## Last changed: 2016-03-26 13:25:28 CET version 14.1X53-D15.2; groups { SET_AE_DEFAULTS { interfaces { { aggregated-ether-options { lacp { active; } } } } } SET_OSPF_DEFAULTS { protocols { ospf { reference-bandwidth 1000g; area <*> { interface ; } } ospf3 { reference-bandwidth 1000g; area <*> { interface ; } } } } SET_RA_DEFAULTS { protocols { router-advertisement { interface <*> { max-advertisement-interval 15; managed-configuration; } } } } } system { host-name loggw; auto-snapshot; time-zone Europe/Oslo; authentication-order tacplus; root-authentication { encrypted-password ""; } name-server { 185.110.149.2; 185.110.148.2; 2a06:5841:149a::2; 2a06:5841:1337::2; } tacplus-server { 134.90.150.164 { secret ""; source-address 185.110.148.72; } } login { user lars { uid 2003; class super-user; authentication { encrypted-password ""; } } user technet { uid 2000; class super-user; authentication { encrypted-password ""; } } } services { ssh { root-login deny; no-tcp-forwarding; client-alive-count-max 2; client-alive-interval 300; connection-limit 5; rate-limit 5; } netconf { ssh { connection-limit 3; rate-limit 3; } } } syslog { user * { any emergency; } host 185.110.148.17 { any info; authorization info; port 515; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } } archival { configuration { transfer-on-commit; archive-sites { "scp://user@host/some/folder/" password ""; } } } commit synchronize; processes { dhcp-service { traceoptions { file JDHCPDEBUG size 20m files 5; flag all; } } } ntp { server 2001:700:100:2::6; } } chassis { aggregated-devices { ethernet { device-count 32; } } alarm { management-ethernet { link-down ignore; } } auto-image-upgrade; } security { ssh-known-hosts { host 134.90.150.164 { ecdsa-sha2-nistp256-key ; } } } interfaces { apply-groups SET_AE_DEFAULTS; interface-range edge-ports { member ge-0/0/0; member-range ge-0/0/3 to ge-0/0/29; member-range ge-0/0/31 to ge-0/0/42; description "Direkteterminerte klienter"; unit 0 { family ethernet-switching { port-mode access; vlan { members log_clients; } } } } ge-0/0/1 { description sw2-flankesor; ether-options { 802.3ad ae26; } } ge-0/0/2 { description sw2-flankesor; ether-options { 802.3ad ae26; } } ge-0/0/30 { unit 0 { family ethernet-switching; } } ge-0/0/44 { description eventsw1; ether-options { 802.3ad ae27; } } ge-0/0/45 { description eventsw1; ether-options { 802.3ad ae27; } } ge-0/0/46 { description logsw; ether-options { 802.3ad ae28; } } ge-0/0/47 { description logsw; ether-options { 802.3ad ae28; } } xe-0/1/0 { description swinggw; ether-options { 802.3ad ae30; } } xe-0/1/1 { description southgw; ether-options { 802.3ad ae31; } } xe-0/1/2 { description stagegw; ether-options { 802.3ad ae29; } } ae26 { description sw2-flankesor; aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { port-mode trunk; vlan { members [ mgmt FLANKESOR_CLIENTS ]; } } } } ae27 { description event_clients; unit 0 { family ethernet-switching { port-mode trunk; vlan { members [ event_clients mgmt ]; } } } } ae28 { description log_clients; unit 0 { family ethernet-switching { port-mode trunk; vlan { members [ log_clients mgmt ]; } } } } ae29 { description "mot stagegw ae31"; unit 0 { family inet { address 185.110.148.175/31; } family inet6; } } ae30 { description "mot swinggw ae31"; unit 0 { family inet { address 185.110.148.142/31; } family inet6; } } ae31 { description "mot southgw ae31"; unit 0 { family inet { address 185.110.148.144/31; } family inet6; } } lo0 { unit 0 { family inet { address 185.110.148.72/32; } family inet6 { address 2a06:5841:148b::72/128; } } } vlan { unit 0 { family inet { filter { input protect-mgmt-v4; } address 185.110.148.72/32; } family inet6 { filter { input protect-mgmt-v6; } address 2a06:5841:148b::72/128; } } unit 224 { description event_clients; family inet { address 88.92.59.1/24; } family inet6 { address 2a06:5840:59::1/64; } } unit 234 { description log_clients; family inet { address 88.92.60.1/24; } family inet6 { address 2a06:5840:60::1/64; } } unit 1224 { description mgmt; family inet { address 88.92.57.65/28; } family inet6 { address 2a06:5840:572::65/64; } } /* Klient-VLAN */ unit 2007 { description "FLANKESOR CLIENTS"; family inet { address 88.92.41.129/26; } family inet6 { address 2a06:5840:41c::1/64; } } } } snmp { community { authorization read-only; client-list-name mgmt; } community { authorization read-only; client-list-name mgmt-nms; } } forwarding-options { dhcp-relay { dhcpv6 { group edge-switches { active-server-group v6-edge-switches; overrides; interface vlan.224; interface vlan.234; interface vlan.1224; interface vlan.2007; } server-group { v6-edge-switches { 2a02:ed02:1ee7::66; } } } server-group { v4-edge-switches { 185.110.149.2; 185.110.148.2; } inactive: v4-autoconfig { 1.1.1.1; } } group edge-switches { active-server-group v4-edge-switches; overrides { trust-option-82; } interface vlan.224; interface vlan.234; interface vlan.1224; interface vlan.2007; } inactive: group autoconfig { active-server-group v4-autoconfig; relay-option-82 { circuit-id { prefix { host-name; } include-irb-and-l2; } } interface vlan.666; } } } protocols { apply-groups [ SET_OSPF_DEFAULTS SET_RA_DEFAULTS ]; mld; router-advertisement { interface vlan.224; interface vlan.234; interface vlan.1224; interface vlan.2007; } ospf { export [ static-to-ospf direct-to-ospf ]; area 0.0.0.0 { interface ae29.0; interface ae30.0; interface ae31.0; } } ospf3 { export [ static-to-ospf direct-to-ospf ]; area 0.0.0.0 { interface ae29.0; interface ae30.0; interface ae31.0; } } pim { rp { static { address 2a06:5841:148b::65; address 185.110.148.65; } } } igmp-snooping { vlan all { version 3; immediate-leave; } } mld-snooping { vlan all { version 2; immediate-leave; } } stp { disable; } rstp { bridge-priority 8k; interface edge-ports { edge; no-root-port; } } lldp { management-address 185.110.148.72; interface all; } lldp-med { interface all; } } policy-options { prefix-list mgmt-v4 { /* KANDU PA-nett (brukt på servere, infra etc) */ 185.110.148.0/22; } prefix-list mgmt-v6 { /* KANDU PA-nett (den delen som er brukt på servere, infra etc) */ 2a06:5841::/32; } prefix-list mgmt { 185.110.148.0/22; 2a06:5841::/32; } prefix-list mgmt-v4-nms { 185.110.148.11/32; 185.110.148.12/32; } prefix-list mgmt-v6-nms { 2a06:5841:1337::11/128; 2a06:5841:1337::12/128; } prefix-list mgmt-nms { 185.110.148.11/32; 185.110.148.12/32; 185.110.150.10/32; 2a06:5841:1337::11/128; 2a06:5841:1337::12/128; } prefix-list icmp_unthrottled-v4 { 185.110.148.0/22; 193.212.22.0/30; } prefix-list icmp_unthrottled-v6 { 2001:4600:9:300::290/126; 2a06:5841::/32; } policy-statement direct-to-ospf { from protocol direct; then { external { type 1; } accept; } } policy-statement static-to-ospf { from protocol static; then { external { type 1; } accept; } } } firewall { family inet { filter protect-mgmt-v4 { term accept-ssh { from { source-prefix-list { mgmt-v4; } destination-port 22; } then accept; } term discard-ssh { from { destination-port 22; } then { discard; } } term snmp-nms { from { source-prefix-list { mgmt-v4-nms; } destination-port snmp; } then accept; } term snmp-throttle { from { source-prefix-list { mgmt-v4; } destination-port snmp; } then accept; } term icmp-trusted { from { source-prefix-list { icmp_unthrottled-v4; } protocol icmp; } then accept; } term icmp-throttled { from { protocol icmp; } then accept; } term accept-all { then accept; } } } family inet6 { filter protect-mgmt-v6 { term accept-ssh { from { source-prefix-list { inactive: mgmt-v6; } destination-port 22; } then accept; } term discard-ssh { from { destination-port 22; } then discard; } term snmp-nms { from { source-prefix-list { mgmt-v6-nms; } destination-port snmp; } then accept; } term snmp-throttle { from { source-prefix-list { mgmt-v6; } destination-port snmp; } then accept; } term icmp-trusted { from { source-prefix-list { icmp_unthrottled-v6; } next-header icmp6; } then accept; } term icmp-throttled { from { next-header icmp6; } then accept; } term accept-all { then accept; } } } } ethernet-switching-options { secure-access-port { interface edge-ports { inactive: no-dhcp-trusted; } inactive: vlan event_clients { arp-inspection; examine-dhcp; examine-dhcpv6; neighbor-discovery-inspection; ip-source-guard; ipv6-source-guard; dhcp-option82; dhcpv6-option18 { use-option-82; } } inactive: vlan log_clients { arp-inspection; examine-dhcp; examine-dhcpv6; neighbor-discovery-inspection; ip-source-guard; ipv6-source-guard; dhcp-option82; dhcpv6-option18 { use-option-82; } } ipv6-source-guard-sessions { max-number 128; } } storm-control { interface all; } } vlans { FLANKESOR_CLIENTS { description "FLANKESOR CLIENTS"; vlan-id 2007; l3-interface vlan.2007; } event_clients { description event_clients; vlan-id 234; l3-interface vlan.234; } log_clients { description log_clients; vlan-id 224; l3-interface vlan.224; } mgmt { description mgmt; vlan-id 1224; l3-interface vlan.1224; } } poe { interface all; }