## Last changed: 2015-05-31 17:36:27 CEST version 14.1X53-D26.2; groups { SET_AE_DEFAULTS { interfaces { { aggregated-ether-options { lacp { active; } } } } } SET_OSPF_DEFAULTS { protocols { ospf { reference-bandwidth 1000g; area 0.0.0.0 { interface { bfd-liveness-detection { minimum-interval 100; multiplier 3; } } } } ospf3 { reference-bandwidth 1000g; area 0.0.0.0 { interface { bfd-liveness-detection { minimum-interval 100; multiplier 3; } } } } } } } system { host-name gamegw; auto-snapshot; time-zone Europe/Oslo; authentication-order [ tacplus password ]; root-authentication { encrypted-password ""; } name-server { 185.110.149.2; 185.110.148.2; 2a06:5841:149a::2; 2a06:5841:1337::2; } tacplus-server { 134.90.150.164 { secret ""; source-address 185.110.148.72; } } login { user technet { uid 2000; class super-user; authentication { encrypted-password ""; } } } services { ssh { root-login deny; no-tcp-forwarding; client-alive-count-max 2; client-alive-interval 300; connection-limit 5; rate-limit 5; } netconf { ssh { connection-limit 3; rate-limit 3; } } dhcp { traceoptions { file dhcp_logfile; level all; flag all; } } } syslog { user * { any emergency; } host 185.110.148.17 { any info; authorization info; port 515; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } } /* Save changes to central site */ archival { configuration { transfer-on-commit; archive-sites { "scp://user@host/some/folder/" password ""; } } } commit synchronize; ntp { server 2001:700:100:2::6; } } chassis { aggregated-devices { ethernet { device-count 32; } } auto-image-upgrade; } security { ssh-known-hosts { host 134.90.150.164 { ecdsa-sha2-nistp256-key ; } } } interfaces { apply-groups SET_AE_DEFAULTS; ge-0/0/46 { description "ae30 mot AUDGW"; ether-options { 802.3ad ae30; } } ge-0/0/47 { description "ae30 mot AUDGW"; ether-options { 802.3ad ae30; } } xe-0/1/0 { description "ae28 mot NORTH"; ether-options { 802.3ad ae28; } } ae28 { description "mot NORTH"; unit 0 { family inet { address 185.110.148.184/31; } family inet6; } } ae30 { description "mot AUDGW"; unit 0 { family inet { address 185.110.148.183/31; } family inet6; } } lo0 { unit 0 { family inet { address 185.110.148.78/32; } family inet6 { address 2a06:5841:148b::78/128; } } } } protocols { apply-groups SET_OSPF_DEFAULTS; ospf { export [ redistribute-direct redistribute-static ]; area 0.0.0.0 { interface ae28.0; interface ae30.0; } } ospf3 { export [ redistribute-direct redistribute-static ]; area 0.0.0.0 { interface ae28.0; interface ae30.0; } } rstp; lldp { interface all; } lldp-med { interface all; } } policy-options { prefix-list mgmt-v4 { /* KANDU PA-nett (brukt på servere, infra etc) */ 185.110.148.0/22; } prefix-list mgmt-v6 { /* KANDU PA-nett (den delen som er brukt på servere, infra etc) */ 2a06:5841::/32; } /* sammensl̴tt av separate v4- og v6-lister */ prefix-list mgmt { 185.110.148.0/22; 2a06:5841::/32; } /* NMS boxes - separate list to give full speed to SNMP read */ prefix-list mgmt-v4-nms { 185.110.148.11/32; 185.110.148.12/32; } /* NMS boxes - separate list to give full speed to SNMP read */ prefix-list mgmt-v6-nms { 2a06:5841:1337::11/128; 2a06:5841:1337::12/128; } /* NMS boxes - separate list to give full speed to SNMP read */ prefix-list mgmt-nms { 185.110.148.11/32; 185.110.148.12/32; 185.110.150.10/32; 2a06:5841:1337::11/128; 2a06:5841:1337::12/128; } prefix-list icmp_unthrottled-v4 { 185.110.148.0/22; 193.212.22.0/30; } prefix-list icmp_unthrottled-v6 { 2001:4600:9:300::290/126; 2a06:5841::/32; } policy-statement STATIC-TO-OSPF { from protocol static; then { external { type 1; } accept; } } policy-statement redistribute-direct { from protocol direct; then { external { type 1; } accept; } } policy-statement redistribute-static { from protocol static; then { external { type 1; } accept; } } } firewall { family inet { filter protect-mgmt-v4 { term accept-ssh { from { source-prefix-list { mgmt-v4; } destination-port 22; } then { count accept-ssh; accept; } } term reject-ssh { from { destination-port 22; } then { count reject-ssh; reject; } } term snmp-nms { from { source-prefix-list { mgmt-v4-nms; } destination-port snmp; } then { count snmp-nms; accept; } } term snmp-throttle { from { source-prefix-list { mgmt-v4; } destination-port snmp; } then { policer policer-1Mbit; count snmp-throttle; accept; } } term icmp-trusted { from { source-prefix-list { icmp_unthrottled-v4; } protocol icmp; } then { count icmp-trusted; accept; } } term icmp-throttled { from { protocol icmp; } then { policer policer-1Mbit; accept; } } term accept-all { then { count accept-all; accept; } } } } family inet6 { filter protect-mgmt-v6 { term accept-ssh { from { source-prefix-list { inactive: mgmt-v6; } destination-port 22; } then { count accept-ssh; accept; } } term reject-ssh { from { destination-port 22; } then { count reject-ssh; reject; } } term snmp-nms { from { source-prefix-list { mgmt-v6-nms; } destination-port snmp; } then { count snmp-nms; accept; } } term snmp-throttle { from { source-prefix-list { mgmt-v6; } destination-port snmp; } then { policer policer-1Mbit; count snmp-throttle; accept; } } term icmp-trusted { from { source-prefix-list { icmp_unthrottled-v6; } next-header icmp6; } then { count icmp-trusted; accept; } } term icmp-throttled { from { next-header icmp6; } then { policer policer-1Mbit; accept; } } term accept-all { then { count accept-all; accept; } } } } policer policer-1Mbit { if-exceeding { bandwidth-limit 1m; burst-size-limit 500k; } then discard; } } ethernet-switching-options { storm-control { interface all; } } poe { interface all; }