[Nocrancid] autopop-onenet.net router config diffs
rancid at rancid.noc.onenet.net
rancid at rancid.noc.onenet.net
Sat Jul 2 16:02:55 CDT 2016
Index: configs/hub.ton.onenet.net
===================================================================
--- configs/hub.ton.onenet.net (revision 144186)
+++ configs/hub.ton.onenet.net (working copy)
@@ -309,8 +309,8 @@
#t1-2/0/2:4 down down
#t1-2/0/2:4.0 up down
#t1-2/0/2:5 down down
-#t1-2/0/2:6 up up
-#t1-2/0/2:6.0 up up
+#t1-2/0/2:6 up down
+#t1-2/0/2:6.0 up down
#t1-2/0/2:7 down down
#t1-2/0/2:8 down down
#t1-2/0/2:9 down down
Index: configs/maysville-es.client.onenet.net
===================================================================
--- configs/maysville-es.client.onenet.net (revision 144235)
+++ configs/maysville-es.client.onenet.net (working copy)
@@ -614,7 +614,6 @@
# OSPF instance is not running
#
# grnoc-mon at MAYSVILLE-ES-LEASED-ASSET-TAG-004945> show bfd session
-quit
0 sessions, 0 clients
Cumulative transmit rate 0.0 pps, cumulative receive rate 0.0 pps
Index: configs/odot-vinita-regmaint.client.onenet.net
===================================================================
--- configs/odot-vinita-regmaint.client.onenet.net (revision 144236)
+++ configs/odot-vinita-regmaint.client.onenet.net (working copy)
@@ -108,8 +108,8 @@
#
# grnoc-mon at ODOT-VINITA-REGMAINT-SRX220> show interface terse
#Interface Admin Link
-#ge-0/0/0 up down
-#ge-0/0/0.0 up down
+#ge-0/0/0 up up
+#ge-0/0/0.0 up up
#gr-0/0/0 up up
#ip-0/0/0 up up
#lsq-0/0/0 up up
Index: configs/core6.okc.onenet.net
===================================================================
--- configs/core6.okc.onenet.net (revision 144224)
+++ configs/core6.okc.onenet.net (working copy)
@@ -1,14 +1,13 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ROUTE-REFLECTOR-OKC-RE1> show system commit
+# 2016-07-02 15:43:17 CDT by andrew via cli commit synchronize
+# 2016-07-02 15:35:04 CDT by andrew via cli commit synchronize
+# 2016-07-02 15:30:04 CDT by andrew via cli commit confirmed, rollback in 3mins synchronize
# 2016-07-02 03:00:30 CDT by sky via cli commit synchronize
# 2016-07-02 02:49:22 CDT by sky via cli commit synchronize
# 2016-07-02 02:08:02 CDT by root via other
# Synchronization with remote Routing Engine
-# 2016-07-02 02:07:48 CDT by root via other
-# Synchronization with remote Routing Engine
-# 2016-06-30 17:03:55 CDT by andrew via synchronize
-# 2016-06-29 23:42:37 CDT by andrew via synchronize
# grnoc-mon at ROUTE-REFLECTOR-OKC-RE1> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -384,7 +383,7 @@
# Time Source: NTP CLOCK
# System booted: 2016-07-02 02:07 CDT
# Protocols started: 2016-07-02 02:09 CDT
-# Last configured: 2016-07-02 03:00 CDT by sky
+# Last configured: 2016-07-02 15:43 CDT by andrew
#
# {master}
# grnoc-mon at ROUTE-REFLECTOR-OKC-RE1> show interface terse
@@ -464,7 +463,7 @@
#tap up up
#vtep up up
# grnoc-mon at ROUTE-REFLECTOR-OKC-RE1> show configuration
-## Last commit: 2016-07-02 03:00:30 CDT by sky
+## Last commit: 2016-07-02 15:43:17 CDT by andrew
version 15.1F5.15;
groups {
re0 {
@@ -1901,33 +1900,46 @@
}
}
policy-options {
- prefix-list CORE-BGP {
- 164.58.199.211/32;
- 164.58.199.212/32;
- 164.58.199.213/32;
- 164.58.199.214/32;
- 164.58.199.215/32;
- 164.58.199.216/32;
- 164.58.199.221/32;
- 164.58.199.222/32;
- 164.58.199.223/32;
- 164.58.199.224/32;
- 164.58.199.225/32;
- 164.58.199.226/32;
- 164.58.199.230/32;
- 164.58.199.231/32;
- 164.58.199.232/32;
- 164.58.199.233/32;
- 164.58.199.234/32;
+ prefix-list PRE-MGMT-SOURCES {
+ 64.207.244.14/32;
+ 66.129.224.37/32;
+ 129.15.127.96/28;
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.10.0/24;
+ 164.58.15.0/24;
+ 164.58.244.0/22;
+ 164.58.253.0/24;
}
- prefix-list HUB-BGP {
- 10.199.2.0/24;
- 164.58.198.0/24;
- 164.58.199.0/24;
+ prefix-list PRE-RADIUS-SOURCES {
+ apply-path "system radius-server <*>";
}
+ prefix-list PRE-NTP-SOURCES {
+ apply-path "system ntp server <*>";
+ }
+ prefix-list PRE-DNS-SOURCES {
+ apply-path "system name-server <*>";
+ }
+ prefix-list PRE-SNMP-SOURCES {
+ apply-path "snmp client-list snmp-management <1*>";
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+ prefix-list PRE-BGP-ALLOW {
+ apply-path "protocols bgp group <*> neighbor <*>";
+ }
prefix-list PRE-LDP-SOURCES {
10.199.0.0/16;
+ 164.58.198.0/23;
+ apply-path "interfaces <*> unit <*> family inet address <*>";
}
+ prefix-list PRE-L0-SOURCES {
+ apply-path "interfaces lo0 unit <*> family inet address <164.*>";
+ }
+ prefix-list PRE-BGP-RI-ALLOW {
+ apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>";
+ }
policy-statement DEFAULT-IBGP-EXPORT {
term NEEDED-ROUTES {
from {
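Review bot: The `<1*>` wildcard in PRE-SNMP-SOURCES only expands `snmp-management` client-list entries whose text begins with `1`, so a manager added later from a range such as 64.x or 66.x (both present in PRE-MGMT-SOURCES) would be silently left out of SNMP-ALLOW. The same holds for `<164.*>` in PRE-L0-SOURCES. If the narrowing is deliberate, an annotation saying why would help; otherwise `<*>` tracks the source stanza exactly. Since these lists are now derived from other parts of the configuration, checking the expansion with `show configuration policy-options | display inheritance` after each change would show what the RE filter really admits, including any list that expands to nothing.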
@@ -2192,46 +2204,24 @@
firewall {
family inet {
filter PROTECT-RE {
- term SERVICES {
+ term SSH-ALLOW {
from {
- source-address {
- 129.15.127.96/28;
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.10.0/24;
- 164.58.253.0/24;
- 64.207.244.14/32;
- 66.129.224.37/32;
- 164.58.15.0/24;
- 164.58.244.0/22;
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
}
protocol tcp;
- destination-port [ ssh http ];
+ destination-port ssh;
}
then accept;
}
- term OSPF-ALLOW {
+ term VMHOST-ALLOW {
from {
source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ 192.168.1.0/24;
}
- protocol ospf;
}
then accept;
}
- term IBGP-allow {
- from {
- source-prefix-list {
- CORE-BGP;
- HUB-BGP;
- }
- protocol tcp;
- port 179;
- }
- then accept;
- }
term FIRST-FRAG {
from {
first-fragment;
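Review bot: VMHOST-ALLOW accepts every protocol and port from 192.168.1.0/24 and sits ahead of the fragment terms, which makes it the broadest accept in PROTECT-RE. The match is on source address alone, so if the filter is applied on lo0 (the binding is not visible here) it trusts any packet carrying that RFC 1918 source, whichever interface it arrived on. Narrowing the term to the protocol and ports the VM host link needs, or adding an `interface` match for the internal link, would keep the exception tight. A short annotation naming what uses 192.168.1.0/24 would also help. The filter body continues outside this hunk.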
@@ -2248,46 +2238,87 @@
discard;
}
}
- term ICMP-ALLOW {
+ term OSPF-ALLOW {
from {
- protocol icmp;
- icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
+ }
+ protocol ospf;
}
then accept;
}
- term SERVICES-OUTBOUND {
+ term BGP-ALLOW {
from {
- source-port [ domain ntp ssh syslog ftp 7804 telnet ];
+ prefix-list {
+ PRE-BGP-ALLOW;
+ PRE-BGP-RI-ALLOW;
+ }
+ protocol tcp;
+ port 179;
}
then accept;
}
- term RADIUS {
+ term RADIUS-ALLOW {
from {
- source-address {
- 156.110.31.11/32;
+ source-prefix-list {
+ PRE-RADIUS-SOURCES;
}
protocol [ udp tcp ];
port [ radius radacct ];
}
then accept;
}
- term NTP {
+ term NTP-ALLOW {
from {
- source-address {
- 164.58.10.1/32;
- 164.58.199.0/24;
+ source-prefix-list {
+ PRE-NTP-SOURCES;
+ PRE-L0-SOURCES;
}
protocol udp;
port ntp;
}
then accept;
}
+ term DOMAIN-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-DNS-SOURCES;
+ }
+ port domain;
+ }
+ then accept;
+ }
+ term SYSLOG-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port syslog;
+ }
+ then accept;
+ }
+ term FTP-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ port ftp;
+ }
+ then accept;
+ }
+ term JSPACE-ALLOW {
+ from {
+ source-prefix-list {
+ PRE-MGMT-SOURCES;
+ }
+ source-port 7408;
+ }
+ then accept;
+ }
term SNMP-ALLOW {
from {
- source-address {
- 164.58.253.0/24;
- 156.110.31.0/27;
- 156.110.31.32/28;
+ source-prefix-list {
+ PRE-SNMP-SOURCES;
}
protocol [ tcp udp ];
port [ snmp snmptrap ];
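Review bot: JSPACE-ALLOW matches `source-port 7408`, while the SERVICES-OUTBOUND term removed in this hunk listed 7804. The digits look transposed, so confirm which port the management platform uses; if 7804 was right, the term never matches and that traffic falls through to later terms. Separately, DOMAIN-ALLOW, SYSLOG-ALLOW, FTP-ALLOW and JSPACE-ALLOW (and LDP-ALLOW in the next hunk) match a port with no `protocol` condition. Adding `protocol udp;`, `protocol tcp;` or `protocol [ tcp udp ];` as appropriate keeps the port test from being applied to other protocols. BGP-ALLOW uses `prefix-list`, which matches source or destination, where every other term uses `source-prefix-list`; the latter states the intent more precisely.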
@@ -2296,19 +2327,17 @@
}
term LDP-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
- 156.110.0.0/16;
+ source-prefix-list {
+ PRE-LDP-SOURCES;
}
port ldp;
}
+ then accept;
}
term PIM-ALLOW {
from {
- source-address {
- 164.58.199.0/24;
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol pim;
}
@@ -2316,14 +2345,21 @@
}
term BFD-ALLOW {
from {
- source-address {
- 164.58.0.0/16;
+ source-prefix-list {
+ PRE-LOCALIPv4-SOURCES;
}
protocol udp;
port [ 3784 3785 ];
}
then accept;
}
+ term ICMP-ALLOW {
+ from {
+ protocol icmp;
+ icmp-type [ echo-reply echo-request unreachable time-exceeded ];
+ }
+ then accept;
+ }
term TRACEROUTE-ALLOW {
from {
protocol udp;
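Review bot: ICMP-ALLOW accepts echo and error types from any source with no rate limit, so as written the routing engine handles every such packet that reaches it. A policer on the term, for example `then { policer <ICMP-POLICER-NAME>; accept; }` with the policer defined under `firewall`, would bound that load. TRACEROUTE-ALLOW looks to be in the same position, but its match conditions are cut at the hunk edge, so that is inferred.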
@@ -2331,6 +2367,20 @@
}
then accept;
}
+ term DENY-SERVICES-INBOUND {
+ from {
+ destination-port [ ssh telnet http https snmp ntp domain ];
+ }
+ then {
+ discard;
+ }
+ }
+ term SERVICES-OUTBOUND {
+ from {
+ source-port [ ssh telnet ];
+ }
+ then accept;
+ }
term DENY_ALL {
then {
discard;
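Review bot: SERVICES-OUTBOUND accepts any packet whose source port is ssh or telnet, with no protocol, source or TCP-flag condition. Being stateless, it also admits unsolicited traffic to any RE port not already caught by DENY-SERVICES-INBOUND (bgp, ldp, radius, syslog and ftp, for instance). Restricting it to return traffic with `protocol tcp;` and `tcp-established;` in the `from` block would close that gap. If telnet is not used outbound from this router, dropping it from the list would be cleaner still. Adding `count` or `syslog` to the two discard terms would make drops visible for troubleshooting and detection.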