[Nocrancid] autopop-onenet.net router config diffs

rancid at rancid.noc.onenet.net rancid at rancid.noc.onenet.net
Mon Mar 3 18:02:20 CST 2014


Index: core.hut.sal.onenet.net
===================================================================
--- core.hut.sal.onenet.net	(revision 112058)
+++ core.hut.sal.onenet.net	(working copy)
@@ -1,12 +1,12 @@
 # RANCID-CONTENT-TYPE: juniper
 #
 # grnoc-mon at Sallisaw-MX40> show system commit 
+#   2014-03-03 17:30:04 CST by andrew via cli commit confirmed, rollback in 5mins
+#   2014-03-03 17:20:36 CST by admin via cli
+#   2014-03-03 17:14:07 CST by andrew via cli
 #   2014-03-03 16:15:18 CST by rnordmark via cli
 #   2014-02-26 11:12:38 CST by andrew via netconf
 #   2014-02-25 19:07:37 CST by rnordmark via cli
-#   2014-01-14 14:28:52 CST by admin via netconf
-#   2013-12-04 08:50:19 CST by rnordmark via cli
-#   2013-12-03 09:09:35 CST by rnordmark via cli
 # grnoc-mon at Sallisaw-MX40> show chassis environment 
 # Class Item                           Status     Measurement
 # Temp  PEM 0                          OK        
@@ -229,7 +229,7 @@
 # grnoc-mon at Sallisaw-MX40> show system uptime 
 # System booted: 2013-06-07 12:03 CDT 
 # Protocols started: 2013-06-07 12:04 CDT 
-# Last configured: 2014-03-03 16:15 CST  by rnordmark
+# Last configured: 2014-03-03 17:30 CST  by andrew
 # 
 # grnoc-mon at Sallisaw-MX40> show interface terse 
 #Interface Admin Link
@@ -295,7 +295,7 @@
 #pp0 up up
 #tap up up
 # grnoc-mon at Sallisaw-MX40> show configuration 
-## Last commit: 2014-03-03 16:15:18 CST by rnordmark
+## Last commit: 2014-03-03 17:30:04 CST by andrew
 version 12.3R2.5;
 system {
     host-name Sallisaw-MX40;
@@ -307,7 +307,7 @@
     }
     name-server {
         164.58.253.10;
-        164.58.253.4;
+        164.58.198.10;
     }
     radius-server {
         156.110.31.11 {
@@ -405,8 +405,7 @@
         source-address 164.58.199.158;
     }
     ntp {
-        server 164.58.3.98;
-        server 164.58.253.82 prefer;
+        server 164.58.3.98 prefer;
     }
 }
 chassis {
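Review bot: The ntp stanza is left with a single server, so the router has no fallback time source and nothing to cross-check the one it has; `prefer` has no effect when only one server is configured. If dropping 164.58.253.82 was intended, consider adding a second reachable server, e.g. `server <SECOND-NTP-SERVER>;`. No NTP authentication is visible in this stanza either. The NTP-ALLOW filter term added later in this diff derives its permitted sources from these lines through apply-path.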
@@ -718,10 +717,43 @@
     }
 }
 policy-options {
-    prefix-list EBGP-IPV4-NEIGHBORS;
     prefix-list PRE-LDP-SOURCES {
         10.199.0.0/16;
+        164.58.198.0/23;
+        apply-path "interfaces <*> unit <*> family inet address <*>";
     }
+    prefix-list PRE-MGMT-SOURCES {
+        64.207.244.14/32;
+        66.129.224.37/32;
+        129.15.127.96/28;
+        156.110.31.0/27;
+        156.110.31.32/28;
+        164.58.10.0/24;
+        164.58.15.0/24;
+        164.58.244.0/22;
+        164.58.253.0/24;
+    }
+    prefix-list PRE-RADIUS-SOURCES {
+        apply-path "system radius-server <*>";
+    }
+    prefix-list PRE-NTP-SOURCES {
+        apply-path "system ntp server <*>";
+    }
+    prefix-list PRE-DNS-SOURCES {
+        apply-path "system name-server <*>";
+    }
+    prefix-list PRE-SNMP-SOURCES {
+        apply-path "snmp client-list snmp-management <1*>";
+    }
+    prefix-list PRE-LOCALIPv4-SOURCES {
+        apply-path "interfaces <*> unit <*> family inet address <*>";
+    }
+    prefix-list PRE-BGP-ALLOW {
+        apply-path "protocols bgp group <*> neighbor <*>";
+    }
+    prefix-list PRE-L0-SOURCES {
+        apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+    }
     policy-statement LOAD-BALANCE {
         then {
             load-balance per-packet;
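Review bot: The apply-path pattern `<1*>` in PRE-SNMP-SOURCES only picks up snmp-management client-list entries whose text starts with `1`, so a collector added later under another leading digit would be left out of the filter with no commit warning (PRE-MGMT-SOURCES already holds 64.207.244.14/32 and 66.129.224.37/32). The client-list itself is outside this hunk, so the pattern may be intentional; if it is, annotate the list, for example `/* <1*> is deliberate: only 1xx.* collectors are permitted */`. PRE-BGP-ALLOW has a similar blind spot: `protocols bgp group <*> neighbor <*>` reads only the main instance, so peers configured under routing-instances (not visible here) would not be included.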
@@ -842,113 +874,112 @@
 firewall {
     family inet {
         filter PROTECT-RE {
-            term SERVICES {
+            term SSH-ALLOW {
                 from {
-                    source-address {
-                        129.15.127.96/28;
-                        156.110.31.0/27;
-                        156.110.31.32/28;
-                        164.58.10.0/24;
-                        164.58.253.0/24;
-                        64.207.244.14/32;
-                        66.129.224.37/32;
-                        164.58.15.0/24;
-                        164.58.244.0/22;
-                        164.58.248.0/24;
+                    source-prefix-list {
+                        PRE-MGMT-SOURCES;
                     }
                     protocol tcp;
-                    destination-port [ ssh http ];
+                    destination-port ssh;
                 }
                 then accept;
             }
+            term FIRST-FRAG {
+                from {
+                    first-fragment;
+                }
+                then {
+                    discard;
+                }
+            }
+            term NEXT-FRAG {
+                from {
+                    is-fragment;
+                }
+                then {
+                    discard;
+                }
+            }
             term OSPF-ALLOW {
                 from {
-                    source-address {
-                        164.58.199.0/24;
-                        164.58.0.0/16;
-                        156.110.0.0/16;
+                    source-prefix-list {
+                        PRE-LOCALIPv4-SOURCES;
                     }
                     protocol ospf;
                 }
                 then accept;
             }
-            term EBGP-ALLOW {
+            term BGP-ALLOW {
                 from {
                     prefix-list {
-                        EBGP-IPV4-NEIGHBORS;
+                        PRE-BGP-ALLOW;
                     }
                     protocol tcp;
                     port 179;
                 }
                 then accept;
             }
-            term IBGP-ALLOW {
+            term RADIUS-ALLOW {
                 from {
-                    source-address {
-                        164.58.199.216/32;
-                        164.58.199.226/32;
+                    source-prefix-list {
+                        PRE-RADIUS-SOURCES;
                     }
-                    protocol tcp;
-                    port 179;
+                    protocol [ udp tcp ];
+                    port [ radius radacct ];
                 }
                 then accept;
             }
-            term FIRST-FRAG {
+            term NTP-ALLOW {
                 from {
-                    first-fragment;
+                    source-prefix-list {
+                        PRE-NTP-SOURCES;
+                        PRE-L0-SOURCES;
+                    }
+                    protocol udp;
+                    port ntp;
                 }
-                then {
-                    discard;
-                }
+                then accept;
             }
-            term NEXT-FRAG {
+            term DOMAIN-ALLOW {
                 from {
-                    is-fragment;
+                    source-prefix-list {
+                        PRE-DNS-SOURCES;
+                    }
+                    port domain;
                 }
-                then {
-                    discard;
-                }
-            }
-            term ICMP-ALLOW {
-                from {
-                    protocol icmp;
-                    icmp-type [ echo-reply echo-request unreachable time-exceeded ];
-                }
                 then accept;
             }
-            term SERVICES-OUTBOUND {
+            term SYSLOG-ALLOW {
                 from {
-                    source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+                    source-prefix-list {
+                        PRE-MGMT-SOURCES;
+                    }
+                    port syslog;
                 }
                 then accept;
             }
-            term RADIUS {
+            term FTP-ALLOW {
                 from {
-                    source-address {
-                        156.110.31.11/32;
+                    source-prefix-list {
+                        PRE-MGMT-SOURCES;
                     }
-                    protocol [ udp tcp ];
-                    port [ radius radacct ];
+                    port ftp;
                 }
                 then accept;
             }
-            term NTP {
+            term JSPACE-ALLOW {
                 from {
-                    source-address {
-                        164.58.10.1/32;
-                        164.58.199.0/24;
+                    source-prefix-list {
+                        PRE-MGMT-SOURCES;
                     }
-                    protocol udp;
-                    port ntp;
+                    source-port 7408;
                 }
                 then accept;
             }
             term SNMP-ALLOW {
                 from {
-                    source-address {
-                        164.58.253.0/24;
-                        156.110.31.0/27;
-                        156.110.31.32/28;
+                    source-prefix-list {
+                        PRE-SNMP-SOURCES;
                     }
                     protocol [ tcp udp ];
                     port [ snmp snmptrap ];
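Review bot: JSPACE-ALLOW matches `source-port 7408`, but the SERVICES-OUTBOUND term it replaces listed `7804`; this looks like a transposed digit, and if so the traffic the old term admitted on that port will now fall through to DENY_ALL. The line should probably read `source-port 7804;`. Separately, DOMAIN-ALLOW, SYSLOG-ALLOW, FTP-ALLOW and JSPACE-ALLOW match a port with no `protocol` statement, as do LDP-ALLOW, DENY-SERVICES-INBOUND and SERVICES-OUTBOUND in the later hunks. Junos recommends pairing port matches with `protocol tcp` or `protocol udp` so the port field is only interpreted for those protocols. The SNMP-ALLOW term continues past the end of this hunk.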
@@ -957,19 +988,17 @@
             }
             term LDP-ALLOW {
                 from {
-                    source-address {
-                        164.58.199.0/24;
-                        164.58.0.0/16;
-                        156.110.0.0/16;
+                    source-prefix-list {
+                        PRE-LDP-SOURCES;
                     }
                     port ldp;
                 }
+                then accept;
             }
             term PIM-ALLOW {
                 from {
-                    source-address {
-                        164.58.199.0/24;
-                        164.58.0.0/16;
+                    source-prefix-list {
+                        PRE-LOCALIPv4-SOURCES;
                     }
                     protocol pim;
                 }
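Review bot: PIM-ALLOW now accepts only sources in PRE-LOCALIPv4-SOURCES, which is built from this router's own interface addresses, where it previously allowed 164.58.199.0/24 and 164.58.0.0/16. That covers hellos and joins from directly connected neighbours, but unicast PIM from a non-adjacent router (for example a Register-Stop from a remote RP) would no longer match and would reach DENY_ALL. Whether that matters depends on the PIM configuration, which is not in this diff. If remote RPs exist, add them through a dedicated list, e.g. `prefix-list PRE-PIM-RP-SOURCES { apply-path "protocols pim rp static address <*>"; }` (list name is only an example). The PIM-ALLOW term's action is outside the hunk.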
@@ -977,14 +1006,21 @@
             }
             term BFD-ALLOW {
                 from {
-                    source-address {
-                        164.58.0.0/16;
+                    source-prefix-list {
+                        PRE-LOCALIPv4-SOURCES;
                     }
                     protocol udp;
                     port [ 3784 3785 ];
                 }
                 then accept;
             }
+            term ICMP-ALLOW {
+                from {
+                    protocol icmp;
+                    icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+                }
+                then accept;
+            }
             term TRACEROUTE-ALLOW {
                 from {
                     protocol udp;
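Review bot: ICMP-ALLOW, re-added here after BFD-ALLOW, accepts the listed ICMP types from any source address with no rate limit, so the routing engine has to process whatever volume arrives. Consider attaching a policer in the action, e.g. `then { policer <ICMP-POLICER-NAME>; accept; }`, with the policer defined under `firewall`. The same applies to TRACEROUTE-ALLOW, which begins in this hunk and continues outside it.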
@@ -992,6 +1028,20 @@
                 }
                 then accept;
             }
+            term DENY-SERVICES-INBOUND {
+                from {
+                    destination-port [ ssh telnet http https snmp ntp domain ];
+                }
+                then {
+                    discard;
+                }
+            }
+            term SERVICES-OUTBOUND {
+                from {
+                    source-port [ ssh telnet ];
+                }
+                then accept;
+            }
             term DENY_ALL {
                 then {
                     discard;
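Review bot: SERVICES-OUTBOUND accepts any packet whose source port is ssh or telnet, from any address and with no protocol or TCP-flag match, so it is not limited to replies to sessions the router itself opened. Anything not already discarded by DENY-SERVICES-INBOUND is admitted to the routing engine on that basis. Restrict the term to established TCP by adding `protocol tcp;` and `tcp-established;` to the `from` block, and ideally a `source-prefix-list` naming the hosts the router is expected to connect to. DENY_ALL's body continues outside the hunk.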

Index: core.hut.ori.onenet.net
===================================================================
--- core.hut.ori.onenet.net	(revision 112058)
+++ core.hut.ori.onenet.net	(working copy)
@@ -1,12 +1,12 @@
 # RANCID-CONTENT-TYPE: juniper
 #
 # grnoc-mon at ORIENTA-MX40> show system commit 
+#   2014-03-03 17:08:31 CST by rnordmark via cli
+#   2014-03-03 17:04:56 CST by rnordmark via cli
 #   2014-03-03 16:56:27 CST by rnordmark via cli
 #   2014-03-03 16:56:12 CST by rnordmark via cli
 #   2014-03-03 16:55:39 CST by rnordmark via cli
 #   2014-03-03 16:51:56 CST by rnordmark via cli
-#   2014-02-26 11:12:36 CST by andrew via netconf
-#   2014-02-25 19:21:52 CST by jeremyt via cli commit confirmed, rollback in 5mins
 # grnoc-mon at ORIENTA-MX40> show chassis environment 
 # Class Item                           Status     Measurement
 # Temp  PEM 0                          OK        
@@ -229,7 +229,7 @@
 # grnoc-mon at ORIENTA-MX40> show system uptime 
 # System booted: 2013-06-06 13:15 CDT 
 # Protocols started: 2013-06-06 13:16 CDT 
-# Last configured: 2014-03-03 16:56 CST  by rnordmark
+# Last configured: 2014-03-03 17:08 CST  by rnordmark
 # 
 # grnoc-mon at ORIENTA-MX40> show interface terse 
 #Interface Admin Link
@@ -295,7 +295,7 @@
 #pp0 up up
 #tap up up
 # grnoc-mon at ORIENTA-MX40> show configuration 
-## Last commit: 2014-03-03 16:56:27 CST by rnordmark
+## Last commit: 2014-03-03 17:08:31 CST by rnordmark
 version 12.3R2.5;
 system {
     host-name ORIENTA-MX40;

Index: hub.chi.onenet.net
===================================================================
--- hub.chi.onenet.net	(revision 112058)
+++ hub.chi.onenet.net	(working copy)
@@ -282,7 +282,7 @@
 #t3-2/0/1.0 up up
 #ct3-2/0/2 up up
 #t1-2/0/2:1 up down
-#t1-2/0/2:2 down up
+#t1-2/0/2:2 down down
 #t1-2/0/2:3 up down
 #t1-2/0/2:4 up up
 #t1-2/0/2:4.0 up up

Index: hub.ard.onenet.net
===================================================================
--- hub.ard.onenet.net	(revision 112058)
+++ hub.ard.onenet.net	(working copy)
@@ -340,8 +340,8 @@
 #t1-2/0/3:6 up up
 #t1-2/0/3:6.0 up up
 #t1-2/0/3:7 up down
-#t1-2/0/3:8 up down
-#t1-2/0/3:8.0 up down
+#t1-2/0/3:8 up up
+#t1-2/0/3:8.0 up up
 #t1-2/0/3:9 up down
 #t1-2/0/3:10 up up
 #t1-2/0/3:10.0 up up

Index: core3.okc-m120.onenet.net
===================================================================
--- core3.okc-m120.onenet.net	(revision 112054)
+++ core3.okc-m120.onenet.net	(working copy)
@@ -761,8 +761,8 @@
 #t1-2/3/0:8:11 up up
 #t1-2/3/0:8:11.0 up up
 #t1-2/3/0:8:12 up down
-#t1-2/3/0:8:13 up up
-#t1-2/3/0:8:13.0 up up
+#t1-2/3/0:8:13 up down
+#t1-2/3/0:8:13.0 up down
 #t1-2/3/0:8:14 up up
 #t1-2/3/0:8:14.0 up up
 #t1-2/3/0:8:15 up down


