[Nocrancid] autopop-onenet.net router config diffs
rancid at rancid.noc.onenet.net
rancid at rancid.noc.onenet.net
Wed Mar 5 17:01:35 CST 2014
Index: core.chi.onenet.net
===================================================================
--- core.chi.onenet.net (revision 112058)
+++ core.chi.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at CHICKASHA-MX480-RE0> show system commit
+# 2014-03-05 16:50:26 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:11:27 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:29 CST by andrew via netconf commit synchronize
# 2014-02-25 19:04:20 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:55:13 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:54:06 CST by rnordmark via cli commit synchronize
-# 2014-01-02 12:38:28 CST by donnie via cli commit synchronize
# grnoc-mon at CHICKASHA-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -241,7 +241,7 @@
# grnoc-mon at CHICKASHA-MX480-RE0> show system uptime
# System booted: 2013-12-22 02:53 CST
# Protocols started: 2013-12-22 02:54 CST
-# Last configured: 2014-03-03 16:11 CST by rnordmark
+# Last configured: 2014-03-05 16:50 CST by jeremyt
#
# {master}
# grnoc-mon at CHICKASHA-MX480-RE0> show interface terse
@@ -317,7 +317,7 @@
#pp0 up up
#tap up up
# grnoc-mon at CHICKASHA-MX480-RE0> show configuration
-## Last commit: 2014-03-03 16:11:27 CST by rnordmark
+## Last commit: 2014-03-05 16:50:26 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -361,7 +361,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -461,8 +461,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
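Review bot: With `server 164.58.253.82 prefer;` removed, `server 164.58.3.98 prefer;` is the only entry left in the `system ntp` stanza, so a failure of that single host leaves the routing engine free-running with no fallback time source, and the `prefer` keyword no longer selects anything. Drifting clocks show up as inconsistent timestamps across the commit log, syslog and RADIUS accounting, which undermines cross-device log correlation during an incident; keeping a second source, `server <SECOND-NTP-SERVER>;` (value to be chosen by the operators), is the usual recommendation. The same reduction to one server is made in the ntp hunks of core.hut.ato, core.hut.ard and core.hut.law.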
@@ -883,10 +882,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
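Review bot: `prefix-list PRE-SNMP-SOURCES` expands `apply-path "snmp client-list snmp-management <1*>"`, and that `<1*>` glob only picks client-list entries whose identifier starts with a 1; if the snmp-management list ever holds an entry with another leading digit (the PRE-MGMT-SOURCES list in this same hunk already has 64.207.244.14/32 and 66.129.224.37/32), it would silently drop out of SNMP-ALLOW, so either the wildcard is deliberate and should be annotated or it should read `<*>`. `PRE-L0-SOURCES` has the same shape with `<164.*>`, and `PRE-LDP-SOURCES` now mixes two static prefixes with an apply-path over every interface address, neither of which is obvious to the next reader. Junos `annotate` would let each list carry a comment such as `/* PRE-SNMP-SOURCES: snmp-management client-list entries beginning with 1 only; non-1xx hosts intentionally excluded -- confirm */` so the intent survives the next audit. The identical prefix-list hunks in core.hut.ato, core.hut.ard, core.law and core.hut.law need the same annotations.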
@@ -1058,112 +1090,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
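Review bot: `term JSPACE-ALLOW` matches `source-port 7408;`, while the `term SERVICES-OUTBOUND` it replaces in this hunk listed `7804` in its source-port set; one of the two looks like a digit transposition, so the port should be confirmed against the Junos Space deployment before this filter is relied on for the management path. The new DOMAIN-ALLOW, SYSLOG-ALLOW, FTP-ALLOW and JSPACE-ALLOW terms also carry no `protocol` qualifier, and a bare `port` match applies to both source and destination port of both TCP and UDP, so each admits more than its name suggests — pinning them with `protocol tcp;` (or `protocol udp;` for syslog, to be confirmed against the collectors) and a directional match such as `source-port domain;` for name-server replies would restore the tightness the old source-address terms had. The hunk opens on the `firewall {` stanza and ends inside SNMP-ALLOW, so the rest of that term is outside the hunk. The same terms appear verbatim in the PROTECT-RE hunks of core.hut.ato, core.hut.ard, core.law and core.hut.law.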
@@ -1172,19 +1204,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1192,14 +1222,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
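Review bot: `term ICMP-ALLOW` accepts echo-request, echo-reply, unreachable and time-exceeded from any source with a plain `then accept;`, so nothing bounds the rate at which the routing engine must process ICMP, and the TRACEROUTE-ALLOW term that begins at the end of this hunk (its body continues past the hunk) appears to be unbounded in the same way. The usual hardening is `then { policer <RE-ICMP-POLICER>; accept; }` with a policer defined in this filter's firewall stanza (none is visible for this file on the page) and a `count` counter on the term so spikes are visible in `show firewall` during an incident. BFD-ALLOW in this hunk is now keyed on PRE-LOCALIPv4-SOURCES and therefore accepts from every connected subnet, which is the conventional trade-off but deserves an annotation saying so. The same ICMP-ALLOW placement is made in core.hut.ato, core.hut.ard, core.law and core.hut.law.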
@@ -1207,6 +1244,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
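Review bot: `term SERVICES-OUTBOUND` accepts any packet whose source port is 22 or 23 with no `protocol`, no source restriction and no TCP-state check, so a packet carrying source port 22 reaches the routing engine on every destination port that DENY-SERVICES-INBOUND does not list (ldp, bgp, the BFD and radius ports, anything UDP), bypassing the per-service source-prefix-list terms above it. Since the term exists only to admit return traffic for sessions the RE itself opened, it should be pinned with `protocol tcp;` and `tcp-established;` alongside `source-port [ ssh telnet ];`, which refuses a bare SYN while still matching the replies. DENY-SERVICES-INBOUND discards silently and is otherwise redundant with the DENY_ALL term that follows it; giving it `then { count deny-services-inbound; syslog; discard; }` turns it into a detection point for probes against the management ports. The filter's closing braces lie outside this hunk. The same two terms are added in core.hut.ato, core.hut.ard, core.law and core.hut.law.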
Index: core.hut.ato.onenet.net
===================================================================
--- core.hut.ato.onenet.net (revision 112005)
+++ core.hut.ato.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at Atoka-MX40> show system commit
+# 2014-03-05 16:42:21 CST by jeremyt via cli
# 2014-03-03 16:15:35 CST by rnordmark via cli
# 2014-02-26 11:12:37 CST by andrew via netconf
# 2014-02-25 19:07:55 CST by rnordmark via cli
# 2014-01-29 13:03:39 CST by rnordmark via cli
# 2014-01-29 13:02:01 CST by rnordmark via cli commit confirmed, rollback in 5mins
-# 2014-01-29 12:52:56 CST by rnordmark via cli
# grnoc-mon at Atoka-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -228,7 +228,7 @@
# grnoc-mon at Atoka-MX40> show system uptime
# System booted: 2013-06-05 11:56 CDT
# Protocols started: 2013-06-05 11:58 CDT
-# Last configured: 2014-03-03 16:15 CST by rnordmark
+# Last configured: 2014-03-05 16:42 CST by jeremyt
#
# grnoc-mon at Atoka-MX40> show interface terse
#Interface Admin Link
@@ -295,7 +295,7 @@
#pp0 up up
#tap up up
# grnoc-mon at Atoka-MX40> show configuration
-## Last commit: 2014-03-03 16:15:35 CST by rnordmark
+## Last commit: 2014-03-05 16:42:21 CST by jeremyt
version 12.3R2.5;
system {
host-name Atoka-MX40;
@@ -307,7 +307,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -405,8 +405,7 @@
source-address 164.58.199.161;
}
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -735,10 +734,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -859,112 +891,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -973,19 +1005,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -993,14 +1023,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1008,6 +1045,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.hut.ard.onenet.net
===================================================================
--- core.hut.ard.onenet.net (revision 111998)
+++ core.hut.ard.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ARDMORE-MX40> show system commit
+# 2014-03-05 16:54:17 CST by jeremyt via cli
# 2014-03-03 16:15:30 CST by rnordmark via cli
# 2014-02-26 11:12:38 CST by andrew via netconf
# 2014-02-25 19:07:48 CST by rnordmark via cli
# 2014-01-24 15:42:39 CST by joel via cli
# 2014-01-24 15:42:28 CST by joel via cli
-# 2014-01-24 15:41:32 CST by joel via cli
# grnoc-mon at ARDMORE-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -228,7 +228,7 @@
# grnoc-mon at ARDMORE-MX40> show system uptime
# System booted: 2014-01-03 13:00 CST
# Protocols started: 2014-01-03 13:02 CST
-# Last configured: 2014-03-03 16:15 CST by rnordmark
+# Last configured: 2014-03-05 16:54 CST by jeremyt
#
# grnoc-mon at ARDMORE-MX40> show interface terse
#Interface Admin Link
@@ -292,7 +292,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ARDMORE-MX40> show configuration
-## Last commit: 2014-03-03 16:15:30 CST by rnordmark
+## Last commit: 2014-03-05 16:54:17 CST by jeremyt
version 12.3R2.5;
system {
host-name ARDMORE-MX40;
@@ -304,7 +304,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -399,8 +399,7 @@
source-address 164.58.199.160;
}
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -675,10 +674,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -799,112 +831,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -913,19 +945,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -933,14 +963,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -948,6 +985,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.hut.sal.onenet.net
===================================================================
--- core.hut.sal.onenet.net (revision 112060)
+++ core.hut.sal.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at Sallisaw-MX40> show system commit
+# 2014-03-05 16:45:31 CST by jeremyt via cli
# 2014-03-03 17:30:04 CST by andrew via cli commit confirmed, rollback in 5mins
# 2014-03-03 17:20:36 CST by admin via cli
# 2014-03-03 17:14:07 CST by andrew via cli
# 2014-03-03 16:15:18 CST by rnordmark via cli
# 2014-02-26 11:12:38 CST by andrew via netconf
-# 2014-02-25 19:07:37 CST by rnordmark via cli
# grnoc-mon at Sallisaw-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -229,7 +229,7 @@
# grnoc-mon at Sallisaw-MX40> show system uptime
# System booted: 2013-06-07 12:03 CDT
# Protocols started: 2013-06-07 12:04 CDT
-# Last configured: 2014-03-03 17:30 CST by andrew
+# Last configured: 2014-03-05 16:45 CST by jeremyt
#
# grnoc-mon at Sallisaw-MX40> show interface terse
#Interface Admin Link
@@ -295,7 +295,7 @@
#pp0 up up
#tap up up
# grnoc-mon at Sallisaw-MX40> show configuration
-## Last commit: 2014-03-03 17:30:04 CST by andrew
+## Last commit: 2014-03-05 16:45:31 CST by jeremyt
version 12.3R2.5;
system {
host-name Sallisaw-MX40;
Index: core.law.onenet.net
===================================================================
--- core.law.onenet.net (revision 111993)
+++ core.law.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at LAWTON-MX480-RE0> show system commit
+# 2014-03-05 16:56:13 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:16:40 CST by rnordmark via cli commit synchronize
# 2014-02-27 08:46:47 CST by donnie via cli commit synchronize
# 2014-02-26 11:12:37 CST by andrew via netconf commit synchronize
# 2014-02-25 19:08:50 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:50:12 CST by rnordmark via cli commit synchronize
-# 2014-02-19 11:22:11 CST by rnordmark via cli commit confirmed, rollback in 5mins synchronize
# grnoc-mon at LAWTON-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -322,7 +322,7 @@
# grnoc-mon at LAWTON-MX480-RE0> show system uptime
# System booted: 2013-05-28 01:07 CDT
# Protocols started: 2013-05-28 01:08 CDT
-# Last configured: 2014-03-03 16:16 CST by rnordmark
+# Last configured: 2014-03-05 16:56 CST by jeremyt
#
# {master}
# grnoc-mon at LAWTON-MX480-RE0> show interface terse
@@ -483,7 +483,7 @@
#pp0 up up
#tap up up
# grnoc-mon at LAWTON-MX480-RE0> show configuration
-## Last commit: 2014-03-03 16:16:40 CST by rnordmark
+## Last commit: 2014-03-05 16:56:13 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -526,7 +526,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1401,7 +1401,6 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list CAMERON-BAD-IP {
58.68.130.154/32;
64.206.54.198/32;
@@ -1415,7 +1414,41 @@
}
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1586,54 +1619,70 @@
}
firewall {
family inet {
- filter PROTECT-RE {
- term SERVICES {
+ filter CAMERON {
+ term 1 {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ CAMERON-BAD-IP;
}
- protocol tcp;
- destination-port [ ssh http ];
}
+ then {
+ discard;
+ }
+ }
+ term 2 {
then accept;
}
- term OSPF-ALLOW {
+ }
+ filter BLOCK-NTP {
+ term 0.5 {
from {
source-address {
- 164.58.199.0/24;
+ 164.58.68.0/24;
+ 164.58.109.250/32;
+ }
+ protocol udp;
+ port ntp;
+ }
+ then {
+ discard;
+ }
+ }
+ term 1 {
+ from {
+ source-address {
+ 156.110.0.0/16;
164.58.0.0/16;
- 156.110.0.0/16;
+ 140.182.45.75/32;
+ 192.12.206.228/32;
+ 129.79.5.100/32;
}
- protocol ospf;
+ protocol udp;
+ port ntp;
}
then accept;
}
- term EBGP-ALLOW {
+ term 2 {
from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
- protocol tcp;
- port 179;
+ protocol udp;
+ port ntp;
}
+ then {
+ discard;
+ }
+ }
+ term 3 {
then accept;
}
- term IBGP-ALLOW {
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
@@ -1653,46 +1702,86 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
+ term DOMAIN-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
+ }
+ then accept;
+ }
+ term SYSLOG-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
+ }
+ then accept;
+ }
+ term FTP-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port ftp;
+ }
+ then accept;
+ }
+ term JSPACE-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ source-port 7408;
+ }
+ then accept;
+ }
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1701,19 +1790,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1721,82 +1808,47 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
- term TRACEROUTE-ALLOW {
+ term ICMP-ALLOW {
from {
- protocol udp;
- destination-port 33434-33523;
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
}
then accept;
}
- term DENY_ALL {
- then {
- discard;
- }
- }
- }
- filter CAMERON {
- term 1 {
+ term TRACEROUTE-ALLOW {
from {
- source-prefix-list {
- CAMERON-BAD-IP;
- }
+ protocol udp;
+ destination-port 33434-33523;
}
- then {
- discard;
- }
- }
- term 2 {
then accept;
}
- }
- filter BLOCK-NTP {
- term 0.5 {
+ term DENY-SERVICES-INBOUND {
from {
- source-address {
- 164.58.68.0/24;
- 164.58.109.250/32;
- }
- protocol udp;
- port ntp;
+ destination-port [ ssh telnet http https snmp ntp domain ];
}
then {
discard;
}
}
- term 1 {
+ term SERVICES-OUTBOUND {
from {
- source-address {
- 156.110.0.0/16;
- 164.58.0.0/16;
- 140.182.45.75/32;
- 192.12.206.228/32;
- 129.79.5.100/32;
- }
- protocol udp;
- port ntp;
+ source-port [ ssh telnet ];
}
then accept;
}
- term 2 {
- from {
- protocol udp;
- port ntp;
- }
+ term DENY_ALL {
then {
discard;
}
}
- term 3 {
- then accept;
- }
}
}
policer 10M-POL {
Index: core.hut.law.onenet.net
===================================================================
--- core.hut.law.onenet.net (revision 112058)
+++ core.hut.law.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at LAWTON-HUT-MX40> show system commit
+# 2014-03-05 16:52:25 CST by jeremyt via cli
# 2014-03-03 16:14:28 CST by rnordmark via cli
# 2014-02-26 11:12:35 CST by andrew via netconf
# 2014-02-25 19:06:52 CST by rnordmark via cli
# 2014-01-14 14:28:52 CST by admin via netconf
# 2013-11-13 12:05:26 CST by joel via cli
-# 2013-11-01 14:40:55 CDT by joel via cli
# grnoc-mon at LAWTON-HUT-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -210,7 +210,7 @@
# grnoc-mon at LAWTON-HUT-MX40> show system uptime
# System booted: 2013-08-28 12:10 CDT
# Protocols started: 2013-08-28 12:12 CDT
-# Last configured: 2014-03-03 16:14 CST by rnordmark
+# Last configured: 2014-03-05 16:52 CST by jeremyt
#
# grnoc-mon at LAWTON-HUT-MX40> show interface terse
#Interface Admin Link
@@ -274,7 +274,7 @@
#pp0 up up
#tap up up
# grnoc-mon at LAWTON-HUT-MX40> show configuration
-## Last commit: 2014-03-03 16:14:28 CST by rnordmark
+## Last commit: 2014-03-05 16:52:25 CST by jeremyt
version 12.3R2.5;
system {
host-name LAWTON-HUT-MX40;
@@ -286,9 +286,7 @@
}
name-server {
164.58.253.10;
- 156.110.198.10;
- 164.58.233.202;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -383,8 +381,7 @@
source-address 164.58.199.148;
}
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -691,10 +688,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -815,112 +845,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -929,19 +959,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
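Review bot: LDP-ALLOW matches `port ldp` with no `protocol` condition, so the match is not tied to TCP or UDP and any packet from a PRE-LDP-SOURCES prefix carrying 646 in either port field is accepted. `port` (either direction) is still needed here because the TCP session replies arrive with source port 646, so keep it but add `protocol [ tcp udp ];` next to it. The added `then accept;` only makes explicit what Junos already does for a term without an action, which is fine. The same LDP-ALLOW term appears in the core.hut.cli, core.pot, core.hut.elk, core.ada and core.ard hunks.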
@@ -949,14 +977,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
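Review bot: ICMP-ALLOW accepts echo-request, echo-reply, unreachable and time-exceeded from any source with a bare `then accept;`, so nothing in this filter bounds the ICMP rate that reaches the routing engine. The usual PROTECT-RE pattern attaches a small policer to this term, e.g. `then { policer ICMP-POLICER; accept; }` with ICMP-POLICER (placeholder name) defined under `firewall policer` with a low `bandwidth-limit` and `then discard`. Echo-request in particular is accepted from the whole Internet, so this is the term that most needs the limit. The same ICMP-ALLOW term is added in core.hut.cli, core.pot, core.hut.elk, core.ada and core.ard.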
@@ -964,6 +999,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
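Review bot: SERVICES-OUTBOUND accepts any packet whose source port is ssh or telnet with no `protocol`, no `tcp-established` and no source prefix-list, so it is the one term in PROTECT-RE that admits traffic from arbitrary sources to every RE listener not named in DENY-SERVICES-INBOUND. DENY-SERVICES-INBOUND only exists to shield seven destination ports from this term, since DENY_ALL discards everything else anyway; any other service the RE listens on is not shielded. If the term is meant to let replies to the RE's own SSH/Telnet sessions back in, tie it to return traffic: `protocol tcp;`, `tcp-established;`, `source-port [ ssh telnet ];` (and drop telnet if the RE never initiates it). The same two terms are added in core.hut.cli, core.pot, core.hut.elk, core.ada and core.ard.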
Index: core.hut.cli.onenet.net
===================================================================
--- core.hut.cli.onenet.net (revision 112058)
+++ core.hut.cli.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at CLINTON-MX40> show system commit
+# 2014-03-05 16:50:40 CST by jeremyt via cli
# 2014-03-03 16:14:53 CST by rnordmark via cli
# 2014-02-26 11:12:33 CST by andrew via netconf
# 2014-02-25 19:07:17 CST by rnordmark via cli
# 2014-01-14 14:28:52 CST by admin via netconf
# 2013-11-21 08:44:43 CST by rnordmark via cli
-# 2013-11-13 12:06:13 CST by joel via cli
# grnoc-mon at CLINTON-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -212,7 +212,7 @@
# grnoc-mon at CLINTON-MX40> show system uptime
# System booted: 2013-09-17 10:41 CDT
# Protocols started: 2013-09-17 10:43 CDT
-# Last configured: 2014-03-03 16:14 CST by rnordmark
+# Last configured: 2014-03-05 16:50 CST by jeremyt
#
# grnoc-mon at CLINTON-MX40> show interface terse
#Interface Admin Link
@@ -276,7 +276,7 @@
#pp0 up up
#tap up up
# grnoc-mon at CLINTON-MX40> show configuration
-## Last commit: 2014-03-03 16:14:53 CST by rnordmark
+## Last commit: 2014-03-05 16:50:40 CST by jeremyt
version 12.3R2.5;
system {
host-name CLINTON-MX40;
@@ -288,7 +288,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -383,8 +383,7 @@
source-address 164.58.199.154;
}
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
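Review bot: After this hunk the box has a single NTP server, 164.58.3.98, and `prefer` on the only server is a no-op, so time synchronisation now has no fallback if that host or the path to it fails. Since PRE-NTP-SOURCES is an apply-path over `system ntp server`, NTP-ALLOW shrinks to that one address as well, so a replacement server must be added here rather than only in the filter. Whether the server is authenticated (`authentication-key`/`trusted-key`) is outside this hunk; worth confirming while it is being touched. The same NTP change appears in core.pot, core.hut.elk, core.ada and core.ard.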
@@ -704,10 +703,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
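Review bot: PRE-SNMP-SOURCES keys on the first character of the client-list entries via `apply-path "snmp client-list snmp-management <1*>"`, so any entry added to that client-list that does not start with `1` (the 64.x and 66.x management hosts listed in PRE-MGMT-SOURCES, for instance) is silently left out of SNMP-ALLOW. If the glob is there to exclude a specific entry, say so with a `/* reason */` annotation on the prefix-list (`annotate` in the CLI), otherwise use `<*>`; the same question applies to the `<164.*>` glob on PRE-L0-SOURCES. PRE-LOCALIPv4-SOURCES expands to the connected prefix of every inet-addressed unit on the router, which is what OSPF-ALLOW, PIM-ALLOW and BFD-ALLOW now trust; if any of those units face customers or peers, hosts on those subnets are now admitted for those protocols where the old explicit 164.58.0.0/16 and 156.110.0.0/16 lists may not have admitted them — presumably only core-facing units carry inet addresses, but that should be confirmed. The same prefix-list block is added in core.pot, core.hut.elk, core.ada and core.ard.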
@@ -828,112 +860,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
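Review bot: JSPACE-ALLOW uses `source-port 7408;` where the SERVICES-OUTBOUND term it replaces carried `7804`; if this is the Junos Space device-initiated management port, 7804 is the documented value and this looks like a digit transposition, so confirm against the port the devices actually connect to before relying on the term. DOMAIN-ALLOW, SYSLOG-ALLOW and FTP-ALLOW match with a bare `port`, which tests either port field and is not tied to a transport protocol; pin the protocol and the direction each service needs, e.g. `protocol udp;` with `source-port domain;` in DOMAIN-ALLOW, and `protocol tcp;` with `tcp-established;` in FTP-ALLOW. The same terms appear in core.pot, core.hut.elk, core.ada and core.ard, and in the core.chi hunk whose start precedes this excerpt.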
@@ -942,19 +974,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -962,14 +992,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -977,6 +1014,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.pot.onenet.net
===================================================================
--- core.pot.onenet.net (revision 112058)
+++ core.pot.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at POTEAU-MX480-RE0> show system commit
+# 2014-03-05 16:39:56 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:14:23 CST by rnordmark via cli commit synchronize
# 2014-02-26 16:49:20 CST by joel via cli commit synchronize
# 2014-02-26 16:46:39 CST by joel via cli commit synchronize
# 2014-02-26 11:12:35 CST by andrew via netconf commit synchronize
# 2014-02-25 19:06:46 CST by rnordmark via cli commit synchronize
-# 2014-02-24 17:56:05 CST by rnordmark via cli commit synchronize
# grnoc-mon at POTEAU-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -241,7 +241,7 @@
# grnoc-mon at POTEAU-MX480-RE0> show system uptime
# System booted: 2013-10-03 12:21 CDT
# Protocols started: 2013-10-03 12:24 CDT
-# Last configured: 2014-03-03 16:14 CST by rnordmark
+# Last configured: 2014-03-05 16:39 CST by jeremyt
#
# {master}
# grnoc-mon at POTEAU-MX480-RE0> show interface terse
@@ -322,7 +322,7 @@
#pp0 up up
#tap up up
# grnoc-mon at POTEAU-MX480-RE0> show configuration
-## Last commit: 2014-03-03 16:14:23 CST by rnordmark
+## Last commit: 2014-03-05 16:39:56 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -366,7 +366,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -466,8 +466,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -916,10 +915,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1091,112 +1123,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1205,19 +1237,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1225,14 +1255,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1240,6 +1277,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.hut.elk.onenet.net
===================================================================
--- core.hut.elk.onenet.net (revision 112058)
+++ core.hut.elk.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ELK-CITY-MX40> show system commit
+# 2014-03-05 16:50:53 CST by jeremyt via cli
# 2014-03-03 16:14:59 CST by rnordmark via cli
# 2014-02-26 11:12:38 CST by andrew via netconf
# 2014-02-25 19:07:24 CST by rnordmark via cli
# 2014-01-14 14:28:53 CST by admin via netconf
# 2014-01-03 10:59:25 CST by joel via cli
-# 2014-01-03 10:44:25 CST by joel via cli
# grnoc-mon at ELK-CITY-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -230,7 +230,7 @@
# grnoc-mon at ELK-CITY-MX40> show system uptime
# System booted: 2013-06-06 14:42 CDT
# Protocols started: 2013-06-06 14:43 CDT
-# Last configured: 2014-03-03 16:14 CST by rnordmark
+# Last configured: 2014-03-05 16:50 CST by jeremyt
#
# grnoc-mon at ELK-CITY-MX40> show interface terse
#Interface Admin Link
@@ -294,7 +294,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ELK-CITY-MX40> show configuration
-## Last commit: 2014-03-03 16:14:59 CST by rnordmark
+## Last commit: 2014-03-05 16:50:53 CST by jeremyt
version 12.3R2.5;
system {
host-name ELK-CITY-MX40;
@@ -306,7 +306,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -404,8 +404,7 @@
source-address 164.58.199.155;
}
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -720,10 +719,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -844,112 +876,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -958,19 +990,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -978,14 +1008,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -993,6 +1030,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.ada.onenet.net
===================================================================
--- core.ada.onenet.net (revision 111990)
+++ core.ada.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ADA-MX480-RE0> show system commit
+# 2014-03-05 16:45:03 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:09:06 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:37 CST by andrew via netconf commit synchronize
# 2014-02-25 19:02:19 CST by rnordmark via cli commit synchronize
# 2014-02-25 16:31:03 CST by joel via cli commit synchronize
# 2014-02-24 17:54:55 CST by rnordmark via cli commit synchronize
-# 2014-02-14 14:53:48 CST by rnordmark via cli commit synchronize
# grnoc-mon at ADA-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -246,7 +246,7 @@
# grnoc-mon at ADA-MX480-RE0> show system uptime
# System booted: 2013-05-26 04:19 CDT
# Protocols started: 2013-05-26 04:22 CDT
-# Last configured: 2014-03-03 16:09 CST by rnordmark
+# Last configured: 2014-03-05 16:45 CST by jeremyt
#
# {master}
# grnoc-mon at ADA-MX480-RE0> show interface terse
@@ -328,7 +328,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ADA-MX480-RE0> show configuration
-## Last commit: 2014-03-03 16:09:06 CST by rnordmark
+## Last commit: 2014-03-05 16:45:03 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -372,7 +372,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -472,8 +472,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -950,10 +949,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1124,54 +1156,61 @@
}
firewall {
family inet {
- filter PROTECT-RE {
- term SERVICES {
+ filter Tupelo-DOS {
+ term K12US {
from {
source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ 8.36.78.0/23;
}
- protocol tcp;
- destination-port [ ssh http ];
}
then accept;
}
- term OSPF-ALLOW {
+ term OneNet {
from {
source-address {
- 164.58.199.0/24;
164.58.0.0/16;
- 156.110.0.0/16;
+ 153.110.0.0/16;
}
- protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term DNS {
from {
- prefix-list {
- EBGP-IPV4-NEIGHBORS;
- }
- protocol tcp;
- port 179;
+ protocol udp;
+ source-port 53;
}
+ then {
+ count TUPELO;
+ discard;
+ }
+ }
+ term UDP {
+ from {
+ protocol udp;
+ port 0;
+ }
+ then {
+ count TUPELOUDP;
+ discard;
+ }
+ }
+ term accept {
then accept;
}
- term IBGP-ALLOW {
+ term reject {
+ then {
+ discard;
+ }
+ }
+ }
+ filter PROTECT-RE {
+ term SSH-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- port 179;
+ destination-port ssh;
}
then accept;
}
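Review bot: In the re-emitted Tupelo-DOS filter, `term reject` can never match because `term accept` directly above it has no `from` clause and accepts everything, so either drop the dead term or give `accept` a match condition. `term OneNet` lists `153.110.0.0/16` while every other source list in these configs uses `156.110.0.0/16`; that prefix is carried over unchanged from the old position, but it looks like a typo and is worth checking against the intended OneNet space. Moving the filter above PROTECT-RE is cosmetic, since filters take effect only where they are bound to an interface.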
@@ -1191,46 +1230,86 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
+ term DOMAIN-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
+ }
+ then accept;
+ }
+ term SYSLOG-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
+ }
+ then accept;
+ }
+ term FTP-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port ftp;
+ }
+ then accept;
+ }
+ term JSPACE-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ source-port 7408;
+ }
+ then accept;
+ }
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1239,19 +1318,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1259,69 +1336,43 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
- term TRACEROUTE-ALLOW {
+ term ICMP-ALLOW {
from {
- protocol udp;
- destination-port 33434-33523;
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
}
then accept;
}
- term DENY_ALL {
- then {
- discard;
- }
- }
- }
- filter Tupelo-DOS {
- term K12US {
+ term TRACEROUTE-ALLOW {
from {
- source-address {
- 8.36.78.0/23;
- }
+ protocol udp;
+ destination-port 33434-33523;
}
then accept;
}
- term OneNet {
+ term DENY-SERVICES-INBOUND {
from {
- source-address {
- 164.58.0.0/16;
- 153.110.0.0/16;
- }
+ destination-port [ ssh telnet http https snmp ntp domain ];
}
- then accept;
- }
- term DNS {
- from {
- protocol udp;
- source-port 53;
- }
then {
- count TUPELO;
discard;
}
}
- term UDP {
+ term SERVICES-OUTBOUND {
from {
- protocol udp;
- port 0;
+ source-port [ ssh telnet ];
}
- then {
- count TUPELOUDP;
- discard;
- }
- }
- term accept {
then accept;
}
- term reject {
+ term DENY_ALL {
then {
discard;
}
Index: core.ard.onenet.net
===================================================================
--- core.ard.onenet.net (revision 112058)
+++ core.ard.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ARDMORE-MX480-RE0> show system commit
+# 2014-03-05 16:54:36 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:08:29 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:30 CST by andrew via netconf commit synchronize
# 2014-02-25 19:01:40 CST by rnordmark via cli commit synchronize
# 2014-02-25 16:29:19 CST by joel via cli commit synchronize
# 2014-02-24 17:55:07 CST by rnordmark via cli commit synchronize
-# 2014-02-14 14:54:00 CST by rnordmark via cli commit synchronize
# grnoc-mon at ARDMORE-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -241,7 +241,7 @@
# grnoc-mon at ARDMORE-MX480-RE0> show system uptime
# System booted: 2013-05-26 00:45 CDT
# Protocols started: 2013-05-26 00:46 CDT
-# Last configured: 2014-03-03 16:08 CST by rnordmark
+# Last configured: 2014-03-05 16:54 CST by jeremyt
#
# {master}
# grnoc-mon at ARDMORE-MX480-RE0> show interface terse
@@ -317,7 +317,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ARDMORE-MX480-RE0> show configuration
-## Last commit: 2014-03-03 16:08:29 CST by rnordmark
+## Last commit: 2014-03-05 16:54:36 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -361,7 +361,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -461,8 +461,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -830,10 +829,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1005,112 +1037,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1119,19 +1151,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
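Review bot: The `then accept;` added to LDP-ALLOW at L3526 does not change what the term does, because a Junos term with no `then` clause already accepts; keeping it explicit is fine for readability, and an `annotate` comment saying "explicit default, no behaviour change" would stop the next reader from hunting for one. The term still matches `port ldp` in either direction with no `protocol` condition, while PRE-LDP-SOURCES (defined per router in this diff, e.g. L3678–L3681) now carries every interface address via apply-path plus 10.199.0.0/16; adding `protocol [ tcp udp ];` to the `from` block would bring it in line with RADIUS-ALLOW and NTP-ALLOW, which do constrain the protocol. The same change appears in the LDP-ALLOW hunks at L3890–L3916, L4276–L4300, L4616–L4640, L4956–L4980 and L5296–L5320.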
@@ -1139,14 +1169,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
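Review bot: ICMP-ALLOW, now placed after the BFD term at L3552–L3558, accepts `echo-request`, `echo-reply`, `unreachable` and `time-exceeded` from any source with no rate limit, so it reaches the RE without either a prefix-list or a policer. A policer on the accept action, `then { policer <RE-ICMP-POLICER: placeholder name>; accept; }`, with the policer defined under `firewall`, would bound the RE's exposure while keeping ping and traceroute working. BFD-ALLOW's `port [ 3784 3785 ]` is unchanged context here, but it matches either source or destination port; `destination-port [ 3784 3785 ]` would be the tighter match now that the source side has been widened to PRE-LOCALIPv4-SOURCES. The same arrangement appears at L3917–L3940, L4301–L4324, L4641–L4664 and L4981–L5004.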
@@ -1154,6 +1191,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
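Review bot: SERVICES-OUTBOUND at L3574–L3579 accepts any packet whose source port is ssh or telnet, with no `protocol` condition, no source prefix-list and no `tcp-established` check, so for such packets the only thing between this term and DENY_ALL is the port list in DENY-SERVICES-INBOUND just above it. If the intent is return traffic for sessions the router itself opens, `protocol tcp; tcp-established; source-port [ ssh telnet ];` limits the term to non-initial TCP segments; if the router never opens outbound ssh/telnet, the term can be dropped. An `annotate` comment on the term stating which outbound session it exists for would make the next review quicker. The same pair of terms is added at L3941–L3961, L4325–L4345, L4665–L4685 and L5005–L5025.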
Index: core1.dc.onenet.net
===================================================================
--- core1.dc.onenet.net (revision 112274)
+++ core1.dc.onenet.net (working copy)
@@ -845,12 +845,12 @@
#lsi.1058265 up up
#lsi.1058340 up up
#lsi.1058990 up up
-#lsi.1058992 up up
#lsi.1059407 up up
#lsi.1059412 up up
#lsi.1059413 up up
#lsi.1059415 up up
#lsi.1059416 up up
+#lsi.1059417 up up
#mtun up up
#pimd up up
#pime up up
Index: core1.okc-mx960.onenet.net
===================================================================
--- core1.okc-mx960.onenet.net (revision 112011)
+++ core1.okc-mx960.onenet.net (working copy)
@@ -695,8 +695,8 @@
#lo0.16385 up up
#lsi up up
#lsi.0 up up
-#lsi.1059329 up up
#lsi.1059334 up up
+#lsi.1059335 up up
#mtun up up
#pimd up up
#pime up up
Index: core.dur.onenet.net
===================================================================
--- core.dur.onenet.net (revision 111989)
+++ core.dur.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at DURANT-MX480-RE0> show system commit
+# 2014-03-05 16:46:30 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:08:42 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:28 CST by andrew via netconf commit synchronize
# 2014-02-25 19:01:54 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:55:25 CST by rnordmark via cli commit synchronize
# 2014-02-19 16:51:49 CST by josh via cli commit synchronize
-# 2014-02-19 13:05:03 CST by rnordmark via cli commit synchronize
# grnoc-mon at DURANT-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -246,7 +246,7 @@
# grnoc-mon at DURANT-MX480-RE0> show system uptime
# System booted: 2013-05-26 00:24 CDT
# Protocols started: 2013-05-26 00:27 CDT
-# Last configured: 2014-03-03 16:08 CST by rnordmark
+# Last configured: 2014-03-05 16:46 CST by jeremyt
#
# {master}
# grnoc-mon at DURANT-MX480-RE0> show interface terse
@@ -330,7 +330,7 @@
#pp0 up up
#tap up up
# grnoc-mon at DURANT-MX480-RE0> show configuration
-## Last commit: 2014-03-03 16:08:42 CST by rnordmark
+## Last commit: 2014-03-05 16:46:30 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -374,7 +374,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -474,8 +474,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
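Review bot: After this hunk the router has a single NTP server, 164.58.3.98, so `prefer` at L3666 no longer selects between anything and the clock has no second source to cross-check against; a bad or unreachable server then means silent drift, which surfaces later in log correlation and in anything that checks certificate or token validity windows. Keeping at least two servers is the usual recommendation, and PRE-NTP-SOURCES (L3697–L3699) is built from `system ntp server` by apply-path, so NTP-ALLOW would follow an added server automatically. The same reduction is made at L4051–L4059, L4391–L4399, L4731–L4739 and L5071–L5079.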
@@ -949,13 +948,46 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list L3VPN-CUSTOMERS {
172.26.0.0/16;
}
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
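Review bot: PRE-SNMP-SOURCES at L3703–L3705 uses the glob `<1*>` against `snmp client-list snmp-management`, which only picks up entries whose first character is `1`; the client-list itself is not in this diff, so I cannot tell whether that is intentional, but any entry starting with another digit would be silently left out of SNMP-ALLOW, whereas `<*>` would track the list exactly. PRE-LDP-SOURCES now embeds the same `interfaces <*> unit <*> family inet address <*>` expression as PRE-LOCALIPv4-SOURCES; since prefix-lists cannot nest, LDP-ALLOW could instead list both PRE-LOCALIPv4-SOURCES and a smaller PRE-LDP-SOURCES under `source-prefix-list`, as NTP-ALLOW does at L3807–L3810, rather than maintaining the apply-path twice. The two /32s at the top of PRE-MGMT-SOURCES (64.207.244.14 and 66.129.224.37) sit outside the 129.15/156.110/164.58 ranges the rest of the list uses, so an `annotate` comment naming their owner and purpose would help the next audit. The same prefix-list block is added at L4061–L4105, L4401–L4445, L4741–L4785 and L5081–L5125.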
@@ -1166,115 +1198,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
source-prefix-list {
- L3VPN-CUSTOMERS;
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
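Review bot: JSPACE-ALLOW at L3865–L3876 matches `source-port 7408`, while the SERVICES-OUTBOUND term it replaces (L3842) carried `7804`; the digits look transposed, and if Junos Space traffic was the reason for 7804 the new term will never match it while the source-port fallback that used to cover it is gone, so the intended port is worth confirming before the next commit. Separately, DOMAIN-ALLOW, SYSLOG-ALLOW, FTP-ALLOW and JSPACE-ALLOW match on `port`/`source-port` with no `protocol` condition, so they accept whatever carries that port number (and `port` matches either direction) from the listed sources; `protocol [ udp tcp ]; source-port domain;` for DOMAIN-ALLOW, `protocol tcp;` for FTP-ALLOW and JSPACE-ALLOW, and `protocol udp;` for SYSLOG-ALLOW unless TCP syslog is in use, would keep them as narrow as RADIUS-ALLOW and NTP-ALLOW already are. The same terms appear at L4106–L4275, L4446–L4615, L4786–L4955 and L5126–L5295, and in the core.chi hunk at L3488–L3501, which starts outside this view.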
@@ -1283,22 +1312,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
source-prefix-list {
- L3VPN-CUSTOMERS;
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1306,14 +1330,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1321,6 +1352,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.hut.wea.onenet.net
===================================================================
--- core.hut.wea.onenet.net (revision 111303)
+++ core.hut.wea.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at WEATHERFORD-MX40> show system commit
+# 2014-03-05 16:55:02 CST by jeremyt via cli
# 2014-02-26 11:12:40 CST by andrew via netconf
# 2014-02-25 19:19:13 CST by jeremyt via cli commit confirmed, rollback in 5mins
# 2014-02-24 12:26:30 CST by rnordmark via cli
# 2014-02-24 12:26:19 CST by rnordmark via cli
# 2014-02-24 12:03:18 CST by joel via cli
-# 2014-02-24 12:01:17 CST by joel via cli
# grnoc-mon at WEATHERFORD-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -228,7 +228,7 @@
# grnoc-mon at WEATHERFORD-MX40> show system uptime
# System booted: 2014-02-13 23:09 CST
# Protocols started: 2014-02-13 23:11 CST
-# Last configured: 2014-02-26 11:12 CST by andrew
+# Last configured: 2014-03-05 16:55 CST by jeremyt
#
# grnoc-mon at WEATHERFORD-MX40> show interface terse
#Interface Admin Link
@@ -295,7 +295,7 @@
#pp0 up up
#tap up up
# grnoc-mon at WEATHERFORD-MX40> show configuration
-## Last commit: 2014-02-26 11:12:40 CST by andrew
+## Last commit: 2014-03-05 16:55:02 CST by jeremyt
version 12.3R2.5;
system {
host-name WEATHERFORD-MX40;
@@ -813,6 +813,7 @@
apply-path "protocols bgp group <*> neighbor <*>";
}
prefix-list PRE-LDP-SOURCES {
+ 10.199.0.0/16;
164.58.198.0/23;
apply-path "interfaces <*> unit <*> family inet address <*>";
}
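Review bot: The 10.199.0.0/16 added to PRE-LDP-SOURCES at L4002 is an entire RFC 1918 /16, and the diff does not show which addresses inside it actually form LDP adjacencies; if only a few link or loopback subnets do, listing those would keep LDP-ALLOW to least privilege, and an `annotate` comment on the entry naming what the range is would help either way. The other routers in this diff already carry the same /16 (e.g. L3679), so this may be deliberate alignment rather than a new exposure.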
Index: core.hut.pra.onenet.net
===================================================================
--- core.hut.pra.onenet.net (revision 112058)
+++ core.hut.pra.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at PRAGUE-MX40> show system commit
+# 2014-03-05 16:40:51 CST by jeremyt via cli
# 2014-03-03 16:15:24 CST by rnordmark via cli
# 2014-02-26 11:12:33 CST by andrew via netconf
# 2014-02-25 19:07:42 CST by rnordmark via cli
# 2014-02-12 10:47:48 CST by joel via cli
# 2014-01-14 14:28:52 CST by admin via netconf
-# 2013-11-13 08:44:09 CST by joel via cli
# grnoc-mon at PRAGUE-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -229,7 +229,7 @@
# grnoc-mon at PRAGUE-MX40> show system uptime
# System booted: 2013-06-04 15:22 CDT
# Protocols started: 2013-06-04 15:23 CDT
-# Last configured: 2014-03-03 16:15 CST by rnordmark
+# Last configured: 2014-03-05 16:40 CST by jeremyt
#
# grnoc-mon at PRAGUE-MX40> show interface terse
#Interface Admin Link
@@ -295,7 +295,7 @@
#pp0 up up
#tap up up
# grnoc-mon at PRAGUE-MX40> show configuration
-## Last commit: 2014-03-03 16:15:24 CST by rnordmark
+## Last commit: 2014-03-05 16:40:51 CST by jeremyt
version 12.3R2.5;
system {
host-name PRAGUE-MX40;
@@ -307,7 +307,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -405,8 +405,7 @@
source-address 164.58.199.159;
}
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -695,10 +694,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -819,112 +851,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -933,19 +965,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -953,14 +983,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -968,6 +1005,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.wil.onenet.net
===================================================================
--- core.wil.onenet.net (revision 112002)
+++ core.wil.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at WILBURTON-MX480-RE0> show system commit
+# 2014-03-05 16:44:46 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:12:26 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:28 CST by andrew via netconf commit synchronize
# 2014-02-25 19:05:04 CST by rnordmark via cli commit synchronize
# 2014-02-25 16:47:38 CST by joel via cli commit synchronize
# 2014-02-24 17:56:52 CST by rnordmark via cli commit synchronize
-# 2014-02-14 14:55:33 CST by rnordmark via cli commit synchronize
# grnoc-mon at WILBURTON-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -246,7 +246,7 @@
# grnoc-mon at WILBURTON-MX480-RE0> show system uptime
# System booted: 2013-07-30 17:16 CDT
# Protocols started: 2013-07-30 17:18 CDT
-# Last configured: 2014-03-03 16:12 CST by rnordmark
+# Last configured: 2014-03-05 16:44 CST by jeremyt
#
# {master}
# grnoc-mon at WILBURTON-MX480-RE0> show interface terse
@@ -322,7 +322,7 @@
#pp0 up up
#tap up up
# grnoc-mon at WILBURTON-MX480-RE0> show configuration
-## Last commit: 2014-03-03 16:12:26 CST by rnordmark
+## Last commit: 2014-03-05 16:44:46 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -366,7 +366,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -469,8 +469,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -884,10 +883,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1059,112 +1091,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1173,19 +1205,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1193,14 +1223,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1208,6 +1245,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.dun.onenet.net
===================================================================
--- core.dun.onenet.net (revision 112058)
+++ core.dun.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at DUNCAN-MX480-RE0> show system commit
+# 2014-03-05 16:47:55 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:08:53 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:26 CST by andrew via netconf commit synchronize
# 2014-02-25 19:02:06 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:55:19 CST by rnordmark via cli commit synchronize
# 2014-02-18 09:07:32 CST by donnie via cli commit synchronize
-# 2014-02-14 14:54:12 CST by rnordmark via cli commit synchronize
# grnoc-mon at DUNCAN-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -240,7 +240,7 @@
# grnoc-mon at DUNCAN-MX480-RE0> show system uptime
# System booted: 2013-05-28 00:35 CDT
# Protocols started: 2013-05-28 01:03 CDT
-# Last configured: 2014-03-03 16:08 CST by rnordmark
+# Last configured: 2014-03-05 16:47 CST by jeremyt
#
# grnoc-mon at DUNCAN-MX480-RE0> show interface terse
#Interface Admin Link
@@ -323,7 +323,7 @@
#pp0 up up
#tap up up
# grnoc-mon at DUNCAN-MX480-RE0> show configuration
-## Last commit: 2014-03-03 16:08:53 CST by rnordmark
+## Last commit: 2014-03-05 16:47:55 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -367,7 +367,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -467,8 +467,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -914,10 +913,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1089,112 +1121,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1203,19 +1235,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1223,14 +1253,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1238,6 +1275,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.alt.onenet.net
===================================================================
--- core.alt.onenet.net (revision 112080)
+++ core.alt.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ALTUS-MX480-RE0> show system commit
+# 2014-03-05 16:52:46 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:09:20 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:44:11 CST by donnie via cli commit synchronize
# 2014-02-26 11:12:30 CST by andrew via netconf commit synchronize
# 2014-02-25 19:02:31 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:55:01 CST by rnordmark via cli commit synchronize
-# 2014-02-14 14:53:54 CST by rnordmark via cli commit synchronize
# grnoc-mon at ALTUS-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -243,7 +243,7 @@
# grnoc-mon at ALTUS-MX480-RE0> show system uptime
# System booted: 2013-05-27 00:51 CDT
# Protocols started: 2013-05-27 01:02 CDT
-# Last configured: 2014-03-03 16:09 CST by rnordmark
+# Last configured: 2014-03-05 16:52 CST by jeremyt
#
# grnoc-mon at ALTUS-MX480-RE0> show interface terse
#Interface Admin Link
@@ -330,7 +330,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ALTUS-MX480-RE0> show configuration
-## Last commit: 2014-03-03 16:09:20 CST by rnordmark
+## Last commit: 2014-03-05 16:52:46 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -374,7 +374,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -474,8 +474,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -983,10 +982,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1158,112 +1190,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
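Review bot: `source-port 7408;` in the new JSPACE-ALLOW term does not agree with the `7804` that the removed SERVICES-OUTBOUND line carried, and 7804 is the port Junos Space uses for device-initiated connections, so if this is a transposed digit the Space session's return traffic now falls through to DENY_ALL; `protocol tcp;` with `source-port 7804;` would restore it. DOMAIN-ALLOW, SYSLOG-ALLOW and FTP-ALLOW match a bare `port` with no `protocol` clause, and `port` matches the number in either the source or destination field, so each admits any packet from its prefix list carrying that port in either direction; adding `protocol [ udp tcp ];` (or `protocol tcp;` for FTP) and, where only replies are expected, `source-port` instead of `port`, narrows them, and FTP data-channel traffic does not match `port ftp` at all. FIRST-FRAG/NEXT-FRAG now sit ahead of OSPF-ALLOW and BGP-ALLOW, whereas the old order evaluated them after the BGP terms, so fragmented OSPF or BGP packets that used to be accepted are now discarded — presumably intended, but worth an `annotate` on the term. The same rewrite is repeated in hub.alt, hub.chi, hub.alv, hub.dun and hub.ard below.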
@@ -1272,19 +1304,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1292,14 +1322,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
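Review bot: ICMP-ALLOW accepts the four ICMP types with a plain `then accept;` and no rate limit, and it carries no source constraint, so the RE still takes unlimited ICMP from any address. A `policer` under `firewall` with a small bandwidth-limit and burst-size-limit and `then discard`, referenced from this term as `then { policer <name>; accept; }`, is the usual PROTECT-RE pattern and would suit TRACEROUTE-ALLOW as well, whose body continues past the end of the hunk. The identical term is added in hub.alt, hub.chi, hub.alv, hub.dun and hub.ard.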
@@ -1307,6 +1344,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
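Review bot: The new SERVICES-OUTBOUND term accepts on `source-port [ ssh telnet ]` alone, with no source address, protocol or TCP-flag qualifier, so a packet from any address carrying one of those source ports still reaches every RE service not listed in DENY-SERVICES-INBOUND (BGP, LDP, RADIUS, syslog, the BFD ports) — the same source-port-only weakness the removed term had, now with two ports instead of seven. Since its purpose is return traffic for sessions the router itself opened, `from { protocol tcp; source-port [ ssh telnet ]; tcp-established; }` limits it to segments with ACK or RST set, which cannot open a new connection to the RE; if the router never initiates telnet, drop `telnet` as well. The DENY_ALL term continues past the end of the hunk. hub.alt, hub.chi, hub.alv, hub.dun and hub.ard add the identical term.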
Index: hub.alt.onenet.net
===================================================================
--- hub.alt.onenet.net (revision 112072)
+++ hub.alt.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ALTUS-M120-RE0> show system commit
+# 2014-03-05 16:48:18 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:09:13 CST by rnordmark via cli commit synchronize
# 2014-03-03 16:01:07 CST by jeremyt via cli commit synchronize
# 2014-02-26 11:12:32 CST by andrew via netconf commit synchronize
# 2014-02-25 19:02:26 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:48:09 CST by rnordmark via cli commit synchronize
-# 2014-02-14 14:47:40 CST by rnordmark via cli commit synchronize
# grnoc-mon at ALTUS-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -271,7 +271,7 @@
# grnoc-mon at ALTUS-M120-RE0> show system uptime
# System booted: 2013-12-30 19:52 CST
# Protocols started: 2013-12-30 19:53 CST
-# Last configured: 2014-03-03 16:09 CST by rnordmark
+# Last configured: 2014-03-05 16:48 CST by jeremyt
#
# {master}
# grnoc-mon at ALTUS-M120-RE0> show interface terse
@@ -394,7 +394,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ALTUS-M120-RE0> show configuration
-## Last commit: 2014-03-03 16:09:13 CST by rnordmark
+## Last commit: 2014-03-05 16:48:18 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -437,7 +437,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1108,10 +1108,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
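Review bot: The `<1*>` glob in PRE-SNMP-SOURCES and the `<164.*>` glob in PRE-L0-SOURCES filter the apply-path expansion by the leading characters of the address text, so any snmp-management client entry or lo0 address that does not begin with those digits is silently left out of SNMP-ALLOW and NTP-ALLOW, and nothing in the hunk records why (presumably to keep IPv6 or non-public entries out of a family inet prefix-list — confirm). An `annotate prefix-list PRE-SNMP-SOURCES "<reason>"` and the same on PRE-L0-SOURCES would keep the next editor from widening them to `<*>`. PRE-LDP-SOURCES' new apply-path is also byte-identical to PRE-LOCALIPv4-SOURCES, so the LDP list is now "local interface subnets plus two static prefixes" — worth saying in an annotation too. The same block is added in core.chi above and in hub.chi, hub.alv, hub.dun and hub.ard below.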
@@ -1306,114 +1339,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1422,21 +1453,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1444,14 +1471,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1459,6 +1493,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.chi.onenet.net
===================================================================
--- hub.chi.onenet.net (revision 112294)
+++ hub.chi.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at CHICKASHA-M120-RE0> show system commit
+# 2014-03-05 16:53:36 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:11:20 CST by rnordmark via cli commit synchronize
# 2014-03-03 16:01:37 CST by jeremyt via cli commit synchronize
# 2014-02-27 08:17:53 CST by donnie via cli commit synchronize
# 2014-02-26 11:12:29 CST by andrew via netconf commit synchronize
# 2014-02-25 19:04:14 CST by rnordmark via cli commit synchronize
-# 2014-02-24 17:48:45 CST by rnordmark via cli commit synchronize
# grnoc-mon at CHICKASHA-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -268,7 +268,7 @@
# grnoc-mon at CHICKASHA-M120-RE0> show system uptime
# System booted: 2013-12-22 02:53 CST
# Protocols started: 2013-12-22 02:55 CST
-# Last configured: 2014-03-03 16:11 CST by rnordmark
+# Last configured: 2014-03-05 16:53 CST by jeremyt
#
# {master}
# grnoc-mon at CHICKASHA-M120-RE0> show interface terse
@@ -282,7 +282,7 @@
#t3-2/0/1.0 up up
#ct3-2/0/2 up up
#t1-2/0/2:1 up down
-#t1-2/0/2:2 down up
+#t1-2/0/2:2 down down
#t1-2/0/2:3 up down
#t1-2/0/2:4 up up
#t1-2/0/2:4.0 up up
@@ -416,7 +416,7 @@
#pp0 up up
#tap up up
# grnoc-mon at CHICKASHA-M120-RE0> show configuration
-## Last commit: 2014-03-03 16:11:20 CST by rnordmark
+## Last commit: 2014-03-05 16:53:36 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -459,7 +459,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1137,10 +1137,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1335,114 +1368,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1451,21 +1482,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1473,14 +1500,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1488,6 +1522,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.alv.onenet.net
===================================================================
--- hub.alv.onenet.net (revision 112021)
+++ hub.alv.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ALVA-M120-RE0> show system commit
+# 2014-03-05 16:56:30 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:11:13 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:37 CST by andrew via netconf commit synchronize
# 2014-02-25 19:04:06 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:48:19 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:47:50 CST by rnordmark via cli commit synchronize
-# 2014-01-14 09:03:58 CST by donnie via cli commit synchronize
# grnoc-mon at ALVA-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -269,7 +269,7 @@
# grnoc-mon at ALVA-M120-RE0> show system uptime
# System booted: 2013-06-04 22:16 CDT
# Protocols started: 2013-06-04 22:28 CDT
-# Last configured: 2014-03-03 16:11 CST by rnordmark
+# Last configured: 2014-03-05 16:56 CST by jeremyt
#
# {master}
# grnoc-mon at ALVA-M120-RE0> show interface terse
@@ -379,7 +379,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ALVA-M120-RE0> show configuration
-## Last commit: 2014-03-03 16:11:13 CST by rnordmark
+## Last commit: 2014-03-05 16:56:30 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -422,7 +422,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1013,10 +1013,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1211,114 +1244,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1327,21 +1358,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1349,14 +1376,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1364,6 +1398,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.dun.onenet.net
===================================================================
--- hub.dun.onenet.net (revision 112053)
+++ hub.dun.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at DUNCAN-M120-RE0> show system commit
+# 2014-03-05 16:48:41 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:08:48 CST by rnordmark via cli commit synchronize
# 2014-03-03 16:01:56 CST by jeremyt via cli commit synchronize
# 2014-02-26 13:18:18 CST by joe via cli commit synchronize
# 2014-02-26 11:12:32 CST by andrew via netconf commit synchronize
# 2014-02-25 19:02:01 CST by rnordmark via cli commit synchronize
-# 2014-02-24 17:49:00 CST by rnordmark via cli commit synchronize
# grnoc-mon at DUNCAN-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -264,7 +264,7 @@
# grnoc-mon at DUNCAN-M120-RE0> show system uptime
# System booted: 2013-05-28 00:52 CDT
# Protocols started: 2013-05-28 02:18 CDT
-# Last configured: 2014-03-03 16:08 CST by rnordmark
+# Last configured: 2014-03-05 16:48 CST by jeremyt
#
# grnoc-mon at DUNCAN-M120-RE0> show interface terse
#Interface Admin Link
@@ -419,7 +419,7 @@
#pp0 up up
#tap up up
# grnoc-mon at DUNCAN-M120-RE0> show configuration
-## Last commit: 2014-03-03 16:08:48 CST by rnordmark
+## Last commit: 2014-03-05 16:48:41 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -462,7 +462,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1181,10 +1181,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1379,114 +1412,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1495,21 +1526,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1517,14 +1544,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1532,6 +1566,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.ard.onenet.net
===================================================================
--- hub.ard.onenet.net (revision 112251)
+++ hub.ard.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ARDMORE-M120-RE0> show system commit
+# 2014-03-05 16:31:30 CST by jeremyt via cli commit synchronize
# 2014-03-04 13:04:56 CST by rnordmark via cli commit synchronize
# 2014-03-04 13:04:28 CST by rnordmark via cli commit confirmed, rollback in 5mins synchronize
# 2014-03-04 12:53:48 CST by rnordmark via cli commit synchronize
# 2014-03-04 12:53:36 CST by rnordmark via cli commit synchronize
# 2014-03-04 12:41:25 CST by rnordmark via cli commit synchronize
-# 2014-03-04 12:40:57 CST by rnordmark via cli commit confirmed, rollback in 2mins synchronize
# grnoc-mon at ARDMORE-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -274,7 +274,7 @@
# grnoc-mon at ARDMORE-M120-RE0> show system uptime
# System booted: 2013-05-26 01:53 CDT
# Protocols started: 2013-05-26 01:56 CDT
-# Last configured: 2014-03-04 13:04 CST by rnordmark
+# Last configured: 2014-03-05 16:31 CST by jeremyt
#
# {master}
# grnoc-mon at ARDMORE-M120-RE0> show interface terse
@@ -441,7 +441,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ARDMORE-M120-RE0> show configuration
-## Last commit: 2014-03-04 13:04:56 CST by rnordmark
+## Last commit: 2014-03-05 16:31:30 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -484,7 +484,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1406,10 +1406,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1604,114 +1637,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1720,21 +1751,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
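Review bot: LDP-ALLOW still matches `port ldp` with no `protocol` qualifier, so nothing ties the match to the UDP hellos and TCP session that LDP actually uses, and `port` matches either direction; adding `protocol [ tcp udp ];` beside `port ldp;` keeps the term scoped to what its name says. The same protocol-less `port`/`source-port` matches appear in the DOMAIN-ALLOW, SYSLOG-ALLOW, FTP-ALLOW and JSPACE-ALLOW terms of the PROTECT-RE hunk in each hub.* file below (and in core.chi's, which starts before this view). The explicit `then accept;` added here only makes the previous implicit accept visible and is fine. The same LDP/PIM hunk recurs in hub.ida, hub.lawm120, hub.sem, hub.tis and hub.pot; PIM-ALLOW's closing lines continue outside the hunk.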
@@ -1742,14 +1769,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
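Review bot: ICMP-ALLOW accepts echo-request, echo-reply, unreachable and time-exceeded from any source with a bare `then accept;`, so ICMP reaching the RE is not rate-limited; the usual fix on a RE-protection filter is `then { policer <RE-ICMP-POLICER>; accept; }` with the policer defined under `firewall` (placeholder name). The term was moved here from earlier in the filter with its matches unchanged, so the exposure is not new, but this rewrite is the natural place to add the policer. The same hunk appears in hub.ida, hub.lawm120, hub.sem, hub.tis and hub.pot below. TRACEROUTE-ALLOW continues outside the hunk.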
@@ -1757,6 +1791,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
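Review bot: SERVICES-OUTBOUND accepts any packet whose source port is 22 or 23, with no `protocol`, no source constraint and no TCP-state check, so a packet that merely carries source port ssh or telnet and a destination port outside DENY-SERVICES-INBOUND's list still reaches the RE. Adding `protocol tcp;` and `tcp-established;` to the term's `from` block limits it to replies for sessions the router itself opened, which is what the name promises. DENY-SERVICES-INBOUND carries no `count` or `log` action, so its only effect is to shield those seven ports from the term that follows it; the ordering is right but deserves a note in the change record so nobody "simplifies" it away. This pair of terms is added identically in hub.ida, hub.lawm120, hub.sem, hub.tis and hub.pot; DENY_ALL continues outside the hunk.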
Index: hub.ida.onenet.net
===================================================================
--- hub.ida.onenet.net (revision 112051)
+++ hub.ida.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at IDABEL-M120-RE0> show system commit
+# 2014-03-05 16:41:59 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:12:36 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:40 CST by andrew via netconf commit synchronize
# 2014-02-25 19:05:12 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:49:57 CST by rnordmark via cli commit synchronize
# 2014-02-24 16:47:58 CST by donnie via cli commit synchronize
-# 2014-02-24 16:12:57 CST by donnie via cli commit synchronize
# grnoc-mon at IDABEL-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -271,7 +271,7 @@
# grnoc-mon at IDABEL-M120-RE0> show system uptime
# System booted: 2013-11-20 09:18 CST
# Protocols started: 2013-11-20 09:20 CST
-# Last configured: 2014-03-03 16:12 CST by rnordmark
+# Last configured: 2014-03-05 16:41 CST by jeremyt
#
# {master}
# grnoc-mon at IDABEL-M120-RE0> show interface terse
@@ -429,7 +429,7 @@
#pp0 up up
#tap up up
# grnoc-mon at IDABEL-M120-RE0> show configuration
-## Last commit: 2014-03-03 16:12:36 CST by rnordmark
+## Last commit: 2014-03-05 16:41:59 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -472,7 +472,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1277,10 +1277,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
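Review bot: PRE-SNMP-SOURCES is built from `apply-path "snmp client-list snmp-management <1*>"`, and the `<1*>` glob only picks client-list entries whose text begins with the digit 1, so any entry in that client-list starting with another digit is silently left out of SNMP-ALLOW; if the glob is deliberate its intent should be recorded next to it, e.g. an annotation reading `<1*> intentionally skips client-list entries not beginning with 1 -- confirm against the client-list contents`. PRE-LDP-SOURCES and PRE-LOCALIPv4-SOURCES now carry the same interface apply-path, so PRE-LDP-SOURCES is the local-interface set plus 10.199.0.0/16 and 164.58.198.0/23, and a one-line annotation saying why LDP needs those two extra prefixes would help the next editor. The hunk is identical in hub.lawm120, hub.sem, hub.tis, hub.pot and hub.ada below, and core.chi's version starts before this view. policy-statement LOAD-BALANCE continues outside the hunk.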
@@ -1475,114 +1508,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
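Review bot: JSPACE-ALLOW matches `source-port 7408;`, while the SERVICES-OUTBOUND term it replaces listed `7804` among its source ports; if 7804 is the port the management system actually uses, the digits were transposed and that traffic now falls through to DENY_ALL, so the value should be checked before this is left in place. NTP-ALLOW admits PRE-L0-SOURCES, i.e. this router's own lo0 addresses, as packet sources; on a RE-protection filter a packet arriving from outside with the router's own loopback as source is normally treated as spoofed, so unless there is a known local NTP path that needs it, `source-prefix-list { PRE-NTP-SOURCES; }` alone is the safer match. BGP-ALLOW uses `prefix-list` (matches source or destination) where neighbors are always sources here, so `source-prefix-list { PRE-BGP-ALLOW; }` is the tighter form. The hunk is repeated in hub.lawm120, hub.sem, hub.tis and hub.pot; SNMP-ALLOW continues outside the hunk.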
@@ -1591,21 +1622,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1613,14 +1640,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1628,6 +1662,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.lawm120.onenet.net
===================================================================
--- hub.lawm120.onenet.net (revision 112267)
+++ hub.lawm120.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at LAWTON-M120-RE0> show system commit
+# 2014-03-05 16:56:06 CST by jeremyt via cli commit synchronize
# 2014-03-05 10:02:43 CST by joe via cli commit synchronize
# 2014-03-03 16:15:59 CST by rnordmark via cli commit synchronize
# 2014-02-27 15:34:52 CST by joe via cli commit synchronize
# 2014-02-26 11:12:40 CST by andrew via netconf commit synchronize
# 2014-02-25 19:08:15 CST by rnordmark via cli commit synchronize
-# 2014-02-24 17:55:47 CST by rnordmark via cli commit synchronize
# grnoc-mon at LAWTON-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -268,7 +268,7 @@
# grnoc-mon at LAWTON-M120-RE0> show system uptime
# System booted: 2013-05-28 00:36 CDT
# Protocols started: 2013-05-28 00:38 CDT
-# Last configured: 2014-03-05 10:02 CST by joe
+# Last configured: 2014-03-05 16:56 CST by jeremyt
#
# {master}
# grnoc-mon at LAWTON-M120-RE0> show interface terse
@@ -402,7 +402,7 @@
#pp0 up up
#tap up up
# grnoc-mon at LAWTON-M120-RE0> show configuration
-## Last commit: 2014-03-05 10:02:43 CST by joe
+## Last commit: 2014-03-05 16:56:06 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -445,6 +445,7 @@
}
name-server {
164.58.253.10;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1078,10 +1079,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1276,114 +1310,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1392,21 +1424,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1414,14 +1442,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1429,6 +1464,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.sem.onenet.net
===================================================================
--- hub.sem.onenet.net (revision 112180)
+++ hub.sem.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at SEMINOLE-M120-RE0> show system commit
+# 2014-03-05 16:35:14 CST by jeremyt via cli commit synchronize
+# 2014-03-05 16:28:32 CST by jeremyt via cli commit synchronize
# 2014-03-04 08:47:21 CST by josh via cli commit synchronize
# 2014-03-04 08:31:41 CST by josh via cli commit synchronize
# 2014-03-03 16:10:01 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:33 CST by andrew via netconf commit synchronize
-# 2014-02-25 19:03:08 CST by rnordmark via cli commit synchronize
-# 2014-02-24 17:51:42 CST by rnordmark via cli commit synchronize
# grnoc-mon at SEMINOLE-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -267,7 +267,7 @@
# grnoc-mon at SEMINOLE-M120-RE0> show system uptime
# System booted: 2013-06-05 22:38 CDT
# Protocols started: 2013-06-05 22:46 CDT
-# Last configured: 2014-03-04 08:47 CST by josh
+# Last configured: 2014-03-05 16:35 CST by jeremyt
#
# {master}
# grnoc-mon at SEMINOLE-M120-RE0> show interface terse
@@ -460,7 +460,7 @@
#pp0 up up
#tap up up
# grnoc-mon at SEMINOLE-M120-RE0> show configuration
-## Last commit: 2014-03-04 08:47:21 CST by josh
+## Last commit: 2014-03-05 16:35:14 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -503,7 +503,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1481,10 +1481,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1679,114 +1712,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1795,21 +1826,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1817,14 +1844,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1832,6 +1866,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.tis.onenet.net
===================================================================
--- hub.tis.onenet.net (revision 112263)
+++ hub.tis.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TISHOMINGO-M120-RE0> show system commit
+# 2014-03-05 16:39:29 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:11:36 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:35 CST by andrew via netconf commit synchronize
# 2014-02-25 19:04:28 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:51:57 CST by rnordmark via cli commit synchronize
# 2014-02-18 12:42:05 CST by joe via cli commit synchronize
-# 2014-02-18 08:44:58 CST by joe via cli commit synchronize
# grnoc-mon at TISHOMINGO-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -273,7 +273,7 @@
# grnoc-mon at TISHOMINGO-M120-RE0> show system uptime
# System booted: 2013-07-31 09:29 CDT
# Protocols started: 2013-07-31 09:31 CDT
-# Last configured: 2014-03-03 16:11 CST by rnordmark
+# Last configured: 2014-03-05 16:39 CST by jeremyt
#
# {master}
# grnoc-mon at TISHOMINGO-M120-RE0> show interface terse
@@ -423,7 +423,7 @@
#pp0 up up
#tap up up
# grnoc-mon at TISHOMINGO-M120-RE0> show configuration
-## Last commit: 2014-03-03 16:11:36 CST by rnordmark
+## Last commit: 2014-03-05 16:39:29 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -466,7 +466,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1155,10 +1155,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1353,114 +1386,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1469,21 +1500,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1491,14 +1518,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1506,6 +1540,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.pot.onenet.net
===================================================================
--- hub.pot.onenet.net (revision 112269)
+++ hub.pot.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at POTEAU-M120-RE0> show system commit
+# 2014-03-05 16:43:40 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:14:17 CST by rnordmark via cli commit synchronize
# 2014-02-26 17:12:14 CST by joel via cli commit synchronize
# 2014-02-26 17:08:45 CST by joel via cli commit synchronize
# 2014-02-26 11:12:40 CST by andrew via netconf commit synchronize
# 2014-02-25 19:06:40 CST by rnordmark via cli commit synchronize
-# 2014-02-24 17:51:18 CST by rnordmark via cli commit synchronize
# grnoc-mon at POTEAU-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -277,7 +277,7 @@
# grnoc-mon at POTEAU-M120-RE0> show system uptime
# System booted: 2013-10-02 14:04 CDT
# Protocols started: 2013-10-02 14:06 CDT
-# Last configured: 2014-03-03 16:14 CST by rnordmark
+# Last configured: 2014-03-05 16:43 CST by jeremyt
#
# {master}
# grnoc-mon at POTEAU-M120-RE0> show interface terse
@@ -418,7 +418,7 @@
#pp0 up up
#tap up up
# grnoc-mon at POTEAU-M120-RE0> show configuration
-## Last commit: 2014-03-03 16:14:17 CST by rnordmark
+## Last commit: 2014-03-05 16:43:40 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -461,7 +461,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1278,10 +1278,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement CASC-PREFER {
term ACL-75 {
from {
@@ -1499,114 +1532,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1615,21 +1646,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1637,14 +1664,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1652,6 +1686,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
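Review bot: SERVICES-OUTBOUND accepts any packet whose source port is 22 or 23 with no `protocol`, no source restriction and no TCP-state check, so it does not actually describe return traffic of sessions the router initiated; pair it with `protocol tcp;` and `tcp-established;` in the `from` block, and consider a `source-prefix-list` as the other allow terms use. DENY-SERVICES-INBOUND, placed just before DENY_ALL, carries no `count` or `syslog` action, so it discards exactly what DENY_ALL would and leaves no record; `then { count DENY-SERVICES-INBOUND; discard; }` would give it a purpose for detection. Although narrower than the `source-port [ domain ntp ssh syslog ftp 7804 telnet ]` term it replaces, a source-port-only match should not be relied on as the closing rule of an RE filter. The same two terms are added in the `@@ -1877,6 +1911,20 @@` hunk of hub.ada.onenet.net and the `@@ -1618,6 +1652,20 @@` hunk of hub.mca.onenet.net; DENY_ALL continues past the end of this hunk.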
Index: hub.ada.onenet.net
===================================================================
--- hub.ada.onenet.net (revision 112045)
+++ hub.ada.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ADA-M120-RE0> show system commit
+# 2014-03-05 16:46:45 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:09:00 CST by rnordmark via cli commit synchronize
# 2014-03-03 16:00:58 CST by jeremyt via cli commit synchronize
# 2014-02-26 11:12:29 CST by andrew via netconf commit synchronize
# 2014-02-25 19:02:14 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:48:02 CST by rnordmark via cli commit synchronize
-# 2014-02-24 10:03:29 CST by joe via cli commit synchronize
# grnoc-mon at ADA-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -275,7 +275,7 @@
# grnoc-mon at ADA-M120-RE0> show system uptime
# System booted: 2013-05-26 01:59 CDT
# Protocols started: 2013-05-26 02:02 CDT
-# Last configured: 2014-03-03 16:09 CST by rnordmark
+# Last configured: 2014-03-05 16:46 CST by jeremyt
#
# {master}
# grnoc-mon at ADA-M120-RE0> show interface terse
@@ -453,7 +453,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ADA-M120-RE0> show configuration
-## Last commit: 2014-03-03 16:09:00 CST by rnordmark
+## Last commit: 2014-03-05 16:46:45 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -496,7 +496,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1488,10 +1488,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
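Review bot: PRE-SNMP-SOURCES is built from `apply-path "snmp client-list snmp-management <1*>"`, and the `<1*>` glob selects only client-list entries whose text begins with "1"; any entry that does not (PRE-MGMT-SOURCES, for comparison, contains 64.207.244.14/32 and 66.129.224.37/32) would be silently left out of SNMP-ALLOW and discarded by DENY_ALL. If the narrowing is deliberate, record why with an `annotate` comment on the prefix-list; otherwise use `<*>` and let the client-list be the single source of truth. PRE-L0-SOURCES uses the same pattern with `<164.*>`, which holds only while every lo0 address stays in 164/8, so that assumption deserves a comment too. Replacing the literal EBGP-IPV4-NEIGHBORS list with an apply-path over `protocols bgp group <*> neighbor <*>` keeps the filter in step with neighbor changes and is an improvement. The same block is added in the `@@ -1267,10 +1267,43 @@` hunk of hub.mca.onenet.net.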
@@ -1724,114 +1757,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
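Review bot: JSPACE-ALLOW matches `source-port 7408`, while the SERVICES-OUTBOUND term it supersedes listed 7804, which is the port Junos Space uses for device-initiated management sessions; confirm 7408 is not a transposition before this is relied on, since a wrong port leaves Junos Space traffic to fall through to DENY_ALL. DOMAIN-ALLOW, SYSLOG-ALLOW, FTP-ALLOW and JSPACE-ALLOW match on `port`/`source-port` without a `protocol` qualifier, unlike NTP-ALLOW, RADIUS-ALLOW and SNMP-ALLOW in the same hunk; Junos documentation recommends pairing a port match with a protocol match because the port match alone does not verify the transport protocol, so each should carry `protocol udp;`, `protocol tcp;` or `protocol [ tcp udp ];` as appropriate. Dropping http from SSH-ALLOW and moving FIRST-FRAG/NEXT-FRAG ahead of the protocol terms are both improvements. The same filter is rewritten in the `@@ -1465,114 +1498,112 @@` hunk of hub.mca.onenet.net and in the partially shown first hunk of core.chi.onenet.net; SNMP-ALLOW's `then` action lies outside this hunk.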
@@ -1840,21 +1871,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1862,14 +1889,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1877,6 +1911,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: hub.mca.onenet.net
===================================================================
--- hub.mca.onenet.net (revision 112050)
+++ hub.mca.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at MCALESTER-M120-RE0> show system commit
+# 2014-03-05 16:37:58 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:11:45 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:32 CST by andrew via netconf commit synchronize
# 2014-02-25 19:04:34 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:50:30 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:49:42 CST by rnordmark via cli commit synchronize
-# 2013-11-21 11:34:08 CST by joe via cli commit synchronize
# grnoc-mon at MCALESTER-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -274,7 +274,7 @@
# grnoc-mon at MCALESTER-M120-RE0> show system uptime
# System booted: 2013-06-05 22:45 CDT
# Protocols started: 2013-06-05 22:48 CDT
-# Last configured: 2014-03-03 16:11 CST by rnordmark
+# Last configured: 2014-03-05 16:37 CST by jeremyt
#
# {master}
# grnoc-mon at MCALESTER-M120-RE0> show interface terse
@@ -432,7 +432,7 @@
#pp0 up up
#tap up up
# grnoc-mon at MCALESTER-M120-RE0> show configuration
-## Last commit: 2014-03-03 16:11:45 CST by rnordmark
+## Last commit: 2014-03-05 16:37:58 CST by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -475,7 +475,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1267,10 +1267,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1465,114 +1498,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1581,21 +1612,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1603,14 +1630,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1618,6 +1652,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;