[Nocrancid] autopop-onenet.net router config diffs
rancid at rancid.noc.onenet.net
rancid at rancid.noc.onenet.net
Mon Mar 10 12:02:22 CDT 2014
Index: core.hut.412.onenet.net
===================================================================
--- core.hut.412.onenet.net (revision 111988)
+++ core.hut.412.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at 412-MX40> show system commit
+# 2014-03-10 11:27:00 CDT by jeremyt via cli
# 2014-03-03 16:14:47 CST by rnordmark via cli
# 2014-02-26 11:12:36 CST by andrew via netconf
# 2014-02-25 19:07:10 CST by rnordmark via cli
# 2014-01-14 14:28:53 CST by admin via netconf
# 2013-12-03 09:09:25 CST by rnordmark via cli
-# 2013-12-03 08:43:13 CST by rnordmark via cli
# grnoc-mon at 412-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -228,7 +228,7 @@
# grnoc-mon at 412-MX40> show system uptime
# System booted: 2013-06-06 10:54 CDT
# Protocols started: 2013-06-06 10:55 CDT
-# Last configured: 2014-03-03 16:14 CST by rnordmark
+# Last configured: 2014-03-10 11:27 CDT by jeremyt
#
# grnoc-mon at 412-MX40> show interface terse
#Interface Admin Link
@@ -292,7 +292,7 @@
#pp0 up up
#tap up up
# grnoc-mon at 412-MX40> show configuration
-## Last commit: 2014-03-03 16:14:47 CST by rnordmark
+## Last commit: 2014-03-10 11:27:00 CDT by jeremyt
version 12.3R2.5;
system {
host-name 412-MX40;
@@ -304,7 +304,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -402,8 +402,7 @@
source-address 164.58.199.153;
}
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
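Review bot: After the change to `system ntp` on 412-MX40 only one time source remains, `server 164.58.3.98 prefer;`, so the router has no fallback if that host is unreachable and a lone server cannot be cross-checked against peers for a bad or spoofed time step. The new NTP-ALLOW term in the firewall hunk below is fed by `apply-path "system ntp server <*>"`, so PROTECT-RE now admits NTP replies from only that one address too. If dropping 164.58.253.82 is deliberate, consider configuring a second reachable server; the same single-server result appears in the ntp hunks of core.end, core.hut.sei, core.wea and core.woo.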
@@ -717,10 +716,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
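Review bot: `PRE-SNMP-SOURCES` uses `apply-path "snmp client-list snmp-management <1*>";`, and the `<1*>` glob only expands client-list entries whose text begins with "1". The addresses it replaces in SNMP-ALLOW (164.58.253.0/24, 156.110.31.0/27, 156.110.31.32/28) all qualify, but any snmp-management entry starting with another digit — e.g. the 64.207.244.14/32 and 66.129.224.37/32 hosts that appear in PRE-MGMT-SOURCES, if they are also SNMP clients — would be silently left out of the filter; if the whole client list is meant, `<*>` is the safer glob. Separately, `PRE-LDP-SOURCES` and `PRE-LOCALIPv4-SOURCES` both carry the identical `apply-path "interfaces <*> unit <*> family inet address <*>";`, so the former is a strict superset of the latter and a one-line annotation of why both exist would stop them drifting apart. The same prefix-list block is added in core.end, core.hut.sei, core.wea and core.woo.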
@@ -841,112 +873,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
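Review bot: `JSPACE-ALLOW` matches `source-port 7408;` whereas the `SERVICES-OUTBOUND` term it replaces listed `7804`; the digits look transposed, and because the term carries no `protocol` or `destination-port` match it accepts any datagram from PRE-MGMT-SOURCES that happens to carry that source port. Please confirm the port Junos Space actually uses against the device and add `protocol tcp;` to the term either way. `DOMAIN-ALLOW`, `SYSLOG-ALLOW` and `FTP-ALLOW` likewise rely on the bidirectional `port` match with no protocol, which is looser than the `protocol udp` / `protocol [ udp tcp ]` the old NTP and RADIUS terms had; pinning each to its protocol and using `destination-port` keeps them at the same precision as SSH-ALLOW. The PROTECT-RE filter closes outside this hunk, and the identical rewrite appears in core.end, core.hut.sei, core.wea and core.woo.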
@@ -955,19 +987,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -975,14 +1005,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
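Review bot: The relocated `ICMP-ALLOW` accepts echo-request, echo-reply, unreachable and time-exceeded from any source with no rate limit, so beyond whatever platform-level DDoS protection is enabled the routing engine has nothing shielding it from a flood of those types. The usual hardening in a protect-RE filter is to police the accept, e.g. `then { policer <ICMP-POLICER-NAME>; accept; }` with the policer defined under `firewall policer`. Its new position after BFD-ALLOW is fine; the same term is added in core.end, core.hut.sei, core.wea and core.woo.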
@@ -990,6 +1027,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
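Review bot: `SERVICES-OUTBOUND` accepts on `source-port [ ssh telnet ];` alone — no `protocol`, no `tcp-established`, no source prefix — so any packet whose source port is 22 or 23 is accepted for every destination port that `DENY-SERVICES-INBOUND` does not enumerate (BGP and LDP, for example), regardless of origin. The source port is set by the remote side and is not a trustworthy indicator; if the intent is to let replies to the RE's own ssh/telnet sessions back in, `protocol tcp; tcp-established; source-port [ ssh telnet ];` is the narrower match, or the term can go if that return traffic is already covered by earlier terms. `DENY-SERVICES-INBOUND` only changes the outcome for the ports it lists, since `DENY_ALL` follows; its value is as an explicit, separately countable drop, which deserves an `annotate` so the next editor does not treat it as redundant. The same pair is added in core.end, core.hut.sei, core.wea and core.woo.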
Index: core.end.onenet.net
===================================================================
--- core.end.onenet.net (revision 112058)
+++ core.end.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ENID-MX480-RE0> show system commit
+# 2014-03-10 11:20:32 CDT by jeremyt via cli commit synchronize
# 2014-03-03 16:10:55 CST by rnordmark via cli commit synchronize
# 2014-02-26 15:02:32 CST by joel via cli commit synchronize
# 2014-02-26 11:12:31 CST by andrew via netconf commit synchronize
# 2014-02-25 19:03:52 CST by rnordmark via cli commit synchronize
# 2014-02-25 16:11:54 CST by joel via cli commit synchronize
-# 2014-02-24 17:55:31 CST by rnordmark via cli commit synchronize
# grnoc-mon at ENID-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -240,7 +240,7 @@
# grnoc-mon at ENID-MX480-RE0> show system uptime
# System booted: 2013-05-30 00:12 CDT
# Protocols started: 2013-05-30 00:17 CDT
-# Last configured: 2014-03-03 16:10 CST by rnordmark
+# Last configured: 2014-03-10 11:20 CDT by jeremyt
#
# {master}
# grnoc-mon at ENID-MX480-RE0> show interface terse
@@ -328,7 +328,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ENID-MX480-RE0> show configuration
-## Last commit: 2014-03-03 16:10:55 CST by rnordmark
+## Last commit: 2014-03-10 11:20:32 CDT by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -372,7 +372,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -472,8 +472,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -1028,14 +1027,47 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list L3VPN-CUSTOMERS {
10.0.1.48/29;
172.26.0.0/16;
}
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1246,115 +1278,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
source-prefix-list {
- L3VPN-CUSTOMERS;
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
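Review bot: On ENID-MX480 this rewrite also removes `L3VPN-CUSTOMERS;` from the `source-prefix-list` of OSPF-ALLOW (and from LDP-ALLOW in the next hunk), while the prefix list itself (10.0.1.48/29, 172.26.0.0/16) stays defined in policy-options and is otherwise unused in the hunks shown. PRE-LOCALIPv4-SOURCES is built from this router's own interface addresses, so an OSPF or LDP neighbour in a customer VRF that sources from an address outside the connected subnets will now fall through to DENY_ALL; please confirm that is intended, or keep `L3VPN-CUSTOMERS;` next to `PRE-LOCALIPv4-SOURCES;` in those two terms. The remaining points on this hunk are the ones raised on core.hut.412.onenet.net.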
@@ -1363,22 +1392,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- }
source-prefix-list {
- L3VPN-CUSTOMERS;
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1386,14 +1410,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1401,6 +1432,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.hut.sei.onenet.net
===================================================================
--- core.hut.sei.onenet.net (revision 111992)
+++ core.hut.sei.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at SEILING-MX40> show system commit
+# 2014-03-10 11:25:13 CDT by jeremyt via cli
# 2014-03-03 16:15:06 CST by rnordmark via cli
# 2014-02-26 11:12:34 CST by andrew via netconf
# 2014-02-25 19:07:28 CST by rnordmark via cli
# 2014-01-14 14:28:52 CST by admin via netconf
# 2013-12-03 09:09:04 CST by rnordmark via cli
-# 2013-12-03 08:41:56 CST by rnordmark via cli
# grnoc-mon at SEILING-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -228,7 +228,7 @@
# grnoc-mon at SEILING-MX40> show system uptime
# System booted: 2013-06-07 13:06 CDT
# Protocols started: 2013-06-07 13:07 CDT
-# Last configured: 2014-03-03 16:15 CST by rnordmark
+# Last configured: 2014-03-10 11:25 CDT by jeremyt
#
# grnoc-mon at SEILING-MX40> show interface terse
#Interface Admin Link
@@ -292,7 +292,7 @@
#pp0 up up
#tap up up
# grnoc-mon at SEILING-MX40> show configuration
-## Last commit: 2014-03-03 16:15:06 CST by rnordmark
+## Last commit: 2014-03-10 11:25:13 CDT by jeremyt
version 12.3R2.5;
system {
host-name SEILING-MX40;
@@ -304,7 +304,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -402,8 +402,7 @@
source-address 164.58.199.156;
}
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -718,10 +717,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -842,112 +874,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -956,19 +988,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -976,14 +1006,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -991,6 +1028,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.hut.ori.onenet.net
===================================================================
--- core.hut.ori.onenet.net (revision 112062)
+++ core.hut.ori.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ORIENTA-MX40> show system commit
+# 2014-03-10 11:24:49 CDT by jeremyt via cli
# 2014-03-03 17:08:31 CST by rnordmark via cli
# 2014-03-03 17:04:56 CST by rnordmark via cli
# 2014-03-03 16:56:27 CST by rnordmark via cli
# 2014-03-03 16:56:12 CST by rnordmark via cli
# 2014-03-03 16:55:39 CST by rnordmark via cli
-# 2014-03-03 16:51:56 CST by rnordmark via cli
# grnoc-mon at ORIENTA-MX40> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -229,7 +229,7 @@
# grnoc-mon at ORIENTA-MX40> show system uptime
# System booted: 2013-06-06 13:15 CDT
# Protocols started: 2013-06-06 13:16 CDT
-# Last configured: 2014-03-03 17:08 CST by rnordmark
+# Last configured: 2014-03-10 11:24 CDT by jeremyt
#
# grnoc-mon at ORIENTA-MX40> show interface terse
#Interface Admin Link
@@ -295,7 +295,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ORIENTA-MX40> show configuration
-## Last commit: 2014-03-03 17:08:31 CST by rnordmark
+## Last commit: 2014-03-10 11:24:49 CDT by jeremyt
version 12.3R2.5;
system {
host-name ORIENTA-MX40;
@@ -794,6 +794,7 @@
apply-path "protocols bgp group <*> neighbor <*>";
}
prefix-list PRE-LDP-SOURCES {
+ 10.199.0.0/16;
164.58.198.0/23;
apply-path "interfaces <*> unit <*> family inet address <*>";
}
Index: core.wea.onenet.net
===================================================================
--- core.wea.onenet.net (revision 112004)
+++ core.wea.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at WEATHERFORD-MX480-RE0> show system commit
+# 2014-03-10 11:21:48 CDT by jeremyt via cli commit synchronize
+# 2014-03-10 11:13:14 CDT by jeremyt via cli commit synchronize
# 2014-03-03 16:09:51 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:29 CST by andrew via netconf commit synchronize
# 2014-02-25 19:02:59 CST by rnordmark via cli commit synchronize
# 2014-02-25 16:48:38 CST by joel via cli commit synchronize
-# 2014-02-24 12:12:16 CST by admin via cli commit synchronize
-# 2014-02-24 12:11:12 CST by admin via cli commit synchronize
# grnoc-mon at WEATHERFORD-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -242,7 +242,7 @@
# grnoc-mon at WEATHERFORD-MX480-RE0> show system uptime
# System booted: 2013-05-27 00:49 CDT
# Protocols started: 2013-05-27 01:01 CDT
-# Last configured: 2014-03-03 16:09 CST by rnordmark
+# Last configured: 2014-03-10 11:21 CDT by jeremyt
#
# {master}
# grnoc-mon at WEATHERFORD-MX480-RE0> show interface terse
@@ -318,7 +318,7 @@
#pp0 up up
#tap up up
# grnoc-mon at WEATHERFORD-MX480-RE0> show configuration
-## Last commit: 2014-03-03 16:09:51 CST by rnordmark
+## Last commit: 2014-03-10 11:21:48 CDT by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -362,7 +362,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -462,8 +462,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -834,10 +833,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1009,112 +1041,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1123,19 +1155,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1143,14 +1173,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
@@ -1158,6 +1195,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
Index: core.woo.onenet.net
===================================================================
--- core.woo.onenet.net (revision 112779)
+++ core.woo.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at WOODWARD-MX480-RE0> show system commit
+# 2014-03-10 11:15:36 CDT by jeremyt via cli commit synchronize
# 2014-03-03 16:10:29 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:31 CST by andrew via netconf commit synchronize
# 2014-02-25 19:03:32 CST by rnordmark via cli commit synchronize
# 2014-02-25 16:10:14 CST by joel via cli commit synchronize
# 2014-02-24 17:57:03 CST by rnordmark via cli commit synchronize
-# 2014-02-24 17:56:58 CST by rnordmark via cli commit synchronize
# grnoc-mon at WOODWARD-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -245,7 +245,7 @@
# grnoc-mon at WOODWARD-MX480-RE0> show system uptime
# System booted: 2013-09-19 18:07 CDT
# Protocols started: 2013-09-19 18:09 CDT
-# Last configured: 2014-03-03 16:10 CST by rnordmark
+# Last configured: 2014-03-10 11:15 CDT by jeremyt
#
# {master}
# grnoc-mon at WOODWARD-MX480-RE0> show interface terse
@@ -325,7 +325,7 @@
#pp0 up up
#tap up up
# grnoc-mon at WOODWARD-MX480-RE0> show configuration
-## Last commit: 2014-03-03 16:10:29 CST by rnordmark
+## Last commit: 2014-03-10 11:15:36 CDT by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -369,7 +369,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -469,8 +469,7 @@
}
commit synchronize;
ntp {
- server 164.58.3.98;
- server 164.58.253.82 prefer;
+ server 164.58.3.98 prefer;
}
}
chassis {
@@ -894,10 +893,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
@@ -1069,112 +1101,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
@@ -1183,19 +1215,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1203,14 +1233,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
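Review bot: ICMP-ALLOW accepts `echo-request` from any source with an unconditional `then accept;`, so anyone who can reach a router address can push pings at the routing engine without limit; the term is the same one removed earlier in this filter, but the rewrite is the place to rate-limit it, e.g. `then { policer ICMP-POL; accept; }` with a small bandwidth-limit defined under `firewall`. BFD-ALLOW now takes its sources from PRE-LOCALIPv4-SOURCES, which covers every connected subnet rather than the removed 164.58.0.0/16, so UDP 3784/3785 is reachable from customer links too; if that is not intended the list should be narrowed. TRACEROUTE-ALLOW continues past the hunk.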
@@ -1218,6 +1255,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
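Review bot: SERVICES-OUTBOUND accepts any packet with `source-port [ ssh telnet ]` from any source and names no protocol, so a sender that simply sets its source port to 22 reaches every RE port that DENY-SERVICES-INBOUND does not list — BGP 179 and LDP 646 from non-peers, RADIUS, syslog, FTP and anything else the source-restricted terms above were meant to gate. If the term exists so replies to SSH/telnet sessions the router itself opens get back in, limit it to established TCP: `protocol tcp; tcp-established; source-port [ ssh telnet ];`. DENY-SERVICES-INBOUND should likewise carry `protocol [ tcp udp ]` so its `destination-port` match is not applied to arbitrary transports, and since telnet is plaintext it is worth dropping from both lists. DENY_ALL continues past the hunk.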
Index: core4.okc.onenet.net
===================================================================
--- core4.okc.onenet.net (revision 112807)
+++ core4.okc.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKC-CORE4-MX480-RE0> show system commit
+# 2014-03-10 11:14:07 CDT by donnie via cli commit synchronize
# 2014-03-10 10:03:20 CDT by donnie via cli commit synchronize
# 2014-03-10 09:14:57 CDT by rnordmark via cli commit synchronize
# 2014-03-04 11:22:49 CST by josh via cli commit confirmed, rollback in 1mins synchronize
# 2014-03-03 16:17:23 CST by rnordmark via cli commit synchronize
# 2014-03-03 14:55:46 CST by andrew via cli commit confirmed, rollback in 5mins synchronize
-# 2014-03-01 11:13:42 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# grnoc-mon at OKC-CORE4-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -391,7 +391,7 @@
# grnoc-mon at OKC-CORE4-MX480-RE0> show system uptime
# System booted: 2013-04-14 01:08 CDT
# Protocols started: 2013-04-14 01:10 CDT
-# Last configured: 2014-03-10 10:03 CDT by donnie
+# Last configured: 2014-03-10 11:14 CDT by donnie
#
# grnoc-mon at OKC-CORE4-MX480-RE0> show interface terse
#Interface Admin Link
@@ -625,7 +625,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKC-CORE4-MX480-RE0> show configuration
-## Last commit: 2014-03-10 10:03:20 CDT by donnie
+## Last commit: 2014-03-10 11:14:07 CDT by donnie
version 11.4R7.5;
groups {
re0 {
@@ -1356,7 +1356,7 @@
}
}
unit 202 {
- description Millwood-Public-Schools-100Mbps-CIR0005434;
+ description "Millwood Public Schools 100Mbps [ORDERED] | CIR0005434";
vlan-id 202;
family inet {
address 156.110.24.253/30;
Index: core.say.onenet.net
===================================================================
--- core.say.onenet.net (revision 112438)
+++ core.say.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at SAYRE-MX480-RE0> show system commit
+# 2014-03-10 11:22:12 CDT by jeremyt via cli commit synchronize
+# 2014-03-10 11:12:56 CDT by jeremyt via cli commit synchronize
# 2014-03-06 14:58:29 CST by jeremyt via cli commit synchronize
# 2014-03-03 16:09:35 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:28 CST by andrew via netconf commit synchronize
# 2014-02-25 19:02:44 CST by rnordmark via cli commit synchronize
-# 2014-02-25 13:05:12 CST by donnie via cli commit synchronize
-# 2014-02-25 13:01:28 CST by joel via cli commit synchronize
# grnoc-mon at SAYRE-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -242,7 +242,7 @@
# grnoc-mon at SAYRE-MX480-RE0> show system uptime
# System booted: 2013-05-27 00:53 CDT
# Protocols started: 2013-05-27 00:58 CDT
-# Last configured: 2014-03-06 14:58 CST by jeremyt
+# Last configured: 2014-03-10 11:22 CDT by jeremyt
#
# {master}
# grnoc-mon at SAYRE-MX480-RE0> show interface terse
@@ -314,7 +314,7 @@
#pp0 up up
#tap up up
# grnoc-mon at SAYRE-MX480-RE0> show configuration
-## Last commit: 2014-03-06 14:58:29 CST by jeremyt
+## Last commit: 2014-03-10 11:22:12 CDT by jeremyt
version 11.4R7.5;
groups {
re0 {
Index: core4.tul.onenet.net
===================================================================
--- core4.tul.onenet.net (revision 112633)
+++ core4.tul.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at TULSA-CORE4-MX480-RE0> show system commit
+# 2014-03-10 11:11:58 CDT by donnie via cli commit synchronize
# 2014-03-08 12:19:05 CST by joel via cli commit synchronize
# 2014-03-08 12:18:47 CST by joel via cli commit synchronize
# 2014-03-07 10:40:39 CST by rnordmark via cli commit confirmed, rollback in 5mins synchronize
# 2014-03-03 16:18:03 CST by rnordmark via cli commit synchronize
# 2014-03-03 15:19:57 CST by jeremyt via cli commit synchronize
-# 2014-03-03 15:18:29 CST by jeremyt via cli commit confirmed, rollback in 5mins synchronize
# grnoc-mon at TULSA-CORE4-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -365,7 +365,7 @@
# grnoc-mon at TULSA-CORE4-MX480-RE0> show system uptime
# System booted: 2013-04-28 00:30 CDT
# Protocols started: 2013-04-28 00:31 CDT
-# Last configured: 2014-03-08 12:19 CST by joel
+# Last configured: 2014-03-10 11:11 CDT by donnie
#
# {master}
# grnoc-mon at TULSA-CORE4-MX480-RE0> show interface terse
@@ -453,6 +453,7 @@
#ge-0/3/4.147 up up
#ge-0/3/4.377 up up
#ge-0/3/4.378 up up
+#ge-0/3/4.379 up up
#ge-0/3/4.32767 up up
#ge-0/3/5 up up
#ge-0/3/5.32767 up up
@@ -562,7 +563,7 @@
#pp0 up up
#tap up up
# grnoc-mon at TULSA-CORE4-MX480-RE0> show configuration
-## Last commit: 2014-03-08 12:19:05 CST by joel
+## Last commit: 2014-03-10 11:11:58 CDT by donnie
version 11.4R7.5;
groups {
re0 {
@@ -1072,6 +1073,17 @@
}
family mpls;
}
+ unit 379 {
+ description "Shady Grove School 15m [ORDERED] | CIR0005229";
+ vlan-id 379;
+ family inet {
+ policer {
+ input 15M-POL;
+ output 15M-POL;
+ }
+ address 156.110.25.13/30;
+ }
+ }
}
ge-0/3/5 {
description "NNI to MBO - TUL - CIR000xxxx";
@@ -2852,6 +2864,14 @@
}
then discard;
}
+ policer 15M-POL {
+ logical-interface-policer;
+ if-exceeding {
+ bandwidth-limit 14m;
+ burst-size-limit 300k;
+ }
+ then discard;
+ }
}
routing-instances {
ONENET-GRDA-L3VPN {
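Review bot: 15M-POL is configured with `bandwidth-limit 14m` while the unit 379 it serves is described as a 15m service in the earlier hunk; if the 1 Mbps gap is deliberate (headroom for framing overhead, say) record it with an annotation such as `annotate policer 15M-POL "14m: 15 Mbps CIR less L2 overhead"` so it is not "corrected" later, and if it is not deliberate the limit should read 15m. A one-line note on how `burst-size-limit 300k` was chosen would help for the same reason. The firewall stanza continues outside the hunk.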
Index: hub.chi.onenet.net
===================================================================
--- hub.chi.onenet.net (revision 112796)
+++ hub.chi.onenet.net (working copy)
@@ -309,7 +309,7 @@
#t1-2/0/2:21 down down
#t1-2/0/2:22 down down
#t1-2/0/2:23 down down
-#t1-2/0/2:24 down down
+#t1-2/0/2:24 down up
#t1-2/0/2:25 down up
#t1-2/0/2:26 down down
#t1-2/0/2:27 down down
Index: hub.end.onenet.net
===================================================================
--- hub.end.onenet.net (revision 112052)
+++ hub.end.onenet.net (working copy)
@@ -1,13 +1,13 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ENID-M120-RE0> show system commit
+# 2014-03-10 11:22:56 CDT by jeremyt via cli commit synchronize
# 2014-03-03 16:10:49 CST by rnordmark via cli commit synchronize
# 2014-02-26 15:23:02 CST by joel via cli commit confirmed, rollback in 10mins synchronize
# Interface clean-up and disable - Joel 20140226 15:22
# 2014-02-26 11:12:33 CST by andrew via netconf commit synchronize
# 2014-02-26 10:38:36 CST by joel via cli commit synchronize
# 2014-02-25 19:03:47 CST by rnordmark via cli commit synchronize
-# 2014-02-24 17:49:34 CST by rnordmark via cli commit synchronize
# grnoc-mon at ENID-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -280,7 +280,7 @@
# grnoc-mon at ENID-M120-RE0> show system uptime
# System booted: 2013-05-30 00:12 CDT
# Protocols started: 2013-05-30 00:17 CDT
-# Last configured: 2014-03-03 16:10 CST by rnordmark
+# Last configured: 2014-03-10 11:22 CDT by jeremyt
#
# {master}
# grnoc-mon at ENID-M120-RE0> show interface terse
@@ -426,7 +426,7 @@
#pp0 up up
#tap up up
# grnoc-mon at ENID-M120-RE0> show configuration
-## Last commit: 2014-03-03 16:10:49 CST by rnordmark
+## Last commit: 2014-03-10 11:22:56 CDT by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -469,7 +469,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1215,10 +1215,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
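Review bot: PRE-SNMP-SOURCES is built with `apply-path "snmp client-list snmp-management <1*>"`, which only picks up client-list entries whose address begins with the digit 1; the three sources the old SNMP-ALLOW listed (164.58.253.0/24, 156.110.31.0/27, 156.110.31.32/28) qualify, but a later 64.x or 66.x entry like the ones in PRE-MGMT-SOURCES would be silently left out and its polls would hit DENY_ALL. If `<1*>` is there to exclude a catch-all entry, annotate the prefix-list to say so; otherwise `<*>` is the intended match. PRE-BGP-ALLOW expands only `protocols bgp group <*> neighbor <*>` in the main instance, so neighbors under `routing-instances` (this report shows an L3VPN instance on core4.tul) would not be covered and a second `apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>"` is needed wherever they exist. Note also that PRE-LOCALIPv4-SOURCES and PRE-LDP-SOURCES admit whole connected subnets, not just the router's own addresses, because apply-path keeps each address's configured prefix length.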
@@ -1413,114 +1446,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
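Review bot: JSPACE-ALLOW matches `source-port 7408`, but the SERVICES-OUTBOUND term it replaces carried `7804`, which is the port Junos Space is documented to use for device management, so the digits look transposed and the Space session would now fall through to DENY_ALL. Besides correcting the port, the term should say `protocol tcp;` (and ideally `tcp-established;`), because as written any host in PRE-MGMT-SOURCES that sets its source port to 7408 reaches every RE service regardless of destination port. The same bare `port` without `protocol` appears in DOMAIN-ALLOW, SYSLOG-ALLOW and FTP-ALLOW; FTP in particular is plaintext and its term admits any packet with port 21 in either direction from the management ranges. The filter continues past the hunk.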
@@ -1529,21 +1560,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
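Review bot: PIM-ALLOW and LDP-ALLOW now draw their sources from PRE-LOCALIPv4-SOURCES and PRE-LDP-SOURCES, both built by apply-path over every `family inet address`, and because apply-path keeps the configured prefix length the result is every connected subnet rather than the router's own addresses, so hosts on customer-facing links can now send PIM and `port ldp` traffic to the routing engine; the removed entries (164.58.199.0/24, 164.58.0.0/16, 156.110.0.0/16, 172.23.0.0/16, 10.199.2.0/24) at least confined this to provider space. If only core peers should qualify, scope the apply-path to the core interfaces or add `except` entries for customer prefixes, and add `protocol [ tcp udp ];` to LDP-ALLOW so the bare `port ldp` match is not applied to other transports. The new `then accept;` on LDP-ALLOW only makes the former implicit accept explicit.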
@@ -1551,14 +1578,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
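Review bot: ICMP-ALLOW accepts `echo-request` from anywhere with a plain `then accept;` and no policer, so the routing engine can be flooded with pings by any host that can reach a router address; rate-limiting it with `then { policer ICMP-POL; accept; }` and a small bandwidth-limit under `firewall` keeps reachability tests working while bounding the load. BFD-ALLOW's sources are now PRE-LOCALIPv4-SOURCES, i.e. every connected subnet, where the removed entry was 164.58.0.0/16; if BFD is only run toward core peers the list should be narrowed to those interfaces. TRACEROUTE-ALLOW continues past the hunk.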
@@ -1566,6 +1600,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
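Review bot: SERVICES-OUTBOUND accepts anything carrying `source-port [ ssh telnet ]` with no source restriction and no `protocol`, so a packet with source port 22 sails past every source-restricted allow term above and reaches any RE port DENY-SERVICES-INBOUND does not enumerate (BGP 179 from non-peers, LDP 646, RADIUS, syslog, FTP). If the intent is to let replies to router-initiated SSH/telnet sessions back in, restrict it to `protocol tcp; tcp-established; source-port [ ssh telnet ];`, which makes the deny term largely unnecessary. DENY-SERVICES-INBOUND itself should carry `protocol [ tcp udp ]` so its `destination-port` list is not matched on other transports, and telnet being plaintext it is worth removing from both terms. DENY_ALL continues past the hunk.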
Index: hub.ida.onenet.net
===================================================================
--- hub.ida.onenet.net (revision 112582)
+++ hub.ida.onenet.net (working copy)
@@ -360,8 +360,8 @@
#t1-2/0/3:25.0 up up
#t1-2/0/3:26 up up
#t1-2/0/3:26.0 up up
-#t1-2/0/3:27 up up
-#t1-2/0/3:27.0 up up
+#t1-2/0/3:27 up down
+#t1-2/0/3:27.0 up down
#t1-2/0/3:28 down down
#fe-2/1/0 up down
#fe-2/1/1 up up
Index: core3.okc-m120.onenet.net
===================================================================
--- core3.okc-m120.onenet.net (revision 112802)
+++ core3.okc-m120.onenet.net (working copy)
@@ -642,12 +642,12 @@
#t1-2/3/0:5:23.0 up up
#t1-2/3/0:5:24 up down
#t1-2/3/0:5:25 up down
-#t1-2/3/0:5:26 up down
-#t1-2/3/0:5:26.0 up down
+#t1-2/3/0:5:26 up up
+#t1-2/3/0:5:26.0 up up
#t1-2/3/0:5:27 up up
#t1-2/3/0:5:27.0 up up
-#t1-2/3/0:5:28 up down
-#t1-2/3/0:5:28.0 up down
+#t1-2/3/0:5:28 up up
+#t1-2/3/0:5:28.0 up up
#coc1-2/3/0:6 up up
#ct3-2/3/0:6 up up
#t1-2/3/0:6:1 up up
Index: hub.goo.onenet.net
===================================================================
--- hub.goo.onenet.net (revision 112030)
+++ hub.goo.onenet.net (working copy)
@@ -1,13 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at GOODWELL-M120-RE0> show system commit
+# 2014-03-10 11:13:34 CDT by jeremyt via cli commit synchronize
# 2014-03-03 16:10:39 CST by rnordmark via cli commit synchronize
# 2014-02-26 11:12:32 CST by andrew via netconf commit synchronize
# 2014-02-25 19:03:40 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:49:44 CST by rnordmark via cli commit synchronize
# 2014-02-14 14:49:08 CST by rnordmark via cli commit synchronize
-# 2014-02-13 23:59:21 CST by joel via cli commit at
-# Installed new FEBs, set redundancy similar to core3.okc
# grnoc-mon at GOODWELL-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -338,7 +337,7 @@
# grnoc-mon at GOODWELL-M120-RE0> show system uptime
# System booted: 2013-06-12 23:03 CDT
# Protocols started: 2013-06-12 23:07 CDT
-# Last configured: 2014-03-03 16:10 CST by rnordmark
+# Last configured: 2014-03-10 11:13 CDT by jeremyt
#
# {master}
# grnoc-mon at GOODWELL-M120-RE0> show interface terse
@@ -509,7 +508,7 @@
#pp0 up up
#tap up up
# grnoc-mon at GOODWELL-M120-RE0> show configuration
-## Last commit: 2014-03-03 16:10:39 CST by rnordmark
+## Last commit: 2014-03-10 11:13:34 CDT by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -552,7 +551,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1369,10 +1368,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
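Review bot: The `<1*>` glob in `apply-path "snmp client-list snmp-management <1*>"` restricts PRE-SNMP-SOURCES to client-list entries that start with the digit 1, so the old SNMP sources (164.58.253.0/24, 156.110.31.0/27, 156.110.31.32/28) survive but any management host in another range, such as the 64.207.244.14 or 66.129.224.37 entries of PRE-MGMT-SOURCES, would be dropped from the filter without warning. Either document why `<1*>` is wanted with an annotation or use `<*>`. PRE-BGP-ALLOW covers only main-instance neighbors; if any BGP sessions live under `routing-instances` they need a further `apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>"` entry or they will be discarded by DENY_ALL. PRE-LOCALIPv4-SOURCES and PRE-LDP-SOURCES also expand to whole connected subnets, because apply-path keeps each address's configured prefix length.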
@@ -1567,114 +1599,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
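Review bot: JSPACE-ALLOW uses `source-port 7408` where the removed SERVICES-OUTBOUND term had `7804`, the port Junos Space is documented to use for device management, so this reads as a digit transposition that would leave the Space connection to be discarded by DENY_ALL. The term also has no `protocol` or destination match, so any PRE-MGMT-SOURCES host choosing source port 7408 can reach every RE service; `protocol tcp; tcp-established; source-port 7804;` is the tighter form. DOMAIN-ALLOW, SYSLOG-ALLOW and FTP-ALLOW likewise use bare `port` without `protocol`, and FTP is cleartext, so consider whether it is still needed at all. The filter continues past the hunk.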
@@ -1683,21 +1713,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
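Review bot: LDP-ALLOW and PIM-ALLOW now accept from prefix-lists built by apply-path over all `family inet address` entries, which (since apply-path keeps the configured prefix length) means every connected subnet including customer /30s, so customer-side hosts can send `port ldp` and PIM traffic to the routing engine; the removed `source-address` lists confined this to provider ranges. Scope the apply-path to core-facing interfaces or add `except` entries for customer prefixes if that is the intent, and give LDP-ALLOW an explicit `protocol [ tcp udp ];` so the bare `port ldp` is not applied to other transports. The added `then accept;` on LDP-ALLOW only spells out the previous implicit accept.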
@@ -1705,14 +1731,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
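Review bot: ICMP-ALLOW accepts `echo-request` from any source with no policer, so pings can saturate the routing engine from anywhere a router address is reachable; attaching a small policer, `then { policer ICMP-POL; accept; }`, bounds this without affecting normal reachability checks. BFD-ALLOW now sources from PRE-LOCALIPv4-SOURCES (all connected subnets) instead of the removed 164.58.0.0/16, so UDP 3784/3785 is open from customer links as well; narrow the list if BFD only runs to core peers. TRACEROUTE-ALLOW continues past the hunk.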
@@ -1720,6 +1753,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
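Review bot: SERVICES-OUTBOUND accepts any packet with `source-port [ ssh telnet ]` from any source and no `protocol`, so a remote host that sets source port 22 bypasses every source-restricted term above and reaches any RE port not listed in DENY-SERVICES-INBOUND, such as BGP 179 from a non-peer, LDP 646, RADIUS or syslog. If the term is meant for return traffic of SSH/telnet sessions the router opens, confine it with `protocol tcp; tcp-established; source-port [ ssh telnet ];`. DENY-SERVICES-INBOUND should add `protocol [ tcp udp ]` so its `destination-port` match is not evaluated on other transports, and telnet, being plaintext, could be dropped from both. DENY_ALL continues past the hunk.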
Index: hub.woo.onenet.net
===================================================================
--- hub.woo.onenet.net (revision 112043)
+++ hub.woo.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at WOODWARD-M120-RE0> show system commit
+# 2014-03-10 11:26:50 CDT by jeremyt via cli commit synchronize
# 2014-03-03 16:10:24 CST by rnordmark via cli commit synchronize
# 2014-02-26 13:09:34 CST by joe via cli commit synchronize
# 2014-02-26 11:12:31 CST by andrew via netconf commit synchronize
# 2014-02-25 19:03:27 CST by rnordmark via cli commit synchronize
# 2014-02-24 17:52:45 CST by rnordmark via cli commit synchronize
-# 2014-02-14 14:51:48 CST by rnordmark via cli commit synchronize
# grnoc-mon at WOODWARD-M120-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -270,7 +270,7 @@
# grnoc-mon at WOODWARD-M120-RE0> show system uptime
# System booted: 2013-09-19 18:07 CDT
# Protocols started: 2013-09-19 18:09 CDT
-# Last configured: 2014-03-03 16:10 CST by rnordmark
+# Last configured: 2014-03-10 11:26 CDT by jeremyt
#
# {master}
# grnoc-mon at WOODWARD-M120-RE0> show interface terse
@@ -455,7 +455,7 @@
#pp0 up up
#tap up up
# grnoc-mon at WOODWARD-M120-RE0> show configuration
-## Last commit: 2014-03-03 16:10:24 CST by rnordmark
+## Last commit: 2014-03-10 11:26:50 CDT by jeremyt
version 11.4R7.5;
groups {
re0 {
@@ -498,7 +498,7 @@
}
name-server {
164.58.253.10;
- 164.58.253.4;
+ 164.58.198.10;
}
radius-server {
156.110.31.11 {
@@ -1443,10 +1443,43 @@
}
}
policy-options {
- prefix-list EBGP-IPV4-NEIGHBORS;
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
+ }
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
policy-statement LOAD-BALANCE {
then {
load-balance per-packet;
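Review bot: PRE-SNMP-SOURCES uses `apply-path "snmp client-list snmp-management <1*>"`, matching only client-list addresses that begin with 1; the former SNMP sources (164.58.253.0/24, 156.110.31.0/27, 156.110.31.32/28) fit, but a 64.x or 66.x management host like those in PRE-MGMT-SOURCES would silently not be admitted and its SNMP traffic would hit DENY_ALL. Annotate the reason for `<1*>` if it is intentional, otherwise use `<*>`. PRE-BGP-ALLOW only expands main-instance `protocols bgp` neighbors, so any neighbors under `routing-instances` need an additional `apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>"`. Also note PRE-LOCALIPv4-SOURCES and PRE-LDP-SOURCES resolve to whole connected subnets, not only the router's own addresses, because apply-path keeps the configured prefix length.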
@@ -1641,114 +1674,112 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
+ term FIRST-FRAG {
+ from {
+ first-fragment;
+ }
+ then {
+ discard;
+ }
+ }
+ term NEXT-FRAG {
+ from {
+ is-fragment;
+ }
+ then {
+ discard;
+ }
+ }
term OSPF-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol ospf;
}
then accept;
}
- term EBGP-ALLOW {
+ term BGP-ALLOW {
from {
prefix-list {
- EBGP-IPV4-NEIGHBORS;
+ PRE-BGP-ALLOW;
}
protocol tcp;
port 179;
}
then accept;
}
- term IBGP-ALLOW {
+ term RADIUS-ALLOW {
from {
- source-address {
- 164.58.199.216/32;
- 164.58.199.226/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
- protocol tcp;
- port 179;
+ protocol [ udp tcp ];
+ port [ radius radacct ];
}
then accept;
}
- term FIRST-FRAG {
+ term NTP-ALLOW {
from {
- first-fragment;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
+ }
+ protocol udp;
+ port ntp;
}
- then {
- discard;
- }
+ then accept;
}
- term NEXT-FRAG {
+ term DOMAIN-ALLOW {
from {
- is-fragment;
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
}
- then {
- discard;
- }
- }
- term ICMP-ALLOW {
- from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
- }
then accept;
}
- term SERVICES-OUTBOUND {
+ term SYSLOG-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
}
then accept;
}
- term RADIUS {
+ term FTP-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol [ udp tcp ];
- port [ radius radacct ];
+ port ftp;
}
then accept;
}
- term NTP {
+ term JSPACE-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
- protocol udp;
- port ntp;
+ source-port 7408;
}
then accept;
}
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
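Review bot: JSPACE-ALLOW matches `source-port 7408`, while the SERVICES-OUTBOUND term being removed listed `7804`, the port Junos Space is documented to use for device management; the digits appear transposed, and with nothing else admitting 7408 the Space session would be discarded by DENY_ALL. The term should also specify `protocol tcp;` and preferably `tcp-established;`, since as written any PRE-MGMT-SOURCES host that picks source port 7408 reaches every RE service. DOMAIN-ALLOW, SYSLOG-ALLOW and FTP-ALLOW share the bare-`port` pattern, and FTP is cleartext, so it is worth confirming it is still required. The filter continues past the hunk.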
@@ -1757,21 +1788,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
- 172.23.0.0/16;
- 10.199.2.0/24;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -1779,14 +1806,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
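Review bot: ICMP-ALLOW accepts `echo-request` from any source with an unpoliced `then accept;`, leaving the routing engine open to ping floods from anywhere a router address is reachable; `then { policer ICMP-POL; accept; }` with a small bandwidth-limit under `firewall` bounds this while keeping reachability tests working. BFD-ALLOW moves from the removed 164.58.0.0/16 to PRE-LOCALIPv4-SOURCES, i.e. every connected subnet, so UDP 3784/3785 becomes reachable from customer links; narrow it if BFD is only run toward core peers. TRACEROUTE-ALLOW continues past the hunk.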
@@ -1794,6 +1828,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;