[Nocrancid] autopop-onenet.net router config diffs
rancid at rancid.noc.onenet.net
rancid at rancid.noc.onenet.net
Sat Aug 19 15:05:39 CDT 2017
Index: configs/olustee-eldorado-ps.client.onenet.net
===================================================================
--- configs/olustee-eldorado-ps.client.onenet.net (revision 155909)
+++ configs/olustee-eldorado-ps.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OLUSTEE-ELDORADO-PS-LR-005451> show system commit
+# 2017-08-19 14:55:12 CDT by joel via cli
+# 2017-08-19 14:48:27 CDT by joel via cli commit confirmed, rollback in 5mins
# 2017-08-19 13:58:00 CDT by joel via cli
# 2017-08-18 14:15:51 CDT by andrew via cli
# 2017-08-18 14:14:06 CDT by andrew via cli
# 2017-08-17 13:52:22 CDT by admin via cli
-# 2017-08-17 13:49:04 CDT by admin via cli
-# 2017-08-17 13:20:28 CDT by admin via cli
# grnoc-mon at OLUSTEE-ELDORADO-PS-LR-005451> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -136,7 +136,7 @@
# Time Source: NTP CLOCK
# System booted: 2017-08-19 12:50 CDT
# Protocols started: 2017-08-19 12:50 CDT
-# Last configured: 2017-08-19 13:58 CDT by joel
+# Last configured: 2017-08-19 14:55 CDT by joel
#
# grnoc-mon at OLUSTEE-ELDORADO-PS-LR-005451> show interface terse
#Interface Admin Link
@@ -157,6 +157,7 @@
#ge-0/0/4 down down
#ge-0/0/5 down down
#ge-0/0/6 down down
+#ge-0/0/6.0 up down
#ge-0/0/7 up up
#ge-0/0/7.0 up up
#ge-0/0/8 down down
@@ -193,7 +194,7 @@
#vlan up down
#vtep up up
# grnoc-mon at OLUSTEE-ELDORADO-PS-LR-005451> show configuration
-## Last commit: 2017-08-19 13:58:00 CDT by joel
+## Last commit: 2017-08-19 14:55:12 CDT by joel
version 15.1X49-D90.7;
system {
host-name OLUSTEE-ELDORADO-PS-LR-005451;
@@ -331,8 +332,7 @@
security {
address-book {
global {
- address NET-156.110.39.136/29 156.110.39.136/29;
- address NET-156.110.39.248/29 156.110.39.248/29;
+ address DOMAIN-CONTROLLER-172.16.1.2 172.16.1.2/32;
}
}
screen {
@@ -358,12 +358,12 @@
}
nat {
source {
- rule-set TRUST-TO-UNTRUST-NAT {
- from zone TRUST;
+ rule-set TEST-TO-UNTRUST-NAT {
+ from zone TEST;
to zone UNTRUST;
- rule NAT-TRUST-TO-UNTRUST {
+ rule NAT-TEST-TO-UNTRUST {
match {
- source-address 172.16.0.0/16;
+ source-address 0.0.0.0/0;
}
then {
source-nat {
@@ -372,12 +372,12 @@
}
}
}
- rule-set TEST-TO-UNTRUST-NAT {
- from zone TEST;
+ rule-set TRUST-TO-UNTRUST-NAT {
+ from zone TRUST;
to zone UNTRUST;
- rule NAT-TEST-TO-UNTRUST {
+ rule NAT-TRUST-TO-UNTRUST {
match {
- source-address 0.0.0.0/0;
+ source-address 172.16.0.0/12;
}
then {
source-nat {
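Review bot: The net effect of this hunk and the one above it (lines 60-76) is a swap of the two rule-set blocks plus one real change: the match for rule NAT-TRUST-TO-UNTRUST goes from `source-address 172.16.0.0/16;` to `source-address 172.16.0.0/12;`. The TRUST side of this box is still addressed as 172.16.1.1/16 (ge-0/0/7 description and address later in the diff), so the /12 no longer mirrors the interface prefix and may be a typo rather than a deliberate widening to the whole 172.16/12 range. If it is intentional, a `description` on the rule saying which additional 172.x networks are expected behind TRUST would make the mismatch with the /16 interface obvious to the next reader; otherwise restore `source-address 172.16.0.0/16;`. The rule's then/source-nat body continues outside the hunk.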
@@ -387,10 +387,27 @@
}
}
}
+ static {
+ rule-set STATIC-NAT {
+ from zone UNTRUST;
+ rule NAT-VPN-TO-DOMAIN-CONTROLLER {
+ match {
+ destination-address 156.110.39.250/32;
+ }
+ then {
+ static-nat {
+ prefix {
+ 172.16.1.2/32;
+ }
+ }
+ }
+ }
+ }
+ }
}
policies {
- from-zone TRUST to-zone UNTRUST {
- policy TRUST-TO-UNTRUST {
+ from-zone TEST to-zone UNTRUST {
+ policy ALLOW-ALL-OUT {
match {
source-address any;
destination-address any;
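Review bot: The new static NAT rule NAT-VPN-TO-DOMAIN-CONTROLLER translates 156.110.39.250/32 to 172.16.1.2/32 from zone UNTRUST, but in this same commit the enclosing 156.110.39.248/29 is moved off ge-0/0/7 onto ge-0/0/6, which stays `disable` and whose unit is only bound to UNTRUST as `inactive: ge-0/0/6.0` (lines 225-251 and 165-224). As the diff stands, no active interface holds that prefix, so the static NAT and the matching ALLOW-VPN-TO-DOMAIN-CONTROLLER policy cannot take effect until ge-0/0/6 is enabled and its zone binding activated; if this is a staged change, saying so in the interface description would prevent it being mistaken for a broken translation. Also, .250 is not the interface's own address (.249), so on Junos the box will presumably need a `security nat proxy-arp` entry for 156.110.39.250/32 on the UNTRUST interface to answer ARP for it; please confirm, as nothing in the diff adds one. The two deleted address-book objects NET-156.110.39.136/29 and NET-156.110.39.248/29 (lines 54-55) are consistent with the policy now targeting the DOMAIN-CONTROLLER object, so that part looks complete.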
@@ -401,8 +418,8 @@
}
}
}
- from-zone TEST to-zone UNTRUST {
- policy ALLOW-ALL-OUT {
+ from-zone TRUST to-zone UNTRUST {
+ policy TRUST-TO-UNTRUST {
match {
source-address any;
destination-address any;
@@ -414,10 +431,27 @@
}
}
from-zone UNTRUST to-zone TRUST {
- policy 201708071232 {
+ policy ALLOW-VPN-TO-DOMAIN-CONTROLLER {
+ description "Allow Microsfot L2TP/IPSEC VPN access to Domain Controller";
match {
source-address any;
- destination-address [ NET-156.110.39.136/29 NET-156.110.39.248/29 ];
+ destination-address DOMAIN-CONTROLLER-172.16.1.2;
+ application MICROSOFT-IPSEC-VPN;
+ }
+ then {
+ permit;
+ log {
+ session-init;
+ session-close;
+ }
+ }
+ }
+ }
+ from-zone TRUST to-zone TRUST {
+ policy TRUST-TO-TRUST {
+ match {
+ source-address any;
+ destination-address any;
application any;
}
then {
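Review bot: The description on policy ALLOW-VPN-TO-DOMAIN-CONTROLLER has a typo; it should read `description "Allow Microsoft L2TP/IPSEC VPN access to Domain Controller";`. Pinning the UNTRUST-to-TRUST permit to a single address-book object and a named application, with session-init and session-close logging, is the right shape for an inbound exposure like this, so the structure is fine. The new intra-zone policy TRUST-TO-TRUST matches any/any/any and its then-clause falls outside the hunk; a one-line description explaining why intra-zone traffic needs an explicit policy here would help, since the effect depends on that unseen action.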
@@ -427,41 +461,48 @@
}
}
zones {
- security-zone TRUST {
+ security-zone TEST {
interfaces {
- ge-0/0/7.0 {
+ irb.999 {
host-inbound-traffic {
system-services {
+ dhcp;
ping;
traceroute;
- dhcp;
}
}
}
}
}
- security-zone TEST {
+ security-zone UNTRUST {
+ screen UNTRUST-SCREEN;
interfaces {
- irb.999 {
+ ge-0/0/0.0 {
host-inbound-traffic {
system-services {
- dhcp;
ping;
+ snmp;
+ ssh;
traceroute;
}
}
}
+ inactive: ge-0/0/6.0 {
+ host-inbound-traffic {
+ system-services {
+ ping;
+ traceroute;
+ }
+ }
+ }
}
}
- security-zone UNTRUST {
- screen UNTRUST-SCREEN;
+ security-zone TRUST {
interfaces {
- ge-0/0/0.0 {
+ ge-0/0/7.0 {
host-inbound-traffic {
system-services {
ping;
- snmp;
- ssh;
traceroute;
}
}
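Review bot: The UNTRUST zone interface ge-0/0/0.0 lists `ssh;` and `snmp;` under host-inbound-traffic system-services; these lines are carried over from the old block rather than added here, but the zone definition is rewritten in this hunk so it is the natural place to check them. Management services reachable on the untrusted interface should be confined by something outside this diff, such as a loopback firewall filter or an allowed-source list for the SSH service, which the diff does not show; a short comment or description noting where that restriction lives would help. The `inactive: ge-0/0/6.0` binding is tied to the static NAT change earlier in the diff and is worth a note saying when it is meant to be activated. The TRUST zone's ge-0/0/7.0 loses `dhcp;` from host-inbound, which is consistent with the removal of pool TRUST-POOL later in the diff.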
@@ -503,18 +544,20 @@
disable;
}
ge-0/0/6 {
+ description "L3 INTERFACE - UNTRUST-LAN - 156.110.39.137/29 - 156.110.39.249/29";
disable;
+ unit 0 {
+ family inet {
+ address 156.110.39.137/29;
+ address 156.110.39.249/29;
+ }
+ }
}
ge-0/0/7 {
description "L3 INTERFACE - TRUST-VLAN - 172.16.1.1/16";
unit 0 {
family inet {
- address 172.16.1.1/16 {
- primary;
- preferred;
- }
- address 156.110.39.137/29;
- address 156.110.39.249/29;
+ address 172.16.1.1/16;
}
}
}
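Review bot: ge-0/0/6 receives the two /29 addresses and an "UNTRUST-LAN" description but keeps `disable;`, and the interface-terse output at line 37 confirms ge-0/0/6.0 is "up down", so these addresses are currently unreachable. Since the same addresses were removed from ge-0/0/7 in this hunk, the box has, at the moment of this commit, no active interface in 156.110.39.136/29 or 156.110.39.248/29; if that is deliberate staging, extending the description with something like `description "L3 INTERFACE - UNTRUST-LAN - 156.110.39.137/29 - 156.110.39.249/29 (STAGED, disabled until cutover)";` would make it explicit. Dropping `primary;`/`preferred;` on 172.16.1.1/16 is fine now that it is the unit's only address.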
@@ -666,25 +709,6 @@
}
}
}
- pool TRUST-POOL {
- family inet {
- network 172.16.0.0/16;
- range ONENET {
- low 172.16.0.10;
- high 172.16.0.250;
- }
- dhcp-attributes {
- domain-name olustee-ps.local;
- name-server {
- 164.58.200.200;
- 156.110.200.200;
- }
- router {
- 172.16.1.1;
- }
- }
- }
- }
}
}
switch-options {
@@ -695,6 +719,13 @@
}
}
}
+applications {
+ application MICROSOFT-IPSEC-VPN {
+ term tcp-50 protocol tcp destination-port 50;
+ term udp-500 protocol udp destination-port 500;
+ term udp-4500 protocol udp destination-port 4500;
+ }
+}
vlans {
TEST-VLAN {
description "Test VLAN 999 for TESTING ONLY";
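Review bot: The application MICROSOFT-IPSEC-VPN has `term tcp-50 protocol tcp destination-port 50;`, but ESP is IP protocol 50, not a TCP port, so this term never matches the traffic it is named for. For L2TP/IPsec the terms needed are IKE (`term udp-500 protocol udp destination-port 500;`), NAT-T (`term udp-4500 protocol udp destination-port 4500;`), and ESP itself as `term esp protocol esp;`; since the domain controller sits behind a static NAT, clients will presumably negotiate NAT-T and carry ESP inside UDP 4500, but the raw ESP term is still the correct replacement for the tcp-50 line. L2TP's own UDP 1701 travels inside the IPsec tunnel and should not need a separate term unless unencrypted L2TP is expected, which the description does not suggest.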
Index: configs/hub.dur.onenet.net
===================================================================
--- configs/hub.dur.onenet.net (revision 155909)
+++ configs/hub.dur.onenet.net (working copy)
@@ -433,7 +433,7 @@
#fe-2/1/1 up up
#fe-2/1/1.0 up up
#fe-2/1/2 up down
-#fe-2/1/3 down down
+#fe-2/1/3 down up
#ge-2/2/0 up up
#ge-2/2/0.0 up up
#pc-2/2/0 up up