aboutsummaryrefslogtreecommitdiffstats
path: root/examples/tg16/netconf/telegw.conf
diff options
context:
space:
mode:
Diffstat (limited to 'examples/tg16/netconf/telegw.conf')
-rw-r--r--examples/tg16/netconf/telegw.conf1034
1 files changed, 1034 insertions, 0 deletions
diff --git a/examples/tg16/netconf/telegw.conf b/examples/tg16/netconf/telegw.conf
new file mode 100644
index 0000000..aaa8e11
--- /dev/null
+++ b/examples/tg16/netconf/telegw.conf
@@ -0,0 +1,1034 @@
+## Last changed: 2016-03-25 01:21:51 CET
+version 14.1X53-D35.3;
+groups {
+ SET_AE_DEFAULTS {
+ interfaces {
+ <ae*> {
+ aggregated-ether-options {
+ lacp {
+ active;
+ }
+ }
+ }
+ }
+ }
+ SET_OSPF_DEFAULTS {
+ protocols {
+ ospf {
+ reference-bandwidth 1000g;
+ area <*> {
+ interface <ae*> {
+ bfd-liveness-detection {
+ minimum-interval 100;
+ multiplier 3;
+ }
+ }
+ }
+ }
+ ospf3 {
+ reference-bandwidth 1000g;
+ area <*> {
+ interface <ae*> {
+ bfd-liveness-detection {
+ minimum-interval 100;
+ multiplier 3;
+ }
+ }
+ }
+ }
+ }
+ }
+ SET_RA_DEFAULTS {
+ protocols {
+ router-advertisement {
+ interface <*> {
+ max-advertisement-interval 15;
+ managed-configuration;
+ }
+ }
+ }
+ }
+}
+system {
+ host-name telegw;
+ auto-snapshot;
+ domain-name infra.gathering.org;
+ time-zone Europe/Oslo;
+ authentication-order tacplus;
+ root-authentication {
+ encrypted-password "<removed>";
+ }
+ name-server {
+ 185.110.149.2;
+ 185.110.148.2;
+ 2a06:5841:149a::2;
+ 2a06:5841:1337::2;
+ }
+ tacplus-server {
+ 134.90.150.164 {
+ secret "<removed>";
+ source-address 185.110.148.64;
+ }
+ }
+ login {
+ user technet {
+ uid 2000;
+ class super-user;
+ authentication {
+ encrypted-password "<removed>";
+ }
+ }
+ }
+ services {
+ ssh {
+ root-login deny;
+ no-tcp-forwarding;
+ client-alive-count-max 2;
+ client-alive-interval 300;
+ connection-limit 10;
+ rate-limit 10;
+ }
+ netconf {
+ ssh {
+ connection-limit 3;
+ rate-limit 3;
+ }
+ }
+ }
+ syslog {
+ user * {
+ any emergency;
+ }
+ host 185.110.148.17 {
+ any info;
+ authorization info;
+ port 515;
+ }
+ file messages {
+ any notice;
+ authorization info;
+ }
+ file interactive-commands {
+ interactive-commands any;
+ }
+ }
+ /* Save changes to central site */
+ archival {
+ configuration {
+ transfer-on-commit;
+ archive-sites {
+ "scp://user@host/some/folder/" password "<removed>";
+ }
+ }
+ }
+ commit synchronize;
+ ntp {
+ server 2001:700:100:2::6;
+ }
+}
+chassis {
+ redundancy {
+ graceful-switchover;
+ }
+ aggregated-devices {
+ ethernet {
+ device-count 10;
+ }
+ }
+ fpc 0 {
+ pic 0 {
+ port 50 {
+ channel-speed disable-auto-speed-detection;
+ }
+ }
+ }
+ fpc 1 {
+ pic 0 {
+ port 50 {
+ channel-speed disable-auto-speed-detection;
+ }
+ }
+ }
+ alarm {
+ management-ethernet {
+ link-down ignore;
+ }
+ }
+}
+security {
+ ssh-known-hosts {
+ host 134.90.150.164 {
+ ecdsa-sha2-nistp256-key <removed>;
+ }
+ }
+}
+interfaces {
+ apply-groups SET_AE_DEFAULTS;
+ interface-range sflow-inet {
+ member xe-0/0/0;
+ member xe-0/0/1;
+ member xe-1/0/1;
+ member xe-1/0/0;
+ }
+ interface-range forbikobling-telefw-inside {
+ member-range xe-0/0/34 to xe-0/0/35;
+ member-range xe-1/0/34 to xe-1/0/35;
+ description "INSIDE for forbikobling telefw";
+ ether-options {
+ 802.3ad ae6;
+ }
+ }
+ interface-range forbikobling-telefw-outside {
+ member-range xe-1/0/36 to xe-1/0/37;
+ member-range xe-0/0/36 to xe-0/0/37;
+ description "OUTSIDE for forbikobling telefw";
+ ether-options {
+ 802.3ad ae7;
+ }
+ }
+ xe-0/0/0 {
+ description "ae0 - Telenor - LU1337 / SB1337 / PE slot 11 / ODF 11/12";
+ ether-options {
+ 802.3ad ae0;
+ }
+ }
+ xe-0/0/1 {
+ description "ae0 - Telenor - LU1337 / SB1337 / PE slot 0 / ODF 7/8";
+ ether-options {
+ 802.3ad ae0;
+ }
+ }
+ xe-0/0/10 {
+ description "Extensionswitch for Kobber";
+ unit 0 {
+ family ethernet-switching {
+ interface-mode trunk;
+ vlan {
+ members [ security Klientnett_innsjekk ];
+ }
+ }
+ }
+ }
+ xe-0/0/16 {
+ description "ae3 - link mot creativiagw";
+ ether-options {
+ 802.3ad ae3;
+ }
+ }
+ xe-0/0/17 {
+ description "ae4 - link mot southgw";
+ ether-options {
+ 802.3ad ae4;
+ }
+ }
+ xe-0/0/25 {
+ description "Fortigate FAN uplink";
+ unit 0 {
+ family ethernet-switching {
+ vlan {
+ members tele_servers;
+ }
+ }
+ }
+ }
+ xe-0/0/26 {
+ description "FortiAnalyzer Uplink";
+ unit 0 {
+ family ethernet-switching {
+ vlan {
+ members tele_servers;
+ }
+ }
+ }
+ }
+ ge-0/0/32 {
+ description "Tele servers";
+ unit 0 {
+ family ethernet-switching {
+ vlan {
+ members tele_servers;
+ }
+ }
+ }
+ }
+ et-0/0/48 {
+ description "ae1 - link mot nocgw";
+ ether-options {
+ 802.3ad ae1;
+ }
+ }
+ et-0/0/49 {
+ description "ae2 - link mot coregw";
+ ether-options {
+ 802.3ad ae2;
+ }
+ }
+ et-0/0/50 {
+ description "Trunk til FW";
+ unit 0 {
+ family ethernet-switching {
+ interface-mode trunk;
+ vlan {
+ members [ OUTSIDE_TO_FW INSIDE_TO_FW ];
+ }
+ }
+ }
+ }
+ et-0/0/51 {
+ description "Monitoreringsport for Fortigate";
+ }
+ xe-1/0/0 {
+ description "ae0 - Telenor - LU1337 / SB1337 / PE slot 11 / ODF 9/10";
+ ether-options {
+ 802.3ad ae0;
+ }
+ }
+ xe-1/0/1 {
+ description "ae0 - Telenor - LU1337 / SB1337 / PE slot 0 / ODF 5/6";
+ ether-options {
+ 802.3ad ae0;
+ }
+ }
+ xe-1/0/10 {
+ description "ae5 - link mot creativiagw";
+ ether-options {
+ 802.3ad ae5;
+ }
+ }
+ xe-1/0/16 {
+ description "ae3 - link mot creativiagw";
+ ether-options {
+ 802.3ad ae3;
+ }
+ }
+ xe-1/0/25 {
+ description "Fortigate FAN uplink";
+ unit 0 {
+ family ethernet-switching {
+ vlan {
+ members tele_servers;
+ }
+ }
+ }
+ }
+ et-1/0/48 {
+ description "ae1 - link mot nocgw";
+ ether-options {
+ 802.3ad ae1;
+ }
+ }
+ et-1/0/49 {
+ description "ae2 - link mot coregw";
+ ether-options {
+ 802.3ad ae2;
+ }
+ }
+ et-1/0/50 {
+ description "Trunk til FW";
+ unit 0 {
+ family ethernet-switching {
+ interface-mode trunk;
+ vlan {
+ members [ OUTSIDE_TO_FW INSIDE_TO_FW ];
+ }
+ }
+ }
+ }
+ et-1/0/51 {
+ description "monitoreringsport Fortigate";
+ unit 0 {
+ family ethernet-switching;
+ }
+ }
+ ae0 {
+ description "The Intarwebz - Telenor <3";
+ aggregated-ether-options {
+ lacp {
+ active;
+ }
+ }
+ unit 0 {
+ family inet {
+ address 193.212.22.2/30;
+ }
+ family inet6 {
+ address 2001:4600:9:300::292/126;
+ }
+ }
+ }
+ ae1 {
+ description "Mot nocgw";
+ aggregated-ether-options {
+ lacp {
+ active;
+ }
+ }
+ unit 0 {
+ family inet {
+ address 185.110.148.130/31;
+ }
+ family inet6;
+ }
+ }
+ ae2 {
+ description "Mot coregw";
+ aggregated-ether-options {
+ lacp {
+ active;
+ }
+ }
+ unit 0 {
+ family inet {
+ address 185.110.148.128/31;
+ }
+ family inet6;
+ }
+ }
+ ae4 {
+ description "Mot southgw";
+ aggregated-ether-options {
+ lacp {
+ active;
+ }
+ }
+ unit 0 {
+ family inet {
+ address 185.110.148.147/31;
+ }
+ family inet6;
+ }
+ }
+ ae5 {
+ description "Mot creativiagw";
+ aggregated-ether-options {
+ lacp {
+ active;
+ }
+ }
+ unit 0 {
+ family inet {
+ address 185.110.148.148/31;
+ }
+ family inet6;
+ }
+ }
+ ae6 {
+ apply-groups-except SET_AE_DEFAULTS;
+ description "INSIDE for forbikobling telefw";
+ }
+ ae7 {
+ apply-groups-except SET_AE_DEFAULTS;
+ description "OUTSIDE for forbikobling telefw";
+ }
+ irb {
+ unit 243 {
+ family inet {
+ address 88.92.69.1/24;
+ }
+ family inet6 {
+ address 2a06:5840:69::1/64;
+ }
+ }
+ unit 1491 {
+ description tele_servers;
+ family inet {
+ address 185.110.149.1/26;
+ }
+ family inet6 {
+ address 2a06:5841:149a::1/64;
+ }
+ }
+ unit 3000 {
+ description Security;
+ family inet {
+ address 10.30.20.1/24;
+ }
+ }
+ unit 4000 {
+ description "Outside to fortigate";
+ family inet {
+ address 185.110.148.176/31;
+ }
+ family inet6 {
+ address 2a06:5841:148c:176::2/64;
+ }
+ }
+ unit 4001 {
+ description "Inside to fortigate";
+ family inet {
+ address 185.110.148.178/31;
+ }
+ family inet6 {
+ address 2a06:5841:148c:178::2/64;
+ }
+ }
+ }
+ lo0 {
+ unit 0 {
+ family inet {
+ filter {
+ input protect-mgmt-v4;
+ }
+ address 185.110.148.64/32;
+ }
+ family inet6 {
+ filter {
+ input protect-mgmt-v6;
+ }
+ address 2a06:5841:148b::64/128;
+ }
+ }
+ }
+}
+snmp {
+ community <removed> {
+ authorization read-only;
+ client-list-name mgmt;
+ }
+ community <removed> {
+ authorization read-only;
+ client-list-name mgmt-nms;
+ }
+}
+forwarding-options {
+ storm-control-profiles default {
+ all;
+ }
+ analyzer {
+ inactive: TO_FORTIGATE {
+ input {
+ ingress {
+ interface ae0.0;
+ }
+ egress {
+ interface ae0.0;
+ }
+ }
+ output {
+ interface et-1/0/51.0;
+ }
+ }
+ }
+ dhcp-relay {
+ dhcpv6 {
+ group all {
+ interface irb.243;
+ }
+ server-group {
+ v6-dhcp {
+ 2a06:5841:149a::2;
+ 2a06:5841:1337::2;
+ }
+ }
+ active-server-group v6-dhcp;
+ }
+ server-group {
+ v4-dhcp {
+ 185.110.149.2;
+ 185.110.148.2;
+ }
+ }
+ active-server-group v4-dhcp;
+ group all {
+ overrides {
+ trust-option-82;
+ }
+ interface irb.243;
+ }
+ }
+}
+routing-options {
+ nonstop-routing;
+ rib inet6.0 {
+ static {
+ route 2a06:5840::/30 reject;
+ route 2a06:5844::/30 reject;
+ route ::0/0 next-hop 2a06:5841:148c:178::1;
+ }
+ }
+ rib inet.0 {
+ static {
+ route 0.0.0.0/0 {
+ next-hop 185.110.148.179;
+ metric 10;
+ }
+ }
+ }
+ autonomous-system 21067;
+}
+protocols {
+ apply-groups [ SET_OSPF_DEFAULTS SET_RA_DEFAULTS ];
+ router-advertisement {
+ interface irb.243;
+ }
+ bgp {
+ traceoptions {
+ file bgp-trace size 3m files 7 world-readable;
+ flag state;
+ }
+ log-updown;
+ local-as 21067;
+ inactive: group TN-v4 {
+ type external;
+ local-address 193.212.22.2;
+ import TN-v4-import;
+ authentication-algorithm hmac-sha-1-96;
+ export TN-v4-export;
+ neighbor 193.212.22.1 {
+ authentication-key "<removed>";;
+ peer-as 2119;
+ }
+ }
+ inactive: group TN-v6 {
+ type external;
+ local-address 2001:4600:9:300::292;
+ import TN-v6-import;
+ authentication-algorithm hmac-sha-1-96;
+ export TN-v6-export;
+ neighbor 2001:4600:9:300::291 {
+ authentication-key "<removed>";;
+ peer-as 2119;
+ }
+ }
+ }
+ ospf {
+ export [ STATIC-TO-OSPF redistribute-direct ];
+ reference-bandwidth 1000g;
+ area 0.0.0.0 {
+ interface ae1.0;
+ interface ae2.0;
+ interface ae3.0;
+ interface ae4.0;
+ interface ae5.0;
+ }
+ }
+ ospf3 {
+ export [ STATIC-TO-OSPF redistribute-direct ];
+ reference-bandwidth 1000g;
+ area 0.0.0.0 {
+ interface ae1.0;
+ interface ae2.0;
+ interface ae3.0;
+ interface ae4.0;
+ interface ae5.0;
+ }
+ }
+ lldp {
+ management-address 185.110.148.64;
+ interface all;
+ }
+ lldp-med {
+ interface all;
+ }
+ igmp-snooping {
+ vlan default;
+ }
+ sflow {
+ agent-id 185.110.148.64;
+ polling-interval 20;
+ sample-rate {
+ ingress 3000;
+ egress 3000;
+ }
+ source-ip 185.110.148.64;
+ collector <removed>;
+ collector <removed>;
+ interfaces sflow-inet;
+ }
+}
+policy-options {
+ prefix-list mgmt-v4 {
+ /* KANDU PA-nett (brukt på servere, infra etc) */
+ 185.110.148.0/22;
+ }
+ prefix-list mgmt-v6 {
+ /* KANDU PA-nett (den delen som er brukt på servere, infra etc) */
+ 2a06:5841::/32;
+ }
+ /* sammenslått av separate v4- og v6-lister */
+ prefix-list mgmt {
+ 185.110.148.0/22;
+ 2a06:5841::/32;
+ }
+ /* NMS boxes - separate list to give full speed to SNMP read */
+ prefix-list mgmt-v4-nms {
+ 185.110.148.11/32;
+ 185.110.148.12/32;
+ }
+ /* NMS boxes - separate list to give full speed to SNMP read */
+ prefix-list mgmt-v6-nms {
+ 2a06:5841:1337::11/128;
+ 2a06:5841:1337::12/128;
+ }
+ /* NMS boxes - separate list to give full speed to SNMP read */
+ prefix-list mgmt-nms {
+ 185.110.148.11/32;
+ 185.110.148.12/32;
+ 185.110.150.10/32;
+ 2a06:5841:1337::11/128;
+ 2a06:5841:1337::12/128;
+ }
+ prefix-list icmp_unthrottled-v4 {
+ 185.110.148.0/22;
+ 193.212.22.0/30;
+ }
+ prefix-list icmp_unthrottled-v6 {
+ 2001:4600:9:300::290/126;
+ 2a06:5841::/32;
+ }
+ prefix-list blackhole {
+ 185.110.148.178/32;
+ }
+ policy-statement STATIC-TO-OSPF {
+ from protocol static;
+ then {
+ external {
+ type 1;
+ }
+ accept;
+ }
+ }
+ policy-statement TN-v4-export {
+ term blackhole_export {
+ from tag 995;
+ then {
+ community set blackhole;
+ accept;
+ }
+ }
+ term default_export {
+ from {
+ route-filter 185.110.148.0/22 exact;
+ route-filter 185.110.148.0/24 exact;
+ route-filter 185.110.149.0/24 exact;
+ route-filter 185.110.150.0/24 exact;
+ route-filter 185.110.151.0/24 exact;
+ route-filter 88.92.0.0/17 exact;
+ }
+ then accept;
+ }
+ }
+ policy-statement TN-v4-import {
+ from {
+ route-filter 0.0.0.0/0 exact;
+ }
+ then accept;
+ }
+ policy-statement TN-v6-export {
+ term blackhole_export {
+ from tag 995;
+ then {
+ community set blackhole;
+ accept;
+ }
+ }
+ term default_export {
+ from {
+ route-filter 2a06:5840::/29 exact;
+ route-filter 2a06:5840::/30 exact;
+ route-filter 2a06:5844::/30 exact;
+ }
+ then accept;
+ }
+ }
+ policy-statement TN-v6-import {
+ from {
+ route-filter ::/0 exact;
+ }
+ then accept;
+ }
+ policy-statement redistribute-direct {
+ from protocol direct;
+ then {
+ external {
+ type 1;
+ }
+ accept;
+ }
+ }
+ community blackhole members 2119:995;
+}
+firewall {
+ family inet {
+ filter protect-mgmt-v4 {
+ term accept-ssh {
+ from {
+ source-prefix-list {
+ mgmt-v4;
+ }
+ destination-port 22;
+ }
+ then {
+ count accept-ssh;
+ accept;
+ }
+ }
+ term reject-ssh {
+ from {
+ destination-port 22;
+ }
+ then {
+ count reject-ssh;
+ reject;
+ }
+ }
+ term snmp-nms {
+ from {
+ source-prefix-list {
+ mgmt-v4-nms;
+ }
+ destination-port snmp;
+ }
+ then {
+ count snmp-nms;
+ accept;
+ }
+ }
+ term snmp-throttle {
+ from {
+ source-prefix-list {
+ mgmt-v4;
+ }
+ destination-port snmp;
+ }
+ then {
+ policer policer-1Mbit;
+ count snmp-throttle;
+ accept;
+ }
+ }
+ term icmp-trusted {
+ from {
+ source-prefix-list {
+ icmp_unthrottled-v4;
+ }
+ protocol icmp;
+ }
+ then {
+ count icmp-trusted;
+ accept;
+ }
+ }
+ term icmp-throttled {
+ from {
+ protocol icmp;
+ }
+ then {
+ policer policer-1Mbit;
+ accept;
+ }
+ }
+ term accept-all {
+ then {
+ count accept-all;
+ accept;
+ }
+ }
+ }
+ filter v4-security {
+ term accept-security {
+ from {
+ source-address {
+ 10.30.0.0/16;
+ }
+ destination-address {
+ 10.30.0.0/16;
+ }
+ }
+ then accept;
+ }
+ term discard-all {
+ then {
+ discard;
+ }
+ }
+ }
+ }
+ family inet6 {
+ filter protect-mgmt-v6 {
+ term accept-ssh {
+ from {
+ source-prefix-list {
+ inactive: mgmt-v6;
+ }
+ destination-port 22;
+ }
+ then {
+ count accept-ssh;
+ accept;
+ }
+ }
+ term reject-ssh {
+ from {
+ destination-port 22;
+ }
+ then {
+ count reject-ssh;
+ reject;
+ }
+ }
+ term snmp-nms {
+ from {
+ source-prefix-list {
+ mgmt-v6-nms;
+ }
+ destination-port snmp;
+ }
+ then {
+ count snmp-nms;
+ accept;
+ }
+ }
+ term snmp-throttle {
+ from {
+ source-prefix-list {
+ mgmt-v6;
+ }
+ destination-port snmp;
+ }
+ then {
+ policer policer-1Mbit;
+ count snmp-throttle;
+ accept;
+ }
+ }
+ term icmp-trusted {
+ from {
+ source-prefix-list {
+ icmp_unthrottled-v6;
+ }
+ next-header icmp6;
+ }
+ then {
+ count icmp-trusted;
+ accept;
+ }
+ }
+ term icmp-throttled {
+ from {
+ next-header icmp6;
+ }
+ then {
+ policer policer-1Mbit;
+ accept;
+ }
+ }
+ term accept-all {
+ then {
+ count accept-all;
+ accept;
+ }
+ }
+ }
+ }
+ policer policer-1Mbit {
+ if-exceeding {
+ bandwidth-limit 1m;
+ burst-size-limit 500k;
+ }
+ then discard;
+ }
+ policer policer-slowest {
+ if-exceeding {
+ bandwidth-limit 8k;
+ burst-size-limit 1k;
+ }
+ then discard;
+ }
+}
+routing-instances {
+ OUTSIDE {
+ description "Utside mot Telenor - untrust/internett";
+ instance-type virtual-router;
+ interface xe-0/0/33.0;
+ interface xe-0/0/34.0;
+ interface xe-1/0/33.0;
+ interface xe-1/0/34.0;
+ interface ae0.0;
+ interface ae7.0;
+ interface irb.4000;
+ routing-options {
+ rib OUTSIDE.inet.0 {
+ static {
+ route 185.110.148.0/22 next-hop 185.110.148.177;
+ route 185.110.148.0/24 next-hop 185.110.148.177;
+ route 185.110.149.0/24 next-hop 185.110.148.177;
+ route 185.110.150.0/24 next-hop 185.110.148.177;
+ route 185.110.151.0/24 next-hop 185.110.148.177;
+ route 88.92.0.0/17 next-hop 185.110.148.177;
+ }
+ }
+ rib OUTSIDE.inet6.0 {
+ static {
+ route 2a06:5840::/30 next-hop 2a06:5841:148c:176::1;
+ route 2a06:5844::/30 next-hop 2a06:5841:148c:176::1;
+ }
+ }
+ }
+ protocols {
+ bgp {
+ traceoptions {
+ file bgp-trace-outside size 3m files 7 world-readable;
+ flag state;
+ }
+ log-updown;
+ local-as 21067;
+ group TN-v4 {
+ type external;
+ local-address 193.212.22.2;
+ import TN-v4-import;
+ authentication-algorithm hmac-sha-1-96;
+ export TN-v4-export;
+ neighbor 193.212.22.1 {
+ authentication-key "<removed>";;
+ peer-as 2119;
+ }
+ }
+ group TN-v6 {
+ type external;
+ local-address 2001:4600:9:300::292;
+ import TN-v6-import;
+ authentication-algorithm hmac-sha-1-96;
+ export TN-v6-export;
+ neighbor 2001:4600:9:300::291 {
+ authentication-key "<removed>";;
+ peer-as 2119;
+ }
+ }
+ }
+ }
+ }
+}
+virtual-chassis {
+ preprovisioned;
+ member 0 {
+ role routing-engine;
+ serial-number <removed>;
+ }
+ member 1 {
+ role routing-engine;
+ serial-number <removed>;
+ }
+}
+vlans {
+ INSIDE_TO_FW {
+ vlan-id 4001;
+ l3-interface irb.4001;
+ }
+ Klientnett_innsjekk {
+ vlan-id 243;
+ l3-interface irb.243;
+ }
+ OUTSIDE_TO_FW {
+ vlan-id 4000;
+ l3-interface irb.4000;
+ }
+ security {
+ vlan-id 3000;
+ l3-interface irb.3000;
+ }
+ tele_servers {
+ vlan-id 1491;
+ l3-interface irb.1491;
+ }
+}
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-26 10:23:27 +0000