[Nocrancid] autopop-onenet.net router config diffs
rancid at rancid.noc.onenet.net
rancid at rancid.noc.onenet.net
Mon Aug 28 22:04:46 CDT 2017
Index: configs/core2.dc.onenet.net
===================================================================
--- configs/core2.dc.onenet.net (revision 156158)
+++ configs/core2.dc.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at MX480_DC_02_RE0> show system commit
+# 2017-08-28 21:58:54 CDT by andrew via cli commit synchronize
+# 2017-08-28 21:30:56 CDT by andrew via cli commit confirmed, rollback in 3mins synchronize
# 2017-08-28 12:52:54 CDT by andrew via cli commit synchronize
# 2017-08-28 12:49:32 CDT by andrew via cli commit synchronize
# 2017-08-28 12:30:18 CDT by andrew via cli commit synchronize
# 2017-08-10 17:16:49 CDT by andrew via cli commit confirmed, rollback in 3mins synchronize
-# 2017-08-02 18:31:10 CDT by andrew via cli commit synchronize
-# 2017-07-31 17:43:59 CDT by andrew via cli commit synchronize
# grnoc-mon at MX480_DC_02_RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -421,7 +421,7 @@
# grnoc-mon at MX480_DC_02_RE0> show system uptime
# System booted: 2016-09-03 21:49 CDT
# Protocols started: 2016-09-03 21:51 CDT
-# Last configured: 2017-08-28 12:52 CDT by andrew
+# Last configured: 2017-08-28 21:58 CDT by andrew
#
# {master}
# grnoc-mon at MX480_DC_02_RE0> show interface terse
@@ -510,6 +510,7 @@
#xe-2/1/1.2531 up up
#xe-2/1/1.2533 up up
#xe-2/1/1.2540 up up
+#xe-2/1/1.2543 up up
#xe-2/1/1.2550 up up
#xe-2/1/1.2559 up up
#xe-2/1/1.32767 up up
@@ -661,6 +662,7 @@
#irb.4031 up up
#irb.4032 up up
#irb.4033 up up
+#irb.4034 up up
#irb.4036 up up
#irb.4037 up up
#irb.4038 up up
@@ -680,7 +682,7 @@
#pp0 up up
#tap up up
# grnoc-mon at MX480_DC_02_RE0> show configuration
-## Last commit: 2017-08-28 12:52:54 CDT by andrew
+## Last commit: 2017-08-28 21:58:54 CDT by andrew
version 12.3R7.7;
groups {
re0 {
@@ -1078,6 +1080,14 @@
address 10.119.254.67/31;
}
}
+ unit 2543 {
+ description "CORE2-DC-TO-ONENET-MGMT [ORDERED]";
+ vlan-id 2543;
+ family inet {
+ mtu 9000;
+ address 10.199.208.253/31;
+ }
+ }
unit 2550 {
description "CORE2-DC-TO-OMES-MGMT [ORDERED]";
vlan-id 2550;
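Review bot: The new `unit 2543` has no `sampling` stanza under `family inet`, while the far end of this VLAN on core2-okc-mx960 and core4.okc configures `sampling { input; output; }` and core1.dc's unit 2543 configures `sampling { input; }` only, so flow visibility on the management link differs per router. If flow records are meant to be collected uniformly, add `sampling { input; output; }` under `family inet` here and align the core1.dc unit 2543 hunk (configs/core1.dc.onenet.net) the same way, or document why the DC side samples differently. The enclosing `interfaces` stanza begins outside the hunk.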
@@ -1901,6 +1911,12 @@
address 10.197.9.2/29;
}
}
+ unit 4034 {
+ description "onenet_mgmt [ORDERED]";
+ family inet {
+ address 10.197.8.194/29;
+ }
+ }
unit 4036 {
description "MX to SRX VLAN40356";
family inet {
@@ -2350,6 +2366,28 @@
then reject;
}
}
+ policy-statement EBGP-ONENET-DC-ONENET-MGMT-V4-EXPORT {
+ term ACCEPT-DEFAULT {
+ from {
+ route-filter 0.0.0.0/0 exact;
+ }
+ then accept;
+ }
+ term REJECT-ALL-ELSE {
+ then reject;
+ }
+ }
+ policy-statement EBGP-ONENET-DC-ONENET-MGMT-V4-IMPORT {
+ term REJECT-DEFAULT {
+ from {
+ route-filter 0.0.0.0/0 exact;
+ }
+ then reject;
+ }
+ term ACCEPT-ALL-ELSE {
+ then accept;
+ }
+ }
policy-statement EBGP-ONENET-DC-SEPLS-V4-EXPORT {
term SEND-ONENET-MGMT {
from {
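Review bot: `EBGP-ONENET-DC-ONENET-MGMT-V4-IMPORT` accepts every prefix from the AS 5078 peer except the exact default, with no route-filter or prefix limit, and the `REDISTRIBUTE-BGP-OSPF` policy added in the next hunk then redistributes whatever was accepted into OSPF area 0 of the `onenet_mgmt` instance unfiltered, so a leak or misconfiguration on the peer side propagates straight into the management IGP. Replacing `ACCEPT-ALL-ELSE` with a term such as `from { route-filter <EXPECTED-MGMT-PREFIX> orlonger; } then accept;` followed by a final `then reject`, and/or adding a `prefix-limit` under `family inet unicast` on the neighbor, would bound that blast radius. The same two policies are added unchanged on core1.dc (the `EBGP-ONENET-DC-ONENET-MGMT-V4-*` and `REDISTRIBUTE-BGP-OSPF` hunks in configs/core1.dc.onenet.net). The enclosing `policy-options` block begins outside the hunk.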
@@ -2504,6 +2542,17 @@
}
}
}
+ policy-statement REDISTRIBUTE-BGP-OSPF {
+ term accept {
+ from protocol bgp;
+ then {
+ external {
+ type 1;
+ }
+ accept;
+ }
+ }
+ }
policy-statement REDISTRIBUTE-DIRECTS {
term 1 {
from {
@@ -3438,6 +3487,39 @@
}
}
}
+ onenet_mgmt {
+ apply-groups OSPF-RI;
+ instance-type virtual-router;
+ interface irb.4034;
+ routing-options {
+ router-id 10.197.8.194;
+ autonomous-system 64595;
+ }
+ protocols {
+ bgp {
+ group EBGP-ONENET-MGMT {
+ type external;
+ family inet {
+ unicast;
+ }
+ as-override;
+ neighbor 10.199.208.252 {
+ description "ONENET-DC-TO-ONENET-MGMT [ORDERED]";
+ import EBGP-ONENET-DC-ONENET-MGMT-V4-IMPORT;
+# authentication-#key <removed>;
+ export EBGP-ONENET-DC-ONENET-MGMT-V4-EXPORT;
+ peer-as 5078;
+ }
+ }
+ }
+ ospf {
+ export [ REDISTRIBUTE-BGP-OSPF REDISTRIBUTE-STATICS-OSPF ];
+ area 0.0.0.0 {
+ interface irb.4034;
+ }
+ }
+ }
+ }
trust_netgrp {
apply-groups OSPF-RI;
instance-type virtual-router;
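Review bot: The `onenet_mgmt` instance lists only `interface irb.4034;`, yet the BGP neighbor 10.199.208.252 lives on the /31 configured on `xe-2/1/1` unit 2543 earlier in this diff, and that unit is not placed in the instance; unless it is added somewhere outside these hunks, the session is sourced from a table with no connected route to the peer and will not establish. The equivalent instance on core1.dc lists both `interface xe-1/1/1.2543;` and `interface irb.4034;`, so the fix here is to add `interface xe-2/1/1.2543;` ahead of `interface irb.4034;`. The masked `authentication-key` line shows the session is configured with an authentication key, consistent with the other three peers in this diff. The enclosing `routing-instances` block begins outside the hunk.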
@@ -3836,6 +3918,10 @@
vlan-id 300;
routing-interface irb.300;
}
+ onenet_mgmt-srx-01-4034 {
+ vlan-id 4034;
+ routing-interface irb.4034;
+ }
optical___-01-0810 {
vlan-id 810;
routing-interface irb.810;
Index: configs/core2-okc-mx960.onenet.net
===================================================================
--- configs/core2-okc-mx960.onenet.net (revision 155884)
+++ configs/core2-okc-mx960.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKC-CORE2-MX960-RE0> show system commit
+# 2017-08-28 22:00:08 CDT by andrew via cli commit synchronize
+# 2017-08-28 21:56:49 CDT by andrew via cli commit synchronize
# 2017-08-01 10:39:50 CDT by joel via cli commit synchronize
# 2017-07-30 13:04:26 CDT by andrew via cli commit synchronize
# 2017-07-29 20:55:55 CDT by andrew via cli commit confirmed, rollback in 3mins synchronize
# 2017-07-28 20:39:57 CDT by andrew via cli commit confirmed, rollback in 3mins synchronize
-# 2017-07-26 19:56:42 CDT by andrew via cli commit synchronize
-# 2017-07-22 11:21:20 CDT by andrew via cli commit confirmed, rollback in 3mins synchronize
# grnoc-mon at OKC-CORE2-MX960-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -533,7 +533,7 @@
# grnoc-mon at OKC-CORE2-MX960-RE0> show system uptime
# System booted: 2016-10-12 08:15 CDT
# Protocols started: 2016-10-12 08:18 CDT
-# Last configured: 2017-08-01 10:39 CDT by joel
+# Last configured: 2017-08-28 22:00 CDT by andrew
#
# {master}
# grnoc-mon at OKC-CORE2-MX960-RE0> show interface terse
@@ -555,6 +555,7 @@
#xe-0/1/0.2531 up up
#xe-0/1/0.2533 up up
#xe-0/1/0.2540 up up
+#xe-0/1/0.2543 up up
#xe-0/1/0.2550 up up
#xe-0/1/0.2559 up up
#xe-0/1/0.32767 up up
@@ -711,6 +712,7 @@
#lsi.2 up up
#lsi.3 up up
#lsi.4 up up
+#lsi.5 up up
#mtun up up
#pimd up up
#pime up up
@@ -718,7 +720,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKC-CORE2-MX960-RE0> show configuration
-## Last commit: 2017-08-01 10:39:50 CDT by joel
+## Last commit: 2017-08-28 22:00:08 CDT by andrew
version 13.3R8.7;
groups {
re0 {
@@ -1084,6 +1086,18 @@
address 10.119.254.66/31;
}
}
+ unit 2543 {
+ description "ONENET-MGMT-TO-CORE2-DC [ORDERED]";
+ vlan-id 2543;
+ family inet {
+ mtu 9000;
+ sampling {
+ input;
+ output;
+ }
+ address 10.199.208.252/31;
+ }
+ }
unit 2550 {
description "OMES-MGMT-TO-CORE2-DC [ORDERED]";
vlan-id 2550;
@@ -12588,6 +12602,28 @@
then reject;
}
}
+ policy-statement EBGP-ONENET-MGMT-ONENET-DC-EXPORT {
+ term REJECT-DEFAULT {
+ from {
+ route-filter 0.0.0.0/0 exact;
+ }
+ then reject;
+ }
+ term ALLOW-ALL-ELSE {
+ then accept;
+ }
+ }
+ policy-statement EBGP-ONENET-MGMT-ONENET-DC-IMPORT {
+ term ACCEPT-DEFAULT {
+ from {
+ route-filter 0.0.0.0/0 exact;
+ }
+ then accept;
+ }
+ term REJECT-ALL-ELSE {
+ then reject;
+ }
+ }
policy-statement EBGP-SEPLS-ONENET-DC-V4-EXPORT {
term SEND-LINKS {
from {
@@ -12721,6 +12757,48 @@
then reject;
}
}
+ policy-statement ONENET-MGMT-VRF-EXPORT {
+ term 1 {
+ from protocol static;
+ then {
+ community add ONENET-MGMT-VPN;
+ accept;
+ }
+ }
+ term 2 {
+ from protocol direct;
+ then {
+ community add ONENET-MGMT-VPN;
+ accept;
+ }
+ }
+ term 3 {
+ from protocol ospf;
+ then {
+ community add ONENET-MGMT-VPN;
+ accept;
+ }
+ }
+ term 4 {
+ from protocol bgp;
+ then {
+ community add ONENET-MGMT-VPN;
+ accept;
+ }
+ }
+ }
+ policy-statement ONENET-MGMT-VRF-IMPORT {
+ term 1 {
+ from {
+ protocol bgp;
+ community ONENET-MGMT-VPN;
+ }
+ then accept;
+ }
+ term 2 {
+ then reject;
+ }
+ }
policy-statement ONENET-UPS-VRF-EXPORT {
term 1 {
from protocol static;
@@ -12871,6 +12949,7 @@
community ODMHSAS-VPN members target:5078:2559;
community OKCCORE2 members 5078:212;
community OMES-MGMT-VPN members target:5078:2550;
+ community ONENET-MGMT-VPN members target:5078:2543;
community ONET-UPS-VPN members target:5078:100;
community SEPLS-VPN members target:5078:2533;
community TAGNET-VPN members target:5078:2531;
@@ -13423,6 +13502,33 @@
}
}
}
+ ONENET-MGMT-L3VPN {
+ description ONENET-MGMT-L3VPN;
+ instance-type vrf;
+ interface xe-0/1/0.2543;
+ route-distinguisher 164.58.199.212:2543;
+ vrf-import ONENET-MGMT-VRF-IMPORT;
+ vrf-export ONENET-MGMT-VRF-EXPORT;
+ vrf-target target:5078:2543;
+ vrf-table-label;
+ protocols {
+ bgp {
+ group EBGP-ONENET-MGMT-ONENET-DC {
+ type external;
+ family inet {
+ unicast;
+ }
+ neighbor 10.199.208.253 {
+ description "ONENET-MGMT-TO-CORE1-DC [ORDERED]";
+ import EBGP-ONENET-MGMT-ONENET-DC-IMPORT;
+# authentication-#key <removed>;
+ export EBGP-ONENET-MGMT-ONENET-DC-EXPORT;
+ peer-as 64595;
+ }
+ }
+ }
+ }
+ }
SEPLS-L3VPN {
description SEPLS-L3VPN;
instance-type vrf;
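Review bot: The `neighbor 10.199.208.253` description reads "ONENET-MGMT-TO-CORE1-DC", but 10.199.208.253/31 is the address core2.dc assigns to its unit 2543 in this same diff, and this router's own `xe-0/1/0.2543` description already says "ONENET-MGMT-TO-CORE2-DC". The line should be `description "ONENET-MGMT-TO-CORE2-DC [ORDERED]";` so that anyone correlating BGP alarms or flow logs is not pointed at the wrong DC router; the matching neighbor on core4.okc (10.199.208.255, which is core1.dc) is labelled correctly. The enclosing `routing-instances` block begins outside the hunk.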
Index: configs/core4.okc.onenet.net
===================================================================
--- configs/core4.okc.onenet.net (revision 156165)
+++ configs/core4.okc.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at OKC-CORE4-MX480-RE0> show system commit
+# 2017-08-28 21:50:56 CDT by andrew via cli commit synchronize
+# 2017-08-28 21:49:53 CDT by andrew via cli commit synchronize
+# 2017-08-28 21:39:35 CDT by andrew via cli commit synchronize
# 2017-08-28 18:33:09 CDT by andrew via cli commit synchronize
# 2017-08-28 17:04:08 CDT by andrew via cli commit synchronize
# 2017-08-26 14:23:40 CDT by andrew via cli commit synchronize
-# 2017-08-26 14:02:28 CDT by andrew via cli commit synchronize
-# 2017-08-26 12:36:53 CDT by andrew via cli commit synchronize
-# 2017-08-25 15:11:19 CDT by sky via cli commit synchronize
# grnoc-mon at OKC-CORE4-MX480-RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -549,7 +549,7 @@
# grnoc-mon at OKC-CORE4-MX480-RE0> show system uptime
# System booted: 2016-10-12 18:12 CDT
# Protocols started: 2016-10-12 18:14 CDT
-# Last configured: 2017-08-28 18:33 CDT by andrew
+# Last configured: 2017-08-28 21:50 CDT by andrew
#
# {master}
# grnoc-mon at OKC-CORE4-MX480-RE0> show interface terse
@@ -1209,6 +1209,7 @@
#xe-3/0/3.2531 up up
#xe-3/0/3.2533 up up
#xe-3/0/3.2540 up up
+#xe-3/0/3.2543 up up
#xe-3/0/3.2550 up up
#xe-3/0/3.2559 up up
#xe-3/0/3.2600 up up
@@ -1488,7 +1489,7 @@
#pp0 up up
#tap up up
# grnoc-mon at OKC-CORE4-MX480-RE0> show configuration
-## Last commit: 2017-08-28 18:33:09 CDT by andrew
+## Last commit: 2017-08-28 21:50:56 CDT by andrew
version 13.3R9.13;
groups {
re0 {
@@ -7859,6 +7860,18 @@
address 10.119.254.64/31;
}
}
+ unit 2543 {
+ description "ONENET-MGMT-TO-CORE1-DC [ORDERED]";
+ vlan-id 2543;
+ family inet {
+ mtu 9000;
+ sampling {
+ input;
+ output;
+ }
+ address 10.199.208.254/31;
+ }
+ }
unit 2550 {
description "OMES-MGMT-TO-CORE1-DC [ORDERED]";
vlan-id 2550;
@@ -12519,6 +12532,28 @@
then reject;
}
}
+ policy-statement EBGP-ONENET-MGMT-ONENET-DC-EXPORT {
+ term REJECT-DEFAULT {
+ from {
+ route-filter 0.0.0.0/0 exact;
+ }
+ then reject;
+ }
+ term ALLOW-ALL-ELSE {
+ then accept;
+ }
+ }
+ policy-statement EBGP-ONENET-MGMT-ONENET-DC-IMPORT {
+ term ACCEPT-DEFAULT {
+ from {
+ route-filter 0.0.0.0/0 exact;
+ }
+ then accept;
+ }
+ term REJECT-ALL-ELSE {
+ then reject;
+ }
+ }
policy-statement EBGP-OTRD-DATA-CORE-EXPORT {
term REJECT-DEFAULT {
from {
@@ -13449,6 +13484,13 @@
accept;
}
}
+ term 4 {
+ from protocol bgp;
+ then {
+ community add ONENET-MGMT-VPN;
+ accept;
+ }
+ }
}
policy-statement ONENET-MGMT-VRF-IMPORT {
term 1 {
@@ -16865,6 +16907,7 @@
interface xe-2/3/0.3703;
interface xe-2/3/0.3704;
interface xe-3/0/1.80;
+ interface xe-3/0/3.2543;
interface xe-3/3/2.3414;
interface xe-3/3/2.3416;
interface xe-3/3/2.3429;
@@ -16885,6 +16928,23 @@
route 10.197.0.0/16 next-hop 10.197.255.255;
}
}
+ protocols {
+ bgp {
+ group EBGP-ONENET-MGMT-ONENET-DC {
+ type external;
+ family inet {
+ unicast;
+ }
+ neighbor 10.199.208.255 {
+ description "ONENET-MGMT-TO-CORE1-DC [ORDERED]";
+ import EBGP-ONENET-MGMT-ONENET-DC-IMPORT;
+# authentication-#key <removed>;
+ export EBGP-ONENET-MGMT-ONENET-DC-EXPORT;
+ peer-as 64595;
+ }
+ }
+ }
+ }
}
ONENET-POP-APPLIANCES-L3VPN {
description ONENET-POP-APPLIANCES-L3VPN;
Index: configs/oja-sw-youth-academy-manitou.client.onenet.net
===================================================================
--- configs/oja-sw-youth-academy-manitou.client.onenet.net (revision 156152)
+++ configs/oja-sw-youth-academy-manitou.client.onenet.net (working copy)
@@ -150,7 +150,7 @@
#ppd0 up up
#ppe0 up up
#st0 up up
-#st0.1 up up
+#st0.1 up down
#tap up up
#vlan up up
#vlan.3 up up
Index: configs/lavern-public-schools.client.onenet.net
===================================================================
--- configs/lavern-public-schools.client.onenet.net (revision 156167)
+++ configs/lavern-public-schools.client.onenet.net (working copy)
@@ -110,7 +110,7 @@
#
# grnoc-mon at LAVERN-PUBLIC-SCHOOLS-TAG-004351> show interface terse
#Interface Admin Link
-#ge-0/0/0 down up
+#ge-0/0/0 down down
#gr-0/0/0 up up
#ip-0/0/0 up up
#lsq-0/0/0 up up
Index: configs/city-of-lawton.client.onenet.net
===================================================================
--- configs/city-of-lawton.client.onenet.net (revision 156167)
+++ configs/city-of-lawton.client.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at CITY-OF-LAWTON-TAG-005231> show system commit
-# 2017-08-28 20:54:01 CDT by joel via cli
-# 2017-08-28 20:49:49 CDT by joel via cli
-# 2017-08-28 20:36:55 CDT by joel via cli commit confirmed, rollback in 5mins
-# 2017-08-28 18:42:15 CDT by joel via cli
-# 2017-08-28 18:40:46 CDT by joel via cli
-# 2017-08-28 18:36:29 CDT by joel via cli commit confirmed, rollback in 5mins
+# 2017-08-28 21:58:42 CDT by joel via cli
+# 2017-08-28 21:53:33 CDT by joel via cli
+# 2017-08-28 21:48:20 CDT by joel via cli
+# 2017-08-28 21:46:52 CDT by joel via cli
+# 2017-08-28 21:31:47 CDT by joel via cli
+# 2017-08-28 21:30:07 CDT by joel via cli
# grnoc-mon at CITY-OF-LAWTON-TAG-005231> show chassis environment
# Class Item Status Measurement
# Temp Routing Engine OK
@@ -134,7 +134,7 @@
# Time Source: NTP CLOCK
# System booted: 2017-08-25 14:03 CDT
# Protocols started: 2017-08-25 14:03 CDT
-# Last configured: 2017-08-28 20:54 CDT by joel
+# Last configured: 2017-08-28 21:58 CDT by joel
#
# grnoc-mon at CITY-OF-LAWTON-TAG-005231> show interface terse
#Interface Admin Link
@@ -209,9 +209,188 @@
#vlan up down
#vtep up up
# grnoc-mon at CITY-OF-LAWTON-TAG-005231> show configuration
-## Last commit: 2017-08-28 20:54:01 CDT by joel
+## Last commit: 2017-08-28 21:58:42 CDT by joel
version 15.1X49-D90.7;
groups {
+ SERVICES-TO-SERVERS {
+ security {
+ policies {
+ from-zone <*> to-zone TRUST {
+ policy SERVICES-TO-SERVERS {
+ match {
+ source-address <*>;
+ destination-address any;
+ application [ junos-dns-udp junos-telnet junos-ssh ];
+ }
+ then {
+ permit;
+ log {
+ session-init;
+ session-close;
+ }
+ }
+ }
+ }
+ from-zone <*> to-zone TR-2000-SERVERS {
+ policy SERVICES-TO-SERVERS {
+ match {
+ source-address <*>;
+ destination-address any;
+ application junos-dns-udp;
+ }
+ then {
+ permit;
+ log {
+ session-init;
+ session-close;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ SERVICES-FROM-SERVERS {
+ security {
+ policies {
+ from-zone TRUST to-zone <*> {
+ policy SERVICES-FROM-SERVERS {
+ match {
+ source-address any;
+ destination-address <*>;
+ application junos-dns-udp;
+ }
+ then {
+ permit;
+ log {
+ session-init;
+ session-close;
+ }
+ }
+ }
+ }
+ from-zone TR-2000-SERVERS to-zone <*> {
+ policy SERVICES-FROM-SERVERS {
+ match {
+ source-address any;
+ destination-address <*>;
+ application junos-dns-udp;
+ }
+ then {
+ permit;
+ log {
+ session-init;
+ session-close;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ ALLOW-PRINTING {
+ security {
+ policies {
+ from-zone <*> to-zone TR-0300-PRINTERS_SCANNERS {
+ policy ALLOW-PRINTING {
+ match {
+ source-address <*>;
+ destination-address TR-0300-PRINTERS_SCANNERS-10.3.0.0/16;
+ application PRINTERS;
+ }
+ then {
+ permit;
+ log {
+ session-init;
+ session-close;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ QUASAR-ACCESS {
+ security {
+ policies {
+ from-zone <*> to-zone QUASAR {
+ policy <*> {
+ match {
+ source-address <*>;
+ destination-address [ QUASAR-VCENTER-ENV-192.168.11.0 QUASAR-VCENTER-ENV-LINK ];
+ application [ junos-https junos-ping junos-icmp-all junos-http VM-CONSOLE ];
+ }
+ then {
+ permit;
+ log {
+ session-init;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ COMMON-APPLICATIONS {
+ security {
+ policies {
+ from-zone <*> to-zone UNTRUST {
+ policy COMMON-APPLICATIONS {
+ match {
+ source-address <*>;
+ destination-address any;
+ application [ junos-icmp-all junos-http junos-https junos-dns-udp ];
+ }
+ then {
+ permit;
+ log {
+ session-init;
+ session-close;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ INSIDE-COMMON-APPLICATIONS {
+ security {
+ policies {
+ from-zone <*> to-zone TRUST {
+ policy INSIDE-COMMON-APPLICATIONS {
+ match {
+ source-address <*>;
+ destination-address TRUST-172.16.0.0/12;
+ application any;
+ }
+ then {
+ permit;
+ log {
+ session-init;
+ session-close;
+ }
+ }
+ }
+ }
+ from-zone <*> to-zone TR-2000-SERVERS {
+ policy INSIDE-COMMON-APPLICATIONS {
+ match {
+ source-address <*>;
+ destination-address TR-2000-SERVERS-10.16.0.0/16;
+ application [ junos-icmp-all junos-http junos-https ];
+ }
+ then {
+ permit;
+ log {
+ session-init;
+ session-close;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
DENY-ALL-ELSE {
security {
policies {
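Review bot: The `to-zone TRUST` variant of `SERVICES-TO-SERVERS` permits `junos-telnet` alongside `junos-ssh` and `junos-dns-udp`, to `destination-address any`. Telnet carries credentials in cleartext, and because this group is later applied to the TR-0100-USERS → TRUST zone pair, every host in the users zone gains telnet to the entire TRUST zone; unless a device there genuinely still requires telnet, trim the line to `application [ junos-dns-udp junos-ssh ];` and replace `destination-address any` with the server address-book entries used elsewhere in these groups (for example `TRUST-172.16.0.0/12`). The `groups` stanza continues outside the hunk.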
@@ -250,7 +429,7 @@
}
}
}
-apply-groups [ DENY-ALL-ELSE LOG-TRAFFIC ];
+apply-groups LOG-TRAFFIC;
system {
host-name CITY-OF-LAWTON-TAG-005231;
auto-snapshot;
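Review bot: Dropping `DENY-ALL-ELSE` from the global `apply-groups` removes the explicit deny policies that group injected into every zone pair, while the group definition itself is kept. The SRX still drops unmatched inter-zone traffic by its implicit default deny, but that implicit deny does not by itself produce session logs, so visibility into blocked traffic is lost for every zone pair that does not re-apply the group; nothing in this diff applies `DENY-ALL-ELSE` at a narrower scope, though it may happen outside these hunks. If the removal is intentional, either re-apply the group on each zone pair or annotate the line, e.g. `/* DENY-ALL-ELSE is applied per zone pair, not globally */` above `apply-groups LOG-TRAFFIC;`.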
@@ -1846,7 +2025,7 @@
}
}
}
- from-zone TRUST to-zone TRUST {
+ inactive: from-zone TRUST to-zone TRUST {
policy TRUST-TO-TRUST {
match {
source-address any;
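Review bot: Marking `from-zone TRUST to-zone TRUST` as `inactive:` disables the only intra-zone TRUST policy visible here; on SRX, traffic between two routed interfaces in the same zone still requires a permitting policy, so hosts behind different TRUST interfaces will be denied after this commit unless `default-policy permit-all` or another policy outside these hunks covers them. If that is intended, the now-dead policy block is better deleted than left inactive, or annotated with something like `/* deactivated <date>: intra-zone TRUST traffic intentionally blocked */` so the next reader does not reactivate it by reflex. The policy body continues outside the hunk.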
@@ -1862,116 +2041,102 @@
}
}
}
- from-zone TRUST to-zone UNTRUST {
- policy TRUST-TO-LAWTON-DC {
+ from-zone TR-0100-USERS to-zone UNTRUST {
+ apply-groups COMMON-APPLICATIONS;
+ policy COMMON-APPLICATIONS {
match {
- source-address [ SERVER-DC1-172.16.1.3 SERVER-DC2-172.16.1.4 ];
- destination-address NAT-EXEMPT-ACTIVE-DIRECTORY-164.58.2.192/28;
- application any;
+ source-address TR-0100-USERS-10.1.0.0/16;
}
- then {
- permit;
- log {
- session-init;
- session-close;
- }
+ }
+ }
+ from-zone TR-0100-USERS to-zone TRUST {
+ apply-groups [ SERVICES-TO-SERVERS INSIDE-COMMON-APPLICATIONS ];
+ policy SERVICES-TO-SERVERS {
+ match {
+ source-address TR-0100-USERS-10.1.0.0/16;
}
}
- policy TRUST-TO-UNTRUST {
+ policy INSIDE-COMMON-APPLICATIONS {
match {
- source-address any;
- destination-address any;
- application any;
+ source-address TR-0100-USERS-10.1.0.0/16;
}
- then {
- permit;
- log {
- session-init;
- }
+ }
+ }
+ from-zone TR-0100-USERS to-zone QUASAR {
+ policy TR-0100-USERS-TO-QUASAR {
+ apply-groups QUASAR-ACCESS;
+ match {
+ source-address TR-0100-USERS-10.1.0.0/16;
}
}
}
- from-zone TR-0100-USERS to-zone UNTRUST {
- policy USERS-TO-UNTRUST {
+ from-zone TR-0100-USERS to-zone TR-0300-PRINTERS_SCANNERS {
+ apply-groups ALLOW-PRINTING;
+ policy ALLOW-PRINTING {
match {
- source-address any;
- destination-address any;
- application any;
+ source-address TR-0100-USERS-10.1.0.0/16;
}
- then {
- permit;
- }
}
}
- from-zone TR-0100-USERS to-zone TRUST {
- policy USERS-TO-TRUST {
+ from-zone TRUST to-zone TR-0100-USERS {
+ apply-groups SERVICES-FROM-SERVERS;
+ policy SERVICES-FROM-SERVERS {
match {
- source-address any;
- destination-address any;
- application any;
+ destination-address TR-0100-USERS-10.1.0.0/16;
}
- then {
- permit;
- }
}
}
- from-zone TR-0100-USERS to-zone QUASAR {
- policy USERS-TO-QUASAR {
+ from-zone TRUST to-zone QUASAR {
+ policy TRUST-TO-QUASAR {
+ apply-groups QUASAR-ACCESS;
match {
- source-address any;
- destination-address any;
- application any;
+ source-address TRUST-172.16.0.0/12;
}
- then {
- permit;
- }
}
}
- from-zone TR-0100-USERS to-zone TR-0300-PRINTERS_SCANNERS {
- policy USERS-TO-PRINTERS_SCANNERS {
+ from-zone TRUST to-zone TR-0300-PRINTERS_SCANNERS {
+ apply-groups ALLOW-PRINTING;
+ policy ALLOW-PRINTING {
match {
- source-address any;
- destination-address any;
- application any;
+ source-address TRUST-172.16.0.0/12;
}
- then {
- permit;
- }
}
}
- from-zone TRUST to-zone TR-0100-USERS {
- policy TRUST-TO-USERS {
+ from-zone TR-2000-SERVERS to-zone QUASAR {
+ policy TR-2000-SERVERS-TO-QUASAR {
+ apply-groups QUASAR-ACCESS;
match {
- source-address any;
- destination-address any;
- application any;
+ source-address TR-2000-SERVERS-10.16.0.0/16;
}
- then {
- permit;
- }
}
}
- from-zone TRUST to-zone QUASAR {
- policy TRUST-TO-QUASAR {
+ from-zone TRUST to-zone UNTRUST {
+ policy TRUST-TO-UNTRUST-DNS {
match {
- source-address any;
+ source-address [ SERVER-DC1-172.16.1.3 SERVER-DC2-172.16.1.4 ];
destination-address any;
- application any;
+ application junos-dns-udp;
}
then {
permit;
+ log {
+ session-init;
+ session-close;
+ }
}
}
- }
- from-zone TRUST to-zone TR-0300-PRINTERS_SCANNERS {
- policy TRUST-TO-PRINTERS_SCANNERS {
+ policy TRUST-TO-LAWTON-DC {
match {
- source-address any;
- destination-address any;
+ source-address [ SERVER-DC1-172.16.1.3 SERVER-DC2-172.16.1.4 ];
+ destination-address NAT-EXEMPT-ACTIVE-DIRECTORY-164.58.2.192/28;
application any;
}
then {
permit;
+ log {
+ session-init;
+ session-close;
+ }
}
}
}
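Review bot: With `apply-groups [ SERVICES-TO-SERVERS INSIDE-COMMON-APPLICATIONS ]` on `from-zone TR-0100-USERS to-zone TRUST`, the second policy expands to `application any` toward `TRUST-172.16.0.0/12`, so the users zone keeps effectively unrestricted access to the whole server zone and the preceding dns/ssh/telnet policy only changes which policy name appears in the log. If this rewrite is meant to reach least privilege, as the UNTRUST side now does with `TRUST-TO-UNTRUST-DNS`, the TRUST variant of `INSIDE-COMMON-APPLICATIONS` should be limited to the `[ junos-icmp-all junos-http junos-https ]` set its TR-2000-SERVERS variant already uses. Separately, groups are applied at zone-pair level for some pairs (`apply-groups COMMON-APPLICATIONS;` directly under from-zone) and at policy level for others (`apply-groups QUASAR-ACCESS;` inside the policy); using one form throughout would make the expanded policy set easier to audit. The `policies` block continues outside the hunk on both sides.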
@@ -2053,6 +2218,7 @@
system-services {
ping;
traceroute;
+ dhcp;
}
}
}
@@ -2421,11 +2587,12 @@
DHCP-SERVERS {
172.16.1.3;
172.16.1.4;
+ 10.16.0.3;
+ 10.16.0.4;
}
}
active-server-group DHCP-SERVERS;
group CLIENTS {
- interface ge-0/0/7.0;
interface irb.5;
interface irb.100;
interface irb.200;
@@ -2558,6 +2725,21 @@
term tcp-80 protocol tcp destination-port 80;
term tcp-443 protocol tcp destination-port 443;
}
+ application VM-CONSOLE {
+ term tcp-9443 protocol tcp destination-port 9443;
+ }
+ application SQL-PORTS {
+ term tcp-1433 protocol tcp destination-port 1433;
+ }
+ application UNISYS-PORTS {
+ term tcp-1444 protocol tcp destination-port 1444;
+ }
+ application RUNTIME-PORTS {
+ term tcp-2870 protocol tcp destination-port 2870;
+ }
+ application EOM-PORTS {
+ term tcp-515 protocol tcp destination-port 515;
+ }
}
vlans {
DMZ-0400-HVAC {
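Review bot: Of the five new custom applications, only `VM-CONSOLE` is referenced by a policy in this diff (via the `QUASAR-ACCESS` group); `SQL-PORTS`, `UNISYS-PORTS`, `RUNTIME-PORTS` and `EOM-PORTS` are defined but not used anywhere visible, so either the policies that use them live outside these hunks or they are staged for a later change. Unused application objects do not affect forwarding, but they accumulate as audit noise; an annotation such as `/* staged for <POLICY-NAME> */` above each would tell the next reviewer which case applies. The `applications` stanza begins outside the hunk.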
Index: configs/core1.dc.onenet.net
===================================================================
--- configs/core1.dc.onenet.net (revision 156158)
+++ configs/core1.dc.onenet.net (working copy)
@@ -1,12 +1,12 @@
# RANCID-CONTENT-TYPE: juniper
#
# grnoc-mon at MX480_DC_01_RE0> show system commit
+# 2017-08-28 21:53:10 CDT by andrew via cli commit synchronize
+# 2017-08-28 21:49:04 CDT by andrew via cli commit synchronize
+# 2017-08-28 21:40:32 CDT by andrew via cli commit synchronize
+# 2017-08-28 21:30:53 CDT by andrew via cli commit confirmed, rollback in 3mins synchronize
# 2017-08-28 12:52:57 CDT by andrew via cli commit synchronize
# 2017-08-28 12:49:38 CDT by andrew via cli commit synchronize
-# 2017-08-28 12:29:20 CDT by andrew via cli commit synchronize
-# 2017-08-21 17:50:52 CDT by andrew via cli commit synchronize
-# 2017-08-10 17:16:45 CDT by andrew via cli commit confirmed, rollback in 3mins synchronize
-# 2017-08-03 10:57:03 CDT by andrew via cli commit synchronize
# grnoc-mon at MX480_DC_01_RE0> show chassis environment
# Class Item Status Measurement
# Temp PEM 0 OK
@@ -435,7 +435,7 @@
# grnoc-mon at MX480_DC_01_RE0> show system uptime
# System booted: 2014-08-25 20:38 CDT
# Protocols started: 2014-08-25 20:39 CDT
-# Last configured: 2017-08-28 12:52 CDT by andrew
+# Last configured: 2017-08-28 21:53 CDT by andrew
#
# {master}
# grnoc-mon at MX480_DC_01_RE0> show interface terse
@@ -515,6 +515,7 @@
#xe-1/1/1.2531 up up
#xe-1/1/1.2533 up up
#xe-1/1/1.2540 up up
+#xe-1/1/1.2543 up up
#xe-1/1/1.2550 up up
#xe-1/1/1.2559 up up
#xe-1/1/1.2600 up up
@@ -711,6 +712,7 @@
#irb.4031 up up
#irb.4032 up up
#irb.4033 up up
+#irb.4034 up up
#irb.4036 up up
#irb.4037 up up
#irb.4038 up up
@@ -730,7 +732,7 @@
#pp0 up up
#tap up up
# grnoc-mon at MX480_DC_01_RE0> show configuration
-## Last commit: 2017-08-28 12:52:57 CDT by andrew
+## Last commit: 2017-08-28 21:53:10 CDT by andrew
version 12.3R7.7;
groups {
re0 {
@@ -1211,6 +1213,17 @@
address 10.119.254.65/31;
}
}
+ unit 2543 {
+ description "CORE1-DC-TO-ONENET-MGMT [ORDERED]";
+ vlan-id 2543;
+ family inet {
+ mtu 9000;
+ sampling {
+ input;
+ }
+ address 10.199.208.255/31;
+ }
+ }
unit 2550 {
description "CORE1-DC-TO-OMES-MGMT [ORDERED]";
vlan-id 2550;
@@ -2171,6 +2184,12 @@
address 10.197.9.1/29;
}
}
+ unit 4034 {
+ description "onenet_mgmt [ORDERED]";
+ family inet {
+ address 10.197.8.193/29;
+ }
+ }
unit 4036 {
description "MX to SRX VLAN40356";
family inet {
@@ -2698,6 +2717,28 @@
then reject;
}
}
+ policy-statement EBGP-ONENET-DC-ONENET-MGMT-V4-EXPORT {
+ term ACCEPT-DEFAULT {
+ from {
+ route-filter 0.0.0.0/0 exact;
+ }
+ then accept;
+ }
+ term REJECT-ALL-ELSE {
+ then reject;
+ }
+ }
+ policy-statement EBGP-ONENET-DC-ONENET-MGMT-V4-IMPORT {
+ term REJECT-DEFAULT {
+ from {
+ route-filter 0.0.0.0/0 exact;
+ }
+ then reject;
+ }
+ term ACCEPT-ALL-ELSE {
+ then accept;
+ }
+ }
policy-statement EBGP-ONENET-DC-SEPLS-V4-EXPORT {
term SEND-ONENET-MGMT {
from {
@@ -2880,6 +2921,17 @@
}
}
}
+ policy-statement REDISTRIBUTE-BGP-OSPF {
+ term accept {
+ from protocol bgp;
+ then {
+ external {
+ type 1;
+ }
+ accept;
+ }
+ }
+ }
policy-statement REDISTRIBUTE-DIRECTS {
term 1 {
from {
@@ -3869,6 +3921,40 @@
}
}
}
+ onenet_mgmt {
+ apply-groups OSPF-RI;
+ instance-type virtual-router;
+ interface xe-1/1/1.2543;
+ interface irb.4034;
+ routing-options {
+ router-id 10.197.8.193;
+ autonomous-system 64595;
+ }
+ protocols {
+ bgp {
+ group EBGP-ONENET-MGMT {
+ type external;
+ family inet {
+ unicast;
+ }
+ as-override;
+ neighbor 10.199.208.254 {
+ description "ONENET-DC-TO-ONENET-MGMT [ORDERED]";
+ import EBGP-ONENET-DC-ONENET-MGMT-V4-IMPORT;
+# authentication-#key <removed>;
+ export EBGP-ONENET-DC-ONENET-MGMT-V4-EXPORT;
+ peer-as 5078;
+ }
+ }
+ }
+ ospf {
+ export [ REDISTRIBUTE-BGP-OSPF REDISTRIBUTE-STATICS-OSPF ];
+ area 0.0.0.0 {
+ interface irb.4034;
+ }
+ }
+ }
+ }
trust_netgrp {
apply-groups OSPF-RI;
instance-type virtual-router;
@@ -4270,6 +4356,10 @@
vlan-id 300;
routing-interface irb.300;
}
+ onenet_mgmt-srx-01-4034 {
+ vlan-id 4034;
+ routing-interface irb.4034;
+ }
optical___-01-0810 {
vlan-id 810;
routing-interface irb.810;
Index: configs/opt.sti.onenet.net
===================================================================
--- configs/opt.sti.onenet.net (revision 156089)
+++ configs/opt.sti.onenet.net (working copy)
@@ -86,7 +86,6 @@
<interface name="PCHAN-6-25-TX" abbr_name="PCHAN-6-25-TX" admin_state="up" spanning_tree_metric="" description="" type="PDMX" monitoring_state="monitor"></interface>
<interface name="PCHAN-6-25-RX" abbr_name="PCHAN-6-25-RX" admin_state="up" spanning_tree_metric="" description="" type="PMUX" monitoring_state="monitor"></interface>
<interface name="PCHAN-6-26-TX" abbr_name="PCHAN-6-26-TX" admin_state="up" spanning_tree_metric="" description="" type="PDMX" monitoring_state="monitor"></interface>
- <interface name="PCHAN-6-26-RX" abbr_name="PCHAN-6-26-RX" admin_state="up" spanning_tree_metric="" description="" type="PMUX" monitoring_state="monitor"></interface>
<interface name="PCHAN-6-27-TX" abbr_name="PCHAN-6-27-TX" admin_state="up" spanning_tree_metric="" description="" type="PDMX" monitoring_state="monitor"></interface>
<interface name="PCHAN-6-27-RX" abbr_name="PCHAN-6-27-RX" admin_state="up" spanning_tree_metric="" description="" type="PMUX" monitoring_state="monitor"></interface>
<interface name="PCHAN-6-28-TX" abbr_name="PCHAN-6-28-TX" admin_state="up" spanning_tree_metric="" description="" type="PDMX" monitoring_state="monitor"></interface>