## Last changed: 2016-03-26 01:37:02 CET version 14.1X53-D16.2; groups { SET_AE_DEFAULTS { interfaces { { aggregated-ether-options { lacp { active; } } } } } SET_OSPF_DEFAULTS { protocols { ospf { reference-bandwidth 1000g; area <*> { interface { bfd-liveness-detection { minimum-interval 100; multiplier 3; } } } } ospf3 { reference-bandwidth 1000g; area <*> { interface { bfd-liveness-detection { minimum-interval 100; multiplier 3; } } } } } } SET_RA_DEFAULTS { protocols { router-advertisement { interface <*> { max-advertisement-interval 15; managed-configuration; } } } } } system { host-name nocgw; domain-name infra.gathering.org; time-zone Europe/Oslo; arp { aging-timer 5; } authentication-order tacplus; root-authentication { encrypted-password ""; } name-server { 185.110.149.2; 185.110.148.2; } tacplus-server { 134.90.150.164 { secret ""; source-address 185.110.148.65; } } login { user technet { uid 2000; class super-user; authentication { encrypted-password ""; } } } services { ssh { root-login deny; } } syslog { file messages { any notice; authorization notice; } } commit synchronize; processes { dhcp-service { traceoptions { file JDHCPDEBUG size 20m files 5; flag all; } } } ntp { server 2001:700:100:2::6; } } chassis { aggregated-devices { ethernet { device-count 32; } } } interfaces { apply-groups SET_AE_DEFAULTS; interface-range CREW_CLIENTS_APS { member-range ge-2/0/10 to ge-2/0/12; description "Fragleberg Access Points"; unit 0 { family ethernet-switching { interface-mode access; vlan { members CREW_CLIENTS; } } } } ge-0/0/3 { description "ae3 fugleberg"; ether-options { 802.3ad ae3; } } ge-0/0/4 { description "ae4 fugleberg"; ether-options { 802.3ad ae4; } } ge-0/0/5 { description "ae5 fugleberg"; ether-options { 802.3ad ae5; } } ge-0/0/6 { description "Trunk mot SEC"; unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ Klientnett_security mgmt security ]; } } } } ge-0/0/7 { description "Trunk mot SEC:Video"; unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ mgmt Klientnett_security_video security ]; } } } } ge-0/0/8 { unit 0 { family ethernet-switching { interface-mode access; vlan { members CREW_CLIENTS; } } } } ge-0/0/12 { description CREWSW1; ether-options { 802.3ad ae12; } } ge-0/0/13 { description CREWSW2; ether-options { 802.3ad ae13; } } ge-0/0/14 { description CREWSW3; ether-options { 802.3ad ae14; } } ge-0/0/15 { description CREWSW4; ether-options { 802.3ad ae15; } } ge-0/0/16 { description CREWSW5; ether-options { 802.3ad ae16; } } ge-0/0/23 { description "Presserom - EX2200"; unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ klientnett_presse mgmt ]; } } } } et-0/1/0 { description "ae31 mot telegw"; ether-options { 802.3ad ae31; } } et-0/1/1 { description "40G mot standgw"; unit 0 { family inet { address 185.110.148.132/31; } family inet6; } } xe-0/2/0 { description GAMEGW; ether-options { 802.3ad ae26; } } et-0/2/1 { description "40G mot standgw"; } ge-1/0/1 { description "ae1 mot nocsw1"; ether-options { 802.3ad ae1; } } ge-1/0/2 { description "ae2 mot nocsw2"; ether-options { 802.3ad ae2; } } ge-1/0/3 { description "ae3 fugleberg"; ether-options { 802.3ad ae3; } } ge-1/0/4 { description "ae4 fugleberg"; ether-options { 802.3ad ae4; } } ge-1/0/5 { description "ae5 fugleberg"; ether-options { 802.3ad ae5; } } ge-1/0/12 { description CREWSW1; ether-options { 802.3ad ae12; } } ge-1/0/13 { description CREWSW2; ether-options { 802.3ad ae13; } } ge-1/0/14 { description CREWSW3; ether-options { 802.3ad ae14; } } ge-1/0/15 { description CREWSW4; ether-options { 802.3ad ae15; } } ge-1/0/16 { description CREWSW5; ether-options { 802.3ad ae16; } } ge-1/0/23 { description klientnett_noc; unit 0 { family ethernet-switching { interface-mode access; vlan { members klientnett_noc; } } } } et-1/1/0 { description "ae31 mot telegw"; ether-options { 802.3ad ae31; } } et-1/1/1 { description "ae30 mot coregw"; ether-options { 802.3ad ae30; } } ge-2/0/1 { description "ae1 mot nocsw1"; ether-options { 802.3ad ae1; } } ge-2/0/2 { description "ae2 mot nocsw2"; ether-options { 802.3ad ae2; } } ge-2/0/23 { description servernett_stand; unit 0 { family ethernet-switching { interface-mode access; vlan { members servernett_stand; } } } } et-2/1/0 { description "ae30 mot coregw"; ether-options { 802.3ad ae30; } } xe-2/2/0 { description "link mot northgw"; ether-options { 802.3ad ae28; } } ge-3/0/1 { description "ae1 mot nocsw1"; ether-options { 802.3ad ae1; } } ge-3/0/2 { description "ae2 mot nocsw2"; ether-options { 802.3ad ae2; } } ae1 { description nocsw1; unit 0 { family ethernet-switching { interface-mode trunk; vlan { members klientnett_noc; } } } } ae2 { description nocsw2; unit 0 { family ethernet-switching { interface-mode trunk; vlan { members klientnett_noc; } } } } ae3 { description "mot fugleberget 3"; aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ klientnett_fugleberget mgmt ]; } } } } ae4 { description "mot fugleberget 2"; aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ klientnett_fugleberget mgmt ]; } } } } ae5 { description "mot fugleberget 1"; aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ klientnett_fugleberget mgmt ]; } } } } ae12 { description CREWSW1; aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ CREW_CLIENTS mgmt ]; } } } } ae13 { description CREWSW2; aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ CREW_CLIENTS mgmt ]; } } } } ae14 { description CREWSW3; aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ CREW_CLIENTS mgmt ]; } } } } ae15 { description CREWSW4; aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ CREW_CLIENTS mgmt ]; } } } } ae16 { description CREWSW5; aggregated-ether-options { lacp { active; } } unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ CREW_CLIENTS mgmt ]; } } } } ae26 { unit 0 { family inet { address 185.110.148.185/31; } family inet6; } } ae27 { unit 0 { description "link to stand"; } } ae28 { description "mot northgw ae31"; unit 0 { family inet { address 185.110.148.138/31; } } } ae30 { description "80G mot coregw"; unit 0 { family inet { address 185.110.148.136/31; } family inet6; } } ae31 { description "80G mot telegw"; unit 0 { family inet { address 185.110.148.131/31; } family inet6; } } irb { unit 239 { description "Klientnett Fugleberget"; family inet { address 88.92.65.1/24; } family inet6 { address 2a06:5840:65::1/64; } } unit 240 { description CREW_CLIENTS; family inet { address 88.92.66.1/24; } family inet6 { address 2a06:5840:66::1/66; } } unit 247 { family inet { address 88.92.73.1/24; } family inet6 { address 2a06:5840:73::1/64; } } unit 248 { family inet { address 88.92.74.1/24; } family inet6 { address 2a06:5840:74::1/64; } } unit 249 { family inet { address 88.92.75.1/24; } family inet6 { address 2a06:5840:75::1/64; } } unit 1220 { description mgmt; family inet { address 88.92.57.1/27; } family inet6 { address 2a06:5840:570::1/64; } } unit 1481 { description "Servernett Stand"; } unit 1501 { description "Klientnett NOC"; family inet { address 185.110.150.1/25; } family inet6 { address 2a06:5841:150a::1/64; } } unit 3000 { description Security; family inet { filter { input v4-security; output v4-security; } address 10.30.10.1/24; } } } lo0 { unit 0 { family inet { filter { input protect-mgmt-v4; } address 185.110.148.65/32; } family inet6 { filter { input protect-mgmt-v6; } address 2a06:5841:148b::65/128; } } } } snmp { community { authorization read-only; client-list-name mgmt; } community { authorization read-only; client-list-name mgmt-nms; } } forwarding-options { dhcp-relay { dhcpv6 { group all { interface irb.239; interface irb.240; interface irb.247; interface irb.248; interface irb.249; interface irb.1481; interface irb.1501; } server-group { v6-dhcp { 2a06:5841:149a::2; 2a06:5841:1337::2; } } active-server-group v6-dhcp; } server-group { v4-dhcp { 185.110.149.2; 185.110.148.2; } } active-server-group v4-dhcp; group all { overrides { trust-option-82; } interface irb.239; interface irb.240; interface irb.247; interface irb.248; interface irb.249; interface irb.1481; interface irb.1501; } } } protocols { apply-groups [ SET_OSPF_DEFAULTS SET_RA_DEFAULTS ]; router-advertisement { interface irb.1501; interface irb.240; interface irb.248; interface irb.249; interface irb.239; interface irb.247; interface irb.1481; } ospf { export [ redistribute-direct redistribute-static ]; reference-bandwidth 1000g; area 0.0.0.0 { interface ae31.0; interface ae30.0; interface xe-0/2/0.0; interface et-0/1/1.0 { bfd-liveness-detection { minimum-interval 100; multiplier 3; } } interface ae28.0; interface ae26.0; } } ospf3 { export [ redistribute-direct redistribute-static ]; reference-bandwidth 1000g; area 0.0.0.0 { interface ae31.0; interface ae30.0; interface xe-0/2/0.0; interface et-0/1/1.0 { bfd-liveness-detection { minimum-interval 100; multiplier 3; } } } } lacp { traceoptions { file log-lacp size 100k files 2; flag all; } } lldp { interface all; } lldp-med { interface all; } igmp-snooping { vlan default; } } policy-options { prefix-list mgmt-v4 { /* KANDU PA-nett (brukt på servere, infra etc) */ 185.110.148.0/22; } prefix-list mgmt-v6 { /* KANDU PA-nett (den delen som er brukt på servere, infra etc) */ 2a06:5841::/32; } /* sammenslått av separate v4- og v6-lister */ prefix-list mgmt { 185.110.148.0/22; 2a06:5841::/32; } /* NMS boxes - separate list to give full speed to SNMP read */ prefix-list mgmt-v4-nms { 185.110.148.11/32; 185.110.148.12/32; } /* NMS boxes - separate list to give full speed to SNMP read */ prefix-list mgmt-v6-nms { 2a06:5841:1337::11/128; 2a06:5841:1337::12/128; } /* NMS boxes - separate list to give full speed to SNMP read */ prefix-list mgmt-nms { 185.110.148.11/32; 185.110.148.12/32; 185.110.150.10/32; 2a06:5841:1337::11/128; 2a06:5841:1337::12/128; } prefix-list icmp_unthrottled-v4 { 185.110.148.0/22; 193.212.22.0/30; } prefix-list icmp_unthrottled-v6 { 2001:4600:9:300::290/126; 2a06:5841::/32; } policy-statement redistribute-direct { from protocol direct; then { external { type 1; } accept; } } policy-statement redistribute-static { from protocol static; then { external { type 1; } accept; } } } firewall { family inet { filter protect-mgmt-v4 { term accept-ssh { from { source-prefix-list { mgmt-v4; } destination-port 22; } then { count accept-ssh; accept; } } term reject-ssh { from { destination-port 22; } then { count reject-ssh; reject; } } term snmp-nms { from { source-prefix-list { mgmt-v4-nms; } destination-port snmp; } then { count snmp-nms; accept; } } term snmp-throttle { from { source-prefix-list { mgmt-v4; } destination-port snmp; } then { policer policer-1Mbit; count snmp-throttle; accept; } } term icmp-trusted { from { source-prefix-list { icmp_unthrottled-v4; } protocol icmp; } then { count icmp-trusted; accept; } } term icmp-throttled { from { protocol icmp; } then { policer policer-1Mbit; accept; } } term accept-all { then { count accept-all; accept; } } } filter v4-security { term accept-security { from { source-address { 10.30.0.0/16; } destination-address { 10.30.0.0/16; } } then accept; } term discard-all { then { discard; } } } } family inet6 { filter protect-mgmt-v6 { term accept-ssh { from { source-prefix-list { inactive: mgmt-v6; } destination-port 22; } then { count accept-ssh; accept; } } term reject-ssh { from { destination-port 22; } then { count reject-ssh; reject; } } term snmp-nms { from { source-prefix-list { mgmt-v6-nms; } destination-port snmp; } then { count snmp-nms; accept; } } term snmp-throttle { from { source-prefix-list { mgmt-v6; } destination-port snmp; } then { policer policer-1Mbit; count snmp-throttle; accept; } } term icmp-trusted { from { source-prefix-list { icmp_unthrottled-v6; } next-header icmp6; } then { count icmp-trusted; accept; } } term icmp-throttled { from { next-header icmp6; } then { policer policer-1Mbit; accept; } } term accept-all { then { count accept-all; accept; } } } } policer policer-1Mbit { if-exceeding { bandwidth-limit 1m; burst-size-limit 500k; } then discard; } policer policer-slowest { if-exceeding { bandwidth-limit 32k; burst-size-limit 32k; } then discard; } } access { address-assignment { pool sec_lukket { family inet { network 10.30.10.0/24; } } } } virtual-chassis { preprovisioned; member 0 { role routing-engine; serial-number ; } member 1 { role routing-engine; serial-number ; } member 2 { role line-card; serial-number ; } } vlans { CREW_CLIENTS { vlan-id 240; l3-interface irb.240; } Klientnett_security { vlan-id 248; l3-interface irb.248; } Klientnett_security_video { vlan-id 249; l3-interface irb.249; } klientnett_fugleberget { vlan-id 239; l3-interface irb.239; } klientnett_noc { vlan-id 1501; l3-interface irb.1501; } klientnett_presse { vlan-id 247; l3-interface irb.247; } mgmt { vlan-id 1220; l3-interface irb.1220; } security { vlan-id 3000; l3-interface irb.3000; } servernett_stand { vlan-id 1481; l3-interface irb.1481; } } poe;