aboutsummaryrefslogtreecommitdiffstats
path: root/examples/tg16/netconf/ex2200_secure.conf
diff options
context:
space:
mode:
Diffstat (limited to 'examples/tg16/netconf/ex2200_secure.conf')
-rwxr-xr-xexamples/tg16/netconf/ex2200_secure.conf332
1 files changed, 332 insertions, 0 deletions
diff --git a/examples/tg16/netconf/ex2200_secure.conf b/examples/tg16/netconf/ex2200_secure.conf
new file mode 100755
index 0000000..7a00479
--- /dev/null
+++ b/examples/tg16/netconf/ex2200_secure.conf
@@ -0,0 +1,332 @@
+system {
+ host-name <?php echo $c['sysname']; ?>;
+ domain-name infra.gathering.org;
+ auto-snapshot;
+ time-zone Europe/Oslo;
+ authentication-order [ tacplus ];
+ root-authentication {
+ encrypted-password "<removed>";
+ }
+ name-server {
+ 185.110.149.2;
+ 185.110.148.2;
+ 2a06:5841:149a::2;
+ 2a06:5841:1337::2;
+ }
+ tacplus-server {
+ <removed> {
+ secret "<removed>";
+ source-address <?php echo $c['mgmt_v4_addr']; ?>;
+ }
+ }
+ login {
+ user technet {
+ uid 2000;
+ class super-user;
+ authentication {
+ encrypted-password "<removed>";
+ }
+ }
+ }
+ services {
+ ssh {
+ root-login deny;
+ no-tcp-forwarding;
+ client-alive-count-max 2;
+ client-alive-interval 300;
+ connection-limit 5;
+ rate-limit 5;
+ }
+ netconf {
+ ssh {
+ connection-limit 3;
+ rate-limit 3;
+ }
+ }
+ }
+ syslog {
+ user * {
+ any emergency;
+ }
+ host 185.110.148.17 {
+ any info;
+ authorization info;
+ port 515;
+ }
+ file messages {
+ any notice;
+ authorization info;
+ }
+ file interactive-commands {
+ interactive-commands any;
+ }
+ }
+
+ /* Save changes to central site */
+ archival {
+ configuration {
+ transfer-on-commit;
+ archive-sites {
+ "scp://<removed>@<removed>/home/tgconfig/configs/" password "<removed>";
+ }
+ }
+ }
+ commit synchronize;
+ ntp {
+ server 2001:700:100:2::6;
+ }
+}
+
+chassis {
+ aggregated-devices {
+ ethernet {
+ device-count 1;
+ }
+ }
+ alarm {
+ management-ethernet {
+ link-down ignore;
+ }
+ }
+}
+
+interfaces {
+ interface-range edge-ports {
+ description "Clients";
+ member-range ge-0/0/0 to ge-0/0/43;
+ unit 0 {
+ family ethernet-switching {
+ port-mode access;
+ vlan {
+ members clients;
+ }
+ }
+ }
+ }
+ interface-range core-ports {
+ description "<?php echo $c['distro_name']; ?> <?php echo $c['distro_phy_port']; ?>";
+ member-range ge-0/0/44 to ge-0/0/47;
+ ether-options {
+ 802.3ad ae0;
+ }
+ }
+ ae0 {
+ description "<?php echo $c['distro_name']; ?> <?php echo $c['distro_phy_port']; ?>";
+ aggregated-ether-options {
+ lacp {
+ active;
+ }
+ }
+ unit 0 {
+ family ethernet-switching {
+ port-mode trunk;
+ vlan {
+ members [clients mgmt];
+ }
+ }
+ }
+ }
+ vlan {
+ unit <?php echo $c['mgmt_vlan']; ?> {
+ description "MGMT L3 interface";
+ family inet {
+ filter {
+ input v4-mgmt;
+ }
+ address <?php echo $c['mgmt_v4_addr']; ?>/26;
+ }
+ inactive: family inet6 {
+ filter {
+ input v6-mgmt;
+ }
+ address <?php echo $c['mgmt_v6_addr']; ?>/64;
+ }
+ }
+ }
+}
+
+snmp {
+ community <removed> {
+ authorization read-only;
+ client-list-name mgmt;
+ }
+ community <removed> {
+ authorization read-only;
+ client-list-name mgmt-nms;
+ }
+}
+
+policy-options {
+ prefix-list mgmt-v4 {
+ <removed>
+ /* Kandu PA-nett */
+ 185.110.148.0/22;
+ }
+ prefix-list mgmt-v6 {
+ <removed>
+ /* Den delen av v6-nett som er satt av til infra, tech o.l. */
+ 2a06:5841::/32;
+ }
+ /* Merged separate v4- og v6-lister */
+ prefix-list mgmt {
+ <removed>
+ 2a06:5841::/32;
+ }
+ /* NMS boxes - separate list to give full speed to SNMP read */
+ prefix-list mgmt-v4-nms {
+ 185.110.148.11/32;
+ 185.110.148.12/32;
+ }
+ /* NMS boxes - separate list to give full speed to SNMP read */
+ prefix-list mgmt-v6-nms {
+ 2a06:5841:1337::11/128;
+ 2a06:5841:1337::12/128;
+ }
+ /* NMS boxes - separate list to give full speed to SNMP read */
+ prefix-list mgmt-nms {
+ 185.110.148.11/32;
+ 185.110.148.12/32;
+ 185.110.150.10/32;
+ 2a06:5841:1337::11/128;
+ 2a06:5841:1337::12/128;
+ }
+}
+
+ethernet-switching-options {
+ secure-access-port {
+ interface edge-ports {
+ no-dhcp-trusted;
+ }
+ vlan clients {
+ arp-inspection;
+ examine-dhcp;
+ examine-dhcpv6;
+ neighbor-discovery-inspection;
+ ip-source-guard;
+ ipv6-source-guard;
+ dhcp-option82;
+ dhcpv6-option18 {
+ use-option-82;
+ }
+ }
+ ipv6-source-guard-sessions {
+ max-number 128;
+ }
+ }
+ storm-control {
+ interface all;
+ }
+}
+
+firewall {
+ family inet {
+ filter v4-mgmt {
+ term accept-ssh {
+ from {
+ source-prefix-list {
+ mgmt-v4;
+ }
+ destination-port 22;
+ }
+ then {
+ accept;
+ }
+ }
+ term discard-ssh {
+ from {
+ destination-port 22;
+ }
+ then {
+ discard;
+ }
+ }
+ term accept-all {
+ then {
+ accept;
+ }
+ }
+ }
+ }
+ family inet6 {
+ filter v6-mgmt {
+ term accept-ssh {
+ from {
+ source-prefix-list {
+ mgmt-v6;
+ }
+ destination-port 22;
+ }
+ then {
+ accept;
+ }
+ }
+ term discard-ssh {
+ from {
+ destination-port 22;
+ }
+ then {
+ discard;
+ }
+ }
+ term accept-all {
+ then {
+
+ accept;
+ }
+ }
+ }
+ }
+}
+
+protocols {
+ sflow {
+ sample-rate {
+ ingress 10000;
+ egress 10000;
+ }
+ interfaces edge-ports;
+ interfaces core-ports;
+ source-ip <?php echo $c['mgmt_v4_addr']; ?>;
+ collector 185.110.148.12;
+ collector 185.110.148.11;
+ }
+ igmp-snooping {
+ vlan all {
+ version 3;
+ immediate-leave;
+ }
+ }
+ rstp {
+ bridge-priority 8k;
+ interface edge-ports {
+ edge;
+ no-root-port;
+ }
+ }
+ lldp {
+ interface ae0.0;
+ management-address <?php echo $c['mgmt_v4_addr']; ?>;
+ }
+}
+
+vlans {
+ clients {
+ vlan-id <?php echo $c['traffic_vlan']; ?>;
+ }
+ mgmt {
+ vlan-id <?php echo $c['mgmt_vlan']; ?>;
+ l3-interface vlan.<?php echo $c['mgmt_vlan']; ?>;
+ }
+}
+
+routing-options {
+ rib inet.0 {
+ static {
+ route 0.0.0.0/0 {
+ next-hop <?php echo $c['mgmt_v4_gw']; ?>;
+ }
+ }
+ }
+}
+
+
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-26 15:42:38 +0000