[Nocrancid] autopop-onenet.net router config diffs
rancid at rancid.noc.onenet.net
rancid at rancid.noc.onenet.net
Sat Aug 5 21:04:55 CDT 2017
Index: configs/allen-public-library.client.onenet.net
===================================================================
--- configs/allen-public-library.client.onenet.net (revision 155490)
+++ configs/allen-public-library.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ALLEN-PUBLIC-LIBRARY-TAG-004890> show system commit
+# 2017-08-05 20:44:42 CDT by root via other
# 2017-08-02 23:07:04 CDT by root via other
# 2017-04-17 22:37:16 CDT by andrew via cli
# 2016-09-07 18:00:58 CDT by andrew via cli
# 2016-01-29 12:21:25 CST by sean via cli commit confirmed, rollback in 3mins
# 2015-12-03 15:20:27 CST by root via other
-# 2015-12-03 14:21:28 CST by admin via cli
# grnoc-mon at ALLEN-PUBLIC-LIBRARY-TAG-004890> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at ALLEN-PUBLIC-LIBRARY-TAG-004890> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at ALLEN-PUBLIC-LIBRARY-TAG-004890> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s1a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s2a
#
# grnoc-mon at ALLEN-PUBLIC-LIBRARY-TAG-004890> show version
# Hostname: ALLEN-PUBLIC-LIBRARY-TAG-004890
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at ALLEN-PUBLIC-LIBRARY-TAG-004890> show version invoke-on all-routing-engines
# Hostname: ALLEN-PUBLIC-LIBRARY-TAG-004890
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at ALLEN-PUBLIC-LIBRARY-TAG-004890> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at ALLEN-PUBLIC-LIBRARY-TAG-004890> show system uptime
-# System booted: 2017-08-02 23:04 CDT
-# Protocols started: 2017-08-02 23:08 CDT
-# Last configured: 2017-08-02 23:07 CDT by root
+# System booted: 2017-08-05 20:41 CDT
+# Protocols started: 2017-08-05 20:46 CDT
+# Last configured: 2017-08-05 20:44 CDT by root
#
# grnoc-mon at ALLEN-PUBLIC-LIBRARY-TAG-004890> show interface terse
#Interface Admin Link
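Review bot: After the upgrade the device mounts root from `da0s2a` instead of `da0s1a`, which suggests the other root slice still carries 12.1X46-D65.4. A fallback boot would then presumably bring the box back up on the older release. Once 12.3X48-D40.5 is validated, `request system snapshot slice alternate` puts the same image on both slices. The added boot line `Kernel thread "wkupdaemon" (pid 48) exited prematurely.` appears in every upgraded SRX240 section on this page, so it is probably release behaviour rather than a fault on this unit, but that should be confirmed against the vendor release notes. The other upgraded sections show the same slice swap.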
@@ -192,8 +196,8 @@
#vlan.3 up up
#vlan.999 up down
# grnoc-mon at ALLEN-PUBLIC-LIBRARY-TAG-004890> show configuration
-## Last commit: 2017-08-02 23:07:04 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 20:44:42 CDT by root
+version 12.3X48-D40.5;
system {
host-name ALLEN-PUBLIC-LIBRARY-TAG-004890;
auto-snapshot;
@@ -337,100 +341,6 @@
server 164.58.3.98 prefer;
}
}
-interfaces {
- interface-range TRUST-VLAN {
- member-range ge-0/0/2 to ge-0/0/15;
- description "L2 INTERFACE - TRUST-VLAN";
- unit 0 {
- family ethernet-switching {
- vlan {
- members TRUST-VLAN;
- }
- }
- }
- }
- ge-0/0/0 {
- description "L3 INTERFACE - UNTRUST-WAN - 164.58.40.54/30";
- speed 100m;
- link-mode full-duplex;
- gigether-options {
- no-auto-negotiation;
- }
- unit 0 {
- family inet {
- address 164.58.40.54/30;
- }
- }
- }
- ge-0/0/1 {
- description "L2 INTERFACE - TEST-VLAN";
- unit 0 {
- family ethernet-switching {
- port-mode access;
- vlan {
- members TEST-VLAN;
- }
- }
- }
- }
- lo0 {
- unit 0 {
- family inet {
- filter {
- input PROTECT-RE;
- }
- }
- }
- }
- vlan {
- unit 3 {
- description "L3 INTERFACE - TRUST-VLAN - 172.16.1.1/16";
- family inet {
- address 172.16.1.1/16;
- }
- }
- unit 999 {
- description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
- family inet {
- address 10.1.0.1/24;
- }
- }
- }
-}
-snmp {
- description OneNet;
- contact "Net Group";
- community "<removed>" {
- authorization read-only;
- }
- community "<removed>" {
- authorization read-only;
- }
- community "<removed>" {
- authorization read-write;
- }
-}
-routing-options {
- static {
- route 0.0.0.0/0 next-hop 164.58.40.53;
- }
-}
-protocols {
- lldp {
- interface all;
- }
- stp;
-}
-policy-options {
- prefix-list PRE-MGMT-SOURCES {
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.253.0/24;
- }
- prefix-list PRE-LOCALIPv4-SOURCES {
- apply-path "interfaces <*> unit <*> family inet address <*>";
- }
-}
security {
screen {
ids-option UNTRUST-SCREEN {
@@ -555,6 +465,100 @@
}
}
}
+interfaces {
+ interface-range TRUST-VLAN {
+ member-range ge-0/0/2 to ge-0/0/15;
+ description "L2 INTERFACE - TRUST-VLAN";
+ unit 0 {
+ family ethernet-switching {
+ vlan {
+ members TRUST-VLAN;
+ }
+ }
+ }
+ }
+ ge-0/0/0 {
+ description "L3 INTERFACE - UNTRUST-WAN - 164.58.40.54/30";
+ speed 100m;
+ link-mode full-duplex;
+ gigether-options {
+ no-auto-negotiation;
+ }
+ unit 0 {
+ family inet {
+ address 164.58.40.54/30;
+ }
+ }
+ }
+ ge-0/0/1 {
+ description "L2 INTERFACE - TEST-VLAN";
+ unit 0 {
+ family ethernet-switching {
+ port-mode access;
+ vlan {
+ members TEST-VLAN;
+ }
+ }
+ }
+ }
+ lo0 {
+ unit 0 {
+ family inet {
+ filter {
+ input PROTECT-RE;
+ }
+ }
+ }
+ }
+ vlan {
+ unit 3 {
+ description "L3 INTERFACE - TRUST-VLAN - 172.16.1.1/16";
+ family inet {
+ address 172.16.1.1/16;
+ }
+ }
+ unit 999 {
+ description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
+ family inet {
+ address 10.1.0.1/24;
+ }
+ }
+ }
+}
+snmp {
+ description OneNet;
+ contact "Net Group";
+ community "<removed>" {
+ authorization read-only;
+ }
+ community "<removed>" {
+ authorization read-only;
+ }
+ community "<removed>" {
+ authorization read-write;
+ }
+}
+routing-options {
+ static {
+ route 0.0.0.0/0 next-hop 164.58.40.53;
+ }
+}
+protocols {
+ lldp {
+ interface all;
+ }
+ stp;
+}
+policy-options {
+ prefix-list PRE-MGMT-SOURCES {
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+}
firewall {
family inet {
filter PROTECT-RE {
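Review bot: The third `community` block in the re-emitted `snmp` stanza grants `authorization read-write` and, like the two read-only ones, carries no `clients` or `client-list-name` restriction, so nothing in the stanza itself limits who may use it. Any source filtering would have to come from the `PROTECT-RE` filter on lo0, whose terms lie outside this hunk. `PRE-MGMT-SOURCES` is already defined under `policy-options` in the same hunk, so adding `client-list-name PRE-MGMT-SOURCES;` inside each community would make the restriction explicit, and the read-write community could be dropped if nothing writes over SNMP. The same three-community stanza reappears in the ada-hs-srx240 section.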
Index: configs/choctaw-interlocal-coop.client.onenet.net
===================================================================
--- configs/choctaw-interlocal-coop.client.onenet.net (revision 155150)
+++ configs/choctaw-interlocal-coop.client.onenet.net (working copy)
@@ -1,12 +1,13 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at CHOCTAW-INTERLOCAL-SRX240-004878-LR> show system commit
+# 2017-08-05 20:57:40 CDT by root via other
# 2017-07-23 13:50:25 CDT by root via other
# 2016-02-18 08:39:45 CST by admin via cli commit confirmed, rollback in 3mins
# 2016-02-17 10:29:41 CST by root via cli
# 2015-11-27 07:14:28 CST by root via other
# 2015-11-25 13:47:27 CST by root via other
-# rescue 2017-07-23 13:54:59 CDT by andrew via cli
+# rescue 2017-08-05 20:38:28 CDT by andrew via cli
#
# grnoc-mon at CHOCTAW-INTERLOCAL-SRX240-004878-LR> show chassis environment
# Class Item Status Measurement
@@ -22,8 +23,8 @@
#
# grnoc-mon at CHOCTAW-INTERLOCAL-SRX240-004878-LR> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at CHOCTAW-INTERLOCAL-SRX240-004878-LR> show chassis fpc detail
# Slot 0 information:
@@ -55,8 +56,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -107,26 +111,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at CHOCTAW-INTERLOCAL-SRX240-004878-LR> show version
# Hostname: CHOCTAW-INTERLOCAL-SRX240-004878-LR
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at CHOCTAW-INTERLOCAL-SRX240-004878-LR> show version invoke-on all-routing-engines
# Hostname: CHOCTAW-INTERLOCAL-SRX240-004878-LR
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at CHOCTAW-INTERLOCAL-SRX240-004878-LR> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at CHOCTAW-INTERLOCAL-SRX240-004878-LR> show system uptime
-# System booted: 2017-07-23 13:47 CDT
-# Protocols started: 2017-07-23 13:51 CDT
-# Last configured: 2017-07-23 13:50 CDT by root
+# System booted: 2017-08-05 20:54 CDT
+# Protocols started: 2017-08-05 20:59 CDT
+# Last configured: 2017-08-05 20:57 CDT by root
#
# grnoc-mon at CHOCTAW-INTERLOCAL-SRX240-004878-LR> show interface terse
#Interface Admin Link
@@ -180,8 +185,8 @@
#vlan.3 up up
#vlan.999 up down
# grnoc-mon at CHOCTAW-INTERLOCAL-SRX240-004878-LR> show configuration
-## Last commit: 2017-07-23 13:50:25 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 20:57:40 CDT by root
+version 12.3X48-D40.5;
system {
host-name CHOCTAW-INTERLOCAL-SRX240-004878-LR;
domain-name onenet.net;
@@ -313,6 +318,111 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 156.110.58.250/30";
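Review bot: The `UNTRUST-TO-UNTRUST` policy permits `any`/`any`/`any` with no `log` action, and the `zones` block places both `ge-0/0/0.0` and `vlan.3` in UNTRUST. Traffic between the WAN and that VLAN is therefore forwarded with only the `UNTRUST-SCREEN` checks applied and leaves no session record. If this is a deliberate routed hand-off, it is worth stating in a `description` on the policy and adding `log { session-close; }` under `then`; otherwise the VLAN belongs in its own zone with an explicit policy. `ge-0/0/0.0` also accepts `ssh` and `snmp` as host-inbound services, which relies on the `PROTECT-RE` filter (not visible in this hunk) to restrict sources. The canadian-ps section carries an identical `security` stanza.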
@@ -447,111 +557,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- vlan.3 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/kiamichi-fmc-battiest.client.onenet.net
===================================================================
--- configs/kiamichi-fmc-battiest.client.onenet.net (revision 155532)
+++ configs/kiamichi-fmc-battiest.client.onenet.net (working copy)
@@ -130,7 +130,7 @@
# total files: 1
#
# grnoc-mon at KIAMICHI-FMC-BATTIEST-LR-5230> show system uptime
-# Time Source: LOCAL CLOCK
+# Time Source: NTP CLOCK
# System booted: 2017-07-07 18:44 CDT
# Protocols started: 2017-07-07 18:44 CDT
# Last configured: 2017-07-07 18:47 CDT by root
Index: configs/canadian-ps.client.onenet.net
===================================================================
--- configs/canadian-ps.client.onenet.net (revision 155441)
+++ configs/canadian-ps.client.onenet.net (working copy)
@@ -1,8 +1,9 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at CANADIAN-PS-SRX240-LR-004907> show system commit
+# 2017-08-05 20:57:43 CDT by root via other
# 2017-08-02 23:12:43 CDT by root via other
-# rescue 2017-08-02 23:16:03 CDT by andrew via cli
+# rescue 2017-08-05 20:37:47 CDT by andrew via cli
#
# grnoc-mon at CANADIAN-PS-SRX240-LR-004907> show chassis environment
# Class Item Status Measurement
@@ -18,8 +19,8 @@
#
# grnoc-mon at CANADIAN-PS-SRX240-LR-004907> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at CANADIAN-PS-SRX240-LR-004907> show chassis fpc detail
# Slot 0 information:
@@ -51,8 +52,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -103,26 +107,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s1a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s2a
#
# grnoc-mon at CANADIAN-PS-SRX240-LR-004907> show version
# Hostname: CANADIAN-PS-SRX240-LR-004907
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at CANADIAN-PS-SRX240-LR-004907> show version invoke-on all-routing-engines
# Hostname: CANADIAN-PS-SRX240-LR-004907
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at CANADIAN-PS-SRX240-LR-004907> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at CANADIAN-PS-SRX240-LR-004907> show system uptime
-# System booted: 2017-08-02 23:10 CDT
-# Protocols started: 2017-08-02 23:14 CDT
-# Last configured: 2017-08-02 23:12 CDT by root
+# System booted: 2017-08-05 20:54 CDT
+# Protocols started: 2017-08-05 20:59 CDT
+# Last configured: 2017-08-05 20:57 CDT by root
#
# grnoc-mon at CANADIAN-PS-SRX240-LR-004907> show interface terse
#Interface Admin Link
@@ -176,8 +181,8 @@
#vlan.3 up up
#vlan.999 up down
# grnoc-mon at CANADIAN-PS-SRX240-LR-004907> show configuration
-## Last commit: 2017-08-02 23:12:43 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 20:57:43 CDT by root
+version 12.3X48-D40.5;
system {
host-name CANADIAN-PS-SRX240-LR-004907;
auto-snapshot;
@@ -310,6 +315,111 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 164.58.12.18/30";
@@ -438,111 +548,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- vlan.3 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/core3.okc-m120.onenet.net
===================================================================
--- configs/core3.okc-m120.onenet.net (revision 155532)
+++ configs/core3.okc-m120.onenet.net (working copy)
@@ -752,8 +752,8 @@
#coc1-2/3/0:6 up up
#ct3-2/3/0:6 up up
#t1-2/3/0:6:1 down down
-#t1-2/3/0:6:2 up down
-#t1-2/3/0:6:2.0 up down
+#t1-2/3/0:6:2 up up
+#t1-2/3/0:6:2.0 up up
#t1-2/3/0:6:3 up up
#t1-2/3/0:6:3.16 up up
#t1-2/3/0:6:3.17 up up
Index: configs/ada-hs-srx240.client.onenet.net
===================================================================
--- configs/ada-hs-srx240.client.onenet.net (revision 155126)
+++ configs/ada-hs-srx240.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ADA-HS-LR-004894> show system commit
+# 2017-08-05 20:18:11 CDT by root via other
# 2017-07-22 13:43:23 CDT by root via other
# 2017-01-13 21:12:23 CST by joel via cli
# 2016-02-15 14:13:16 CST by andrew via cli
# 2016-02-15 14:10:33 CST by andrew via cli
# 2016-02-12 12:37:47 CST by andrew via cli
-# 2016-02-12 12:30:22 CST by andrew via cli commit confirmed, rollback in 3mins
# grnoc-mon at ADA-HS-LR-004894> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at ADA-HS-LR-004894> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at ADA-HS-LR-004894> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at ADA-HS-LR-004894> show version
# Hostname: ADA-HS-LR-004894
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at ADA-HS-LR-004894> show version invoke-on all-routing-engines
# Hostname: ADA-HS-LR-004894
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at ADA-HS-LR-004894> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at ADA-HS-LR-004894> show system uptime
-# System booted: 2017-07-22 13:40 CDT
-# Protocols started: 2017-07-22 13:44 CDT
-# Last configured: 2017-07-22 13:43 CDT by root
+# System booted: 2017-08-05 20:15 CDT
+# Protocols started: 2017-08-05 20:19 CDT
+# Last configured: 2017-08-05 20:18 CDT by root
#
# grnoc-mon at ADA-HS-LR-004894> show interface terse
#Interface Admin Link
@@ -183,8 +187,8 @@
#vlan.4 up up
#vlan.999 up down
# grnoc-mon at ADA-HS-LR-004894> show configuration
-## Last commit: 2017-07-22 13:43:23 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 20:18:11 CDT by root
+version 12.3X48-D40.5;
system {
host-name ADA-HS-LR-004894;
domain-name onenet.net;
@@ -323,162 +327,6 @@
server 164.58.3.98 prefer;
}
}
-interfaces {
- ge-0/0/0 {
- description "UNTRUST WAN Interface - 156.110.34.94/30";
- unit 0 {
- family inet {
- address 156.110.34.94/30;
- }
- }
- }
- ge-0/0/1 {
- unit 0 {
- description TEST-INTERFACE;
- family ethernet-switching {
- vlan {
- members TEST-VLAN;
- }
- }
- }
- }
- ge-0/0/2 {
- disable;
- }
- ge-0/0/3 {
- disable;
- }
- ge-0/0/4 {
- disable;
- }
- ge-0/0/5 {
- disable;
- }
- ge-0/0/6 {
- disable;
- }
- ge-0/0/7 {
- disable;
- }
- ge-0/0/8 {
- disable;
- }
- ge-0/0/9 {
- disable;
- }
- ge-0/0/10 {
- disable;
- }
- ge-0/0/11 {
- disable;
- }
- ge-0/0/12 {
- description "PIX VPN - OUTSIDE";
- unit 0 {
- family inet {
- address 192.168.253.253/30;
- }
- }
- }
- ge-0/0/13 {
- description "PIX VPN - INSIDE";
- unit 0 {
- family inet {
- address 192.168.253.249/30;
- }
- }
- }
- ge-0/0/14 {
- description "L2 - DMZ INTERACE";
- unit 0 {
- family ethernet-switching {
- port-mode access;
- vlan {
- members 4;
- }
- }
- }
- }
- ge-0/0/15 {
- description "L2 - LAN INTERFACE";
- unit 0 {
- family ethernet-switching {
- port-mode access;
- vlan {
- members 3;
- }
- }
- }
- }
- lo0 {
- unit 0 {
- family inet {
- filter {
- input PROTECT-RE;
- }
- }
- }
- }
- vlan {
- unit 3 {
- description "LAN INTERFACE - 172.16.20.1/22";
- family inet {
- address 172.16.20.1/22;
- }
- }
- unit 4 {
- description "DMZ INTERFACE - 192.168.254.253/30";
- family inet {
- address 192.168.254.253/30;
- }
- }
- unit 999 {
- description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
- family inet {
- address 10.1.0.1/24;
- }
- }
- }
-}
-snmp {
- description OneNet;
- contact "Net Group";
- community "<removed>" {
- authorization read-only;
- }
- community "<removed>" {
- authorization read-only;
- }
- community "<removed>" {
- authorization read-write;
- }
-}
-routing-options {
- static {
- route 0.0.0.0/0 next-hop 156.110.34.93;
- route 10.0.0.0/8 next-hop 192.168.254.254;
- route 172.16.0.0/12 next-hop 192.168.254.254;
- route 192.168.0.0/16 next-hop 192.168.254.254;
- route 10.10.50.0/24 next-hop 192.168.253.250;
- route 10.10.100.0/24 next-hop 192.168.253.250;
- }
-}
-protocols {
- lldp {
- interface all;
- }
- stp;
-}
-policy-options {
- prefix-list PRE-MGMT-SOURCES {
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.253.0/24;
- }
- prefix-list PRE-LOCALIPv4-SOURCES {
- apply-path "interfaces <*> unit <*> family inet address <*>";
- }
-}
security {
address-book {
global {
@@ -597,7 +445,9 @@
rule 164_058_028_066_80 {
match {
destination-address 164.58.28.66/32;
- destination-port 80;
+ destination-port {
+ 80;
+ }
}
then {
destination-nat {
@@ -610,7 +460,9 @@
rule 164_058_028_066_443 {
match {
destination-address 164.58.28.66/32;
- destination-port 443;
+ destination-port {
+ 443;
+ }
}
then {
destination-nat {
@@ -623,7 +475,9 @@
rule 164_058_028_067_25 {
match {
destination-address 164.58.28.67/32;
- destination-port 25;
+ destination-port {
+ 25;
+ }
}
then {
destination-nat {
@@ -636,7 +490,9 @@
rule 164_058_028_067_22 {
match {
destination-address 164.58.28.67/32;
- destination-port 22;
+ destination-port {
+ 22;
+ }
}
then {
destination-nat {
@@ -649,7 +505,9 @@
rule 164_058_028_067_443 {
match {
destination-address 164.58.28.67/32;
- destination-port 443;
+ destination-port {
+ 443;
+ }
}
then {
destination-nat {
@@ -662,7 +520,9 @@
rule 164_058_028_067_80 {
match {
destination-address 164.58.28.67/32;
- destination-port 80;
+ destination-port {
+ 80;
+ }
}
then {
destination-nat {
@@ -675,7 +535,9 @@
rule 164_058_028_067_23 {
match {
destination-address 164.58.28.67/32;
- destination-port 23;
+ destination-port {
+ 23;
+ }
}
then {
destination-nat {
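Review bot: Rule `164_058_028_067_23` still maps TCP port 23 on 164.58.28.67 through destination NAT after the upgrade rewrote `destination-port` into block form, so a cleartext telnet service remains published on a public address. Whether a security policy actually permits the flow is outside this hunk, as is the rest of the rule. Port 22 is already translated for the same address by rule `164_058_028_067_22`, so the telnet rule looks removable. If it has to stay, its `match` could add a `source-address` limited to known management networks.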
@@ -1075,6 +937,162 @@
}
}
}
+interfaces {
+ ge-0/0/0 {
+ description "UNTRUST WAN Interface - 156.110.34.94/30";
+ unit 0 {
+ family inet {
+ address 156.110.34.94/30;
+ }
+ }
+ }
+ ge-0/0/1 {
+ unit 0 {
+ description TEST-INTERFACE;
+ family ethernet-switching {
+ vlan {
+ members TEST-VLAN;
+ }
+ }
+ }
+ }
+ ge-0/0/2 {
+ disable;
+ }
+ ge-0/0/3 {
+ disable;
+ }
+ ge-0/0/4 {
+ disable;
+ }
+ ge-0/0/5 {
+ disable;
+ }
+ ge-0/0/6 {
+ disable;
+ }
+ ge-0/0/7 {
+ disable;
+ }
+ ge-0/0/8 {
+ disable;
+ }
+ ge-0/0/9 {
+ disable;
+ }
+ ge-0/0/10 {
+ disable;
+ }
+ ge-0/0/11 {
+ disable;
+ }
+ ge-0/0/12 {
+ description "PIX VPN - OUTSIDE";
+ unit 0 {
+ family inet {
+ address 192.168.253.253/30;
+ }
+ }
+ }
+ ge-0/0/13 {
+ description "PIX VPN - INSIDE";
+ unit 0 {
+ family inet {
+ address 192.168.253.249/30;
+ }
+ }
+ }
+ ge-0/0/14 {
+ description "L2 - DMZ INTERACE";
+ unit 0 {
+ family ethernet-switching {
+ port-mode access;
+ vlan {
+ members 4;
+ }
+ }
+ }
+ }
+ ge-0/0/15 {
+ description "L2 - LAN INTERFACE";
+ unit 0 {
+ family ethernet-switching {
+ port-mode access;
+ vlan {
+ members 3;
+ }
+ }
+ }
+ }
+ lo0 {
+ unit 0 {
+ family inet {
+ filter {
+ input PROTECT-RE;
+ }
+ }
+ }
+ }
+ vlan {
+ unit 3 {
+ description "LAN INTERFACE - 172.16.20.1/22";
+ family inet {
+ address 172.16.20.1/22;
+ }
+ }
+ unit 4 {
+ description "DMZ INTERFACE - 192.168.254.253/30";
+ family inet {
+ address 192.168.254.253/30;
+ }
+ }
+ unit 999 {
+ description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
+ family inet {
+ address 10.1.0.1/24;
+ }
+ }
+ }
+}
+snmp {
+ description OneNet;
+ contact "Net Group";
+ community "<removed>" {
+ authorization read-only;
+ }
+ community "<removed>" {
+ authorization read-only;
+ }
+ community "<removed>" {
+ authorization read-write;
+ }
+}
+routing-options {
+ static {
+ route 0.0.0.0/0 next-hop 156.110.34.93;
+ route 10.0.0.0/8 next-hop 192.168.254.254;
+ route 172.16.0.0/12 next-hop 192.168.254.254;
+ route 192.168.0.0/16 next-hop 192.168.254.254;
+ route 10.10.50.0/24 next-hop 192.168.253.250;
+ route 10.10.100.0/24 next-hop 192.168.253.250;
+ }
+}
+protocols {
+ lldp {
+ interface all;
+ }
+ stp;
+}
+policy-options {
+ prefix-list PRE-MGMT-SOURCES {
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/oja-cojc-tecumseh-srx240.client.onenet.net
===================================================================
--- configs/oja-cojc-tecumseh-srx240.client.onenet.net (revision 155532)
+++ configs/oja-cojc-tecumseh-srx240.client.onenet.net (working copy)
@@ -1,9 +1,10 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OJA-COJC-TECUMSEH-LR-00004951> show system commit
+# 2017-08-05 20:17:19 CDT by root via other
# 2017-08-04 20:49:30 CDT by root via other
# 2017-08-04 20:30:43 CDT by andrew via cli
-# rescue 2017-08-05 19:50:14 CDT by andrew via cli
+# rescue 2017-08-05 20:23:05 CDT by andrew via cli
#
# grnoc-mon at OJA-COJC-TECUMSEH-LR-00004951> show chassis environment
# Class Item Status Measurement
@@ -19,8 +20,8 @@
#
# grnoc-mon at OJA-COJC-TECUMSEH-LR-00004951> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at OJA-COJC-TECUMSEH-LR-00004951> show chassis fpc detail
# Slot 0 information:
@@ -52,8 +53,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -104,26 +108,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s1a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s2a
#
# grnoc-mon at OJA-COJC-TECUMSEH-LR-00004951> show version
# Hostname: OJA-COJC-TECUMSEH-LR-00004951
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at OJA-COJC-TECUMSEH-LR-00004951> show version invoke-on all-routing-engines
# Hostname: OJA-COJC-TECUMSEH-LR-00004951
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at OJA-COJC-TECUMSEH-LR-00004951> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at OJA-COJC-TECUMSEH-LR-00004951> show system uptime
-# System booted: 2017-08-04 20:47 CDT
-# Protocols started: 2017-08-04 20:50 CDT
-# Last configured: 2017-08-04 20:49 CDT by root
+# System booted: 2017-08-05 20:14 CDT
+# Protocols started: 2017-08-05 20:19 CDT
+# Last configured: 2017-08-05 20:17 CDT by root
#
# grnoc-mon at OJA-COJC-TECUMSEH-LR-00004951> show interface terse
#Interface Admin Link
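Review bot: The root device changes from `da0s1a` to `da0s2a` in this boot log, which suggests the 12.3X48-D40.5 image was booted from the other root slice while the previous slice may still hold 12.1X46-D65.4. If so, a fallback boot would bring the device up on the older release, so both slices should be checked after the upgrade. Once the new release is accepted, it can be copied across with `request system snapshot slice alternate`. The added `Kernel thread "wkupdaemon" (pid 48) exited prematurely.` line should be checked against the vendor's notes for this release rather than assumed harmless. The same slice change and kernel message appear in the boot-log hunks for alex-ps, wilburton-ps, durant-head-start and maysville-hs.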
@@ -177,8 +182,8 @@
#vlan up up
#vlan.999 up down
# grnoc-mon at OJA-COJC-TECUMSEH-LR-00004951> show configuration
-## Last commit: 2017-08-04 20:49:30 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 20:17:19 CDT by root
+version 12.3X48-D40.5;
system {
host-name OJA-COJC-TECUMSEH-LR-00004951;
auto-snapshot;
@@ -324,130 +329,6 @@
server 164.58.3.98 prefer;
}
}
-interfaces {
- ge-0/0/0 {
- description "UNTRUST WAN Interface - 164.58.63.82/30";
- unit 0 {
- family inet {
- address 164.58.63.82/30;
- }
- }
- }
- ge-0/0/1 {
- unit 0 {
- description TEST-INTERFACE;
- family ethernet-switching {
- vlan {
- members TEST-VLAN;
- }
- }
- }
- }
- ge-0/0/2 {
- disable;
- }
- ge-0/0/3 {
- disable;
- }
- ge-0/0/4 {
- disable;
- }
- ge-0/0/5 {
- disable;
- }
- ge-0/0/6 {
- disable;
- }
- ge-0/0/7 {
- disable;
- }
- ge-0/0/8 {
- disable;
- }
- ge-0/0/9 {
- disable;
- }
- ge-0/0/10 {
- disable;
- }
- ge-0/0/11 {
- disable;
- }
- ge-0/0/12 {
- disable;
- }
- ge-0/0/13 {
- disable;
- }
- ge-0/0/14 {
- disable;
- }
- ge-0/0/15 {
- description "TRUST LAN Interface - 10.1.163.1/24";
- unit 0 {
- family inet {
- address 10.1.163.1/24;
- }
- }
- }
- lo0 {
- unit 0 {
- family inet {
- filter {
- input PROTECT-RE;
- }
- }
- }
- }
- st0 {
- unit 1 {
- description "IPSEC VPN TO OJA NETWORK";
- family inet;
- }
- }
- vlan {
- unit 999 {
- description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
- family inet {
- address 10.1.0.1/24;
- }
- }
- }
-}
-snmp {
- description OneNet;
- contact "Net Group";
- community "<removed>" {
- authorization read-only;
- }
- community "<removed>" {
- authorization read-only;
- }
- community "<removed>" {
- authorization read-write;
- }
-}
-routing-options {
- static {
- route 0.0.0.0/0 next-hop 164.58.63.81;
- }
-}
-protocols {
- lldp {
- interface all;
- }
- stp;
-}
-policy-options {
- prefix-list PRE-MGMT-SOURCES {
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.253.0/24;
- }
- prefix-list PRE-LOCALIPv4-SOURCES {
- apply-path "interfaces <*> unit <*> family inet address <*>";
- }
-}
security {
ike {
traceoptions {
@@ -674,6 +555,130 @@
}
}
}
+interfaces {
+ ge-0/0/0 {
+ description "UNTRUST WAN Interface - 164.58.63.82/30";
+ unit 0 {
+ family inet {
+ address 164.58.63.82/30;
+ }
+ }
+ }
+ ge-0/0/1 {
+ unit 0 {
+ description TEST-INTERFACE;
+ family ethernet-switching {
+ vlan {
+ members TEST-VLAN;
+ }
+ }
+ }
+ }
+ ge-0/0/2 {
+ disable;
+ }
+ ge-0/0/3 {
+ disable;
+ }
+ ge-0/0/4 {
+ disable;
+ }
+ ge-0/0/5 {
+ disable;
+ }
+ ge-0/0/6 {
+ disable;
+ }
+ ge-0/0/7 {
+ disable;
+ }
+ ge-0/0/8 {
+ disable;
+ }
+ ge-0/0/9 {
+ disable;
+ }
+ ge-0/0/10 {
+ disable;
+ }
+ ge-0/0/11 {
+ disable;
+ }
+ ge-0/0/12 {
+ disable;
+ }
+ ge-0/0/13 {
+ disable;
+ }
+ ge-0/0/14 {
+ disable;
+ }
+ ge-0/0/15 {
+ description "TRUST LAN Interface - 10.1.163.1/24";
+ unit 0 {
+ family inet {
+ address 10.1.163.1/24;
+ }
+ }
+ }
+ lo0 {
+ unit 0 {
+ family inet {
+ filter {
+ input PROTECT-RE;
+ }
+ }
+ }
+ }
+ st0 {
+ unit 1 {
+ description "IPSEC VPN TO OJA NETWORK";
+ family inet;
+ }
+ }
+ vlan {
+ unit 999 {
+ description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
+ family inet {
+ address 10.1.0.1/24;
+ }
+ }
+ }
+}
+snmp {
+ description OneNet;
+ contact "Net Group";
+ community "<removed>" {
+ authorization read-only;
+ }
+ community "<removed>" {
+ authorization read-only;
+ }
+ community "<removed>" {
+ authorization read-write;
+ }
+}
+routing-options {
+ static {
+ route 0.0.0.0/0 next-hop 164.58.63.81;
+ }
+}
+protocols {
+ lldp {
+ interface all;
+ }
+ stp;
+}
+policy-options {
+ prefix-list PRE-MGMT-SOURCES {
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+}
firewall {
family inet {
filter PROTECT-RE {
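Review bot: The re-emitted `snmp` stanza keeps a community with `authorization read-write` and shows no `clients` restriction on any of its three communities. Unless the `PROTECT-RE` filter on `lo0` limits SNMP sources, anyone who learns that community string can write to the device, and the filter's terms are outside this hunk. I would add a `clients` list to each community limited to the `PRE-MGMT-SOURCES` prefixes defined a few lines below. The read-write community should be dropped if nothing depends on SNMP writes. The matching hunk for alex-ps (`@@ -657,6 +513,154 @@`) carries the same stanza.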
Index: configs/alex-ps.client.onenet.net
===================================================================
--- configs/alex-ps.client.onenet.net (revision 155126)
+++ configs/alex-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at ALEX-PS-LR-004908> show system commit
+# 2017-08-05 20:18:03 CDT by root via other
# 2017-07-22 12:58:46 CDT by root via other
# 2016-12-08 15:05:19 CST by sky via cli
# 2016-01-14 13:34:09 CST by sean via cli
# 2016-01-14 11:46:37 CST by andrew via cli
# 2016-01-14 11:45:37 CST by andrew via cli commit confirmed, rollback in 3mins
-# 2016-01-13 15:38:34 CST by admin via cli
# grnoc-mon at ALEX-PS-LR-004908> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at ALEX-PS-LR-004908> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at ALEX-PS-LR-004908> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at ALEX-PS-LR-004908> show version
# Hostname: ALEX-PS-LR-004908
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at ALEX-PS-LR-004908> show version invoke-on all-routing-engines
# Hostname: ALEX-PS-LR-004908
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at ALEX-PS-LR-004908> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at ALEX-PS-LR-004908> show system uptime
-# System booted: 2017-07-22 12:55 CDT
-# Protocols started: 2017-07-22 13:00 CDT
-# Last configured: 2017-07-22 12:58 CDT by root
+# System booted: 2017-08-05 20:15 CDT
+# Protocols started: 2017-08-05 20:19 CDT
+# Last configured: 2017-08-05 20:18 CDT by root
#
# grnoc-mon at ALEX-PS-LR-004908> show interface terse
#Interface Admin Link
@@ -182,8 +186,8 @@
#vlan.5 up down
#vlan.999 up down
# grnoc-mon at ALEX-PS-LR-004908> show configuration
-## Last commit: 2017-07-22 12:58:46 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 20:18:03 CDT by root
+version 12.3X48-D40.5;
system {
host-name ALEX-PS-LR-004908;
domain-name onenet.net;
@@ -326,154 +330,6 @@
server 164.58.3.98 prefer;
}
}
-interfaces {
- ge-0/0/0 {
- description "UNTRUST WAN Interface";
- unit 0 {
- family ethernet-switching {
- vlan {
- members UNTRUST-WAN-VLAN;
- }
- }
- }
- }
- ge-0/0/1 {
- unit 0 {
- description TEST-INTERFACE;
- family ethernet-switching {
- vlan {
- members TEST-VLAN;
- }
- }
- }
- }
- ge-0/0/2 {
- disable;
- }
- ge-0/0/3 {
- disable;
- }
- ge-0/0/4 {
- disable;
- }
- ge-0/0/5 {
- disable;
- }
- ge-0/0/6 {
- disable;
- }
- ge-0/0/7 {
- disable;
- }
- ge-0/0/8 {
- disable;
- }
- ge-0/0/9 {
- disable;
- }
- ge-0/0/10 {
- disable;
- }
- ge-0/0/11 {
- disable;
- }
- ge-0/0/12 {
- disable;
- }
- ge-0/0/13 {
- disable;
- }
- ge-0/0/14 {
- description "VOIP LAN Interface";
- unit 0 {
- family ethernet-switching {
- port-mode access;
- vlan {
- members 5;
- }
- }
- }
- }
- ge-0/0/15 {
- description "UNTRUST LAN Interface";
- unit 0 {
- family ethernet-switching {
- vlan {
- members UNTRUST-LAN-VLAN;
- }
- }
- }
- }
- lo0 {
- unit 0 {
- family inet {
- filter {
- input PROTECT-RE;
- }
- }
- }
- }
- vlan {
- unit 3 {
- description "L3 INTERFACE - UNTRUST-WAN-VLAN - 164.58.58.82/30";
- family inet {
- address 164.58.58.82/30;
- }
- }
- unit 4 {
- description "L3 INTERFACE - UNTRUST-LAN-VLAN - 156.110.42.113/28";
- family inet {
- address 156.110.42.113/28;
- }
- }
- unit 5 {
- description "L3 INTERFACE - VOIP - 192.168.42.1/24";
- family inet {
- address 192.168.42.1/24;
- }
- }
- unit 999 {
- description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
- family inet {
- address 10.1.0.1/24;
- }
- }
- }
-}
-snmp {
- description OneNet;
- contact "Net Group";
- community "<removed>" {
- authorization read-only;
- }
- community "<removed>" {
- authorization read-only;
- }
- community "<removed>" {
- authorization read-write;
- }
-}
-routing-options {
- static {
- route 0.0.0.0/0 next-hop 164.58.58.81;
- }
-}
-protocols {
- lldp {
- interface all;
- }
- stp;
-}
-policy-options {
- prefix-list PRE-MGMT-SOURCES {
- 156.110.31.0/27;
- 156.110.31.32/28;
- 164.58.253.0/24;
- }
- prefix-list PRE-LOCALIPv4-SOURCES {
- apply-path "interfaces <*> unit <*> family inet address <*>";
- }
-}
security {
address-book {
global {
@@ -657,6 +513,154 @@
}
}
}
+interfaces {
+ ge-0/0/0 {
+ description "UNTRUST WAN Interface";
+ unit 0 {
+ family ethernet-switching {
+ vlan {
+ members UNTRUST-WAN-VLAN;
+ }
+ }
+ }
+ }
+ ge-0/0/1 {
+ unit 0 {
+ description TEST-INTERFACE;
+ family ethernet-switching {
+ vlan {
+ members TEST-VLAN;
+ }
+ }
+ }
+ }
+ ge-0/0/2 {
+ disable;
+ }
+ ge-0/0/3 {
+ disable;
+ }
+ ge-0/0/4 {
+ disable;
+ }
+ ge-0/0/5 {
+ disable;
+ }
+ ge-0/0/6 {
+ disable;
+ }
+ ge-0/0/7 {
+ disable;
+ }
+ ge-0/0/8 {
+ disable;
+ }
+ ge-0/0/9 {
+ disable;
+ }
+ ge-0/0/10 {
+ disable;
+ }
+ ge-0/0/11 {
+ disable;
+ }
+ ge-0/0/12 {
+ disable;
+ }
+ ge-0/0/13 {
+ disable;
+ }
+ ge-0/0/14 {
+ description "VOIP LAN Interface";
+ unit 0 {
+ family ethernet-switching {
+ port-mode access;
+ vlan {
+ members 5;
+ }
+ }
+ }
+ }
+ ge-0/0/15 {
+ description "UNTRUST LAN Interface";
+ unit 0 {
+ family ethernet-switching {
+ vlan {
+ members UNTRUST-LAN-VLAN;
+ }
+ }
+ }
+ }
+ lo0 {
+ unit 0 {
+ family inet {
+ filter {
+ input PROTECT-RE;
+ }
+ }
+ }
+ }
+ vlan {
+ unit 3 {
+ description "L3 INTERFACE - UNTRUST-WAN-VLAN - 164.58.58.82/30";
+ family inet {
+ address 164.58.58.82/30;
+ }
+ }
+ unit 4 {
+ description "L3 INTERFACE - UNTRUST-LAN-VLAN - 156.110.42.113/28";
+ family inet {
+ address 156.110.42.113/28;
+ }
+ }
+ unit 5 {
+ description "L3 INTERFACE - VOIP - 192.168.42.1/24";
+ family inet {
+ address 192.168.42.1/24;
+ }
+ }
+ unit 999 {
+ description "L3 INTERFACE - TEST-VLAN - 10.1.0.1/24";
+ family inet {
+ address 10.1.0.1/24;
+ }
+ }
+ }
+}
+snmp {
+ description OneNet;
+ contact "Net Group";
+ community "<removed>" {
+ authorization read-only;
+ }
+ community "<removed>" {
+ authorization read-only;
+ }
+ community "<removed>" {
+ authorization read-write;
+ }
+}
+routing-options {
+ static {
+ route 0.0.0.0/0 next-hop 164.58.58.81;
+ }
+}
+protocols {
+ lldp {
+ interface all;
+ }
+ stp;
+}
+policy-options {
+ prefix-list PRE-MGMT-SOURCES {
+ 156.110.31.0/27;
+ 156.110.31.32/28;
+ 164.58.253.0/24;
+ }
+ prefix-list PRE-LOCALIPv4-SOURCES {
+ apply-path "interfaces <*> unit <*> family inet address <*>";
+ }
+}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/vici-public-schools.client.onenet.net
===================================================================
--- configs/vici-public-schools.client.onenet.net (revision 155155)
+++ configs/vici-public-schools.client.onenet.net (working copy)
@@ -88,6 +88,9 @@
# ad0: Device does not support APM
# ad0: 2000MB <CF 2GB 20100924> at ata2-master WDMA2
# Trying to mount root from ufs:/dev/ad0s1a
+# WARNING: / was not properly dismounted
+# WARNING: / was not properly dismounted
+# WARNING: R/W mount of /cf/var denied. Filesystem is not clean - run fsck
#
# grnoc-mon at VICI-PUBLIC-SCHOOLS-TAG-004342> show version
# Hostname: VICI-PUBLIC-SCHOOLS-TAG-004342
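Review bot: The three added boot warnings show that `/` was not cleanly dismounted and that the read-write mount of `/cf/var` was denied, so this device came up after an unclean shutdown. The `/var/tmp@ -> /cf/var/tmp` link in other sections of this mail suggests `/cf/var` backs `/var`, so `/var` may not be writable. That affects the audit trail: local syslog and commit history may not persist until the filesystem is repaired. `fsck` should be run as the message asks, and log storage verified afterwards. The next hunk in this file shows a reboot at 2017-08-05 20:11 with `Last configured` unchanged and no version change, unlike the upgraded devices here, so the cause of the reboot needs following up.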
@@ -104,8 +107,8 @@
# total files: 1
#
# grnoc-mon at VICI-PUBLIC-SCHOOLS-TAG-004342> show system uptime
-# System booted: 2017-07-23 16:36 CDT
-# Protocols started: 2017-07-23 16:38 CDT
+# System booted: 2017-08-05 20:11 CDT
+# Protocols started: 2017-08-05 20:13 CDT
# Last configured: 2017-07-23 16:37 CDT by root
#
# grnoc-mon at VICI-PUBLIC-SCHOOLS-TAG-004342> show interface terse
Index: configs/wilburton-ps.client.onenet.net
===================================================================
--- configs/wilburton-ps.client.onenet.net (revision 155506)
+++ configs/wilburton-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at WILBURTON-PS-LR-ASSET-004948> show system commit
+# 2017-08-05 20:16:05 CDT by root via other
# 2017-08-04 20:51:08 CDT by root via other
# 2016-01-11 14:59:43 CST by sky via cli
# 2016-01-11 14:57:31 CST by sky via cli
# 2016-01-11 13:32:50 CST by admin via cli
# 2016-01-11 13:27:04 CST by admin via cli
-# 2015-11-12 15:43:08 CST by onenet via cli commit confirmed, rollback in 2mins
# grnoc-mon at WILBURTON-PS-LR-ASSET-004948> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,9 +21,9 @@
#
# grnoc-mon at WILBURTON-PS-LR-ASSET-004948> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FPC 1 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FPC 1 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at WILBURTON-PS-LR-ASSET-004948> show chassis fpc detail
# Slot 0 information:
@@ -61,8 +61,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -113,26 +116,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at WILBURTON-PS-LR-ASSET-004948> show version
# Hostname: WILBURTON-PS-LR-ASSET-004948
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at WILBURTON-PS-LR-ASSET-004948> show version invoke-on all-routing-engines
# Hostname: WILBURTON-PS-LR-ASSET-004948
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at WILBURTON-PS-LR-ASSET-004948> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at WILBURTON-PS-LR-ASSET-004948> show system uptime
-# System booted: 2017-08-04 20:48 CDT
-# Protocols started: 2017-08-04 20:52 CDT
-# Last configured: 2017-08-04 20:51 CDT by root
+# System booted: 2017-08-05 20:13 CDT
+# Protocols started: 2017-08-05 20:17 CDT
+# Last configured: 2017-08-05 20:16 CDT by root
#
# grnoc-mon at WILBURTON-PS-LR-ASSET-004948> show interface terse
#Interface Admin Link
@@ -189,8 +193,8 @@
#vlan.3 up up
#vlan.999 up down
# grnoc-mon at WILBURTON-PS-LR-ASSET-004948> show configuration
-## Last commit: 2017-08-04 20:51:08 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 20:16:05 CDT by root
+version 12.3X48-D40.5;
system {
host-name WILBURTON-PS-LR-ASSET-004948;
domain-name onenet.net;
@@ -319,6 +323,119 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ ge-1/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/14.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/1 {
description "L2 INTERFACE - TEST-VLAN";
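Review bot: The re-emitted `security` stanza allows `ssh` and `snmp` as `host-inbound-traffic` on `ge-1/0/0.0` in the UNTRUST zone, so management exposure rests entirely on the `PROTECT-RE` filter, whose terms are outside this hunk. It is worth confirming that the filter limits both services to `PRE-MGMT-SOURCES`, or removing `snmp;` and `ssh;` from the untrust interface if management arrives another way. The `UNTRUST-TO-UNTRUST` and `ALLOW-ALL-OUT` policies permit any source, destination and application with no logging. If that open policy is intended, I would record it in a comment and add `log { session-close; }` to each `then` block so permitted sessions leave a record. The same stanza appears in the hunks for durant-head-start (`@@ -323,6 +327,112 @@`) and maysville-hs (`@@ -311,6 +315,111 @@`).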
@@ -454,119 +571,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- vlan.3 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- ge-1/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- ge-0/0/14.0 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/durant-head-start.client.onenet.net
===================================================================
--- configs/durant-head-start.client.onenet.net (revision 155126)
+++ configs/durant-head-start.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at CHOC-DURANT-HEAD-START-LR-004936> show system commit
+# 2017-08-05 20:58:18 CDT by root via other
# 2017-07-22 13:22:41 CDT by root via other
# 2016-01-19 15:58:14 CST by admin via cli
# 2016-01-19 15:44:33 CST by admin via cli
# 2016-01-19 15:33:59 CST by admin via cli
# 2016-01-19 23:19:11 CST by admin via cli commit confirmed, rollback in 3mins
-# 2016-01-19 16:43:57 CST by root via cli
# grnoc-mon at CHOC-DURANT-HEAD-START-LR-004936> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at CHOC-DURANT-HEAD-START-LR-004936> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at CHOC-DURANT-HEAD-START-LR-004936> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s2a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s1a
#
# grnoc-mon at CHOC-DURANT-HEAD-START-LR-004936> show version
# Hostname: CHOC-DURANT-HEAD-START-LR-004936
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at CHOC-DURANT-HEAD-START-LR-004936> show version invoke-on all-routing-engines
# Hostname: CHOC-DURANT-HEAD-START-LR-004936
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at CHOC-DURANT-HEAD-START-LR-004936> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at CHOC-DURANT-HEAD-START-LR-004936> show system uptime
-# System booted: 2017-07-22 13:19 CDT
-# Protocols started: 2017-07-22 13:24 CDT
-# Last configured: 2017-07-22 13:22 CDT by root
+# System booted: 2017-08-05 20:55 CDT
+# Protocols started: 2017-08-05 21:00 CDT
+# Last configured: 2017-08-05 20:58 CDT by root
#
# grnoc-mon at CHOC-DURANT-HEAD-START-LR-004936> show interface terse
#Interface Admin Link
@@ -179,8 +183,8 @@
#vlan.3 up up
#vlan.999 up down
# grnoc-mon at CHOC-DURANT-HEAD-START-LR-004936> show configuration
-## Last commit: 2017-07-22 13:22:41 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 20:58:18 CDT by root
+version 12.3X48-D40.5;
system {
host-name CHOC-DURANT-HEAD-START-LR-004936;
domain-name onenet.net;
@@ -323,6 +327,112 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ vlan.3 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 164.58.22.238/30";
@@ -456,112 +566,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- vlan.3 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- }
- }
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {
Index: configs/stringtown-high-school.client.onenet.net
===================================================================
--- configs/stringtown-high-school.client.onenet.net (revision 155532)
+++ configs/stringtown-high-school.client.onenet.net (working copy)
@@ -691,7 +691,6 @@
# OSPF instance is not running
#
# grnoc-mon at STRINGTOWN-HIGH-SCHOOL-TAG-004909> show bfd session
-quit
0 sessions, 0 clients
Cumulative transmit rate 0.0 pps, cumulative receive rate 0.0 pps
Index: configs/maysville-hs.client.onenet.net
===================================================================
--- configs/maysville-hs.client.onenet.net (revision 155508)
+++ configs/maysville-hs.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at MAYSVILLE-HS-LEASED-ASSET-TAG-004887> show system commit
+# 2017-08-05 20:15:05 CDT by root via other
# 2017-08-04 21:13:22 CDT by root via other
# 2016-01-27 15:43:17 CST by joel via cli commit confirmed, rollback in 5mins
# 2015-10-26 14:44:11 CDT by admin via cli
# 2015-10-26 18:25:25 CDT by root via cli
# 2015-10-26 18:10:08 CDT by root via cli
-# 2015-10-26 18:00:59 CDT by root via other
# grnoc-mon at MAYSVILLE-HS-LEASED-ASSET-TAG-004887> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -21,8 +21,8 @@
#
# grnoc-mon at MAYSVILLE-HS-LEASED-ASSET-TAG-004887> show chassis firmware
# Part Type Version
-# FPC 0 O/S Version 12.1X46-D65.4 by builder on 2016-12
-# FWDD O/S Version 12.1X46-D65.4 by builder on 2016-12
+# FPC 0 O/S Version 12.3X48-D40.5 by builder on 2016-10
+# FWDD O/S Version 12.3X48-D40.5 by builder on 2016-10
#
# grnoc-mon at MAYSVILLE-HS-LEASED-ASSET-TAG-004887> show chassis fpc detail
# Slot 0 information:
@@ -54,8 +54,11 @@
# Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
# The Regents of the University of California. All rights reserved.
# FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
+# Security policy loaded: Junos MAC/veriexec (mac_veriexec)
# Security policy loaded: JUNOS MAC/pcap (mac_pcap)
# Security policy loaded: JUNOS MAC/runasnonroot (mac_runasnonroot)
+# MAC/veriexec fingerprint module loaded: SHA256
+# MAC/veriexec fingerprint module loaded: SHA1
# netisr_init: !debug_mpsafenet, forcing maxthreads from 4 to 1
# cpu0 on motherboard
# : CAVIUM's OCTEON 52XX CPU Rev. 0.8 with no FPU implemented
@@ -106,26 +109,27 @@
# da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
# da0: 40.000MB/s transfers
# da0: 2000MB (4096000 512 byte sectors: 255H 63S/T 254C)
-# Trying to mount root from ufs:/dev/da0s1a
+# Kernel thread "wkupdaemon" (pid 48) exited prematurely.
+# Trying to mount root from ufs:/dev/da0s2a
#
# grnoc-mon at MAYSVILLE-HS-LEASED-ASSET-TAG-004887> show version
# Hostname: MAYSVILLE-HS-LEASED-ASSET-TAG-004887
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at MAYSVILLE-HS-LEASED-ASSET-TAG-004887> show version invoke-on all-routing-engines
# Hostname: MAYSVILLE-HS-LEASED-ASSET-TAG-004887
# Model: srx240h2
-# JUNOS Software Release [12.1X46-D65.4]
+# JUNOS Software Release [12.3X48-D40.5]
#
# grnoc-mon at MAYSVILLE-HS-LEASED-ASSET-TAG-004887> file list /var/tmp detail
-# lrw-r--r-- 1 root wheel 11 Dec 29 2016 /var/tmp@ -> /cf/var/tmp
+# lrw-r--r-- 1 root wheel 11 Oct 27 2016 /var/tmp@ -> /cf/var/tmp
# total files: 1
#
# grnoc-mon at MAYSVILLE-HS-LEASED-ASSET-TAG-004887> show system uptime
-# System booted: 2017-08-04 21:10 CDT
-# Protocols started: 2017-08-04 21:14 CDT
-# Last configured: 2017-08-04 21:13 CDT by root
+# System booted: 2017-08-05 20:12 CDT
+# Protocols started: 2017-08-05 20:16 CDT
+# Last configured: 2017-08-05 20:15 CDT by root
#
# grnoc-mon at MAYSVILLE-HS-LEASED-ASSET-TAG-004887> show interface terse
#Interface Admin Link
@@ -178,8 +182,8 @@
#vlan up up
#vlan.999 up down
# grnoc-mon at MAYSVILLE-HS-LEASED-ASSET-TAG-004887> show configuration
-## Last commit: 2017-08-04 21:13:22 CDT by root
-version 12.1X46-D65.4;
+## Last commit: 2017-08-05 20:15:05 CDT by root
+version 12.3X48-D40.5;
system {
host-name MAYSVILLE-HS-LEASED-ASSET-TAG-004887;
domain-name onenet.net;
@@ -311,6 +315,111 @@
server 164.58.3.98 prefer;
}
}
+security {
+ screen {
+ ids-option UNTRUST-SCREEN {
+ icmp {
+ ping-death;
+ }
+ ip {
+ source-route-option;
+ tear-drop;
+ }
+ tcp {
+ syn-flood {
+ alarm-threshold 1024;
+ attack-threshold 200;
+ source-threshold 1024;
+ destination-threshold 2048;
+ timeout 20;
+ }
+ land;
+ }
+ }
+ }
+ nat {
+ source {
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
+ to zone UNTRUST;
+ rule NAT-TEST-TO-UNTRUST {
+ match {
+ source-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ interface;
+ }
+ }
+ }
+ }
+ }
+ }
+ policies {
+ from-zone UNTRUST to-zone UNTRUST {
+ policy UNTRUST-TO-UNTRUST {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ }
+ zones {
+ security-zone TEST {
+ interfaces {
+ vlan.999 {
+ host-inbound-traffic {
+ system-services {
+ dhcp;
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
+ interfaces {
+ ge-0/0/0.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ snmp;
+ ssh;
+ traceroute;
+ }
+ }
+ }
+ ge-0/0/15.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
+ }
+ }
+ }
+}
interfaces {
ge-0/0/0 {
description "L3 INTERFACE - UNTRUST-WAN - 164.58.58.90/30";
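Review bot: The UNTRUST zone keeps `ssh;` and `snmp;` under host-inbound-traffic on `ge-0/0/0.0`, which the interface description labels UNTRUST-WAN, so management access on the WAN side rests entirely on the `PROTECT-RE` filter and on SNMP client restrictions that are not visible in this hunk. The stanza is relocated verbatim (the matching removal is the later `@@ -430,111 +539,6 @@` hunk), so this is not new exposure, but the move to 12.3X48-D40.5 is a good point to re-verify that `PROTECT-RE` limits both services to the NOC management prefixes. Separately, `policy UNTRUST-TO-UNTRUST` permits any/any/any with no logging. If that transit behaviour is intended, adding `log { session-close; }` under its `then` would at least leave a record of it. The `interfaces` stanza continues outside the hunk.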
@@ -430,111 +539,6 @@
apply-path "interfaces <*> unit <*> family inet address <*>";
}
}
-security {
- screen {
- ids-option UNTRUST-SCREEN {
- icmp {
- ping-death;
- }
- ip {
- source-route-option;
- tear-drop;
- }
- tcp {
- syn-flood {
- alarm-threshold 1024;
- attack-threshold 200;
- source-threshold 1024;
- destination-threshold 2048;
- timeout 20;
- }
- land;
- }
- }
- }
- nat {
- source {
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
- to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
- match {
- source-address 0.0.0.0/0;
- }
- then {
- source-nat {
- interface;
- }
- }
- }
- }
- }
- }
- policies {
- from-zone UNTRUST to-zone UNTRUST {
- policy UNTRUST-TO-UNTRUST {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
- match {
- source-address any;
- destination-address any;
- application any;
- }
- then {
- permit;
- }
- }
- }
- }
- zones {
- security-zone TEST {
- interfaces {
- vlan.999 {
- host-inbound-traffic {
- system-services {
- dhcp;
- ping;
- traceroute;
- }
- }
- }
- }
- }
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
- interfaces {
- ge-0/0/0.0 {
- host-inbound-traffic {
- system-services {
- ping;
- snmp;
- ssh;
- traceroute;
- }
- }
- }
- ge-0/0/15.0 {
- host-inbound-traffic {
- system-services {
- ping;
- traceroute;
- }
- }
- }
- }
- }
- }
-}
firewall {
family inet {
filter PROTECT-RE {