-06-01 14:51 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:09 CST by andrew
#
# {master}
# grnoc-mon at OKCCC-MX960-RE0> show interface terse
@@ -540,7 +540,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKCCC-MX960-RE0> show configuration
-## Last commit: 2014-02-26 11:12:37 CST by andrew
+## Last commit: 2014-03-03 15:09:50 CST by andrew
version 11.4R7.5;
groups {
re0 {
Index: core3.tul-m120.onenet.net
===================================================================
--- core3.tul-m120.onenet.net (revision 111904)
+++ core3.tul-m120.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TULSA-CORE-3-M120-RE0> show system commit
+# 2014-03-03 15:05:10 CST by rnordmark via cli commit synchronize
+# 2014-03-03 15:02:05 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-26 19:39:52 CST by donnie via cli commit synchronize
# 2014-02-26 11:12:39 CST by andrew via netconf commit synchronize
# 2014-02-25 19:09:52 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:54:26 CST by rnordmark via cli commit synchronize
-# 2014-02-14 14:53:19 CST by rnordmark via cli commit synchronize
-# 2014-01-13 08:32:14 CST by donnie via cli commit synchronize
# grnoc-mon at TULSA-CORE-3-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -318,7 +318,7 @@
# grnoc-mon at TULSA-CORE-3-M120-RE0> show system uptime
# System booted: 2013-04-27 23:31 CDT
# Protocols started: 2013-04-27 23:34 CDT
-# Last configured: 2014-02-26 19:39 CST by donnie
+# Last configured: 2014-03-03 15:05 CST by rnordmark
#
# {master}
# grnoc-mon at TULSA-CORE-3-M120-RE0> show interface terse
@@ -652,7 +652,7 @@
#pp0 up up
#tap up up
# grnoc-mon at TULSA-CORE-3-M120-RE0> show configuration
-## Last commit: 2014-02-26 19:39:52 CST by donnie
+## Last commit: 2014-03-03 15:05:10 CST by rnordmark
version 11.4R7.5;
groups {
re0 {
@@ -695,7 +695,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -793,8 +793,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -2242,7 +2241,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement DEFAULT-EXPORT {
term ACCEPT-DEFAULT {
from {
@@ -2482,56 +2516,34 @@
}
firewall {
family inet {
- filter PROTECT-RE {
- term SERVICES {
+ filter Sallisaw {
+ interface-specific;
+ term Roland-Public {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ destination-address {
+ 156.110.207.200/29;
+ 164.58.19.232/29;
}
- protocol tcp;
- destination-port [ ssh http ];
}
- then accept;
+ then policer 15M-POL;
}
- term OSPF-ALLOW {
- from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 10.199.2.0/24;
- 172.23.0.0/16;
- }
- protocol ospf;
- }
+ term ACCEPT-ALL {
then accept;
}
- term EBGP-ALLOW {
- from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
- protocol tcp;
- port 179;
+ term REJECT_ALL {
+ then {
+ discard;
}
- then accept;
}
- term IBGP-ALLOW {
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
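Review bot: The Sallisaw filter is moved here unchanged, and its `term REJECT_ALL` now sits on the new side directly after an unconditional `term ACCEPT-ALL { then accept; }`, so it can never match; either drop it or give it a `from` condition if something was meant to be rejected. Separately, the removed OSPF-ALLOW in this hunk admitted 10.199.2.0/24 and 172.23.0.0/16, and the replacement term in the next hunk relies on PRE-LOCALIPv4-SOURCES, which apply-path builds only from addresses configured on this chassis's own interfaces; if any OSPF or LDP neighbour in those ranges is not on a directly connected subnet it now falls through to DENY_ALL. The same two private ranges are dropped from OSPF-ALLOW and LDP-ALLOW in core.ponc's PROTECT-RE hunks; the LDP-ALLOW counterpart here is in the `@@ -2599,21 +2651,17 @@` hunk.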
@@ -2551,46 +2563,86 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
+ term DOMAIN-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
+ }
+ then accept;
+ }
+ term SYSLOG-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
+ }
+ then accept;
+ }
+ term FTP-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port ftp;
+ }
+ then accept;
+ }
+ term JSPACE-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ source-port 7408;
+ }
+ then accept;
+ }
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -2599,21 +2651,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -2621,14 +2669,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -2636,27 +2691,21 @@
}
then accept;
}
- term DENY_ALL {
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
then {
discard;
}
}
- }
- filter Sallisaw {
- interface-specific;
- term Roland-Public {
+ term SERVICES-OUTBOUND {
from {
- destination-address {
- 156.110.207.200/29;
- 164.58.19.232/29;
- }
+ source-port [ ssh telnet ];
}
- then policer 15M-POL;
- }
- term ACCEPT-ALL {
then accept;
}
- term REJECT_ALL {
+ term DENY_ALL {
then {
discard;
}
Index: core.ponc.onenet.net
===================================================================
--- core.ponc.onenet.net (revision 111304)
+++ core.ponc.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at PONCA-CITY-MX40> show system commit
+# 2014-03-03 15:27:56 CST by jeremyt via cli
+# 2014-03-03 15:26:15 CST by jeremyt via cli commit confirmed, rollback in 5mins
# 2014-02-26 11:12:35 CST by andrew via netconf
# 2013-12-02 13:44:41 CST by donnie via cli
# 2013-11-13 12:07:18 CST by joel via cli
# 2013-11-01 04:35:42 CDT by joel via cli
-# 2013-11-01 03:53:46 CDT by joel via cli
-# 2013-10-30 08:29:50 CDT by admin via cli
# grnoc-mon at PONCA-CITY-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -224,7 +224,7 @@
# grnoc-mon at PONCA-CITY-MX40> show system uptime
# System booted: 2013-11-01 00:53 CDT
# Protocols started: 2013-11-01 00:55 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:27 CST by jeremyt
#
# grnoc-mon at PONCA-CITY-MX40> show interface terse
#Interface Admin Link
@@ -290,7 +290,7 @@
#pp0 up up
#tap up up
# grnoc-mon at PONCA-CITY-MX40> show configuration
-## Last commit: 2014-02-26 11:12:35 CST by andrew
+## Last commit: 2014-03-03 15:27:56 CST by jeremyt
version 12.3R2.5;
system {
host-name PONCA-CITY-MX40;
@@ -303,7 +303,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -738,7 +738,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -948,114 +983,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1064,21 +1097,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1086,14 +1115,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1101,6 +1137,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core1.ptc.onenet.net
===================================================================
--- core1.ptc.onenet.net (revision 111317)
+++ core1.ptc.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TULSA-PTC1-MX480-RE0> show system commit
+# 2014-03-03 15:15:40 CST by rnordmark via cli commit synchronize
+# 2014-03-03 15:14:58 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-26 11:12:39 CST by andrew via netconf commit synchronize
# 2014-02-25 19:10:36 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:53:21 CST by rnordmark via cli commit synchronize
# 2014-02-18 17:15:04 CST by rnordmark via cli commit synchronize
-# 2014-02-14 14:52:18 CST by rnordmark via cli commit synchronize
-# 2014-02-13 14:05:08 CST by rnordmark via cli commit synchronize
# grnoc-mon at TULSA-PTC1-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -263,7 +263,7 @@
# grnoc-mon at TULSA-PTC1-MX480-RE0> show system uptime
# System booted: 2013-04-27 22:24 CDT
# Protocols started: 2013-04-27 22:25 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:15 CST by rnordmark
#
# {master}
# grnoc-mon at TULSA-PTC1-MX480-RE0> show interface terse
@@ -343,7 +343,7 @@
#pp0 up up
#tap up up
# grnoc-mon at TULSA-PTC1-MX480-RE0> show configuration
-## Last commit: 2014-02-26 11:12:39 CST by andrew
+## Last commit: 2014-03-03 15:15:40 CST by rnordmark
version 11.4R7.5;
groups {
re0 {
@@ -386,7 +386,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -849,7 +849,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1006,112 +1041,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1120,19 +1155,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1140,14 +1173,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1155,6 +1195,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core2-okc-mx960.onenet.net
===================================================================
--- core2-okc-mx960.onenet.net (revision 111935)
+++ core2-okc-mx960.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKC-CORE2-MX960-RE0> show system commit
+# 2014-03-03 15:48:24 CST by jeremyt via cli commit synchronize
# 2014-03-03 14:41:28 CST by josh via cli commit confirmed, rollback in 1mins synchronize
# 2014-02-26 11:12:39 CST by andrew via netconf commit synchronize
# 2014-02-26 10:09:44 CST by josh via cli commit synchronize
# 2014-02-25 19:09:06 CST by rnordmark via cli commit synchronize
# 2014-02-25 16:46:38 CST by josh via cli commit synchronize
-# 2014-02-25 13:05:41 CST by donnie via cli commit synchronize
# grnoc-mon at OKC-CORE2-MX960-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -428,7 +428,7 @@
# grnoc-mon at OKC-CORE2-MX960-RE0> show system uptime
# System booted: 2013-04-13 23:28 CDT
# Protocols started: 2013-04-13 23:31 CDT
-# Last configured: 2014-03-03 14:41 CST by josh
+# Last configured: 2014-03-03 15:48 CST by jeremyt
#
# {master}
# grnoc-mon at OKC-CORE2-MX960-RE0> show interface terse
@@ -613,7 +613,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKC-CORE2-MX960-RE0> show configuration
-## Last commit: 2014-03-03 14:41:28 CST by josh
+## Last commit: 2014-03-03 15:48:24 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -656,7 +656,7 @@
}
name-server {
164.58.253.10;
- 164.58.198.10;
+ 164.58.253.4;
}
radius-server {
156.110.31.11 {
@@ -1825,6 +1825,10 @@
}
}
policy-options {
+ prefix-list EBGP-IPV4-NEIGHBORS {
+ 164.58.17.170/32;
+ 164.58.245.250/32;
+ }
prefix-list DOH-TIME-SEN-LOW-BW {
/* healthcare-authority */
70.184.28.124/32;
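Review bot: This hunk re-adds `prefix-list EBGP-IPV4-NEIGHBORS`, the following hunk removes the PRE-* prefix lists that every other device in this mail gains, and the name-server hunk above (`@@ -656,7 +656,7 @@`) swaps 164.58.198.10 back to 164.58.253.4, the reverse of the other devices; with josh's 14:41 `commit confirmed, rollback in 1mins` followed by jeremyt's 15:48 commit in the commit list, this reads like a rollback of the same change on this chassis. If that is intentional, this device's PROTECT-RE filter stays on the older `destination-port [ ssh http ]` form while the rest of the fleet moves to the per-service terms, so a follow-up to re-apply the change, or a note in the commit comment recording why it was backed out, would keep the fleet consistent.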
@@ -12041,42 +12045,6 @@
10.0.1.48/29;
172.26.0.0/16;
}
- prefix-list PRE-MGMT-SOURCES {
- 64.207.244.14/32;
- 66.129.224.37/32;
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.15.0/24;
- 164.58.244.0/22;
- 164.58.253.0/24;
- }
- prefix-list PRE-RADIUS-SOURCES {
- apply-path "system radius-server <*>";
- }
- prefix-list PRE-NTP-SOURCES {
- apply-path "system ntp server <*>";
- }
- prefix-list PRE-DNS-SOURCES {
- apply-path "system name-server <*>";
- }
- prefix-list PRE-SNMP-SOURCES {
- apply-path "snmp client-list snmp-management <1*>";
- }
- prefix-list PRE-LOCALIPv4-SOURCES {
- apply-path "interfaces <*> unit <*> family inet address <*>";
- }
- prefix-list PRE-BGP-ALLOW {
- apply-path "protocols bgp group <*> neighbor <*>";
- }
- prefix-list PRE-LDP-SOURCES {
- 164.58.198.0/23;
- apply-path "interfaces <*> unit <*> family inet address <*>";
- }
- prefix-list PRE-L0-SOURCES {
- apply-path "interfaces lo0 unit <*> family inet address <164.*>";
- }
policy-statement DEFAULT-ONLY-EXPORT {
term ACCEPT-DEFAULT {
from {
@@ -12462,39 +12430,58 @@
then accept;
}
}
- filter ABUSE {
- term VIDEO-ABUSE {
+ filter PROTECT-RE {
+ term SERVICES {
from {
- source-prefix-list {
- video-abuse;
+ source-address {
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.253.0/24;
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
}
+ protocol tcp;
+ destination-port [ ssh http ];
}
- then {
- discard;
- }
+ then accept;
}
- term WEBSITE-ABUSE {
+ term OSPF-ALLOW {
from {
+ source-address {
+ 164.58.199.0/24;
+ 164.58.0.0/16;
+ 156.110.0.0/16;
+ 10.11.100.0/24;
+ }
source-prefix-list {
- website-abuse;
+ L3VPN-CUSTOMERS;
}
+ protocol ospf;
}
- then {
- discard;
- }
+ then accept;
}
- term ACCEPT_ALL {
+ term EBGP-ALLOW {
+ from {
+ prefix-list {
+ EBGP-IPV4-NEIGHBORS;
+ }
+ protocol tcp;
+ port 179;
+ }
then accept;
}
- }
- filter PROTECT-RE {
- term SSH-ALLOW {
+ term IBGP-ALLOW {
from {
- source-prefix-list {
- PRE-MGMT-SOURCES;
+ source-address {
+ 164.58.199.216/32;
+ 164.58.199.226/32;
}
protocol tcp;
- destination-port ssh;
+ port 179;
}
then accept;
}
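Review bot: The rebuilt term SERVICES accepts tcp/http to the routing engine from the management ranges in addition to ssh (`destination-port [ ssh http ];`), which the other devices in this mail narrow to `destination-port ssh;`; unless a web service is actually enabled on OKC-CORE2 (not visible here) http should be dropped from that list. This section also moves core2-okc from the apply-path prefix-list form back to inline source-address blocks, the opposite direction from every other device in the batch, so the same management list is now maintained by hand in two styles across the fleet. If that is a deliberate rollback (the 14:41 `commit confirmed, rollback in 1mins` entry suggests one) an annotation on the filter, e.g. `/* static form kept on core2-okc, see <ticket placeholder> */`, saves the next reader the archaeology. OSPF-ALLOW's source-address now spans 164.58.0.0/16 and 156.110.0.0/16 rather than the box's interface addresses, which may be intended on a core router but is wider than the prefix-list form it replaces. filter PROTECT-RE continues in the next hunk.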
@@ -12514,86 +12501,46 @@
discard;
}
}
- term OSPF-ALLOW {
+ term ICMP-ALLOW {
from {
- source-prefix-list {
- PRE-LOCALIPv4-SOURCES;
- }
- protocol ospf;
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
}
then accept;
}
- term BGP-ALLOW {
+ term SERVICES-OUTBOUND {
from {
- prefix-list {
- PRE-BGP-ALLOW;
- }
- protocol tcp;
- port 179;
+ source-port [ domain ntp ssh syslog ftp 7804 telnet ];
}
then accept;
}
- term RADIUS-ALLOW {
+ term RADIUS {
from {
- source-prefix-list {
- PRE-RADIUS-SOURCES;
+ source-address {
+ 156.110.31.11/32;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP-ALLOW {
+ term NTP {
from {
- source-prefix-list {
- PRE-NTP-SOURCES;
- PRE-L0-SOURCES;
+ source-address {
+ 164.58.10.1/32;
+ 164.58.199.0/24;
}
protocol udp;
port ntp;
}
then accept;
}
- term DOMAIN-ALLOW {
- from {
- source-prefix-list {
- PRE-DNS-SOURCES;
- }
- port domain;
- }
- then accept;
- }
- term SYSLOG-ALLOW {
- from {
- source-prefix-list {
- PRE-MGMT-SOURCES;
- }
- port syslog;
- }
- then accept;
- }
- term FTP-ALLOW {
- from {
- source-prefix-list {
- PRE-MGMT-SOURCES;
- }
- port ftp;
- }
- then accept;
- }
- term JSPACE-ALLOW {
- from {
- source-prefix-list {
- PRE-MGMT-SOURCES;
- }
- source-port 7408;
- }
- then accept;
- }
term SNMP-ALLOW {
from {
- source-prefix-list {
- PRE-SNMP-SOURCES;
+ source-address {
+ 164.58.253.0/24;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
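Review bot: Term SERVICES-OUTBOUND accepts any packet whose source port is one of `[ domain ntp ssh syslog ftp 7804 telnet ]` with no protocol, address or TCP-state qualifier, and it sits ahead of the RADIUS, NTP, SNMP, LDP and BFD terms and of DENY_ALL, so the source-address restrictions in those terms only apply to packets that do not happen to carry one of these source ports. If the intent is return traffic for sessions the RE initiates, the TCP services should be matched with `protocol tcp;` and `tcp-established;`, and the UDP replies (domain, ntp) should be accepted only from the configured name-server and ntp server addresses. 7804 here also disagrees with the 7408 in the JSPACE-ALLOW term this hunk removes; one of the two is presumably a typo. The same source-port-only pattern (with `[ ssh telnet ]`) is re-added to core2.sti, hub.dur, hub.cla and hub.mia in their last PROTECT-RE hunks. filter PROTECT-RE continues in the next hunk.
```junos
term SERVICES-OUTBOUND-TCP {
    from {
        protocol tcp;
        tcp-established;
        source-port [ ssh ftp 7804 telnet ];
    }
    then accept;
}
term SERVICES-OUTBOUND-UDP {
    from {
        source-address {
            /* configured name-servers (this device) */
            164.58.253.10/32;
            164.58.253.4/32;
            /* <ntp server addresses placeholder - not visible in this diff> */
        }
        protocol udp;
        source-port [ domain ntp ];
    }
    then accept;
}
/* ... unchanged: RADIUS, NTP, SNMP-ALLOW terms ... */
```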
@@ -12602,17 +12549,22 @@
}
term LDP-ALLOW {
from {
+ source-address {
+ 164.58.199.0/24;
+ 164.58.0.0/16;
+ 156.110.0.0/16;
+ }
source-prefix-list {
- PRE-LDP-SOURCES;
+ L3VPN-CUSTOMERS;
}
port ldp;
}
- then accept;
}
term PIM-ALLOW {
from {
- source-prefix-list {
- PRE-LOCALIPv4-SOURCES;
+ source-address {
+ 164.58.199.0/24;
+ 164.58.0.0/16;
}
protocol pim;
}
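Review bot: The new side of term LDP-ALLOW has no `then` action, because the hunk removes `then accept;` while core2.sti, hub.dur, hub.cla and hub.mia add it; Junos treats a term with match conditions and no then clause as accept, so behaviour is unchanged, but the implicit form reads like a fall-through and breaks the convention every other term in this filter follows. Restoring `then accept;` keeps the filter self-explanatory. filter PROTECT-RE continues in the next hunk.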
@@ -12620,21 +12572,14 @@
}
term BFD-ALLOW {
from {
- source-prefix-list {
- PRE-LOCALIPv4-SOURCES;
+ source-address {
+ 164.58.0.0/16;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
- then accept;
- }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -12642,25 +12587,36 @@
}
then accept;
}
- term DENY-SERVICES-INBOUND {
+ term DENY_ALL {
+ then {
+ discard;
+ }
+ }
+ }
+ filter ABUSE {
+ term VIDEO-ABUSE {
from {
- destination-port [ ssh telnet http https snmp ntp domain ];
+ source-prefix-list {
+ video-abuse;
+ }
}
then {
discard;
}
}
- term SERVICES-OUTBOUND {
+ term WEBSITE-ABUSE {
from {
- source-port [ ssh telnet ];
+ source-prefix-list {
+ website-abuse;
+ }
}
- then accept;
- }
- term DENY_ALL {
then {
discard;
}
}
+ term ACCEPT_ALL {
+ then accept;
+ }
}
}
policer 750K-POL {
Index: core2.sti.onenet.net
===================================================================
--- core2.sti.onenet.net (revision 111324)
+++ core2.sti.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at STILLWATER-CORE2-MX480-RE0> show system commit
+# 2014-03-03 15:25:24 CST by rnordmark via cli commit synchronize
+# 2014-03-03 15:24:35 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-26 11:12:29 CST by andrew via netconf commit synchronize
# 2014-02-25 19:01:20 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:40:08 CST by rnordmark via cli commit synchronize
# 2014-01-28 15:30:06 CST by jeremyt via cli commit synchronize
-# 2014-01-28 15:29:25 CST by jeremyt via cli commit confirmed, rollback in 10mins synchronize
-# 2014-01-14 21:13:40 CST by joel via cli commit synchronize
# grnoc-mon at STILLWATER-CORE2-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -281,7 +281,7 @@
# grnoc-mon at STILLWATER-CORE2-MX480-RE0> show system uptime
# System booted: 2014-01-07 10:59 CST
# Protocols started: 2014-01-07 11:01 CST
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:25 CST by rnordmark
#
# {master}
# grnoc-mon at STILLWATER-CORE2-MX480-RE0> show interface terse
@@ -333,7 +333,7 @@
#pp0 up up
#tap up up
# grnoc-mon at STILLWATER-CORE2-MX480-RE0> show configuration
-## Last commit: 2014-02-26 11:12:29 CST by andrew
+## Last commit: 2014-03-03 15:25:24 CST by rnordmark
version 13.2R2.4;
groups {
re0 {
@@ -377,7 +377,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -477,8 +477,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
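Review bot: core2.sti is left with a single time source, `server 164.58.3.98 prefer;`, and `prefer` has nothing to prefer against once 164.58.253.82 is gone; if 164.58.3.98 becomes unreachable the clock free-runs, which skews log timestamps and any time-dependent authentication on the box. A second server (with `prefer` on the one you actually want) keeps the clock disciplined, and PRE-NTP-SOURCES picks it up automatically through apply-path.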
@@ -658,7 +657,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
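Review bot: `apply-path "snmp client-list snmp-management <1*>";` in PRE-SNMP-SOURCES only collects client-list entries whose text begins with 1, so any SNMP manager added later outside that pattern (PRE-MGMT-SOURCES already lists 64.207.244.14 and 66.129.224.37) silently falls outside SNMP-ALLOW and is discarded by DENY_ALL. If the glob is meant to exclude particular entries, an annotation naming them (`/* <1*> deliberately skips <entry placeholder> */`) would keep it from being "fixed" later; otherwise `<*>` is the safer form. PRE-MGMT-SOURCES is the one static list in this block and is duplicated verbatim on hub.dur, hub.cla, hub.mia and hub.okm in this mail, so each change to it is now a per-device edit. The same prefix-list hunk appears on those hosts.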
@@ -745,112 +779,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
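Review bot: DOMAIN-ALLOW, SYSLOG-ALLOW and FTP-ALLOW match with `port` (source or destination) and no `protocol`, so a packet from a listed source is accepted if 53, 514 or 21 appears on either side of whatever transport header is present, and Junos recommends pairing port matches with a protocol match so the port offset is only interpreted for TCP/UDP. For DOMAIN-ALLOW, whose sources are the configured name-servers, `protocol udp;` and `source-port domain;` state the intent (resolver replies; use `[ udp tcp ]` if TCP fallback is needed); for SYSLOG-ALLOW and FTP-ALLOW the traffic direction is not visible here, so choose `source-port` or `destination-port` accordingly. The same three terms appear in the hub.dur, hub.cla and hub.mia PROTECT-RE hunks. filter PROTECT-RE continues in the following hunks.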
@@ -859,19 +893,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -879,14 +911,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -894,6 +933,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.ard.onenet.net
===================================================================
--- hub.ard.onenet.net (revision 111939)
+++ hub.ard.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ARDMORE-M120-RE0> show system commit
+# 2014-03-03 15:41:34 CST by root via other
+# 2014-03-03 15:36:22 CST by josh via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:34 CST by andrew via netconf commit synchronize
# 2014-02-25 19:01:35 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:48:27 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:47:58 CST by rnordmark via cli commit synchronize
-# 2014-02-07 07:53:09 CST by joe via cli commit synchronize
-# 2014-02-05 14:51:21 CST by joe via cli commit synchronize
# grnoc-mon at ARDMORE-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
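Review bot: The new commit line `2014-03-03 15:41:34 CST by root via other` immediately after a `commit confirmed, rollback in 5mins` by josh is the pattern a Junos automatic rollback leaves, and this section carries no configuration hunks at all, only the commit list, uptime and a T1 link-state change. If so, ARDMORE-M120 did not keep the prefix-list/PROTECT-RE change the other hubs received and is the one device in this mail still running the previous routing-engine filter. That is worth confirming on the box rather than inferring from the diff.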
@@ -274,7 +274,7 @@
# grnoc-mon at ARDMORE-M120-RE0> show system uptime
# System booted: 2013-05-26 01:53 CDT
# Protocols started: 2013-05-26 01:56 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:41 CST by root
#
# {master}
# grnoc-mon at ARDMORE-M120-RE0> show interface terse
@@ -340,8 +340,8 @@
#t1-2/0/3:6 up up
#t1-2/0/3:6.0 up up
#t1-2/0/3:7 up down
-#t1-2/0/3:8 up down
-#t1-2/0/3:8.0 up down
+#t1-2/0/3:8 up up
+#t1-2/0/3:8.0 up up
#t1-2/0/3:9 up down
#t1-2/0/3:10 up up
#t1-2/0/3:10.0 up up
@@ -441,7 +441,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ARDMORE-M120-RE0> show configuration
-## Last commit: 2014-02-26 11:12:34 CST by andrew
+## Last commit: 2014-03-03 15:41:34 CST by root
version 11.4R7.5;
groups {
re0 {
Index: hub.dur.onenet.net
===================================================================
--- hub.dur.onenet.net (revision 111701)
+++ hub.dur.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at DURANT-M120-RE0> show system commit
+# 2014-03-03 15:56:02 CST by jeremyt via cli commit synchronize
+# 2014-03-03 15:37:58 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:34 CST by andrew via netconf commit synchronize
# 2014-02-25 19:01:48 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:49:08 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:48:37 CST by rnordmark via cli commit synchronize
-# 2013-12-31 10:54:36 CST by josh via cli commit synchronize
-# 2013-12-31 10:29:12 CST by josh via cli commit synchronize
# grnoc-mon at DURANT-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -271,7 +271,7 @@
# grnoc-mon at DURANT-M120-RE0> show system uptime
# System booted: 2013-05-26 00:18 CDT
# Protocols started: 2013-05-26 00:24 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:56 CST by jeremyt
#
# {master}
# grnoc-mon at DURANT-M120-RE0> show interface terse
@@ -447,7 +447,7 @@
#pp0 up up
#tap up up
# grnoc-mon at DURANT-M120-RE0> show configuration
-## Last commit: 2014-02-26 11:12:34 CST by andrew
+## Last commit: 2014-03-03 15:56:02 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -490,7 +490,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1475,7 +1475,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1675,114 +1711,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1791,21 +1825,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1813,14 +1843,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1828,6 +1865,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.cla.onenet.net
===================================================================
--- hub.cla.onenet.net (revision 111334)
+++ hub.cla.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at CLAREMORE-M120-RE0> show system commit
+# 2014-03-03 15:21:08 CST by josh via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:41 CST by andrew via netconf commit synchronize
# 2014-02-25 19:06:34 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:48:53 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:48:21 CST by rnordmark via cli commit synchronize
# 2013-12-03 09:08:22 CST by rnordmark via cli commit synchronize
-# 2013-12-03 09:08:16 CST by rnordmark via cli commit synchronize
# grnoc-mon at CLAREMORE-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -270,7 +270,7 @@
# grnoc-mon at CLAREMORE-M120-RE0> show system uptime
# System booted: 2013-05-30 22:16 CDT
# Protocols started: 2013-05-30 23:11 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:21 CST by josh
#
# {master}
# grnoc-mon at CLAREMORE-M120-RE0> show interface terse
@@ -415,7 +415,7 @@
#pp0 up up
#tap up up
# grnoc-mon at CLAREMORE-M120-RE0> show configuration
-## Last commit: 2014-02-26 11:12:41 CST by andrew
+## Last commit: 2014-03-03 15:21:08 CST by josh
version 11.4R7.5;
groups {
re0 {
@@ -458,7 +458,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1113,7 +1113,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1308,114 +1343,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1424,21 +1457,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1446,14 +1475,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1461,6 +1497,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.mia.onenet.net
===================================================================
--- hub.mia.onenet.net (revision 111544)
+++ hub.mia.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at MIAMI-M120-RE0> show system commit
+# 2014-03-03 15:08:39 CST by jeremyt via cli commit synchronize
+# 2014-03-03 15:07:22 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:39 CST by andrew via netconf commit synchronize
# 2014-02-25 19:06:26 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:50:38 CST by rnordmark via cli commit synchronize
# 2014-02-18 12:40:18 CST by joel via cli commit synchronize
-# 2014-02-18 12:31:37 CST by joel via cli commit synchronize
-# 2014-02-14 14:49:49 CST by rnordmark via cli commit synchronize
# grnoc-mon at MIAMI-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -289,7 +289,7 @@
# grnoc-mon at MIAMI-M120-RE0> show system uptime
# System booted: 2013-05-30 22:17 CDT
# Protocols started: 2013-05-30 23:11 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:08 CST by jeremyt
#
# {master}
# grnoc-mon at MIAMI-M120-RE0> show interface terse
@@ -449,7 +449,7 @@
#pp0 up up
#tap up up
# grnoc-mon at MIAMI-M120-RE0> show configuration
-## Last commit: 2014-02-26 11:12:39 CST by andrew
+## Last commit: 2014-03-03 15:08:39 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -492,7 +492,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1147,12 +1147,47 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list VIDEO {
156.110.219.34/32;
156.110.219.35/32;
156.110.219.36/32;
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1347,114 +1382,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1463,21 +1496,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1485,14 +1514,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1500,6 +1536,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.okm.onenet.net
===================================================================
--- hub.okm.onenet.net (revision 111363)
+++ hub.okm.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKMULGEE-M120-RE0> show system commit
+# 2014-03-03 15:37:45 CST by rnordmark via cli commit synchronize
+# 2014-03-03 15:37:01 CST by rnordmark via cli commit confirmed, rollback in 3mins synchronize
# 2014-02-26 11:12:32 CST by andrew via netconf commit synchronize
# 2014-02-25 19:05:31 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:51:03 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:50:16 CST by rnordmark via cli commit synchronize
-# 2014-01-16 15:52:54 CST by joe via cli commit synchronize
-# 2014-01-16 15:42:33 CST by joe via cli commit synchronize
# grnoc-mon at OKMULGEE-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -270,7 +270,7 @@
# grnoc-mon at OKMULGEE-M120-RE0> show system uptime
# System booted: 2013-06-04 22:22 CDT
# Protocols started: 2013-06-04 22:38 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:37 CST by rnordmark
#
# {master}
# grnoc-mon at OKMULGEE-M120-RE0> show interface terse
@@ -431,7 +431,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKMULGEE-M120-RE0> show configuration
-## Last commit: 2014-02-26 11:12:32 CST by andrew
+## Last commit: 2014-03-03 15:37:45 CST by rnordmark
version 11.4R7.5;
groups {
re0 {
@@ -474,7 +474,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1417,7 +1417,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
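Review bot: PRE-LOCALIPv4-SOURCES is built from `apply-path "interfaces <*> unit <*> family inet address <*>"`, which as I read apply-path expands to the prefix of every configured inet address, i.e. every directly connected subnet including any customer- or peer-facing ones; the OSPF-ALLOW, PIM-ALLOW and BFD-ALLOW terms that reference it therefore accept those protocols from any host on those subnets, where the old terms listed explicit ranges. Two more expansions deserve a check: PRE-SNMP-SOURCES uses the glob `<1*>`, so any `snmp client-list snmp-management` entry not beginning with the digit 1 is silently excluded, and PRE-BGP-ALLOW only walks `protocols bgp`, so neighbors configured under routing-instances (if any) would not be matched by BGP-ALLOW. Consider recording the intended scope as an annotation on each apply-path list, e.g. `/* all connected prefixes; tighten if customer-facing units carry inet addresses */`. The same policy-options hunk appears for hub.mus, hub.sal, hub.osuokc and core4.tul.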
@@ -1612,114 +1647,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
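Review bot: DOMAIN-ALLOW, SYSLOG-ALLOW and FTP-ALLOW in this hunk match with bare `port`, which in Junos matches either the source or the destination port, and give no `protocol`, so FTP-ALLOW accepts any TCP or UDP packet from a PRE-MGMT-SOURCES address with 21 in either port field and DOMAIN-ALLOW anything from a name-server address with 53 in either field. Since the sources are restricted the exposure is limited, but the direction could be made explicit: `protocol tcp; destination-port ftp;` for FTP-ALLOW and `protocol [ udp tcp ]; source-port domain;` for DOMAIN-ALLOW (resolver replies); SYSLOG-ALLOW is only needed if these routers receive syslog, which the hunk does not show. The same PROTECT-RE rewrite appears for hub.mus, hub.sal, hub.osuokc and, split across several hunks, core4.tul. The filter's remaining terms continue outside this hunk.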
@@ -1728,21 +1761,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1750,14 +1779,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1765,6 +1801,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.mus.onenet.net
===================================================================
--- hub.mus.onenet.net (revision 111356)
+++ hub.mus.onenet.net (working copy)
@@ -1,13 +1,13 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at MUSKOGEE-M120-RE0> show system commit
+# 2014-03-03 15:25:12 CST by josh via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:43 CST by andrew via netconf commit synchronize
# 2014-02-25 19:04:47 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:50:55 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:50:08 CST by rnordmark via cli commit synchronize
# 2013-12-21 00:39:02 CST by root via other
# Synchronization with remote Routing Engine
-# 2013-11-11 15:21:50 CST by rnordmark via cli commit synchronize
# grnoc-mon at MUSKOGEE-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -297,7 +297,7 @@
# grnoc-mon at MUSKOGEE-M120-RE0> show system uptime
# System booted: 2013-12-21 00:36 CST
# Protocols started: 2013-12-21 00:38 CST
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:25 CST by josh
#
# {master}
# grnoc-mon at MUSKOGEE-M120-RE0> show interface terse
@@ -473,7 +473,7 @@
#pp0 up up
#tap up up
# grnoc-mon at MUSKOGEE-M120-RE0> show configuration
-## Last commit: 2014-02-26 11:12:43 CST by andrew
+## Last commit: 2014-03-03 15:25:12 CST by josh
version 11.4R7.5;
groups {
re0 {
@@ -516,7 +516,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1409,7 +1409,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1622,114 +1657,112 @@
}
}
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1738,21 +1771,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1760,14 +1789,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1775,6 +1811,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.pot.onenet.net
===================================================================
--- hub.pot.onenet.net (revision 111945)
+++ hub.pot.onenet.net (working copy)
@@ -326,8 +326,8 @@
#t1-2/0/3:5 up up
#t1-2/0/3:5.0 up up
#t1-2/0/3:6 down down
-#t1-2/0/3:7 up up
-#t1-2/0/3:7.0 up up
+#t1-2/0/3:7 up down
+#t1-2/0/3:7.0 up down
#t1-2/0/3:8 down down
#t1-2/0/3:9 down down
#t1-2/0/3:10 up up
Index: hub.sal.onenet.net
===================================================================
--- hub.sal.onenet.net (revision 111944)
+++ hub.sal.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at SALLISAW-M120-RE0> show system commit
+# 2014-03-03 15:07:14 CST by rnordmark via cli commit synchronize
+# 2014-03-03 15:05:49 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-26 11:12:37 CST by andrew via netconf commit synchronize
# 2014-02-25 19:05:47 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:51:26 CST by rnordmark via cli commit synchronize
# 2014-02-20 08:35:04 CST by josh via cli commit synchronize
-# 2014-02-14 14:50:39 CST by rnordmark via cli commit synchronize
-# 2014-02-14 10:39:26 CST by joe via cli commit synchronize
# grnoc-mon at SALLISAW-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -272,7 +272,7 @@
# grnoc-mon at SALLISAW-M120-RE0> show system uptime
# System booted: 2013-06-04 22:21 CDT
# Protocols started: 2013-06-04 22:33 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:07 CST by rnordmark
#
# {master}
# grnoc-mon at SALLISAW-M120-RE0> show interface terse
@@ -438,7 +438,7 @@
#pp0 up up
#tap up up
# grnoc-mon at SALLISAW-M120-RE0> show configuration
-## Last commit: 2014-02-26 11:12:37 CST by andrew
+## Last commit: 2014-03-03 15:07:14 CST by rnordmark
version 11.4R7.5;
groups {
re0 {
@@ -481,7 +481,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1295,7 +1295,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1490,114 +1525,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1606,21 +1639,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1628,14 +1657,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1643,6 +1679,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.osuokc.onenet.net
===================================================================
--- hub.osuokc.onenet.net (revision 111348)
+++ hub.osuokc.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OSUOKC-MX80> show system commit
+# 2014-03-03 15:08:18 CST by josh via cli commit confirmed, rollback in 5mins
# 2014-02-26 11:12:38 CST by andrew via netconf
# 2014-02-25 19:03:18 CST by rnordmark via cli
# 2014-02-24 17:51:10 CST by rnordmark via cli
# 2014-02-14 14:50:23 CST by rnordmark via cli
# 2013-11-11 15:22:04 CST by rnordmark via cli
-# 2013-10-31 14:26:59 CDT by jeremyt via cli
# grnoc-mon at OSUOKC-MX80> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -212,7 +212,7 @@
# grnoc-mon at OSUOKC-MX80> show system uptime
# System booted: 2013-04-21 01:16 CDT
# Protocols started: 2013-04-21 01:17 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:08 CST by josh
#
# grnoc-mon at OSUOKC-MX80> show interface terse
#Interface Admin Link
@@ -273,7 +273,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OSUOKC-MX80> show configuration
-## Last commit: 2014-02-26 11:12:38 CST by andrew
+## Last commit: 2014-03-03 15:08:18 CST by josh
version 11.4R7.5;
system {
host-name OSUOKC-MX80;
@@ -285,7 +285,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -595,7 +595,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement REDISTRIBUTE-DIRECTS {
term 1 {
from protocol direct;
@@ -682,112 +717,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -796,19 +831,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -816,14 +849,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -831,6 +871,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core4.tul.onenet.net
===================================================================
--- core4.tul.onenet.net (revision 111518)
+++ core4.tul.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TULSA-CORE4-MX480-RE0> show system commit
+# 2014-03-03 15:19:57 CST by jeremyt via cli commit synchronize
+# 2014-03-03 15:18:29 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 14:29:54 CST by donnie via cli commit synchronize
# 2014-02-26 11:12:40 CST by andrew via netconf commit synchronize
# 2014-02-25 19:09:58 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:54:33 CST by rnordmark via cli commit synchronize
-# 2014-02-21 16:09:33 CST by donnie via cli commit synchronize
-# 2014-02-18 10:38:47 CST by donnie via cli commit synchronize
# grnoc-mon at TULSA-CORE4-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -365,7 +365,7 @@
# grnoc-mon at TULSA-CORE4-MX480-RE0> show system uptime
# System booted: 2013-04-28 00:30 CDT
# Protocols started: 2013-04-28 00:31 CDT
-# Last configured: 2014-02-26 14:29 CST by donnie
+# Last configured: 2014-03-03 15:19 CST by jeremyt
#
# {master}
# grnoc-mon at TULSA-CORE4-MX480-RE0> show interface terse
@@ -562,7 +562,7 @@
#pp0 up up
#tap up up
# grnoc-mon at TULSA-CORE4-MX480-RE0> show configuration
-## Last commit: 2014-02-26 14:29:54 CST by donnie
+## Last commit: 2014-03-03 15:19:57 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -608,7 +608,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1771,13 +1771,6 @@
prefix-list DENY-ALL {
0.0.0.0/0;
}
- prefix-list EBGP-IPV4-NEIGHBORS {
- 64.57.21.161/32;
- 64.57.21.165/32;
- 164.58.16.26/32;
- 164.58.253.36/32;
- 216.56.50.37/32;
- }
prefix-list MARTIANS-IPV4 {
0.0.0.0/8;
10.0.0.0/8;
@@ -1821,6 +1814,42 @@
prefix-list L3VPN-CUSTOMERS {
10.0.1.32/29;
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement COMMODITY-PREFIXES-LIST {
term prefixes {
from {
@@ -2619,57 +2648,31 @@
}
firewall {
family inet {
- filter PROTECT-RE {
- term SERVICES {
+ filter TELEMATE {
+ term TELEMATE {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
- }
- protocol tcp;
- destination-port [ ssh http ];
- }
- then accept;
- }
- term OSPF-ALLOW {
- from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
source-prefix-list {
- L3VPN-CUSTOMERS;
+ TELEMATE-CUSTOMERS;
}
- protocol ospf;
+ port [ http ftp nntp https ];
}
- then accept;
+ then {
+ port-mirror;
+ accept;
+ }
}
- term EBGP-ALLOW {
- from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
- protocol tcp;
- port 179;
- }
+ term ACCEPT-ALL {
then accept;
}
- term IBGP-ALLOW {
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
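Review bot: The removed OSPF-ALLOW in this hunk also accepted OSPF from `source-prefix-list { L3VPN-CUSTOMERS; }`, but the replacement OSPF-ALLOW added in the next hunk references only PRE-LOCALIPv4-SOURCES, and the LDP-ALLOW hunk further down replaces L3VPN-CUSTOMERS with PRE-LDP-SOURCES, while the L3VPN-CUSTOMERS prefix-list (10.0.1.32/29) itself is kept. If those customer peers are not on a directly connected inet address that the apply-path picks up, their OSPF and LDP packets to this RE would now fall through to DENY_ALL; worth confirming the adjacencies on the device. The TELEMATE filter is also moved above PROTECT-RE here; the order of filters under `family inet` does not affect evaluation, so that part is cosmetic. The enclosing `firewall` block continues outside this hunk.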
@@ -2689,46 +2692,86 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
+ term DOMAIN-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
+ }
+ then accept;
+ }
+ term SYSLOG-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
+ }
+ then accept;
+ }
+ term FTP-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port ftp;
+ }
+ then accept;
+ }
+ term JSPACE-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ source-port 7408;
+ }
+ then accept;
+ }
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -2737,22 +2780,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
source-prefix-list {
- L3VPN-CUSTOMERS;
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -2760,14 +2798,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -2775,28 +2820,25 @@
}
then accept;
}
- term DENY_ALL {
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
then {
discard;
}
}
- }
- filter TELEMATE {
- term TELEMATE {
+ term SERVICES-OUTBOUND {
from {
- source-prefix-list {
- TELEMATE-CUSTOMERS;
- }
- port [ http ftp nntp https ];
+ source-port [ ssh telnet ];
}
+ then accept;
+ }
+ term DENY_ALL {
then {
- port-mirror;
- accept;
+ discard;
}
}
- term ACCEPT-ALL {
- then accept;
- }
}
}
policer 20MB {
Index: core3.okc-m120.onenet.net
===================================================================
--- core3.okc-m120.onenet.net (revision 111948)
+++ core3.okc-m120.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKC-CORE3-M120-RE0> show system commit
+# 2014-03-03 15:52:18 CST by rnordmark via cli commit synchronize
+# 2014-03-03 15:50:17 CST by rnordmark via cli commit confirmed, rollback in 5mins synchronize
# 2014-03-03 14:59:27 CST by rnordmark via cli commit synchronize
# 2014-03-03 14:58:03 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-03-03 14:30:02 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# 2014-02-28 14:23:11 CST by joel via cli commit synchronize
-# 2014-02-27 12:55:10 CST by joe via cli commit synchronize
-# 2014-02-27 12:19:28 CST by josh via cli commit synchronize
# grnoc-mon at OKC-CORE3-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -366,7 +366,7 @@
# grnoc-mon at OKC-CORE3-M120-RE0> show system uptime
# System booted: 2013-04-14 00:17 CDT
# Protocols started: 2013-04-14 00:30 CDT
-# Last configured: 2014-03-03 14:59 CST by rnordmark
+# Last configured: 2014-03-03 15:52 CST by rnordmark
#
# {master}
# grnoc-mon at OKC-CORE3-M120-RE0> show interface terse
@@ -1137,8 +1137,8 @@
#t1-3/3/0:4:19 up down
#t1-3/3/0:4:20 up down
#t1-3/3/0:4:21 up down
-#t1-3/3/0:4:22 up down
-#t1-3/3/0:4:22.0 up down
+#t1-3/3/0:4:22 up up
+#t1-3/3/0:4:22.0 up up
#t1-3/3/0:4:23 up down
#t1-3/3/0:4:24 up up
#t1-3/3/0:4:24.0 up up
@@ -1207,8 +1207,8 @@
#t1-3/3/0:6:7.0 up up
#t1-3/3/0:6:8 up up
#t1-3/3/0:6:8.0 up up
-#t1-3/3/0:6:9 up down
-#t1-3/3/0:6:9.0 up down
+#t1-3/3/0:6:9 up up
+#t1-3/3/0:6:9.0 up up
#t1-3/3/0:6:10 up up
#t1-3/3/0:6:10.0 up up
#t1-3/3/0:6:11 up down
@@ -1950,7 +1950,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKC-CORE3-M120-RE0> show configuration
-## Last commit: 2014-03-03 14:59:27 CST by rnordmark
+## Last commit: 2014-03-03 15:52:18 CST by rnordmark
version 11.4R7.5;
groups {
re0 {
@@ -1993,7 +1993,7 @@
}
name-server {
164.58.253.10;
- 164.58.198.10;
+ 164.58.253.4;
}
radius-server {
156.110.31.11 {
@@ -2092,7 +2092,8 @@
}
commit synchronize;
ntp {
- server 164.58.3.98 prefer;
+ server 164.58.3.98;
+ server 164.58.253.82 prefer;
}
}
chassis {
@@ -8701,6 +8702,7 @@
204.87.86.36/32;
208.67.57.0/24;
}
+ prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list RESIDENCE-HALL {
164.58.23.131/32;
164.58.23.132/32;
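Review bot: `prefix-list EBGP-IPV4-NEIGHBORS;` is restored with no members, yet the EBGP-ALLOW term reinstated later in this file matches on it, so eBGP sessions with any peer outside the two /32s in IBGP-ALLOW depend on this list being populated somewhere not visible here. If it is meant to be an apply-path expansion, put the expression in the definition (`apply-path "protocols bgp group <*> neighbor <*>";`, the form the other devices in this diff use as PRE-BGP-ALLOW) so the list cannot silently stay empty; if it is maintained by hand, a `/* … */` annotation naming what fills it would help. How a filter term that references an empty prefix list behaves is worth confirming on 11.4R7.5 rather than assuming it matches nothing.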
@@ -8748,42 +8750,6 @@
164.58.46.0/24;
164.58.59.0/24;
}
- prefix-list PRE-MGMT-SOURCES {
- 64.207.244.14/32;
- 66.129.224.37/32;
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.15.0/24;
- 164.58.244.0/22;
- 164.58.253.0/24;
- }
- prefix-list PRE-RADIUS-SOURCES {
- apply-path "system radius-server <*>";
- }
- prefix-list PRE-NTP-SOURCES {
- apply-path "system ntp server <*>";
- }
- prefix-list PRE-DNS-SOURCES {
- apply-path "system name-server <*>";
- }
- prefix-list PRE-SNMP-SOURCES {
- apply-path "snmp client-list snmp-management <1*>";
- }
- prefix-list PRE-LOCALIPv4-SOURCES {
- apply-path "interfaces <*> unit <*> family inet address <*>";
- }
- prefix-list PRE-BGP-ALLOW {
- apply-path "protocols bgp group <*> neighbor <*>";
- }
- prefix-list PRE-LDP-SOURCES {
- 164.58.198.0/23;
- apply-path "interfaces <*> unit <*> family inet address <*>";
- }
- prefix-list PRE-L0-SOURCES {
- apply-path "interfaces lo0 unit <*> family inet address <164.*>";
- }
policy-statement DEFAULT-ONLY-EXPORT {
term ACCEPT-DEFAULT {
from {
@@ -9047,28 +9013,56 @@
}
}
}
- filter BLOCK-NTP {
- term 1 {
+ filter PROTECT-RE {
+ term SERVICES {
from {
- protocol udp;
- port ntp;
+ source-address {
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.253.0/24;
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ }
+ protocol tcp;
+ destination-port [ ssh http ];
}
- then {
- discard;
+ then accept;
+ }
+ term OSPF-ALLOW {
+ from {
+ source-address {
+ 164.58.199.0/24;
+ 164.58.0.0/16;
+ 156.110.0.0/16;
+ 10.199.2.0/24;
+ 172.23.0.0/16;
+ }
+ protocol ospf;
}
+ then accept;
}
- term 2 {
+ term EBGP-ALLOW {
+ from {
+ prefix-list {
+ EBGP-IPV4-NEIGHBORS;
+ }
+ protocol tcp;
+ port 179;
+ }
then accept;
}
- }
- filter PROTECT-RE {
- term SSH-ALLOW {
+ term IBGP-ALLOW {
from {
- source-prefix-list {
- PRE-MGMT-SOURCES;
+ source-address {
+ 164.58.199.216/32;
+ 164.58.199.226/32;
}
protocol tcp;
- destination-port ssh;
+ port 179;
}
then accept;
}
@@ -9088,86 +9082,46 @@
discard;
}
}
- term OSPF-ALLOW {
+ term ICMP-ALLOW {
from {
- source-prefix-list {
- PRE-LOCALIPv4-SOURCES;
- }
- protocol ospf;
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
}
then accept;
}
- term BGP-ALLOW {
+ term SERVICES-OUTBOUND {
from {
- prefix-list {
- PRE-BGP-ALLOW;
- }
- protocol tcp;
- port 179;
+ source-port [ domain ntp ssh syslog ftp 7804 telnet ftp-data ];
}
then accept;
}
- term RADIUS-ALLOW {
+ term RADIUS {
from {
- source-prefix-list {
- PRE-RADIUS-SOURCES;
+ source-address {
+ 156.110.31.11/32;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP-ALLOW {
+ term NTP {
from {
- source-prefix-list {
- PRE-NTP-SOURCES;
- PRE-L0-SOURCES;
+ source-address {
+ 164.58.10.1/32;
+ 164.58.199.0/24;
}
protocol udp;
port ntp;
}
then accept;
}
- term DOMAIN-ALLOW {
- from {
- source-prefix-list {
- PRE-DNS-SOURCES;
- }
- port domain;
- }
- then accept;
- }
- term SYSLOG-ALLOW {
- from {
- source-prefix-list {
- PRE-MGMT-SOURCES;
- }
- port syslog;
- }
- then accept;
- }
- term FTP-ALLOW {
- from {
- source-prefix-list {
- PRE-MGMT-SOURCES;
- }
- port ftp;
- }
- then accept;
- }
- term JSPACE-ALLOW {
- from {
- source-prefix-list {
- PRE-MGMT-SOURCES;
- }
- source-port 7408;
- }
- then accept;
- }
term SNMP-ALLOW {
from {
- source-prefix-list {
- PRE-SNMP-SOURCES;
+ source-address {
+ 164.58.253.0/24;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
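Review bot: SERVICES-OUTBOUND as restored here (`source-port [ domain ntp ssh syslog ftp 7804 telnet ftp-data ]`, no protocol, no flags, no source) accepts any packet from anywhere carrying one of those eight source ports, and it sits ahead of RADIUS, NTP, SNMP-ALLOW, LDP-ALLOW, PIM-ALLOW and BFD-ALLOW, so their source-address restrictions are bypassed by picking source port 53 or 123 — and a TCP SYN from source port 53 to port 22 reaches the SSH daemon from any address, since nothing earlier in the filter discards it. The term exists to admit replies to sessions and lookups the router initiates; split it into an established-TCP term and a UDP term limited to the servers configured under `system name-server` and `system ntp` in this file (164.58.253.10, 164.58.253.4, 164.58.3.98, 164.58.253.82), and drop `syslog`, which the router only ever sends. Note the NTP term's own sources (`164.58.10.1/32`, `164.58.199.0/24`) do not include the two configured NTP servers, so replies from them currently depend entirely on this term. If active-mode FTP from the router is needed, `ftp-data` connections arrive as SYNs from port 20 and need their own source-restricted term rather than the established-only one.
```junos
term SERVICES-OUTBOUND-TCP {
    from {
        protocol tcp;
        source-port [ ssh telnet ftp 7804 ];
        tcp-established;
    }
    then accept;
}
term SERVICES-OUTBOUND-UDP {
    from {
        source-address {
            164.58.253.10/32;
            164.58.253.4/32;
            164.58.3.98/32;
            164.58.253.82/32;
        }
        protocol udp;
        source-port [ domain ntp ];
    }
    then accept;
}
/* … unchanged: RADIUS, NTP, SNMP-ALLOW and following terms … */
```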
@@ -9176,17 +9130,23 @@
}
term LDP-ALLOW {
from {
- source-prefix-list {
- PRE-LDP-SOURCES;
+ source-address {
+ 164.58.199.0/24;
+ 164.58.0.0/16;
+ 156.110.0.0/16;
+ 172.23.0.0/16;
+ 10.199.2.0/24;
}
port ldp;
}
- then accept;
}
term PIM-ALLOW {
from {
- source-prefix-list {
- PRE-LOCALIPv4-SOURCES;
+ source-address {
+ 164.58.199.0/24;
+ 164.58.0.0/16;
+ 172.23.0.0/16;
+ 10.199.2.0/24;
}
protocol pim;
}
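Review bot: LDP-ALLOW and PIM-ALLOW are widened back to `164.58.0.0/16`, `156.110.0.0/16`, `172.23.0.0/16` and `10.199.2.0/24`, so any host in those ranges — not just adjacent routers — can open TCP 646 to the RE or send PIM, where the PRE-LDP-SOURCES/PRE-LOCALIPv4-SOURCES lists removed earlier in this file limited that to connected subnets plus one /23. At minimum add `protocol [ tcp udp ];` to LDP-ALLOW so `port ldp` is not matched against other transports. Dropping `then accept;` is harmless — Junos accepts on a term with no action — but if the rollback is because the apply-path lists misbehaved on this platform, a `/* … */` note saying so belongs here. Only the `from` clause of PIM-ALLOW is in this hunk; its action is outside it.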
@@ -9194,21 +9154,14 @@
}
term BFD-ALLOW {
from {
- source-prefix-list {
- PRE-LOCALIPv4-SOURCES;
+ source-address {
+ 164.58.0.0/16;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
- then accept;
- }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -9216,25 +9169,25 @@
}
then accept;
}
- term DENY-SERVICES-INBOUND {
- from {
- destination-port [ ssh telnet http https snmp ntp domain ];
- }
+ term DENY_ALL {
then {
discard;
}
}
- term SERVICES-OUTBOUND {
+ }
+ filter BLOCK-NTP {
+ term 1 {
from {
- source-port [ ssh telnet ];
+ protocol udp;
+ port ntp;
}
- then accept;
- }
- term DENY_ALL {
then {
discard;
}
}
+ term 2 {
+ then accept;
+ }
}
}
family mpls {
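Review bot: BLOCK-NTP term 1 discards every UDP packet with port 123 in either direction without counting it, so `show firewall` cannot show how much NTP is being dropped or whether the filter is still needed; add `count BLOCKED-NTP;` next to `discard;`, as NTP-DETECT on hub.war in this same diff does. Where the filter is applied is outside this hunk — if it is on the interface that carries the router's own NTP replies, term 1 drops those too, which matters more now that PROTECT-RE on this device no longer has a DENY-SERVICES-INBOUND term and relies on its NTP term plus DENY_ALL.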
Index: hub.tah.onenet.net
===================================================================
--- hub.tah.onenet.net (revision 111352)
+++ hub.tah.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TAHLEQUAH-M120-RE0> show system commit
+# 2014-03-03 15:03:20 CST by jeremyt via cli commit synchronize
+# 2014-03-03 15:01:27 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:37 CST by andrew via netconf commit synchronize
# 2014-02-25 19:06:12 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:51:50 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:51:04 CST by rnordmark via cli commit synchronize
-# 2014-01-21 08:34:43 CST by joe via cli commit synchronize
-# 2014-01-13 15:46:22 CST by joe via cli commit synchronize
# grnoc-mon at TAHLEQUAH-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -290,7 +290,7 @@
# grnoc-mon at TAHLEQUAH-M120-RE0> show system uptime
# System booted: 2013-07-24 02:04 CDT
# Protocols started: 2013-07-24 02:06 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:03 CST by jeremyt
#
# {master}
# grnoc-mon at TAHLEQUAH-M120-RE0> show interface terse
@@ -490,7 +490,7 @@
#pp0 up up
#tap up up
# grnoc-mon at TAHLEQUAH-M120-RE0> show configuration
-## Last commit: 2014-02-26 11:12:37 CST by andrew
+## Last commit: 2014-03-03 15:03:20 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -533,7 +533,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1537,7 +1537,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
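Review bot: PRE-SNMP-SOURCES and PRE-L0-SOURCES use globbed apply-path expressions (`snmp client-list snmp-management <1*>`, `lo0 unit <*> family inet address <164.*>`) that only pick up entries whose text starts with `1` or `164.`, so an SNMP client added to the client-list with any other leading digit — addresses like the `64.207.244.14/32` and `66.129.224.37/32` that appear in PRE-MGMT-SOURCES — would be silently left out of SNMP-ALLOW; unless the glob is deliberately excluding something, `<*>` is safer, and if it is deliberate a `/* … */` note should say what is excluded. PRE-LOCALIPv4-SOURCES expands to every `family inet` prefix on every interface, i.e. whole connected subnets including any customer-facing ones, so the OSPF/PIM/BFD terms that use it admit those protocols from any host on those subnets, not only the adjacent router; far tighter than the /16s it replaces, but worth annotating so it is not mistaken for a neighbor list.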
@@ -1750,114 +1785,112 @@
}
}
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
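Review bot: JSPACE-ALLOW matches `source-port 7408`, but the SERVICES-OUTBOUND term it replaces listed `7804`, which is the port Junos Space uses for device-initiated connections, so 7408 looks like a transposition and Space replies would now fall through to the deny terms in the next hunk; confirm against the Space server and correct to `source-port 7804;`, ideally with `protocol tcp; tcp-established;` since the router opens that session. Separately, DOMAIN-ALLOW, SYSLOG-ALLOW and FTP-ALLOW use `port`, which matches source *or* destination under any IP protocol; the router is the client for all three, so `protocol udp; source-port domain;` for DNS and `protocol tcp; source-port [ ftp ftp-data ];` for FTP say what is meant, and SYSLOG-ALLOW can probably go altogether unless something on the RE listens on 514 (the syslog destination is not visible here).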
@@ -1866,21 +1899,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1888,14 +1917,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1903,6 +1939,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
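Review bot: SERVICES-OUTBOUND (`source-port [ ssh telnet ]`, no protocol, no flags, no source) lets any packet sourced from port 22 or 23 into the RE on every port DENY-SERVICES-INBOUND does not name, including NETCONF-over-SSH on 830 — which this file's commit history shows in use (`via netconf`) — plus BGP, LDP and BFD. Make it match only what it is for, replies to sessions the router itself opened: `protocol tcp; source-port [ ssh telnet ]; tcp-established;`. DENY-SERVICES-INBOUND above it is a reasonable safety net for the listed ports but is not a substitute for constraining this term.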
Index: hub.chi.onenet.net
===================================================================
--- hub.chi.onenet.net (revision 111927)
+++ hub.chi.onenet.net (working copy)
@@ -309,7 +309,7 @@
#t1-2/0/2:21 down down
#t1-2/0/2:22 down down
#t1-2/0/2:23 down down
-#t1-2/0/2:24 down up
+#t1-2/0/2:24 down down
#t1-2/0/2:25 down up
#t1-2/0/2:26 down down
#t1-2/0/2:27 down down
Index: hub.elr.onenet.net
===================================================================
--- hub.elr.onenet.net (revision 111359)
+++ hub.elr.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at EL-RENO-M120-RE0> show system commit
+# 2014-03-03 15:52:45 CST by josh via cli commit synchronize
+# 2014-03-03 15:26:22 CST by andrew via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:38 CST by andrew via netconf commit synchronize
# 2014-02-25 19:01:28 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:49:24 CST by rnordmark via cli commit synchronize
# 2014-02-21 12:25:28 CST by donnie via cli commit synchronize
-# 2014-02-14 14:48:51 CST by rnordmark via cli commit synchronize
-# 2014-02-14 09:24:42 CST by jeremyt via cli commit synchronize
# grnoc-mon at EL-RENO-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -271,7 +271,7 @@
# grnoc-mon at EL-RENO-M120-RE0> show system uptime
# System booted: 2013-04-20 23:16 CDT
# Protocols started: 2013-04-20 23:22 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:52 CST by josh
#
# {master}
# grnoc-mon at EL-RENO-M120-RE0> show interface terse
@@ -417,7 +417,7 @@
#pp0 up up
#tap up up
# grnoc-mon at EL-RENO-M120-RE0> show configuration
-## Last commit: 2014-02-26 11:12:38 CST by andrew
+## Last commit: 2014-03-03 15:52:45 CST by josh
version 11.4R7.5;
groups {
re0 {
Index: hub.bar.onenet.net
===================================================================
--- hub.bar.onenet.net (revision 111332)
+++ hub.bar.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at BARTLESVILLE-M120-RE0> show system commit
+# 2014-03-03 15:28:50 CST by rnordmark via cli commit synchronize
+# 2014-03-03 15:27:51 CST by rnordmark via cli commit confirmed, rollback in 3mins synchronize
# 2014-02-26 11:12:41 CST by andrew via netconf commit synchronize
# 2014-02-25 19:06:19 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:48:35 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:48:06 CST by rnordmark via cli commit synchronize
-# 2013-11-11 15:19:46 CST by rnordmark via cli commit synchronize
-# 2013-10-31 14:24:02 CDT by jeremyt via cli commit synchronize
# grnoc-mon at BARTLESVILLE-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -270,7 +270,7 @@
# grnoc-mon at BARTLESVILLE-M120-RE0> show system uptime
# System booted: 2013-05-30 22:18 CDT
# Protocols started: 2013-05-30 23:11 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:28 CST by rnordmark
#
# {master}
# grnoc-mon at BARTLESVILLE-M120-RE0> show interface terse
@@ -419,7 +419,7 @@
#pp0 up up
#tap up up
# grnoc-mon at BARTLESVILLE-M120-RE0> show configuration
-## Last commit: 2014-02-26 11:12:41 CST by andrew
+## Last commit: 2014-03-03 15:28:50 CST by rnordmark
version 11.4R7.5;
groups {
re0 {
@@ -462,7 +462,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1129,7 +1129,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
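Review bot: PRE-SNMP-SOURCES is built from `snmp client-list snmp-management <1*>`, a glob that only admits client-list entries beginning with `1`; any client later added with another leading digit (the `64.`/`66.` hosts in PRE-MGMT-SOURCES are the obvious shape) is silently dropped from SNMP-ALLOW, so use `<*>` unless the exclusion is intentional, in which case annotate it. PRE-LDP-SOURCES mixes a hand-maintained `164.58.198.0/23` with the connected-subnet apply-path; a `/* … */` comment on what that /23 is (targeted-LDP peers, presumably — not derivable from this file) would stop it being removed as stale. PRE-LOCALIPv4-SOURCES covers whole connected subnets rather than neighbor addresses, which is what OSPF-ALLOW, PIM-ALLOW and BFD-ALLOW will inherit.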
@@ -1324,114 +1359,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
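Review bot: JSPACE-ALLOW's `source-port 7408` does not match the `7804` in the SERVICES-OUTBOUND term being replaced, and 7804 is the Junos Space device-initiated-connection port, so this looks transposed; verify and change to `source-port 7804;`. FTP-ALLOW keeps plaintext FTP (`port ftp`, either direction, any protocol) open from the management sources — acceptable if image/config transfers really use FTP, but then `protocol tcp; source-port [ ftp ftp-data ];` expresses the reply direction, and SYSLOG-ALLOW admits inbound 514 the router has no listener for unless something not visible here configures one. Dropping `http` from the management term is the right call and is the only behavioural tightening in this hunk worth calling out.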
@@ -1440,21 +1473,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1462,14 +1491,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1477,6 +1513,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
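Review bot: SERVICES-OUTBOUND accepts every packet with source port 22 or 23 regardless of protocol, TCP flags or source address, so anything DENY-SERVICES-INBOUND does not enumerate — BGP 179, LDP 646, BFD, RADIUS, NETCONF 830 (in use per this file's `via netconf` commits) — is reachable from any host that sets its source port to 22. Constrain it to return traffic of sessions the router opened: `protocol tcp; source-port [ ssh telnet ]; tcp-established;`, and drop `telnet` if the router never initiates telnet.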
Index: hub.tsb.onenet.net
===================================================================
--- hub.tsb.onenet.net (revision 111837)
+++ hub.tsb.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TULSA-STATE-BUILDING-MX80> show system commit
+# 2014-03-03 15:20:22 CST by rnordmark via cli
+# 2014-03-03 15:18:28 CST by rnordmark via cli commit confirmed, rollback in 2mins
# 2014-02-26 11:12:36 CST by andrew via netconf
# 2014-02-25 19:08:28 CST by rnordmark via cli
# 2013-11-06 11:31:50 CST by jeremyt via cli
# 2013-10-31 14:33:51 CDT by jeremyt via cli
-# 2013-10-21 10:37:16 CDT by jeremyt via cli
-# 2013-08-29 13:22:23 CDT by jeremyt via cli
# grnoc-mon at TULSA-STATE-BUILDING-MX80> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -189,7 +189,8 @@
# grnoc-mon at TULSA-STATE-BUILDING-MX80> show version
# Hostname: TULSA-STATE-BUILDING-MX80 # Model: mx80 # JUNOS Base OS boot [11.4R7.5] # JUNOS Base OS Software Suite [11.4R7.5] # JUNOS Kernel Software Suite [11.4R7.5] # JUNOS Crypto Software Suite [11.4R7.5] # JUNOS Packet Forwarding Engine Support (MX80) [11.4R7.5] # JUNOS Online Documentation [11.4R7.5] # JUNOS Routing Software Suite [11.4R7.5] # # grnoc-mon at TULSA-STATE-BUILDING-MX80> file list /var/tmp detail #
# /var/tmp:
-# total 703944
+# total 944168
+# -rw-rw---- 1 root field 32575488 Mar 3 15:19 autoconfd.core.0
# -rw-r--r-- 1 root field 30 Feb 29 2012 ex.txt
# drwxr-xr-x 2 root field 512 Feb 29 2012 gres-tp/
# -rw-rw---- 1 root field 51974144 Oct 24 09:15 ifinfo.core.0
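Review bot: Three new core dumps — `autoconfd.core.0` here and `jdiameterd.core.0` and `pppoed.core.0` in the following hunk — are all stamped Mar 3 15:19, inside the window between the `commit confirmed` at 15:18:28 and the final commit at 15:20:22 in this file's commit history, i.e. while PROTECT-RE and the prefix lists were being rewritten on this MX80. Three daemons dumping core on a commit is worth a `show system core-dumps` and a check against known 11.4R7.5 problems before assuming the change is benign, and /var/tmp is growing by ~120 MB of cores. These lines are RANCID-captured command output, not configuration, so there is nothing to change in the diff itself.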
@@ -198,9 +199,11 @@
# -rw-rw---- 1 root field 52744192 Oct 24 10:23 ifinfo.core.3
# -rw-rw---- 1 root field 51974144 Dec 19 14:49 ifinfo.core.4
# drwxrwxrwx 2 root wheel 512 Oct 12 2012 install/
+# -rw-rw---- 1 root field 33464320 Mar 3 15:19 jdiameterd.core.0
# -rw-r--r-- 1 eng field 99542994 Apr 23 2013 jinstall-ppc-11.4R7.5-domestic-signed.tgz
# -rw-r--r-- 1 root field 155 Jun 12 2013 krt_gencfg_filter.txt
# drwxrwxrwx 2 root wheel 512 Oct 12 2012 pics/
+# -rw-rw---- 1 root field 56872960 Mar 3 15:19 pppoed.core.0
# -r--r--r-- 1 root field 237 Jun 12 2013 preinstall_boot_loader.conf
# drwxr-xr-x 2 root field 512 Feb 29 2012 rtsdb/
# drwxrwxrwT 2 root wheel 512 Feb 29 2012 vi.recover/
@@ -208,7 +211,7 @@
# grnoc-mon at TULSA-STATE-BUILDING-MX80> show system uptime
# System booted: 2013-06-12 22:49 CDT
# Protocols started: 2013-06-12 22:51 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:20 CST by rnordmark
#
# grnoc-mon at TULSA-STATE-BUILDING-MX80> show interface terse
#Interface Admin Link
@@ -285,7 +288,7 @@
#pp0 up up
#tap up up
# grnoc-mon at TULSA-STATE-BUILDING-MX80> show configuration
-## Last commit: 2014-02-26 11:12:36 CST by andrew
+## Last commit: 2014-03-03 15:20:22 CST by rnordmark
version 11.4R7.5;
system {
host-name TULSA-STATE-BUILDING-MX80;
@@ -297,7 +300,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -390,8 +393,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
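Review bot: NTP is reduced to a single source (`server 164.58.3.98 prefer;`) by removing 164.58.253.82, and with one server the client has nothing to vote against, so a drifting or spoofed reply is taken at face value. Keep at least two (three is the usual minimum for falseticker detection); note core3 in this same diff keeps the old pair, so the devices are now inconsistent, and PRE-NTP-SOURCES on this box shrinks with the server list automatically. Whether NTP authentication is configured is not visible in this file either way.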
@@ -699,7 +701,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -865,112 +902,112 @@
}
}
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
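Review bot: JSPACE-ALLOW is written with `source-port 7408` while the term it replaces had `7804`, the Junos Space device-initiated port, so this is most likely a digit transposition and Space return traffic will be discarded once the deny terms in the next hunk apply; confirm and use `source-port 7804;` with `protocol tcp; tcp-established;`. DOMAIN-ALLOW and SYSLOG-ALLOW match bare `port`, i.e. either direction and any transport — `protocol udp; source-port domain;` is what DNS replies to this router look like, and inbound syslog to the RE needs a listener that is not visible here, so that term can probably be removed.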
@@ -979,19 +1016,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -999,14 +1034,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1014,6 +1056,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
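Review bot: SERVICES-OUTBOUND matches only `source-port [ ssh telnet ]`, so any packet whose sender chooses source port 22 or 23 is accepted to every RE port outside DENY-SERVICES-INBOUND's list — BGP, LDP, BFD, RADIUS and NETCONF-over-SSH 830, which this file's commit history shows in use. Narrow it to reply segments of router-initiated sessions: `protocol tcp; source-port [ ssh telnet ]; tcp-established;`.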
Index: hub.war.onenet.net
===================================================================
--- hub.war.onenet.net (revision 111349)
+++ hub.war.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at WARNER-M120-RE0> show system commit
+# 2014-03-03 15:31:14 CST by josh via cli commit confirmed, rollback in 5mins synchronize
# 2014-02-26 11:12:34 CST by andrew via netconf commit synchronize
# 2014-02-25 19:05:19 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:52:15 CST by rnordmark via cli commit synchronize
# 2014-02-21 10:50:07 CST by jed via cli commit synchronize
# 2014-02-21 10:49:27 CST by root via other
-# 2014-02-21 10:44:13 CST by jed via cli commit confirmed, rollback in 5mins synchronize
# grnoc-mon at WARNER-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -297,7 +297,7 @@
# grnoc-mon at WARNER-M120-RE0> show system uptime
# System booted: 2013-06-04 22:18 CDT
# Protocols started: 2013-06-04 22:27 CDT
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-03 15:31 CST by josh
#
# {master}
# grnoc-mon at WARNER-M120-RE0> show interface terse
@@ -442,7 +442,7 @@
#pp0 up up
#tap up up
# grnoc-mon at WARNER-M120-RE0> show configuration
-## Last commit: 2014-02-26 11:12:34 CST by andrew
+## Last commit: 2014-03-03 15:31:14 CST by josh
version 11.4R7.5;
groups {
re0 {
@@ -485,7 +485,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1484,7 +1484,42 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-LDP-SOURCES {
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1710,56 +1745,52 @@
}
firewall {
family inet {
- filter PROTECT-RE {
- term SERVICES {
+ filter NTP-DETECT {
+ term 1 {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
- }
- protocol tcp;
- destination-port [ ssh http ];
+ packet-length 200-65535;
+ protocol udp;
+ port 123;
}
- then accept;
+ then {
+ count LARGE-NTP-COUNTER;
+ discard;
+ }
}
- term OSPF-ALLOW {
+ term 3 {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
- }
- protocol ospf;
+ packet-length 0-200;
+ protocol udp;
+ port 123;
}
+ then count SMALL-NTP-COUNTER;
+ }
+ term 2 {
then accept;
}
- term EBGP-ALLOW {
+ }
+ filter NTP-DROP {
+ term 1 {
from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
- protocol tcp;
- port 179;
+ protocol udp;
+ port 123;
}
+ then {
+ discard;
+ }
+ }
+ term 2 {
then accept;
}
- term IBGP-ALLOW {
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
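Review bot: In NTP-DETECT, `term 3` counts small NTP packets but has no terminating action, so it relies on Junos's implicit accept for a term whose only actions are non-terminating, and it sits between `term 1` and `term 2`, which reads like a mistake rather than a deliberate order. Make the intent explicit with `then { count SMALL-NTP-COUNTER; accept; }` and name the terms for what they match (e.g. LARGE-NTP, SMALL-NTP, ACCEPT-REST) so the counter-only term is not mistaken for a drop. Note also that `port 123` matches either the source or the destination port, so term 1 discards any 200-byte-or-larger packet to or from port 123, replies included; that is presumably the amplification mitigation intended, but it should be stated in a comment on the filter since the interfaces it is applied to are outside this hunk.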
@@ -1779,46 +1810,86 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
+ term DOMAIN-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
+ }
+ then accept;
+ }
+ term SYSLOG-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
+ }
+ then accept;
+ }
+ term FTP-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port ftp;
+ }
+ then accept;
+ }
+ term JSPACE-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ source-port 7408;
+ }
+ then accept;
+ }
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
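Review bot: JSPACE-ALLOW accepts any packet from PRE-MGMT-SOURCES whose source port is 7408, with no protocol or destination-port qualifier, so a host on a management network can reach any RE service ahead of the later deny terms simply by binding source port 7408. The removed SERVICES-OUTBOUND line in this hunk listed `7804`, which is the port Junos Space uses, so `7408` looks like a transposition; please confirm which value is intended. If the term exists to admit return traffic for connections the router initiates, tighten it to `protocol tcp;`, `source-port 7804;`, `tcp-established;`. DOMAIN-ALLOW, SYSLOG-ALLOW and FTP-ALLOW likewise match `port` with no `protocol`, unlike RADIUS-ALLOW and NTP-ALLOW; Juniper recommends pairing a port match with `protocol tcp`/`udp`, so adding `protocol [ udp tcp ];` to those terms keeps the filter consistent.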
@@ -1827,21 +1898,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
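Review bot: LDP-ALLOW matches `port ldp` without a protocol qualifier, whereas the neighbouring RADIUS-ALLOW and BFD-ALLOW terms pin `protocol`; adding `protocol [ tcp udp ];` covers LDP hellos (UDP 646) and sessions (TCP 646) explicitly and avoids a port match being evaluated against other IP protocols. The newly added `then accept;` on LDP-ALLOW only makes the previous implicit accept explicit, which is fine, but the same explicit action should then be used consistently across the filter.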
@@ -1849,14 +1916,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
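Review bot: ICMP-ALLOW accepts echo-request, echo-reply, unreachable and time-exceeded from any source with no policer, so the routing engine can be flooded with ICMP from anywhere the filter is reachable; the old term had the same gap and this move keeps it. Rate-limit it with `then { policer ICMP-POLICER; accept; }` and define a matching `policer ICMP-POLICER` under `firewall` (that stanza is outside this hunk). TRACEROUTE-ALLOW, which follows, continues past the end of the hunk.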
@@ -1864,49 +1938,25 @@
}
then accept;
}
- term DENY_ALL {
- then {
- discard;
- }
- }
- }
- filter NTP-DETECT {
- term 1 {
+ term DENY-SERVICES-INBOUND {
from {
- packet-length 200-65535;
- protocol udp;
- port 123;
+ destination-port [ ssh telnet http https snmp ntp domain ];
}
then {
- count LARGE-NTP-COUNTER;
discard;
}
}
- term 3 {
+ term SERVICES-OUTBOUND {
from {
- packet-length 0-200;
- protocol udp;
- port 123;
+ source-port [ ssh telnet ];
}
- then count SMALL-NTP-COUNTER;
- }
- term 2 {
then accept;
}
- }
- filter NTP-DROP {
- term 1 {
- from {
- protocol udp;
- port 123;
- }
+ term DENY_ALL {
then {
discard;
}
}
- term 2 {
- then accept;
- }
}
}
}
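Review bot: SERVICES-OUTBOUND accepts any packet, from any source, whose source port is ssh or telnet, with no protocol, destination-port or TCP-flag qualifier; because it precedes DENY_ALL, anyone who binds source port 22 or 23 reaches every RE service that DENY-SERVICES-INBOUND does not list (netconf, BGP from non-neighbours, arbitrary UDP ports, and so on). If the term is meant to admit replies to sessions the router itself opens, restrict it to established TCP: `protocol tcp;`, `source-port [ ssh telnet ];`, `tcp-established;`. DENY-SERVICES-INBOUND likewise matches `destination-port` without `protocol`; adding `protocol [ tcp udp ];` there keeps the deny from being evaluated against non-TCP/UDP packets.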
Index: swi.cai.dun.onenet.net
===================================================================
--- swi.cai.dun.onenet.net (revision 111688)
+++ swi.cai.dun.onenet.net (working copy)
@@ -1,6 +1,7 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at SWI-DUNCAN-PUBLIC-LIBRARY-EX-3300> show system commit
+# show chassis environment
# 2014-02-12 14:39:48 CST by donnie via cli
# 2014-02-12 11:10:28 CST by donnie via cli
# 2014-02-12 11:09:10 CST by donnie via cli