## Last changed: 2016-03-25 01:21:51 CET version 14.1X53-D35.3; groups { SET_AE_DEFAULTS { interfaces { { aggregated-ether-options { lacp { active; } } } } } SET_OSPF_DEFAULTS { protocols { ospf { reference-bandwidth 1000g; area <*> { interface { bfd-liveness-detection { minimum-interval 100; multiplier 3; } } } } ospf3 { reference-bandwidth 1000g; area <*> { interface { bfd-liveness-detection { minimum-interval 100; multiplier 3; } } } } } } SET_RA_DEFAULTS { protocols { router-advertisement { interface <*> { max-advertisement-interval 15; managed-configuration; } } } } } system { host-name telegw; auto-snapshot; domain-name infra.gathering.org; time-zone Europe/Oslo; authentication-order tacplus; root-authentication { encrypted-password ""; } name-server { 185.110.149.2; 185.110.148.2; 2a06:5841:149a::2; 2a06:5841:1337::2; } tacplus-server { 134.90.150.164 { secret ""; source-address 185.110.148.64; } } login { user technet { uid 2000; class super-user; authentication { encrypted-password ""; } } } services { ssh { root-login deny; no-tcp-forwarding; client-alive-count-max 2; client-alive-interval 300; connection-limit 10; rate-limit 10; } netconf { ssh { connection-limit 3; rate-limit 3; } } } syslog { user * { any emergency; } host 185.110.148.17 { any info; authorization info; port 515; } file messages { any notice; authorization info; } file interactive-commands { interactive-commands any; } } /* Save changes to central site */ archival { configuration { transfer-on-commit; archive-sites { "scp://user@host/some/folder/" password ""; } } } commit synchronize; ntp { server 2001:700:100:2::6; } } chassis { redundancy { graceful-switchover; } aggregated-devices { ethernet { device-count 10; } } fpc 0 { pic 0 { port 50 { channel-speed disable-auto-speed-detection; } } } fpc 1 { pic 0 { port 50 { channel-speed disable-auto-speed-detection; } } } alarm { management-ethernet { link-down ignore; } } } security { ssh-known-hosts { host 134.90.150.164 { ecdsa-sha2-nistp256-key ; } } } interfaces { apply-groups SET_AE_DEFAULTS; interface-range sflow-inet { member xe-0/0/0; member xe-0/0/1; member xe-1/0/1; member xe-1/0/0; } interface-range forbikobling-telefw-inside { member-range xe-0/0/34 to xe-0/0/35; member-range xe-1/0/34 to xe-1/0/35; description "INSIDE for forbikobling telefw"; ether-options { 802.3ad ae6; } } interface-range forbikobling-telefw-outside { member-range xe-1/0/36 to xe-1/0/37; member-range xe-0/0/36 to xe-0/0/37; description "OUTSIDE for forbikobling telefw"; ether-options { 802.3ad ae7; } } xe-0/0/0 { description "ae0 - Telenor - LU1337 / SB1337 / PE slot 11 / ODF 11/12"; ether-options { 802.3ad ae0; } } xe-0/0/1 { description "ae0 - Telenor - LU1337 / SB1337 / PE slot 0 / ODF 7/8"; ether-options { 802.3ad ae0; } } xe-0/0/10 { description "Extensionswitch for Kobber"; unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ security Klientnett_innsjekk ]; } } } } xe-0/0/16 { description "ae3 - link mot creativiagw"; ether-options { 802.3ad ae3; } } xe-0/0/17 { description "ae4 - link mot southgw"; ether-options { 802.3ad ae4; } } xe-0/0/25 { description "Fortigate FAN uplink"; unit 0 { family ethernet-switching { vlan { members tele_servers; } } } } xe-0/0/26 { description "FortiAnalyzer Uplink"; unit 0 { family ethernet-switching { vlan { members tele_servers; } } } } ge-0/0/32 { description "Tele servers"; unit 0 { family ethernet-switching { vlan { members tele_servers; } } } } et-0/0/48 { description "ae1 - link mot nocgw"; ether-options { 802.3ad ae1; } } et-0/0/49 { description "ae2 - link mot coregw"; ether-options { 802.3ad ae2; } } et-0/0/50 { description "Trunk til FW"; unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ OUTSIDE_TO_FW INSIDE_TO_FW ]; } } } } et-0/0/51 { description "Monitoreringsport for Fortigate"; } xe-1/0/0 { description "ae0 - Telenor - LU1337 / SB1337 / PE slot 11 / ODF 9/10"; ether-options { 802.3ad ae0; } } xe-1/0/1 { description "ae0 - Telenor - LU1337 / SB1337 / PE slot 0 / ODF 5/6"; ether-options { 802.3ad ae0; } } xe-1/0/10 { description "ae5 - link mot creativiagw"; ether-options { 802.3ad ae5; } } xe-1/0/16 { description "ae3 - link mot creativiagw"; ether-options { 802.3ad ae3; } } xe-1/0/25 { description "Fortigate FAN uplink"; unit 0 { family ethernet-switching { vlan { members tele_servers; } } } } et-1/0/48 { description "ae1 - link mot nocgw"; ether-options { 802.3ad ae1; } } et-1/0/49 { description "ae2 - link mot coregw"; ether-options { 802.3ad ae2; } } et-1/0/50 { description "Trunk til FW"; unit 0 { family ethernet-switching { interface-mode trunk; vlan { members [ OUTSIDE_TO_FW INSIDE_TO_FW ]; } } } } et-1/0/51 { description "monitoreringsport Fortigate"; unit 0 { family ethernet-switching; } } ae0 { description "The Intarwebz - Telenor <3"; aggregated-ether-options { lacp { active; } } unit 0 { family inet { address 193.212.22.2/30; } family inet6 { address 2001:4600:9:300::292/126; } } } ae1 { description "Mot nocgw"; aggregated-ether-options { lacp { active; } } unit 0 { family inet { address 185.110.148.130/31; } family inet6; } } ae2 { description "Mot coregw"; aggregated-ether-options { lacp { active; } } unit 0 { family inet { address 185.110.148.128/31; } family inet6; } } ae4 { description "Mot southgw"; aggregated-ether-options { lacp { active; } } unit 0 { family inet { address 185.110.148.147/31; } family inet6; } } ae5 { description "Mot creativiagw"; aggregated-ether-options { lacp { active; } } unit 0 { family inet { address 185.110.148.148/31; } family inet6; } } ae6 { apply-groups-except SET_AE_DEFAULTS; description "INSIDE for forbikobling telefw"; } ae7 { apply-groups-except SET_AE_DEFAULTS; description "OUTSIDE for forbikobling telefw"; } irb { unit 243 { family inet { address 88.92.69.1/24; } family inet6 { address 2a06:5840:69::1/64; } } unit 1491 { description tele_servers; family inet { address 185.110.149.1/26; } family inet6 { address 2a06:5841:149a::1/64; } } unit 3000 { description Security; family inet { address 10.30.20.1/24; } } unit 4000 { description "Outside to fortigate"; family inet { address 185.110.148.176/31; } family inet6 { address 2a06:5841:148c:176::2/64; } } unit 4001 { description "Inside to fortigate"; family inet { address 185.110.148.178/31; } family inet6 { address 2a06:5841:148c:178::2/64; } } } lo0 { unit 0 { family inet { filter { input protect-mgmt-v4; } address 185.110.148.64/32; } family inet6 { filter { input protect-mgmt-v6; } address 2a06:5841:148b::64/128; } } } } snmp { community { authorization read-only; client-list-name mgmt; } community { authorization read-only; client-list-name mgmt-nms; } } forwarding-options { storm-control-profiles default { all; } analyzer { inactive: TO_FORTIGATE { input { ingress { interface ae0.0; } egress { interface ae0.0; } } output { interface et-1/0/51.0; } } } dhcp-relay { dhcpv6 { group all { interface irb.243; } server-group { v6-dhcp { 2a06:5841:149a::2; 2a06:5841:1337::2; } } active-server-group v6-dhcp; } server-group { v4-dhcp { 185.110.149.2; 185.110.148.2; } } active-server-group v4-dhcp; group all { overrides { trust-option-82; } interface irb.243; } } } routing-options { nonstop-routing; rib inet6.0 { static { route 2a06:5840::/30 reject; route 2a06:5844::/30 reject; route ::0/0 next-hop 2a06:5841:148c:178::1; } } rib inet.0 { static { route 0.0.0.0/0 { next-hop 185.110.148.179; metric 10; } } } autonomous-system 21067; } protocols { apply-groups [ SET_OSPF_DEFAULTS SET_RA_DEFAULTS ]; router-advertisement { interface irb.243; } bgp { traceoptions { file bgp-trace size 3m files 7 world-readable; flag state; } log-updown; local-as 21067; inactive: group TN-v4 { type external; local-address 193.212.22.2; import TN-v4-import; authentication-algorithm hmac-sha-1-96; export TN-v4-export; neighbor 193.212.22.1 { authentication-key "";; peer-as 2119; } } inactive: group TN-v6 { type external; local-address 2001:4600:9:300::292; import TN-v6-import; authentication-algorithm hmac-sha-1-96; export TN-v6-export; neighbor 2001:4600:9:300::291 { authentication-key "";; peer-as 2119; } } } ospf { export [ STATIC-TO-OSPF redistribute-direct ]; reference-bandwidth 1000g; area 0.0.0.0 { interface ae1.0; interface ae2.0; interface ae3.0; interface ae4.0; interface ae5.0; } } ospf3 { export [ STATIC-TO-OSPF redistribute-direct ]; reference-bandwidth 1000g; area 0.0.0.0 { interface ae1.0; interface ae2.0; interface ae3.0; interface ae4.0; interface ae5.0; } } lldp { management-address 185.110.148.64; interface all; } lldp-med { interface all; } igmp-snooping { vlan default; } sflow { agent-id 185.110.148.64; polling-interval 20; sample-rate { ingress 3000; egress 3000; } source-ip 185.110.148.64; collector ; collector ; interfaces sflow-inet; } } policy-options { prefix-list mgmt-v4 { /* KANDU PA-nett (brukt på servere, infra etc) */ 185.110.148.0/22; } prefix-list mgmt-v6 { /* KANDU PA-nett (den delen som er brukt på servere, infra etc) */ 2a06:5841::/32; } /* sammenslått av separate v4- og v6-lister */ prefix-list mgmt { 185.110.148.0/22; 2a06:5841::/32; } /* NMS boxes - separate list to give full speed to SNMP read */ prefix-list mgmt-v4-nms { 185.110.148.11/32; 185.110.148.12/32; } /* NMS boxes - separate list to give full speed to SNMP read */ prefix-list mgmt-v6-nms { 2a06:5841:1337::11/128; 2a06:5841:1337::12/128; } /* NMS boxes - separate list to give full speed to SNMP read */ prefix-list mgmt-nms { 185.110.148.11/32; 185.110.148.12/32; 185.110.150.10/32; 2a06:5841:1337::11/128; 2a06:5841:1337::12/128; } prefix-list icmp_unthrottled-v4 { 185.110.148.0/22; 193.212.22.0/30; } prefix-list icmp_unthrottled-v6 { 2001:4600:9:300::290/126; 2a06:5841::/32; } prefix-list blackhole { 185.110.148.178/32; } policy-statement STATIC-TO-OSPF { from protocol static; then { external { type 1; } accept; } } policy-statement TN-v4-export { term blackhole_export { from tag 995; then { community set blackhole; accept; } } term default_export { from { route-filter 185.110.148.0/22 exact; route-filter 185.110.148.0/24 exact; route-filter 185.110.149.0/24 exact; route-filter 185.110.150.0/24 exact; route-filter 185.110.151.0/24 exact; route-filter 88.92.0.0/17 exact; } then accept; } } policy-statement TN-v4-import { from { route-filter 0.0.0.0/0 exact; } then accept; } policy-statement TN-v6-export { term blackhole_export { from tag 995; then { community set blackhole; accept; } } term default_export { from { route-filter 2a06:5840::/29 exact; route-filter 2a06:5840::/30 exact; route-filter 2a06:5844::/30 exact; } then accept; } } policy-statement TN-v6-import { from { route-filter ::/0 exact; } then accept; } policy-statement redistribute-direct { from protocol direct; then { external { type 1; } accept; } } community blackhole members 2119:995; } firewall { family inet { filter protect-mgmt-v4 { term accept-ssh { from { source-prefix-list { mgmt-v4; } destination-port 22; } then { count accept-ssh; accept; } } term reject-ssh { from { destination-port 22; } then { count reject-ssh; reject; } } term snmp-nms { from { source-prefix-list { mgmt-v4-nms; } destination-port snmp; } then { count snmp-nms; accept; } } term snmp-throttle { from { source-prefix-list { mgmt-v4; } destination-port snmp; } then { policer policer-1Mbit; count snmp-throttle; accept; } } term icmp-trusted { from { source-prefix-list { icmp_unthrottled-v4; } protocol icmp; } then { count icmp-trusted; accept; } } term icmp-throttled { from { protocol icmp; } then { policer policer-1Mbit; accept; } } term accept-all { then { count accept-all; accept; } } } filter v4-security { term accept-security { from { source-address { 10.30.0.0/16; } destination-address { 10.30.0.0/16; } } then accept; } term discard-all { then { discard; } } } } family inet6 { filter protect-mgmt-v6 { term accept-ssh { from { source-prefix-list { inactive: mgmt-v6; } destination-port 22; } then { count accept-ssh; accept; } } term reject-ssh { from { destination-port 22; } then { count reject-ssh; reject; } } term snmp-nms { from { source-prefix-list { mgmt-v6-nms; } destination-port snmp; } then { count snmp-nms; accept; } } term snmp-throttle { from { source-prefix-list { mgmt-v6; } destination-port snmp; } then { policer policer-1Mbit; count snmp-throttle; accept; } } term icmp-trusted { from { source-prefix-list { icmp_unthrottled-v6; } next-header icmp6; } then { count icmp-trusted; accept; } } term icmp-throttled { from { next-header icmp6; } then { policer policer-1Mbit; accept; } } term accept-all { then { count accept-all; accept; } } } } policer policer-1Mbit { if-exceeding { bandwidth-limit 1m; burst-size-limit 500k; } then discard; } policer policer-slowest { if-exceeding { bandwidth-limit 8k; burst-size-limit 1k; } then discard; } } routing-instances { OUTSIDE { description "Utside mot Telenor - untrust/internett"; instance-type virtual-router; interface xe-0/0/33.0; interface xe-0/0/34.0; interface xe-1/0/33.0; interface xe-1/0/34.0; interface ae0.0; interface ae7.0; interface irb.4000; routing-options { rib OUTSIDE.inet.0 { static { route 185.110.148.0/22 next-hop 185.110.148.177; route 185.110.148.0/24 next-hop 185.110.148.177; route 185.110.149.0/24 next-hop 185.110.148.177; route 185.110.150.0/24 next-hop 185.110.148.177; route 185.110.151.0/24 next-hop 185.110.148.177; route 88.92.0.0/17 next-hop 185.110.148.177; } } rib OUTSIDE.inet6.0 { static { route 2a06:5840::/30 next-hop 2a06:5841:148c:176::1; route 2a06:5844::/30 next-hop 2a06:5841:148c:176::1; } } } protocols { bgp { traceoptions { file bgp-trace-outside size 3m files 7 world-readable; flag state; } log-updown; local-as 21067; group TN-v4 { type external; local-address 193.212.22.2; import TN-v4-import; authentication-algorithm hmac-sha-1-96; export TN-v4-export; neighbor 193.212.22.1 { authentication-key "";; peer-as 2119; } } group TN-v6 { type external; local-address 2001:4600:9:300::292; import TN-v6-import; authentication-algorithm hmac-sha-1-96; export TN-v6-export; neighbor 2001:4600:9:300::291 { authentication-key "";; peer-as 2119; } } } } } } virtual-chassis { preprovisioned; member 0 { role routing-engine; serial-number ; } member 1 { role routing-engine; serial-number ; } } vlans { INSIDE_TO_FW { vlan-id 4001; l3-interface irb.4001; } Klientnett_innsjekk { vlan-id 243; l3-interface irb.243; } OUTSIDE_TO_FW { vlan-id 4000; l3-interface irb.4000; } security { vlan-id 3000; l3-interface irb.3000; } tele_servers { vlan-id 1491; l3-interface irb.1491; } }