## Last commit: 2015-04-03 17:44:49 CEST by technet version 14.1X53-D16.2; system { host-name rs1.tele; auto-snapshot; domain-name infra.gathering.org; time-zone Europe/Oslo; root-authentication { } name-server { 8.8.8.8; } login { user technet { uid 2005; class super-user; authentication { } } user tg { uid 2000; class super-user; authentication { } } } services { ssh { root-login deny; } dhcp-local-server { group all { interface irb.10; } } } syslog { user * { any emergency; } host 185.12.59.18 { any info; authorization info; port 515; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; match "UI_CMDLINE_READ_LINE|UI_COMMIT_COMPLETED"; } } commit synchronize; ntp { boot-server 129.240.2.6; server 129.240.2.6; } } chassis { redundancy { graceful-switchover; } aggregated-devices { ethernet { device-count 32; } } alarm { management-ethernet { link-down ignore; } } } interfaces { interface-range sflow { member-range ge-0/0/0 to ge-0/0/23; member-range et-0/1/0 to et-0/1/1; member-range xe-0/2/0 to xe-0/2/3; member-range ge-1/0/0 to ge-1/0/23; member-range et-1/1/0 to et-1/1/1; member-range xe-1/2/0 to xe-1/2/3; member-range ge-2/0/0 to ge-2/0/23; member-range xe-2/2/0 to xe-2/2/3; } interface-range all-ports { member-range ge-0/0/0 to ge-0/0/23; member-range et-0/1/0 to et-0/1/3; member-range xe-0/2/0 to xe-0/2/3; member-range ge-1/0/0 to ge-1/0/23; member-range et-1/1/0 to et-1/1/3; member-range xe-1/2/0 to xe-1/2/3; member-range ge-2/0/0 to ge-2/0/23; member-range et-2/1/0 to et-2/1/3; member-range xe-2/2/0 to xe-2/2/3; description "-- Not in use --"; } ge-0/0/0 { description Event:Studio-link; unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ studio_klient tele_event tele_mgmt ]; } } } } ge-0/0/1 { description "marty - DHCP/DNS"; unit 0 { family ethernet-switching { vlan { members DHCP; } } } } ge-0/0/2 { description "Fortigate management"; unit 0 { family ethernet-switching { vlan { members DHCP; } } } } ge-0/0/3 { unit 0 { family ethernet-switching { vlan { members DHCP; } } } } ge-0/0/4 { description "NFC-station soverom syd"; unit 0 { family ethernet-switching { vlan { members studio_klient; } } } } ge-0/0/5 { description "NFC-station soverom syd"; unit 0 { family ethernet-switching { vlan { members studio_klient; } } } } ge-0/0/6 { unit 0 { family ethernet-switching { vlan { members TELETEMP; } } } } ge-0/0/7 { unit 0 { family ethernet-switching { vlan { members TELETEMP; } } } } ge-0/0/8 { unit 0 { family ethernet-switching { vlan { members TELETEMP; } } } } ge-0/0/9 { unit 0 { family ethernet-switching { vlan { members TELETEMP; } } } } ge-0/0/10 { unit 0 { family ethernet-switching { vlan { members DHCP; } } } } et-0/1/0 { description "rs1.core et-0/0/53"; ether-options { no-auto-negotiation; 802.3ad ae0; } } et-0/1/1 { description "rs1.noc et-2/0/49"; ether-options { 802.3ad ae1; } } et-0/1/2 { description VC; } et-0/1/3 { description VC; } xe-0/2/0 { description "fw2.tele ethernet9"; ether-options { 802.3ad ae3; } } xe-0/2/1 { description "fw1.tele xe-6/0/0"; ether-options { 802.3ad ae2; } } xe-0/2/2 { description "Blix 1470nm"; ether-options { 802.3ad ae5; } } xe-0/2/3 { description "Blix 1510nm"; ether-options { 802.3ad ae5; } } ge-1/0/0 { description "Security Server"; unit 0 { family ethernet-switching { vlan { members tele_security; } } } } et-1/1/0 { description "rs1.core et-1/0/53"; ether-options { 802.3ad ae0; } } et-1/1/1 { description "rs1.noc et-3/0/49"; ether-options { 802.3ad ae1; } } et-1/1/2 { description VC; } et-1/1/3 { description VC; } xe-1/2/0 { description "rs1.south xe-0/1/0"; unit 0 { family inet { filter { input v4-fbf; } address 151.216.128.10/31; } family inet6 { address 2a02:ed02:fffe::10/127; } } } xe-1/2/1 { description "fw1.tele xe-6/0/1"; ether-options { 802.3ad ae2; } } xe-1/2/2 { description "Blix 1530nm"; ether-options { 802.3ad ae5; } } xe-1/2/3 { description "Blix 1610nm"; ether-options { 802.3ad ae5; } } et-2/1/0 { description "Fortigate 1"; ether-options { no-auto-negotiation; } unit 0 { family ethernet-switching { vlan { members default; } } } } et-2/1/2 { description VC; } et-2/1/3 { description VC; } ae0 { description "rs1.core ae1"; aggregated-ether-options { lacp { active; } } unit 0 { family inet { filter { input v4-fbf; } address 151.216.128.0/31; } family inet6 { address 2a02:ed02:fffe::0/127; } } } ae1 { description "rs1.noc ae1"; aggregated-ether-options { lacp { active; } } unit 0 { family inet { mtu 1500; filter { input v4-fbf; } address 151.216.128.2/31; } family inet6 { address 2a02:ed02:fffe::2/127; } } } ae2 { description "fw1.tele ae0"; vlan-tagging; aggregated-ether-options { lacp { active; } } unit 10 { description "fw1.tele pre-nat"; vlan-id 10; family inet { address 151.216.128.6/31; } } unit 20 { description "fw1.tele post-nat"; vlan-id 20; family inet { address 151.216.128.8/31; } } unit 30 { description "fw1.tele firewall for event"; vlan-id 30; family inet { address 151.216.128.44/31; } } } ae3 { description fw2.tele; vlan-tagging; aggregated-ether-options { lacp { active; } } unit 40 { description "fw2.tele pre-nat"; vlan-id 40; family inet { address 151.216.128.46/31; } } unit 50 { description "fw2.tele post-nat"; vlan-id 50; family inet { address 151.216.128.48/31; } } } ae5 { description "Blix internett"; aggregated-ether-options { lacp { active; } } unit 0 { family inet { filter { input v4-internet-ingress; output v4-internet-egress; } address 185.12.58.2/30; } family inet6 { filter { input v6-internet-ingress; output v6-internet-egress; } address 2a02:ed01::2/64; } } } irb { unit 0; unit 66 { family inet { address 185.12.59.65/27; } family inet6 { address 2a02:ed02:1ee7::1/64; } } unit 240 { family inet { address 151.216.240.1/24; } } unit 1831 { family inet { address 151.216.183.33/27; } family inet6 { address 2a02:ed02:1831::33/64; } } unit 2500 { family inet { filter { input v4-fbf; output v4-event; } address 10.20.20.1/24; } } unit 3000 { description "Security spesialnett"; family inet { filter { input v4-security; output v4-security; } address 10.30.20.1/24; } } } lo0 { unit 0 { family inet { filter { input v4-mgmt; } address 151.216.255.0/32; address 185.12.59.0/32; } family inet6 { filter { input v6-mgmt; } address 2a02:ed02:ffff::0/128; } } } vme { unit 0; } } snmp { view safe_poll { oid 1.3.6.1.2.1.1 include; oid 1.3.6.1.2.1.2 include; oid 1.3.6.1.4.1.2636.3.5.2.1 include; oid 1.3.6.1.4.1.2636.3.1.13.1.5 include; } community { client-list-name mgmt; } community { client-list-name mgmt; } } forwarding-options { analyzer { fortigate-1 { input { ingress { interface ae5.0; } egress { interface ae5.0; } } output { interface et-2/1/0.0; } } inactive: fortigate-2 { input { ingress { interface xe-1/2/2.0; interface xe-1/2/3.0; } } output { interface et-2/1/1.0; } } } dhcp-relay { dhcpv6 { group all { interface irb.240; interface irb.2500; } server-group { v6-dhcp { 2a02:ed02:1ee7::66; } } } server-group { v4-dhcp { 185.12.59.66; 185.12.59.2; } } group all { active-server-group v4-dhcp; overrides { trust-option-82; } interface irb.240; interface irb.2500; } } } routing-options { nonstop-routing; rib inet.0 { static { route 151.216.128.0/17 reject; route 185.12.59.0/24 reject; route 185.12.59.96/27 next-hop 151.216.128.9; route 185.12.59.128/25 next-hop 151.216.128.9; } } rib inet6.0 { static { route 2a02:ed02::/32 reject; route 2001:67c:2e44::/48 reject; } } router-id 151.216.255.0; autonomous-system 35642; } protocols { bgp { group v4-blix { import v4-blix-in; export v4-blix-out; neighbor 185.12.58.1 { peer-as 50304; } } group v6-blix { import v6-blix-in; export v6-blix-out; neighbor 2a02:ed01::1 { peer-as 50304; } } } ospf { export [ redistribute-direct redistribute-static redistribute-default ]; reference-bandwidth 1000g; area 0.0.0.0 { interface ae0.0; interface ae1.0; interface xe-1/2/0.0; interface ae2.20; } } ospf3 { export [ redistribute-direct redistribute-static redistribute-default ]; reference-bandwidth 1000g; area 0.0.0.0 { interface ae0.0; interface ae1.0; interface xe-1/2/0.0; interface ae2.20; } } pim { rp { static { address 2a02:ed02:ffff::11; address 151.216.255.11; } } interface ae0.0 { family inet; family inet6; } interface ae1.0 { family inet; family inet6; } interface xe-1/2/0.0 { family inet; family inet6; } } lldp { interface all; } lldp-med { interface all; } igmp-snooping { vlan default; } inactive: sflow { agent-id 151.216.255.0; polling-interval 3600; sample-rate { ingress 10; egress 10; } source-ip 151.216.255.0; collector ; interfaces sflow; } layer2-control { nonstop-bridging; } } policy-options { prefix-list v4-mgmt { /* NOC clients */ 151.216.254.0/24; /* Servers */ 185.12.59.0/26; } prefix-list v6-mgmt { /* NOC clients */ 2a02:ed02:254::/64; /* Servers */ 2a02:ed02:1337::/64; } prefix-list mgmt { /* NOC clients */ 151.216.254.0/24; /* Servers */ 185.12.59.0/26; /* NOC clients */ 2a02:ed02:254::/64; /* Servers */ 2a02:ed02:1337::/64; } prefix-list fbf-steam { 2.16.94.112/32; 2.17.35.235/32; 2.18.192.192/32; 23.10.252.26/32; 23.10.252.51/32; 23.32.105.6/32; 23.62.99.32/32; 23.77.200.247/32; 23.214.66.123/32; 23.214.146.125/32; 23.215.60.219/32; 72.165.61.0/24; 81.171.115.0/24; 87.248.217.0/24; 90.101.0.113/32; 92.122.219.117/32; 95.101.0.0/22; 95.101.248.45/32; 103.28.54.0/23; 146.66.152.0/23; 146.66.156.10/32; 172.229.200.45/32; 195.18.221.144/32; 205.185.220.0/24; 208.64.200.0/24; 209.197.0.0/16; 212.187.201.0/24; } prefix-list fbf-netflix { 23.246.2.0/23; 23.246.4.0/22; 23.246.8.0/21; 23.246.16.0/21; 23.246.24.0/22; 23.246.28.0/23; 23.246.32.0/20; 23.246.48.0/20; 23.246.62.0/24; 23.246.63.0/24; 37.77.184.0/21; 69.53.224.0/19; 108.175.32.0/20; 185.2.220.0/22; 185.9.188.0/23; 185.9.190.0/23; 192.173.64.0/20; 192.173.64.0/24; 192.173.80.0/20; 192.173.96.0/20; 192.173.112.0/20; 198.38.96.0/20; 198.38.112.0/21; 198.38.120.0/22; 198.38.124.0/23; 198.45.48.0/20; 208.75.77.0/24; } prefix-list fbf-twitch { 185.42.204.0/22; 192.16.64.0/21; 199.9.248.0/21; } prefix-list fbf-nrk { 23.8.146.0/24; 46.137.77.0/24; 50.16.209.0/24; 50.16.231.0/24; 50.17.243.0/24; 54.225.239.0/24; 54.243.68.0/24; 54.243.145.0/24; 65.52.155.0/24; 77.88.106.0/24; 82.96.58.0/24; 94.245.71.0/24; 95.101.0.112/32; 160.68.205.0/24; 174.129.219.0/24; 184.28.17.0/24; 184.73.220.0/24; 204.236.234.0/24; 204.245.63.0/24; } prefix-list fbf-spotify { 23.92.96.0/22; 23.92.100.0/22; 23.92.104.0/22; 54.230.97.211/32; 54.230.98.246/32; 54.230.99.207/32; 78.31.8.0/22; 78.31.12.0/22; 192.121.53.0/24; 192.121.132.0/24; 192.121.140.0/24; 192.165.160.0/22; 193.181.4.0/22; 193.181.180.0/22; 193.182.3.0/24; 193.182.7.0/24; 193.182.8.0/21; 193.182.243.0/24; 193.234.240.0/22; 193.235.32.0/24; 193.235.51.0/24; 193.235.203.0/24; 193.235.206.0/24; 193.235.224.0/24; 193.235.232.0/22; 194.14.177.0/24; 194.68.28.0/22; 194.68.116.0/24; 194.68.169.0/24; 194.68.176.0/22; 194.68.181.0/24; 194.68.183.0/24; 194.71.148.0/22; 194.103.10.0/24; 194.103.13.0/24; 194.103.36.0/22; 194.132.152.0/22; 194.132.162.0/24; 194.132.168.0/22; 194.132.176.0/22; 194.132.196.0/22; 194.132.204.0/22; } policy-statement redistribute-default { from protocol bgp; then { external { type 1; } accept; } } policy-statement redistribute-direct { from protocol direct; then { external { type 1; } accept; } } policy-statement redistribute-static { from protocol static; then { external { type 1; } accept; } } policy-statement v4-blix-in { from { route-filter 0.0.0.0/0 exact; } } policy-statement v4-blix-out { from { route-filter 151.216.128.0/17 exact; route-filter 185.12.59.0/24 exact; } then accept; } policy-statement v6-blix-in { from { route-filter ::/0 exact; } } policy-statement v6-blix-out { from { route-filter 2a02:ed02::/32 exact; route-filter 2001:67c:2e44::/48 exact; } then accept; } } firewall { family inet { filter v4-fbf { term fbf-event-nope { from { destination-address { 10.20.0.0/16; } } then { count fbf-event-nope; accept; } } term fbf-event { from { source-address { 10.20.0.0/16; } } then { count fbf-event; routing-instance to-firewall; } } inactive: term fbf-prefix-list { from { source-prefix-list { fbf-netflix; fbf-nrk; fbf-spotify; fbf-steam; fbf-twitch; } } then { routing-instance to-nat; } } inactive: term fbf-blizzard { from { destination-address { 12.129.242.30/32; 12.129.193.242/32; 80.239.186.0/25; 80.239.208.0/25; } } then { count fbf-blizzard; routing-instance to-nat; } } inactive: term fbf-steam { from { destination-address { 92.122.219.117/32; 172.229.200.45/32; 95.101.248.45/32; 23.32.105.6/32; 23.214.66.123/32; 23.214.146.125/32; 2.17.35.235/32; 90.101.0.113/32; 146.66.156.10/32; 23.62.99.32/32; 2.18.192.192/32; 23.10.252.51/32; 23.215.60.219/32; 23.77.200.247/32; 23.10.252.26/32; 2.16.94.112/32; 95.101.0.0/22; 195.18.221.144/32; 72.165.61.0/24; 81.171.115.0/24; 87.248.217.0/24; 103.28.54.0/23; 146.66.152.0/23; 205.185.220.0/24; 208.64.200.0/24; 209.197.0.0/16; 212.187.201.0/24; 23.223.16.0/20; } } then { count fbf-steam; routing-instance to-nat; } } /* League of Legends EU West */ inactive: term fbf-riotgames { from { destination-address { 54.230.99.43/32; 195.18.221.144/32; 23.52.27.27/32; 172.255.83.1/32; 185.40.64.0/22; 178.255.83.1/32; } } then { count fbf-riotgames; routing-instance to-nat; } } inactive: term fbf-spotify { from { destination-address { 54.230.98.246/32; 54.230.97.211/32; 54.230.99.207/32; 23.92.96.0/22; 23.92.100.0/22; 23.92.104.0/22; 78.31.8.0/22; 78.31.12.0/22; 192.121.53.0/24; 192.121.132.0/24; 192.121.140.0/24; 192.165.160.0/22; 193.181.4.0/22; 193.181.180.0/22; 193.182.3.0/24; 193.182.7.0/24; 193.182.8.0/21; 193.182.243.0/24; 193.234.240.0/22; 193.235.32.0/24; 193.235.51.0/24; 193.235.203.0/24; 193.235.206.0/24; 193.235.224.0/24; 193.235.232.0/22; 194.14.177.0/24; 194.68.28.0/22; 194.68.116.0/24; 194.68.169.0/24; 194.68.176.0/22; 194.68.181.0/24; 194.68.183.0/24; 194.71.148.0/22; 194.103.10.0/24; 194.103.13.0/24; 194.103.36.0/22; 194.132.152.0/22; 194.132.162.0/24; 194.132.168.0/22; 194.132.176.0/22; 194.132.196.0/22; 194.132.204.0/22; } } then { count fbf-spotify; routing-instance to-nat; } } inactive: term fbf-origin { from { destination-address { 2.19.187.0/25; 184.86.15.128/25; 54.243.176.0/23; 23.15.8.0/24; 23.21.0.0/16; 23.23.0.0/16; 23.32.241.0/24; 23.46.0.0/16; 50.16.0.0/16; 50.17.0.0/16; 54.225.0.0/16; 81.21.146.0/24; 107.20.244.0/24; 120.29.145.0/24; 124.40.32.0/24; 125.56.200.0/24; 164.177.139.0/24; 184.73.0.0/16; 204.236.239.0/24; 23.54.0.0/20; } } then { count fbf-origin; routing-instance to-nat; } } inactive: term fbf-nrk { from { destination-address { 23.8.146.0/24; 46.137.77.0/24; 50.16.209.0/24; 50.16.231.0/24; 50.17.243.0/24; 54.225.239.0/24; 54.243.145.0/24; 54.243.68.0/24; 65.52.155.0/24; 77.88.106.0/24; 82.96.58.0/24; 94.245.71.0/24; 160.68.205.0/24; 174.129.219.0/24; 184.28.17.0/24; 184.73.220.0/24; 204.245.63.0/24; 204.236.234.0/24; 95.101.0.112/32; } } then { count fbf-nrk; routing-instance to-nat; } } inactive: term fbf-twitch { from { destination-address { 185.42.204.0/22; 199.9.248.0/21; 192.16.64.0/21; } } then { count fbf-twitch; routing-instance to-nat; } } inactive: term fbf-viaplay { from { destination-address { 54.72.0.0/13; 54.80.0.0/12; 54.224.0.0/12; 54.72.0.0/16; 54.144.0.0/14; 54.192.0.0/22; 54.246.173.25/32; 52.16.240.0/20; } } then { count fbf-viaplay; routing-instance to-nat; } } inactive: term fbf-tv2 { from { destination-address { 77.75.208.0/21; 193.227.204.0/23; 193.160.156.0/23; } } then { count fbf-tv2; routing-instance to-nat; } } inactive: term fbf-netflix { from { destination-address { 69.53.224.0/19; 208.75.77.0/24; 23.246.2.0/23; 23.246.4.0/22; 23.246.8.0/21; 23.246.16.0/21; 23.246.24.0/22; 23.246.28.0/23; 23.246.32.0/20; 23.246.48.0/20; 23.246.62.0/24; 23.246.63.0/24; 37.77.184.0/21; 108.175.32.0/20; 185.2.220.0/22; 185.9.188.0/23; 185.9.190.0/23; 192.173.64.0/20; 192.173.64.0/24; 192.173.80.0/20; 192.173.96.0/20; 192.173.112.0/20; 198.38.96.0/20; 198.38.112.0/21; 198.38.120.0/22; 198.38.124.0/23; 198.45.48.0/20; } } then { count fbf-netflix; routing-instance to-nat; } } inactive: term fbf-ubisoft { from { destination-address { 216.98.62.0/23; 216.98.61.0/24; 216.98.59.0/24; 216.98.56.0/24; 216.98.48.0/24; 216.98.48.0/20; 195.88.183.0/24; 195.88.182.0/24; 195.22.144.0/23; 194.2.155.0/24; 194.169.249.0/24; 193.138.66.0/24; 185.38.20.0/22; } } then { count fbf-ubisoft; routing-instance to-nat; } } inactive: term fbf-harald { from { destination-address { 91.209.30.12/32; 91.209.30.134/32; 91.209.30.20/32; } } then { count fbf-harald; routing-instance to-nat; } } inactive: term fbf-google { from { destination-address { 216.58.209.0/24; } } then { count fbf-google; routing-instance to-nat; } } term accept-last { then { count accept-last; accept; } } } filter v4-event { term accept-event { from { source-address { 10.20.0.0/16; } } then { count accept-event; accept; } } term accept-noc { from { source-address { 185.12.59.0/26; 185.12.59.64/27; } } then { count accept-noc; accept; } } term reject-tg { from { source-address { 185.12.59.0/24; 151.216.128.0/17; } } then { count reject-tg; reject; } } term accept-all { then { count accept-all; accept; } } } filter v4-mgmt { term accept-ssh { from { source-prefix-list { v4-mgmt; } destination-port 22; } then { count accept-ssh; accept; } } term reject-ssh { from { destination-port 22; } then { count reject-ssh; reject; } } term accept-all { then { count accept-all; accept; } } } filter v4-internet-ingress { term block-ntp { from { protocol udp; destination-port ntp; } then { count block-ntp; discard; } } term accept-all { then { count accept-all; accept; } } } filter v4-internet-egress { term accept-all { then { count accept-all; accept; } } } filter v4-security { term accept-security { from { source-address { 10.30.0.0/16; } destination-address { 10.30.0.0/16; } } then accept; } term discard-all { then { discard; } } } } family inet6 { filter v6-mgmt { term accept-ssh { from { source-prefix-list { v6-mgmt; } destination-port 22; } then { count accept-ssh; accept; } } term reject-ssh { from { destination-port 22; } then { count reject-ssh; reject; } } term accept-all { then { count accept-all; accept; } } } filter v6-internet-ingress { term accept-all { then { count accept-all; accept; } } } filter v6-internet-egress { term accept-all { then { count accept-all; accept; } } } } } access { address-assignment { pool v4-teletemp { family inet { network 151.216.160.0/24; range v4-teletemp { low 151.216.160.10; high 151.216.160.50; } dhcp-attributes { name-server { 8.8.8.8; } router { 151.216.160.1; } } } } pool event_tele { family inet { network 10.20.20.0/24; range event_tele { low 10.20.20.2; high 10.20.20.254; } dhcp-attributes { name-server { 185.12.59.66; 185.12.59.2; } router { 10.20.20.1; } } } } } } routing-instances { to-firewall { description "For firewalling of event-net"; instance-type virtual-router; interface ae2.30; routing-options { static { route 0.0.0.0/0 next-hop 151.216.128.45; } } } to-nat { description "For NAT av tjenester"; instance-type virtual-router; interface ae2.10; routing-options { static { route 0.0.0.0/0 next-hop 151.216.128.7; } } } } virtual-chassis { preprovisioned; member 0 { role routing-engine; serial-number ; } member 1 { role routing-engine; serial-number ; } member 2 { role line-card; serial-number ; } } vlans { DHCP { vlan-id 66; l3-interface irb.66; } TELETEMP { vlan-id 10; l3-interface irb.10; } default { vlan-id 1; l3-interface irb.0; } studio_klient { vlan-id 240; l3-interface irb.240; } tele_event { vlan-id 2500; l3-interface irb.2500; } tele_mgmt { vlan-id 1831; l3-interface irb.1831; } tele_security { vlan-id 3000; l3-interface irb.3000; } }