From e53266915e093d345a32cc01589f4dbd0ef277b9 Mon Sep 17 00:00:00 2001
From: John Poland
Date: Wed, 30 Jul 2025 08:46:36 -0400
Subject: [PATCH] mx/noc-jmx-104-a.set Wed Jul 30 08:46:36 AM EDT 2025
---
configs/mx/noc-jmx-104-a.set | 284 +++++++++++++++++++++++++++++++++++
1 file changed, 284 insertions(+)
create mode 100644 configs/mx/noc-jmx-104-a.set
diff --git a/configs/mx/noc-jmx-104-a.set b/configs/mx/noc-jmx-104-a.set
new file mode 100644
index 0000000..cd4aaaa
--- /dev/null
+++ b/configs/mx/noc-jmx-104-a.set
@@ -0,0 +1,284 @@
+set version 21.2R3-S5.4
+set groups re0 system host-name noc-jmx-104-a
+set groups re0 interfaces fxp0 unit 0 family inet address 192.168.1.11/24
+set groups re0 interfaces fxp0 unit 0 family inet address 192.168.1.10/24 master-only
+set groups re1 system host-name noc-jmx-104-a
+set groups re1 interfaces fxp0 unit 0 family inet address 192.168.1.12/24
+set groups re1 interfaces fxp0 unit 0 family inet address 192.168.1.10/24 master-only
+set apply-groups re0
+set apply-groups re1
+set system host-name noc-jmx104-a
+set system root-authentication encrypted-password "$6$sinc1wW1$DyJ1fkTFB0WrbA0h0Gg3NbptROxA8csfu8Jr9.BF74nShAdMMHqGKmFAd.q1lyY3vnZxB19WgZEqJ/fT9uOlY/"
+set system commit synchronize
+set system login retry-options tries-before-disconnect 3
+set system login retry-options backoff-threshold 1
+set system login retry-options backoff-factor 5
+set system login retry-options lockout-period 120
+set system login class super-user-local idle-timeout 10
+set system login class super-user-local permissions all
+set system login class view-config-netbrain permissions view-configuration
+set system login user admin uid 2003
+set system login user admin class super-user
+set system login user fluffybunny.admin uid 2002
+set system login user fluffybunny.admin class super-user-local
+set system login user fluffybunny.admin authentication encrypted-password "$6$2Ou1hIUT$pEBEUW33eJH7XSa5bfyQ3qb/aEYI71dbva4Ehj.mA.fk6BXpw7f58YAmf1mSaEmvK0PsmFSptGm5Kvl0Ansrm1"
+set system login user johnp uid 2000
+set system login user johnp class super-user
+set system login user johnp authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZ6/zr59xFJ3BUSsQ3iaPmLtSO83p1DPWBSy6lpjWMtcz5MZNn3mKEa+IXOqOKMnv9vAGEAp8BFF3U3XoxTaZbz1lt/L6LzTjwvdjp77iBcH8xzSBZ+A9pJJPLoavGvhjBh2M8gj16ux5m0A3Mhtj5jQRSJeNIMFbvCVz+RxAI/O2Q4iWI6vNz3d2RUGfR2cQ9q4eM+2bUyJZksI4NzyaYMMi1Pfie6JYcXlV8Rn+0/DAQnepx0Om5zV0Yb7W+bAdPyZXhcpFL1vfgVv9A+1DRXW/Jc/WL+GfxtMbH6r45QQT87EbIgoMCA86ccvCHRUOoV+SYPmK9R2BKdSXJI8uF johnp@JP-T480S"
+set system login user nbadmin uid 2004
+set system login user nbadmin class super-user-local
+set system login user nbadmin authentication encrypted-password "$6$ik6hvWjP$/LcZanFQVHdooG3nApJcnJmZQFlTyukfiNmjTeIMZtu9oHhOki4AazBjSdr2YVmH5QphlztSz/1.O0P0S5UhG1"
+set system services ssh root-login allow
+set system services ssh protocol-version v2
+set system services ssh sftp-server
+set system services ssh client-alive-count-max 5
+set system services ssh client-alive-interval 20
+set system services ssh connection-limit 10
+set system domain-name scsd.us
+set system time-zone America/New_York
+set system arp aging-timer 5
+set system management-instance
+set system name-server 198.36.22.245
+set system syslog user * any emergency
+set system syslog host 10.1.48.37 any warning
+set system syslog file interactive-commands interactive-commands any
+set system syslog file login-attempts authorization any
+set system syslog file messages any notice
+set system syslog file messages authorization info
+set system syslog file messages firewall any
+set system syslog source-address 192.168.1.10
+set system processes app-engine-virtual-machine-management-service traceoptions level notice
+set system processes app-engine-virtual-machine-management-service traceoptions flag all
+set system ntp server 132.236.56.250
+set system ntp server 132.163.97.2
+set system ntp server 132.163.97.4
+set system ntp server 129.6.15.28 routing-instance mgmt_junos
+set system ntp server 168.61.215.74 routing-instance mgmt_junos
+set system ntp source-address 198.36.24.13
+set chassis redundancy graceful-switchover
+set chassis aggregated-devices ethernet device-count 1
+set chassis alarm management-ethernet link-down ignore
+set chassis network-services enhanced-ip
+set interfaces xe-0/0/0 gigether-options 802.3ad ae191
+set interfaces ge-0/2/0 description "to Nexus-B_Eth2/27"
+set interfaces xe-0/2/0 description Fake
+set interfaces xe-2/0/0 description "Physical Link to NYSERNet"
+set interfaces xe-2/0/0 flexible-vlan-tagging
+set interfaces xe-2/0/0 mtu 1522
+set interfaces xe-2/0/0 encapsulation flexible-ethernet-services
+set interfaces xe-2/0/0 unit 234 description "NYSERNet R&E Network"
+set interfaces xe-2/0/0 unit 234 vlan-id 234
+set interfaces xe-2/0/0 unit 234 family inet mtu 1500
+set interfaces xe-2/0/0 unit 234 family inet address 199.109.9.170/30
+set interfaces xe-2/0/0 unit 234 family inet6 mtu 1500
+set interfaces xe-2/0/0 unit 234 family inet6 address 2620:f:0:927::3/127
+set interfaces xe-2/0/0 unit 235 description "NYSERNet CDN Network"
+set interfaces xe-2/0/0 unit 235 vlan-id 235
+set interfaces xe-2/0/0 unit 235 family inet mtu 1500
+set interfaces xe-2/0/0 unit 235 family inet address 199.109.109.170/30
+set interfaces xe-2/0/0 unit 236 description Cogent
+set interfaces xe-2/0/0 unit 236 vlan-id 236
+set interfaces xe-2/0/0 unit 236 family inet mtu 1500
+set interfaces xe-2/0/0 unit 236 family inet address 38.122.121.34/29
+set interfaces xe-2/0/0 unit 236 family inet6
+set interfaces xe-2/0/1 gigether-options 802.3ad ae191
+set interfaces ae191 description "internal to mx104-b"
+set interfaces ae191 vlan-tagging
+set interfaces ae191 aggregated-ether-options minimum-links 1
+set interfaces ae191 aggregated-ether-options lacp active
+set interfaces ae191 aggregated-ether-options lacp periodic slow
+set interfaces ae191 unit 1202 vlan-id 1202
+set interfaces ae191 unit 1202 family inet address 198.36.24.254/24 vrrp-group 1 virtual-address 198.36.24.1
+set interfaces ae191 unit 1202 family inet address 198.36.24.254/24 vrrp-group 1 priority 110
+set interfaces ae191 unit 1202 family inet address 198.36.24.254/24 vrrp-group 1 preempt
+set interfaces ae191 unit 1202 family inet address 198.36.24.254/24 vrrp-group 1 accept-data
+set interfaces ae191 unit 1256 vlan-id 1256
+set interfaces ae191 unit 1256 family inet address 192.168.168.1/30
+set interfaces ae191 unit 1299 description "CrownCastle Circuit ID 302365-INET-CCF"
+set interfaces ae191 unit 1299 vlan-id 1299
+set interfaces ae191 unit 1299 family inet mtu 1500
+set interfaces ae191 unit 1299 family inet address 131.239.69.126/30
+set interfaces fxp0 unit 0 family inet
+set interfaces lo0 unit 0 family inet filter input Hard-Edge
+set interfaces lo0 unit 0 family inet address 198.36.24.13/32
+set snmp community mickey03 authorization read-only
+set snmp community mickey03 routing-instance mgmt_junos
+set snmp routing-instance-access
+set forwarding-options hash-key family inet layer-3
+set forwarding-options hash-key family inet layer-4
+set policy-options prefix-list DNS-SERVER
+set policy-options prefix-list ISP-Monitoring 66.28.3.0/24
+set policy-options prefix-list ISP-Monitoring 66.250.250.0/23
+set policy-options prefix-list ISP-Monitoring 130.117.228.0/24
+set policy-options prefix-list ISP-Monitoring 130.117.254.0/24
+set policy-options prefix-list ISP-Monitoring 192.168.168.0/30
+set policy-options prefix-list ISP-Monitoring 199.109.0.0/16
+set policy-options prefix-list MX104-BGP-IP 38.122.121.34/32
+set policy-options prefix-list MX104-BGP-IP 192.168.168.1/32
+set policy-options prefix-list MX104-BGP-IP 199.109.9.170/32
+set policy-options prefix-list MX104-BGP-IP 199.109.109.170/32
+set policy-options prefix-list MX104-BGP-IP 207.136.192.29/32
+set policy-options prefix-list MX104-Public-IP 38.122.121.34/32
+set policy-options prefix-list MX104-Public-IP 198.36.24.1/32
+set policy-options prefix-list MX104-Public-IP 198.36.24.13/32
+set policy-options prefix-list MX104-Public-IP 199.109.9.170/32
+set policy-options prefix-list MX104-Public-IP 199.109.109.170/32
+set policy-options prefix-list MX104-Public-IP 207.136.192.29/32
+set policy-options prefix-list MX104-SSH-IP 38.122.121.34/32
+set policy-options prefix-list MX104-SSH-IP 192.168.1.10/32
+set policy-options prefix-list NTP-Servers 132.163.97.2/32
+set policy-options prefix-list NTP-Servers 132.163.97.4/32
+set policy-options prefix-list NTP-Servers 132.236.56.250/32
+set policy-options prefix-list NTP-Servers 198.36.24.13/32
+set policy-options prefix-list SCSD_nets 198.36.16.0/21
+set policy-options prefix-list SCSD_nets 198.36.24.0/22
+set policy-options prefix-list SNMP-SERVERS 10.1.40.105/32
+set policy-options prefix-list SNMP-SERVERS 10.1.48.37/32
+set policy-options prefix-list Trusted-BGP-Peer 38.122.121.33/32
+set policy-options prefix-list Trusted-BGP-Peer 131.239.69.125/32
+set policy-options prefix-list Trusted-BGP-Peer 192.168.168.2/32
+set policy-options prefix-list Trusted-BGP-Peer 199.109.9.169/32
+set policy-options prefix-list Trusted-BGP-Peer 199.109.109.169/32
+set policy-options prefix-list Trusted-BGP-Peer 207.136.192.29/32
+set policy-options prefix-list Trusted-SSH-MX104 10.1.6.0/24
+set policy-options prefix-list Trusted-SSH-MX104 10.1.7.0/24
+set policy-options prefix-list Trusted-SSH-MX104 10.1.40.101/32
+set policy-options prefix-list Trusted-SSH-MX104 10.1.40.105/32
+set policy-options prefix-list Trusted-SSH-MX104 10.212.134.0/26
+set policy-options prefix-list Trusted-SSH-MX104 74.67.189.61/32
+set policy-options policy-statement EXPORT-TO-MX104-B term next_hop_self then next-hop self
+set policy-options policy-statement EXPORT-TO-MX104-B term next_hop_self then accept
+set policy-options policy-statement REJECT-ALL term reject-all then reject
+set policy-options policy-statement from-Cogent term set-Cogent-local-preference-v4 from family inet
+set policy-options policy-statement from-Cogent term set-Cogent-local-preference-v4 then local-preference 200
+set policy-options policy-statement from-Cogent term set-Cogent-local-preference-v4 then accept
+set policy-options policy-statement from-Cogent term reject then reject
+set policy-options policy-statement from-Cogent term set-Cogent-local-Cogent-v4 then accept
+set policy-options policy-statement from-CrownCastle term set-CrownCastle-local-preference-v4 from family inet
+set policy-options policy-statement from-CrownCastle term set-CrownCastle-local-preference-v4 then local-preference 250
+set policy-options policy-statement from-CrownCastle term set-CrownCastle-local-preference-v4 then accept
+set policy-options policy-statement from-CrownCastle term reject then reject
+set policy-options policy-statement from-NYSERNet term set-NYSERNet-local-preference-v4 from family inet
+set policy-options policy-statement from-NYSERNet term set-NYSERNet-local-preference-v4 then local-preference 300
+set policy-options policy-statement from-NYSERNet term set-NYSERNet-local-preference-v4 then accept
+set policy-options policy-statement from-NYSERNet term reject then reject
+set policy-options policy-statement to-Cogent term prepend-Cogent-v4 from family inet
+set policy-options policy-statement to-Cogent term prepend-Cogent-v4 from prefix-list-filter SCSD_nets exact
+set policy-options policy-statement to-Cogent term prepend-Cogent-v4 then community add cogent_localpref_10
+set policy-options policy-statement to-Cogent term prepend-Cogent-v4 then accept
+set policy-options policy-statement to-Cogent term reject then reject
+set policy-options policy-statement to-CrownCastle term advertise-CrownCastle-v4 from family inet
+set policy-options policy-statement to-CrownCastle term advertise-CrownCastle-v4 from prefix-list-filter SCSD_nets exact
+set policy-options policy-statement to-CrownCastle term advertise-CrownCastle-v4 then accept
+set policy-options policy-statement to-CrownCastle term reject then reject
+set policy-options policy-statement to-NYSERNet term NYSERNet-v4 from family inet
+set policy-options policy-statement to-NYSERNet term NYSERNet-v4 from prefix-list-filter SCSD_nets exact
+set policy-options policy-statement to-NYSERNet term NYSERNet-v4 then accept
+set policy-options policy-statement to-NYSERNet term reject then reject
+set policy-options community cogent_localpref_10 members 174:10
+set firewall family inet filter Hard-Edge term TEMP-allow-icmp from protocol icmp
+set firewall family inet filter Hard-Edge term TEMP-allow-icmp then accept
+set firewall family inet filter Hard-Edge term allow-ssh-mx104 from source-prefix-list Trusted-SSH-MX104
+set firewall family inet filter Hard-Edge term allow-ssh-mx104 from destination-prefix-list MX104-SSH-IP
+set firewall family inet filter Hard-Edge term allow-ssh-mx104 from protocol tcp
+set firewall family inet filter Hard-Edge term allow-ssh-mx104 from destination-port ssh
+set firewall family inet filter Hard-Edge term allow-ssh-mx104 then accept
+set firewall family inet filter Hard-Edge term allow-bgp-mx104 from source-prefix-list Trusted-BGP-Peer
+set firewall family inet filter Hard-Edge term allow-bgp-mx104 from protocol tcp
+set firewall family inet filter Hard-Edge term allow-bgp-mx104 from port bgp
+set firewall family inet filter Hard-Edge term allow-bgp-mx104 then count Allow-BGP
+set firewall family inet filter Hard-Edge term allow-bgp-mx104 then accept
+set firewall family inet filter Hard-Edge term allow-ISP-Monitoring from source-prefix-list ISP-Monitoring
+set firewall family inet filter Hard-Edge term allow-ISP-Monitoring from protocol icmp
+set firewall family inet filter Hard-Edge term allow-ISP-Monitoring then accept
+set firewall family inet filter Hard-Edge term allow-ntp-servers from source-prefix-list NTP-Servers
+set firewall family inet filter Hard-Edge term allow-ntp-servers from protocol udp
+set firewall family inet filter Hard-Edge term allow-ntp-servers from port ntp
+set firewall family inet filter Hard-Edge term allow-ntp-servers then accept
+set firewall family inet filter Hard-Edge term allow-snmp from source-prefix-list SNMP-SERVERS
+set firewall family inet filter Hard-Edge term allow-snmp from protocol udp
+set firewall family inet filter Hard-Edge term allow-snmp from destination-port snmp
+set firewall family inet filter Hard-Edge term allow-snmp then accept
+set firewall family inet filter Hard-Edge term allow-Monitoring from source-prefix-list SNMP-SERVERS
+set firewall family inet filter Hard-Edge term allow-Monitoring from protocol icmp
+set firewall family inet filter Hard-Edge term allow-Monitoring then accept
+set firewall family inet filter Hard-Edge term allow-vrrp from protocol vrrp
+set firewall family inet filter Hard-Edge term allow-vrrp then accept
+set firewall family inet filter Hard-Edge term deny-dest-mx104 from destination-prefix-list MX104-Public-IP
+set firewall family inet filter Hard-Edge term deny-dest-mx104 then count MX-PublicIP
+set firewall family inet filter Hard-Edge term deny-dest-mx104 then discard
+set firewall family inet filter Hard-Edge term all-else then count Discards
+set firewall family inet filter Hard-Edge term all-else then discard
+set firewall family inet filter Inbound_v4 term block-spoofed from source-address 198.36.16.0/21
+set firewall family inet filter Inbound_v4 term block-spoofed from source-address 198.36.24.0/22
+set firewall family inet filter Inbound_v4 term block-spoofed then reject
+set firewall family inet filter Inbound_v4 term accept-traffic then accept
+set firewall family inet filter SCSD_nets term from-SCSD from source-address 198.36.16.0/21
+set firewall family inet filter SCSD_nets term from-SCSD from source-address 198.36.24.0/22
+set firewall family inet filter SCSD_nets term from-SCSD then accept
+set firewall family inet filter block_hosts_in term default then accept
+set firewall family inet filter login term from-trusted-hosts from source-address 192.168.1.0/24
+set firewall family inet filter login term from-trusted-hosts from source-address 202.166.186.0/24
+set firewall family inet filter login term from-trusted-hosts from source-address 173.60.169.48/28
+set firewall family inet filter login term from-trusted-hosts from source-address 8.19.154.0/24
+set firewall family inet filter login term from-trusted-hosts from source-address 203.22.30.0/24
+set firewall family inet filter login term from-trusted-hosts from source-address 10.1.6.0/24
+set firewall family inet filter login term from-trusted-hosts from protocol tcp
+set firewall family inet filter login term from-trusted-hosts from destination-port ssh
+set firewall family inet filter login term from-trusted-hosts then accept
+set firewall family inet filter login term deny-access from protocol tcp
+set firewall family inet filter login term deny-access from destination-port ssh
+set firewall family inet filter login term default-allow then accept
+set routing-instances mgmt_junos routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
+set routing-options autonomous-system 395534
+set routing-options static route 10.1.48.37/32 next-table mgmt_junos.inet.0
+set routing-options static route 10.1.48.37/32 no-readvertise
+set routing-options static route 198.36.16.0/21 next-hop 198.36.24.5
+set routing-options static route 198.36.16.0/21 install
+set routing-options static route 198.36.16.0/21 readvertise
+set routing-options static route 198.36.24.0/22 next-hop 198.36.24.5
+set routing-options static route 198.36.24.0/22 install
+set routing-options static route 198.36.24.0/22 readvertise
+set routing-options static route 198.36.24.14/32 next-hop 198.36.24.4
+set routing-options nonstop-routing
+set protocols bfd no-issu-timer-negotiation
+set protocols bgp group NYSERNet-v4 local-address 199.109.9.170
+set protocols bgp group NYSERNet-v4 import from-NYSERNet
+set protocols bgp group NYSERNet-v4 family inet unicast
+set protocols bgp group NYSERNet-v4 export to-NYSERNet
+set protocols bgp group NYSERNet-v4 peer-as 3754
+set protocols bgp group NYSERNet-v4 neighbor 199.109.9.169
+set protocols bgp group NYSERNet-CDN-v4 local-address 199.109.109.170
+set protocols bgp group NYSERNet-CDN-v4 import from-NYSERNet
+set protocols bgp group NYSERNet-CDN-v4 family inet unicast
+set protocols bgp group NYSERNet-CDN-v4 export to-NYSERNet
+set protocols bgp group NYSERNet-CDN-v4 peer-as 3630
+set protocols bgp group NYSERNet-CDN-v4 neighbor 199.109.109.169
+set protocols bgp group Cogent-v4 local-address 38.122.121.34
+set protocols bgp group Cogent-v4 import from-Cogent
+set protocols bgp group Cogent-v4 family inet unicast
+set protocols bgp group Cogent-v4 export to-Cogent
+set protocols bgp group Cogent-v4 peer-as 174
+set protocols bgp group Cogent-v4 neighbor 38.122.121.33
+set protocols bgp group internal type internal
+set protocols bgp group internal peer-as 395534
+set protocols bgp group internal local-as 395534
+set protocols bgp group internal neighbor 192.168.168.2 export EXPORT-TO-MX104-B
+set protocols bgp group internal neighbor 192.168.168.2 bfd-liveness-detection minimum-interval 1000
+set protocols bgp group internal neighbor 192.168.168.2 bfd-liveness-detection multiplier 3
+set protocols bgp group CrownCastle-v4 local-address 131.239.69.126
+set protocols bgp group CrownCastle-v4 import from-CrownCastle
+set protocols bgp group CrownCastle-v4 family inet unicast
+set protocols bgp group CrownCastle-v4 export to-CrownCastle
+set protocols bgp group CrownCastle-v4 peer-as 46887
+set protocols bgp group CrownCastle-v4 neighbor 131.239.69.125
+set protocols bgp enable
+set protocols bgp bgp-error-tolerance
+set protocols sflow polling-interval 20
+set protocols sflow sample-rate ingress 1000
+set protocols sflow sample-rate egress 1000
+set protocols sflow source-ip 192.168.1.10
+set protocols sflow collector 10.1.48.37 udp-port 2055
+set protocols sflow interfaces xe-0/0/0.0
+set protocols sflow interfaces xe-0/1/0.0
+set protocols sflow interfaces xe-2/0/0.0
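Review bot: Credential material is committed in the clear here: the `$6$` password hashes for root, fluffybunny.admin and nbadmin and the community string on the `set snmp community` lines are readable by anyone with repository access and will stay in history, so the export should carry placeholders and the values should be rotated on the device. The same file sets `set system services ssh root-login allow`; I would change that to `set system services ssh root-login deny` and rely on the named accounts. In filter `login`, term `deny-access` has match conditions but no `then`, and a Junos term without a terminating action accepts, so it needs `set firewall family inet filter login term deny-access then discard` to do what its name says. Neither `login` nor the anti-spoofing filter `Inbound_v4` is bound to any interface in this file, and `Hard-Edge` is applied only under `family inet` on lo0 while xe-2/0/0 unit 234 carries an inet6 address, so IPv6 traffic to the routing engine appears to be unfiltered; that is worth confirming against the running device.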