/*
 * Junos configuration for the edge router wdc-edge-06 (AS 209), reflowed one
 * statement per line for review. Statements and their order are unchanged.
 *
 * NOTE(review): this capture contains live-looking credentials: two RADIUS
 * shared secrets, a BGP authentication key (all in $9$ form) and a cleartext
 * SNMP community. $9$ is a reversible encoding, not a one-way hash, so anything
 * shown here should be treated as disclosed and rotated.
 *
 * NOTE(review): 6.4R4.3 is a very old Junos release; confirm whether the
 * platform still receives security fixes.
 */
version 6.4R4.3;
/* Configuration group that tags every static route with community 209:776. No apply-groups statement is visible in this capture. */
groups {
    ROUTE-primary {
        routing-options {
            static {
                route <*> community 209:776;
            }
        }
    }
}
system {
    host-name wdc-edge-06;
    domain-name inet.qwest.net;
    default-address-selection;
    dump-on-panic;
    /* RADIUS is consulted first, the local password database second. */
    authentication-order [ radius password ];
    name-server {
        205.171.3.65;
    }
    /* NOTE(review): both shared secrets are $9$-encoded (reversible); rotate them if this file has left the device. */
    radius-server {
        208.47.0.153 {
            secret "$9$BUi1EyevL-dsvM-wYgUDCtu1clW8xN-bUjmTz3tp";
            timeout 5;
            retry 3;
        }
        216.111.65.20 {
            secret "$9$f5z6CtOEhrtpEylKx7ik.539u01RESxNs4aZkq";
            timeout 5;
            retry 3;
        }
    }
    login {
        /* Pre-login banner. NOTE(review): the "\U" before "Unauthorized" looks like a stray backslash; confirm how it renders. */
        message "\n\n\t\t\Unauthorized Access is Prohibited. For operational problems\n\t\tplease contact noc@qwest.net or call 1-888-336-6306.\n\n";
        /*
         * Login classes. Every class sets a 15-minute idle timeout. Most restrict
         * configuration changes with allow-/deny-configuration regular expressions;
         * readonly and view_config_only also restrict operational commands.
         */
        class full {
            idle-timeout 15;
            permissions [ admin clear configure interface-control network routing-control shell snmp system trace view maintenance firewall-control secret rollback ];
            deny-configuration "protocols (bgp|isis|rsvp|mpls) disable|protocols isis interface|protocols mpls label-switched-path .* metric";
        }
        class limited {
            idle-timeout 15;
            permissions [ clear configure interface network routing system trace view firewall ];
            allow-configuration "interfaces (at|t1|t3|ml|ge|gr|so|ds|fe)";
        }
        class nmc2 {
            idle-timeout 15;
            permissions [ admin clear configure interface-control network routing-control shell snmp system trace view maintenance firewall-control secret rollback ];
            deny-configuration "protocols (bgp|isis|rsvp|mpls) disable|protocols mpls label-switched-path .* metric";
        }
        class partial {
            idle-timeout 15;
            permissions [ clear configure interface-control network routing system trace view firewall-control ];
            allow-configuration "protocols bgp group|protocols connections|protocols mpls interface|policy-options|routing-instances|routing-options";
            deny-configuration "protocols bgp group (Qwest|Peer)";
        }
        class readonly {
            idle-timeout 15;
            permissions [ interface network routing trace view firewall ];
            allow-commands "clear interfaces";
            deny-commands "request|telnet|test|ssh";
        }
        class superuser-eng {
            idle-timeout 15;
            permissions [ admin clear configure field floppy interface-control network reset routing-control shell snmp system trace trace-control view maintenance firewall-control secret rollback security access-control ];
            deny-configuration "protocols (bgp|isis|rsvp|mpls) disable|protocols mpls label-switched-path .* metric";
        }
        /* NOTE(review): "permissions all" with a single deny-configuration expression; this is the broadest class in the file. */
        class superuser-local {
            idle-timeout 15;
            permissions all;
            deny-configuration "protocols (bgp|isis|rsvp|mpls) disable";
        }
        class superuser-non-ops {
            idle-timeout 15;
            permissions [ admin clear configure field floppy interface-control network reset routing-control shell snmp system trace trace-control view maintenance firewall-control secret rollback security access-control ];
            deny-configuration "protocols isis interface|protocols mpls label-switched-path .* metric";
        }
        /* NOTE(review): despite its name this class holds "configure" and "secret"; confirm that secret visibility is intended for the autoload account. */
        class view_config_only {
            idle-timeout 15;
            permissions [ admin configure interface routing snmp system view firewall secret security access ];
            allow-commands "request system snapshot";
            deny-commands "request|test|file";
            allow-configuration policy-options;
        }
        /*
         * Accounts map a uid to a login class. No authentication stanza is shown
         * for any of them; presumably they are templates for RADIUS-authenticated
         * users. Confirm against the live device.
         */
        user autoload { uid 108; class view_config_only; }
        user eng { uid 107; class superuser-eng; }
        user imp { uid 103; class partial; }
        user ipnoc { uid 102; class partial; }
        user lab { uid 109; class superuser-non-ops; }
        user nmc { uid 104; class full; }
        user nmc2 { uid 110; class nmc2; }
        user opseng { uid 106; class superuser-local; }
        user prov { uid 101; class limited; }
        user readonly { uid 100; class readonly; }
        user tac { uid 105; class full; }
    }
    /* NOTE(review): telnet is enabled alongside ssh, so credentials and sessions can cross the network in cleartext. The lo0 filter limits who can connect but does not protect the session. */
    services {
        ssh;
        telnet;
    }
    /*
     * Logging: emergencies go to all logged-in users, interactive commands go to
     * two remote hosts, warnings go to three more, and a local "messages" file is
     * kept that is not world-readable.
     */
    syslog {
        user * { any emergency; }
        host 205.171.6.20 { interactive-commands any; }
        host 216.111.65.1 { interactive-commands any; }
        host 208.47.0.114 { any warning; facility-override local5; }
        host 216.207.100.16 { any warning; facility-override local5; }
        host 216.111.65.81 { any warning; facility-override local5; }
        file messages {
            any info;
            authorization notice;
            interactive-commands any;
            archive size 20m files 3 no-world-readable;
        }
    }
    /* NOTE(review): no NTP authentication keys are configured here; the lo0 filter's ntp term is the only visible control on time sources. */
    ntp {
        server 205.171.0.44;
        server 205.171.0.45;
        server 205.171.0.46;
    }
}
chassis {
    /* Do not forward IP packets that carry source-route options. */
    no-source-route;
    dump-on-panic;
    alarm {
        management-ethernet {
            link-down ignore;
        }
    }
}
interfaces {
    /* Core-facing OC48 uplink, per its description. */
    so-0/0/0 {
        description "OC48 to wdc-core-01; pos3/0; x-connect; qip_prod; edgecore";
        encapsulation cisco-hdlc;
        sonet-options {
            fcs 32;
            payload-scrambler;
        }
        unit 0 {
            description "OC48 to wdc-core-01; pos3/0; x-connect; qip_prod; edgecore";
            point-to-point;
            family inet {
                address 205.171.24.118/30;
            }
            family iso;
        }
    }
    /* Second core-facing OC48 uplink, per its description. */
    so-1/0/0 {
        description "OC48 to wdc-core-03; pos1/0; x-connect; qip_prod; edgecore";
        enable;
        encapsulation cisco-hdlc;
        sonet-options {
            fcs 32;
            payload-scrambler;
        }
        unit 0 {
            description "OC48 to wdc-core-03; pos1/0; x-connect; qip_prod; edgecore";
            family inet {
                address 205.171.24.126/30;
            }
            family iso;
        }
    }
    t3-2/2/3 {
        disable;
    }
    /* T3 port with unicast RPF checking on; no address and no firewall filter is attached in this capture. */
    t3-3/3/0 {
        encapsulation cisco-hdlc;
        t3-options {
            no-payload-scrambler;
        }
        unit 0 {
            family inet {
                rpf-check;
            }
        }
    }
    /* The out-of-band management Ethernet port is disabled, so management reaches the router in-band. */
    fxp0 {
        disable;
    }
    /* The loopback carries the router ID. Its input filter, edge-secure-RE, governs traffic addressed to the router itself. */
    lo0 {
        description "wdc-edge-06.inet.qwest.net; qip_prod; edgertr";
        unit 0 {
            description "wdc-edge-06.inet.qwest.net; qip_prod; edgertr";
            family inet {
                filter {
                    input edge-secure-RE;
                }
                address 205.171.3.136/32;
            }
            family iso {
                address 39.752f.0100.0014.0000.2000.0000.2051.7100.3136.00;
            }
        }
    }
}
forwarding-options {
    /* Packet sampling at 1-in-1000 with a run length of 5. NOTE(review): the output file is marked world-readable, so any local account can read sampled traffic metadata, whereas the syslog file above is no-world-readable. */
    sampling {
        input {
            family inet {
                rate 1000;
                run-length 5;
            }
        }
        output {
            file filename samplinglog files 5 size 30m world-readable stamp;
        }
    }
}
snmp {
    /*
     * NOTE(review): the community string is stored and shown in cleartext, so treat
     * it as disclosed. No authorization level is set (read-only by default, to be
     * confirmed). The client list includes a /27 and three /24 ranges, and the
     * services-snmp prefix-list used by the lo0 filter inherits them.
     */
    community WA45a0r214Do {
        clients {
            63.151.189.25/32;
            65.100.64.120/32;
            65.100.65.64/27;
            65.120.19.203/32;
            155.70.32.7/32;
            155.70.137.234/32;
            204.147.85.135/32;
            205.171.6.5/32;
            205.171.6.34/32;
            205.171.6.35/32;
            205.171.6.38/32;
            205.171.6.46/32;
            205.171.9.202/32;
            205.171.10.247/32;
            205.171.13.221/32;
            205.171.14.244/32;
            205.171.14.246/32;
            205.171.17.202/32;
            205.171.21.198/32;
            205.171.25.207/32;
            205.171.26.242/32;
            205.171.27.247/32;
            205.171.29.193/32;
            205.171.30.203/32;
            205.171.31.208/32;
            205.171.128.203/32;
            205.171.128.204/32;
            205.171.129.195/32;
            205.171.139.201/32;
            208.47.0.15/32;
            208.47.0.43/32;
            208.47.0.138/32;
            216.111.65.0/24;
            216.111.66.0/24;
            216.207.100.0/24;
        }
    }
    trap-group all-traps {
        categories {
            authentication;
            chassis;
            link;
            routing;
            startup;
        }
        targets {
            205.171.6.10;
            216.111.66.153;
            216.207.100.143;
            216.111.65.144;
            216.111.65.143;
        }
    }
}
routing-options {
    static {
        rib-group unicast-multicast-rib;
        /* Default route to discard that is not installed in the forwarding table; the *-w-default and default-only export policies match it as "protocol static 0.0.0.0/0 exact". */
        route 0.0.0.0/0 {
            discard;
            no-install;
        }
        route 151.196.0.250/32 next-hop [ 208.46.126.174 208.46.126.182 ];
        route 63.146.17.128/27 next-hop 63.146.0.134;
        route 151.205.128.249/32 next-hop 63.237.65.98;
        route 207.68.64.249/32 next-hop [ t3-3/3/0.0 t3-3/3/2.0 ];
        /* Discard route for 192.0.2.0/24. The blackhole terms below set next-hop 192.0.2.3, which falls inside this prefix, so blackholed traffic is dropped here. */
        route 192.0.2.0/24 {
            discard;
            no-readvertise;
        }
        route 198.26.132.81/32 next-hop 63.148.66.246;
    }
    rib-groups {
        unicast-multicast-rib {
            import-rib [ inet.0 inet.2 ];
        }
        multicast-rib {
            export-rib inet.2;
            import-rib inet.2;
        }
        ifrg {
            import-rib [ inet.0 inet.2 ];
        }
        mcrg {
            export-rib inet.2;
            import-rib inet.2;
        }
    }
    router-id 205.171.3.136;
    autonomous-system 209;
    forwarding-table {
        export customer-loadshare;
        /* Unicast RPF considers all feasible paths, not only the active one. */
        unicast-reverse-path feasible-paths;
    }
}
protocols {
    bgp {
        enable;
        log-updown;
        /* The protocol-level import and export policies both end in reject, so a group that defines no policy of its own fails closed. */
        import import-with-defaults;
        export export-with-defaults;
        /* iBGP to three neighbors. NOTE(review): import-accept takes every route from them unfiltered, and the session key is $9$-encoded (reversible); rotate it if this file was shared. */
        group Qwest-Internal {
            type internal;
            local-address 205.171.3.136;
            import import-accept;
            family inet {
                any;
            }
            authentication-key "$9$A5yKtIEleW-VYEcs24Zkq";
            export [ core-out static-bgp connected-bgp ];
            peer-as 209;
            neighbor 205.171.0.44;
            neighbor 205.171.0.45;
            neighbor 205.171.0.46;
        }
        /*
         * Inactive customer and peer group templates ("inactive:" statements are
         * ignored at commit). Customer templates tear the session down at 800
         * prefixes and hold it idle indefinitely. NOTE(review): none of the
         * templates names an import policy or authentication-key; add both before
         * activating one.
         */
        inactive: group Customer-full-routes {
            type external;
            metric-out igp;
            family inet {
                any {
                    prefix-limit {
                        maximum 800;
                        teardown 65 idle-timeout forever;
                    }
                }
            }
            export full-routes;
        }
        inactive: group Customer-full-routes-w-default {
            type external;
            metric-out igp;
            family inet {
                any {
                    prefix-limit {
                        maximum 800;
                        teardown 65 idle-timeout forever;
                    }
                }
            }
            export full-routes-w-default;
        }
        inactive: group Customer-qwest-routes {
            type external;
            metric-out igp;
            family inet {
                any {
                    prefix-limit {
                        maximum 800;
                        teardown 65 idle-timeout forever;
                    }
                }
            }
            export qwest-routes;
        }
        inactive: group Customer-qwest-routes-w-default {
            type external;
            metric-out igp;
            family inet {
                any {
                    prefix-limit {
                        maximum 800;
                        teardown 65 idle-timeout forever;
                    }
                }
            }
            export qwest-routes-w-default;
        }
        inactive: group Customer-default-only {
            type external;
            metric-out igp;
            family inet {
                any {
                    prefix-limit {
                        maximum 800;
                        teardown 65 idle-timeout forever;
                    }
                }
            }
            export default-only;
        }
        inactive: group Peer-External_UseMeds {
            type external;
            metric-out igp;
            family inet {
                any;
            }
            export external-out;
        }
        inactive: group Peer-External_NoUseMeds {
            type external;
            metric-out igp;
            family inet {
                any;
            }
            export external-out;
        }
        inactive: group Peer-External_UseMeds_Hopaway {
            type external;
            metric-out igp;
            family inet {
                any;
            }
            export external-out;
        }
    }
    /* Level-2-only IS-IS on the two SONET uplinks, with lo0 passive. NOTE(review): no IS-IS authentication statements appear in this capture. */
    isis {
        no-holddown;
        rib-group inet unicast-multicast-rib;
        overload timeout 900;
        level 2 wide-metrics-only;
        level 1 disable;
        interface so-0/0/0.0 {
            level 1 disable;
            level 2 metric 5;
        }
        interface so-1/0/0.0 {
            level 1 disable;
            level 2 metric 5;
        }
        interface lo0.0 {
            level 1 disable;
            level 2 passive;
        }
    }
}
policy-options {
    /*
     * The apply-path prefix-lists are derived from other parts of this
     * configuration, so the lo0 filter follows the configured BGP neighbors, SNMP
     * clients, RADIUS, DNS and NTP servers automatically. services-tacplus expands
     * to nothing here because no tacplus-server is configured.
     */
    prefix-list bgp-regexp {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    prefix-list services-snmp {
        apply-path "snmp community <*> clients <*>";
    }
    prefix-list services-radius {
        apply-path "system radius-server <*>";
    }
    prefix-list services-tacplus {
        apply-path "system tacplus-server <*>";
    }
    prefix-list services-domain {
        apply-path "system name-server <*>";
    }
    /* Two static /22 ranges in addition to the configured NTP servers. */
    prefix-list services-ntp {
        205.171.0.0/22;
        205.171.200.0/22;
        apply-path "system ntp server <*>";
    }
    prefix-list loopback-ip {
        apply-path "interfaces lo0 unit 0 family inet address <*>";
    }
    prefix-list NGS-blocks {
        65.119.64.0/20;
        65.147.144.0/20;
    }
    /* Empty list, not referenced elsewhere in this capture. */
    prefix-list ntp-services;
    /*
     * NOTE(review): this is a static "unallocated space" list. Many of these blocks
     * (for example 2/8, 5/8, 23/8, 31/8, 50/8, 77/8, 96/4, 173/8 through 187/8)
     * have since been allocated and carry legitimate traffic. Here it only feeds a
     * counter in dos-identifier-out, but the same ranges are rejected in
     * stnd_external_out below. Review against current IANA/RIR allocations.
     */
    prefix-list bogons {
        0.0.0.0/7;
        2.0.0.0/8;
        5.0.0.0/8;
        7.0.0.0/8;
        10.0.0.0/8;
        23.0.0.0/8;
        27.0.0.0/8;
        31.0.0.0/8;
        36.0.0.0/7;
        39.0.0.0/8;
        42.0.0.0/8;
        49.0.0.0/8;
        50.0.0.0/8;
        77.0.0.0/8;
        78.0.0.0/7;
        92.0.0.0/6;
        96.0.0.0/4;
        112.0.0.0/5;
        120.0.0.0/8;
        127.0.0.0/8;
        169.254.0.0/16;
        172.16.0.0/12;
        173.0.0.0/8;
        174.0.0.0/7;
        176.0.0.0/5;
        184.0.0.0/6;
        192.0.2.0/24;
        192.168.0.0/16;
        197.0.0.0/8;
        198.18.0.0/15;
        223.0.0.0/8;
        224.0.0.0/3;
    }
    /* NOTE(review): term external-in-10 has no "from" and accepts everything, so external-in-20 is never reached. Not referenced by any group in this capture. */
    policy-statement external-in {
        term external-in-10 {
            then {
                metric 10000;
                local-preference 80;
                community set comm-209-888;
                accept;
            }
        }
        term external-in-20 {
            then reject;
        }
    }
    /* The first term rejects prefixes longer than /24. The second rejects the default route, RFC 1918, loopback and multicast space and a list of specific /24s, then passes the rest on. */
    policy-statement deny-gunk {
        term deny-gunk-10 {
            from {
                route-filter 0.0.0.0/0 upto /24 next term;
                route-filter 0.0.0.0/0 upto /32;
            }
            then reject;
        }
        term deny-gunk-20 {
            from {
                route-filter 0.0.0.0/0 through 0.0.0.0/32 reject;
                route-filter 10.0.0.0/8 orlonger reject;
                route-filter 127.0.0.0/8 orlonger reject;
                route-filter 172.16.0.0/12 orlonger reject;
                route-filter 192.168.0.0/16 orlonger reject;
                route-filter 128.0.0.0/16 orlonger reject;
                route-filter 191.255.0.0/16 orlonger reject;
                route-filter 233.255.255.0/24 orlonger reject;
                route-filter 224.0.0.0/3 orlonger reject;
                route-filter 198.32.176.0/24 orlonger reject;
                route-filter 192.157.69.0/24 orlonger reject;
                route-filter 198.32.186.0/24 orlonger reject;
                route-filter 192.41.177.0/24 orlonger reject;
                route-filter 198.32.136.0/24 orlonger reject;
                route-filter 198.32.184.0/24 orlonger reject;
                route-filter 198.32.130.0/24 orlonger reject;
                route-filter 206.220.243.0/24 orlonger reject;
                route-filter 198.32.128.0/24 orlonger reject;
                route-filter 198.32.200.0/24 orlonger reject;
                route-filter 198.32.139.0/24 orlonger reject;
                route-filter 198.32.187.0/24 orlonger reject;
                route-filter 198.32.177.0/24 orlonger reject;
                route-filter 198.9.201.0/24 orlonger reject;
                route-filter 198.36.137.0/24 orlonger reject;
            }
            then next term;
        }
    }
    /* Forwarding-table export policy: per-packet load balancing for BGP routes learned from the listed neighbors. */
    policy-statement customer-loadshare {
        term 1 {
            from {
                protocol bgp;
                neighbor [ 151.196.0.250 151.205.0.249 209.158.128.200 151.196.0.249 207.68.64.249 151.200.255.253 151.205.128.249 ];
            }
            then {
                load-balance per-packet;
            }
        }
    }
    policy-statement export-default {
        from {
            protocol static;
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
    /* Same as deny-gunk but without the filter that rejects the default route. */
    policy-statement deny-gunk-allow-default {
        term deny-gunk-10 {
            from {
                route-filter 0.0.0.0/0 upto /24 next term;
                route-filter 0.0.0.0/0 upto /32;
            }
            then reject;
        }
        term deny-gunk-20 {
            from {
                route-filter 10.0.0.0/8 orlonger reject;
                route-filter 127.0.0.0/8 orlonger reject;
                route-filter 172.16.0.0/12 orlonger reject;
                route-filter 192.168.0.0/16 orlonger reject;
                route-filter 128.0.0.0/16 orlonger reject;
                route-filter 191.255.0.0/16 orlonger reject;
                route-filter 233.255.255.0/24 orlonger reject;
                route-filter 224.0.0.0/3 orlonger reject;
                route-filter 198.32.176.0/24 orlonger reject;
                route-filter 192.157.69.0/24 orlonger reject;
                route-filter 198.32.186.0/24 orlonger reject;
                route-filter 192.41.177.0/24 orlonger reject;
                route-filter 198.32.136.0/24 orlonger reject;
                route-filter 198.32.184.0/24 orlonger reject;
                route-filter 198.32.130.0/24 orlonger reject;
                route-filter 206.220.243.0/24 orlonger reject;
                route-filter 198.32.128.0/24 orlonger reject;
                route-filter 198.32.200.0/24 orlonger reject;
                route-filter 198.32.139.0/24 orlonger reject;
                route-filter 198.32.187.0/24 orlonger reject;
                route-filter 198.32.177.0/24 orlonger reject;
                route-filter 198.9.201.0/24 orlonger reject;
                route-filter 198.36.137.0/24 orlonger reject;
            }
            then next term;
        }
    }
    policy-statement non-transit-in {
        term non-transit-in-10 {
            then {
                metric 10000;
                local-preference 80;
                community set comm-209-888;
                accept;
            }
        }
    }
    /* Match-only helper (RFC 1918 space plus 0.0.0.0/0 through /32), used as a "from policy" condition by connected-bgp and static-bgp. It is separate from prefix-list bogons above. */
    policy-statement bogons {
        from {
            route-filter 10.0.0.0/8 orlonger;
            route-filter 172.16.0.0/12 orlonger;
            route-filter 192.168.0.0/16 orlonger;
            route-filter 0.0.0.0/0 through 0.0.0.0/32;
        }
        then accept;
    }
    /* Peer-facing export: rejects routes matching as-path 20 and the 209:777/888/999 tags, accepts 209:209 routes that pass stnd_external_out, and rejects the rest. */
    policy-statement external-out {
        term 10 { from policy connected-bgp; then next term; }
        term 20 { from policy static-bgp; then next term; }
        term 30 { from as-path 20; then reject; }
        term 40 { from community [ 209:777 209:888 209:999 ]; then reject; }
        term 50 {
            from {
                community 209:209;
                policy stnd_external_out;
            }
            then accept;
        }
        term 60 { then reject; }
    }
    /* Fail-closed defaults attached at the bgp level: routes are marked with worst-case attributes and then rejected. */
    policy-statement import-with-defaults {
        then {
            metric 100000;
            preference 255;
            local-preference 1;
            origin incomplete;
            community set 209:001;
            reject;
        }
    }
    policy-statement export-with-defaults {
        then {
            metric 100000;
            preference 255;
            local-preference 1;
            origin incomplete;
            community set 209:001;
            reject;
        }
    }
    /* Accepts everything; used as the import policy of the iBGP group. */
    policy-statement import-accept {
        then accept;
    }
    /* Customer-facing export policies. All reject routes matching as-path 21 (private AS numbers) and end in an explicit reject. */
    policy-statement full-routes {
        term 10 { from policy connected-bgp; then next term; }
        term 20 { from policy static-bgp; then next term; }
        term 30 { from as-path 21; then reject; }
        term 40 { from community [ 209:777 209:999 ]; then reject; }
        term 50 {
            from {
                community [ 209:888 209:209 ];
                policy stnd_external_out;
            }
            then accept;
        }
        term 60 { then reject; }
    }
    policy-statement full-routes-w-default {
        term 10 { from policy connected-bgp; then next term; }
        term 20 { from policy static-bgp; then next term; }
        term 30 { from as-path 21; then reject; }
        term 40 { from community [ 209:777 209:999 ]; then reject; }
        term 50 {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term 60 {
            from {
                community [ 209:888 209:209 ];
                policy stnd_external_out;
            }
            then accept;
        }
        term 70 { then reject; }
    }
    policy-statement qwest-routes {
        term 10 { from policy connected-bgp; then next term; }
        term 20 { from policy static-bgp; then next term; }
        term 30 { from as-path 21; then reject; }
        term 40 { from community [ 209:777 209:888 209:999 ]; then reject; }
        term 50 {
            from {
                community 209:209;
                policy stnd_external_out;
            }
            then accept;
        }
        term 60 { then reject; }
    }
    policy-statement qwest-routes-w-default {
        term 10 { from policy connected-bgp; then next term; }
        term 20 { from policy static-bgp; then next term; }
        term 30 { from as-path 21; then reject; }
        term 40 { from community [ 209:777 209:888 209:999 ]; then reject; }
        term 50 {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term 60 {
            from {
                community 209:209;
                policy stnd_external_out;
            }
            then accept;
        }
        term 70 { then reject; }
    }
    policy-statement default-only {
        term 10 {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term 20 { then reject; }
    }
    /* Redistributes directly connected routes into BGP tagged 209:777, after dropping anything matched by policy bogons. */
    policy-statement connected-bgp {
        term deny-bogons {
            from {
                protocol direct;
                policy bogons;
            }
            then reject;
        }
        term default {
            from protocol direct;
            then {
                local-preference 100;
                origin igp;
                community set 209:777;
                community add wdc-pop;
                next-hop self;
                accept;
            }
        }
    }
    /* Redistributes static routes into BGP. Routes inside stnd_netblocks_qwest get 209:777, all other statics get 209:209; the backup terms use local-preference 90. */
    policy-statement static-bgp {
        term deny-10 {
            from {
                protocol static;
                policy bogons;
            }
            then reject;
        }
        term permit-20 {
            from {
                protocol static;
                policy stnd_backup_qwest;
            }
            then {
                local-preference 90;
                origin igp;
                community add wdc-pop;
                community add 209:777;
                next-hop self;
                accept;
            }
        }
        term permit-30 {
            from {
                protocol static;
                policy stnd_netblocks_qwest;
            }
            then {
                local-preference 100;
                origin igp;
                community add wdc-pop;
                community add 209:777;
                next-hop self;
                accept;
            }
        }
        term permit-40 {
            from {
                protocol static;
                policy stnd_backup_cust;
            }
            then {
                local-preference 90;
                origin igp;
                community add wdc-pop;
                community add 209:209;
                next-hop self;
                accept;
            }
        }
        term permit-50 {
            from protocol static;
            then {
                local-preference 100;
                origin igp;
                community add wdc-pop;
                community add 209:209;
                next-hop self;
                accept;
            }
        }
    }
    /* Both backup policies match only 0.0.0.0/32, which looks like a placeholder entry; confirm. */
    policy-statement stnd_backup_cust {
        from {
            route-filter 0.0.0.0/32 exact;
        }
        then accept;
    }
    policy-statement stnd_backup_qwest {
        from {
            route-filter 0.0.0.0/32 exact;
        }
        then accept;
    }
    /* Provider address blocks. "longer" matches only more-specific prefixes, not the aggregate itself. */
    policy-statement stnd_netblocks_qwest {
        from {
            route-filter 63.144.0.0/12 longer;
            route-filter 63.224.0.0/12 longer;
            route-filter 65.100.0.0/14 longer;
            route-filter 65.112.0.0/12 longer;
            route-filter 65.128.0.0/11 longer;
            route-filter 66.77.0.0/16 longer;
            route-filter 67.0.0.0/13 longer;
            route-filter 67.40.0.0/15 longer;
            route-filter 67.42.0.0/16 longer;
            route-filter 67.128.0.0/13 longer;
            route-filter 67.144.0.0/14 longer;
            route-filter 67.148.0.0/16 longer;
            route-filter 68.176.0.0/15 longer;
            route-filter 69.8.192.0/18 longer;
            route-filter 168.103.0.0/16 longer;
            route-filter 198.36.128.0/17 longer;
            route-filter 198.59.0.0/18 longer;
            route-filter 198.59.64.0/19 longer;
            route-filter 198.233.0.0/16 longer;
            route-filter 198.243.0.0/16 longer;
            route-filter 199.117.0.0/16 longer;
            route-filter 204.131.0.0/16 longer;
            route-filter 204.26.64.0/18 longer;
            route-filter 204.98.0.0/16 longer;
            route-filter 204.132.0.0/15 longer;
            route-filter 204.134.0.0/16 longer;
            route-filter 204.147.80.0/20 longer;
            route-filter 204.228.64.0/18 longer;
            route-filter 204.245.64.0/18 longer;
            route-filter 205.168.0.0/14 longer;
            route-filter 205.215.192.0/19 longer;
            route-filter 206.80.192.0/19 longer;
            route-filter 206.81.128.0/19 longer;
            route-filter 206.81.192.0/19 longer;
            route-filter 206.196.128.0/19 longer;
            route-filter 207.108.0.0/15 longer;
            route-filter 207.159.64.0/18 longer;
            route-filter 207.224.0.0/15 longer;
            route-filter 208.44.0.0/14 longer;
            route-filter 209.3.0.0/16 longer;
            route-filter 209.45.128.0/17 longer;
            route-filter 209.180.0.0/15 longer;
            route-filter 209.201.0.0/17 longer;
            route-filter 209.211.0.0/16 longer;
            route-filter 216.111.0.0/16 longer;
            route-filter 216.160.0.0/15 longer;
            route-filter 216.206.0.0/15 longer;
            route-filter 70.56.0.0/14 longer;
            route-filter 71.32.0.0/13 longer;
            route-filter 72.164.0.0/15 longer;
            route-filter 71.208.0.0/12 longer;
            route-filter 72.166.0.0/16 longer;
        }
        then accept;
    }
    /* iBGP export toward the core. Routes tagged blackhole-209:0 are advertised with next-hop 192.0.2.3, which the static discard route covers; everything else gets next-hop self. */
    policy-statement core-out {
        term blackhole {
            from community blackhole-209:0;
            then {
                next-hop 192.0.2.3;
                accept;
            }
        }
        term default {
            then {
                next-hop self;
            }
        }
    }
    /*
     * Prefix sanity filter used as a "from policy" condition. It rejects the default
     * route, the bogon ranges and anything from /25 to /32, and accepts the rest.
     * NOTE(review): it embeds the same static bogon ranges as prefix-list bogons;
     * a customer announcing space that has since been allocated would be rejected.
     * Review against current allocations.
     */
    policy-statement stnd_external_out {
        from {
            route-filter 0.0.0.0/0 exact reject;
            route-filter 0.0.0.0/7 orlonger reject;
            route-filter 2.0.0.0/8 orlonger reject;
            route-filter 5.0.0.0/8 orlonger reject;
            route-filter 7.0.0.0/8 orlonger reject;
            route-filter 10.0.0.0/8 orlonger reject;
            route-filter 23.0.0.0/8 orlonger reject;
            route-filter 27.0.0.0/8 orlonger reject;
            route-filter 31.0.0.0/8 orlonger reject;
            route-filter 36.0.0.0/7 orlonger reject;
            route-filter 39.0.0.0/8 orlonger reject;
            route-filter 42.0.0.0/8 orlonger reject;
            route-filter 49.0.0.0/8 orlonger reject;
            route-filter 50.0.0.0/8 orlonger reject;
            route-filter 77.0.0.0/8 orlonger reject;
            route-filter 78.0.0.0/7 orlonger reject;
            route-filter 92.0.0.0/6 orlonger reject;
            route-filter 96.0.0.0/4 orlonger reject;
            route-filter 112.0.0.0/5 orlonger reject;
            route-filter 120.0.0.0/8 orlonger reject;
            route-filter 127.0.0.0/8 orlonger reject;
            route-filter 169.254.0.0/16 orlonger reject;
            route-filter 172.16.0.0/12 orlonger reject;
            route-filter 173.0.0.0/8 orlonger reject;
            route-filter 174.0.0.0/7 orlonger reject;
            route-filter 176.0.0.0/5 orlonger reject;
            route-filter 184.0.0.0/6 orlonger reject;
            route-filter 192.0.2.0/24 orlonger reject;
            route-filter 192.168.0.0/16 orlonger reject;
            route-filter 197.0.0.0/8 orlonger reject;
            route-filter 198.18.0.0/15 orlonger reject;
            route-filter 223.0.0.0/8 orlonger reject;
            route-filter 224.0.0.0/3 orlonger reject;
            route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject;
            route-filter 0.0.0.0/0 orlonger accept;
        }
    }
    /* Same as stnd_external_out but without the /25-/32 length restriction, so more-specific prefixes pass. The stale-bogon caveat applies here too. */
    policy-statement stnd_external_out_bogons {
        from {
            route-filter 0.0.0.0/0 exact reject;
            route-filter 0.0.0.0/7 orlonger reject;
            route-filter 2.0.0.0/8 orlonger reject;
            route-filter 5.0.0.0/8 orlonger reject;
            route-filter 7.0.0.0/8 orlonger reject;
            route-filter 10.0.0.0/8 orlonger reject;
            route-filter 23.0.0.0/8 orlonger reject;
            route-filter 27.0.0.0/8 orlonger reject;
            route-filter 31.0.0.0/8 orlonger reject;
            route-filter 36.0.0.0/7 orlonger reject;
            route-filter 39.0.0.0/8 orlonger reject;
            route-filter 42.0.0.0/8 orlonger reject;
            route-filter 49.0.0.0/8 orlonger reject;
            route-filter 50.0.0.0/8 orlonger reject;
            route-filter 77.0.0.0/8 orlonger reject;
            route-filter 78.0.0.0/7 orlonger reject;
            route-filter 92.0.0.0/6 orlonger reject;
            route-filter 96.0.0.0/4 orlonger reject;
            route-filter 112.0.0.0/5 orlonger reject;
            route-filter 120.0.0.0/8 orlonger reject;
            route-filter 127.0.0.0/8 orlonger reject;
            route-filter 169.254.0.0/16 orlonger reject;
            route-filter 172.16.0.0/12 orlonger reject;
            route-filter 173.0.0.0/8 orlonger reject;
            route-filter 174.0.0.0/7 orlonger reject;
            route-filter 176.0.0.0/5 orlonger reject;
            route-filter 184.0.0.0/6 orlonger reject;
            route-filter 192.0.2.0/24 orlonger reject;
            route-filter 192.168.0.0/16 orlonger reject;
            route-filter 197.0.0.0/8 orlonger reject;
            route-filter 198.18.0.0/15 orlonger reject;
            route-filter 223.0.0.0/8 orlonger reject;
            route-filter 224.0.0.0/3 orlonger reject;
            route-filter 0.0.0.0/0 orlonger accept;
        }
    }
    /*
     * Customer import policy; no group in this capture references it. Term order
     * matters. Routes that arrive carrying a community matched by BAD_COMMUNITIES
     * are rejected first, which appears intended to stop customers from setting
     * internally assigned tags (209:777 matches the three-digit alternative, for
     * example). Routes matching as-path 19 are rejected next.
     * NOTE(review): the blackhole term accepts any route tagged 209:0 before any
     * prefix check runs; confirm that a per-customer prefix filter is applied
     * ahead of this policy, so a customer can blackhole only its own space.
     */
    policy-statement transit-customer-in {
        term bad-communities {
            from community BAD_COMMUNITIES;
            then reject;
        }
        term peer-routes {
            from as-path 19;
            then reject;
        }
        term blackhole {
            from community blackhole-209:0;
            then {
                community set blackhole-209:0;
                community add no-export;
                next-hop 192.0.2.3;
                accept;
            }
        }
        term permit-20 {
            from {
                community 10;
                policy stnd_external_out;
            }
            then {
                local-preference 100;
                community set 209:888;
                community add wdc-pop;
                next policy;
            }
        }
        /* The only term that uses the variant without the /25-/32 limit. */
        term permit-30 {
            from {
                community 6;
                policy stnd_external_out_bogons;
            }
            then {
                local-preference 100;
                community set 209:999;
                community add wdc-pop;
                next policy;
            }
        }
        /* Customer-signalled local-preference: 209:70, 209:80 and 209:90 map to 70, 80 and 90. */
        term permit-40 {
            from {
                community 7;
                policy stnd_external_out;
            }
            then {
                local-preference 70;
                community add 209:209;
                community add wdc-pop;
                next policy;
            }
        }
        term permit-50 {
            from {
                community 8;
                policy stnd_external_out;
            }
            then {
                local-preference 80;
                community add 209:209;
                community add wdc-pop;
                next policy;
            }
        }
        term permit-60 {
            from {
                community 9;
                policy stnd_external_out;
            }
            then {
                local-preference 90;
                community add 209:209;
                community add wdc-pop;
                next policy;
            }
        }
        term permit-70 {
            from policy stnd_external_out;
            then {
                local-preference 100;
                community add 209:209;
                community add wdc-pop;
                next policy;
            }
        }
        term deny-all {
            then reject;
        }
    }
    /* Named communities. Several names alias the same value (for example "10", "209:888" and "comm-209-888"). */
    community 10 members 209:888;
    community 209:001 members 209:001;
    community 209:209 members 209:209;
    community 209:65504 members 209:65504;
    community 209:777 members 209:777;
    community 209:888 members 209:888;
    community 209:889 members 209:889;
    community 209:999 members 209:999;
    community 6 members 209:999;
    community 7 members 209:70;
    community 8 members 209:80;
    community 9 members 209:90;
    community BAD_COMMUNITIES members "^(209:(([1-9])|([0-6].)|([3-7]..)|(....)|([0-5]....)|(6[0-3]...)|(64[0-4]..)|(65...)))$";
    community blackhole-209:0 members 209:0;
    community comm-209-209 members 209:209;
    community comm-209-300 members 209:300;
    community comm-209-65018 members 209:65018;
    community comm-209-65032 members 209:65032;
    community comm-209-70 members 209:70;
    community comm-209-777 members 209:777;
    community comm-209-80 members 209:80;
    community comm-209-888 members 209:888;
    community comm-209-90 members 209:90;
    community comm-209-999 members 209:999;
    community comm-popaggr members 209:707;
    community comm-primary members 209:776;
    community no-export members no-export;
    community wdc-pop members 209:20228;
    /* AS-path expressions. "21" matches paths containing a private AS number (64512-65535); "19" and "20" list specific AS numbers, presumably peers and upstreams. */
    as-path 21 ".*(64512-65535).*";
    as-path 98 .;
    as-path as_path_20_reject ".* (64512-65535|1|174|701|1239|1299|2548|2828|2914|3257|3356|3549|3561|4006|4134|4200|4544|4565|6453|6461|7018|7911) .*";
    as-path as_path_20_accept .*;
    as-path 19 ".*(174|577|701|852|1239|1299|1668|2828|2914|3320|3257|3356|3549|3561|4134|4637|4725|5400|5511|6453|6461|7018|7473|7911|12956).*";
    as-path 20 ".*(64512-65535|174|577|701|852|1239|1299|1668|2828|2914|3257|3320|3356|3549|3561|4134|4637|4725|5400|5511|6453|6461|7018|7473|7911|12956).*";
}
firewall {
    /* Rate limiters; traffic over the limit is discarded. */
    policer limit-small {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 50k;
        }
        then discard;
    }
    policer limit-medium {
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 500k;
        }
        then discard;
    }
    policer limit-medium-high {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 1m;
        }
        then discard;
    }
    policer limit-high {
        if-exceeding {
            bandwidth-limit 15m;
            burst-size-limit 1m;
        }
        then discard;
    }
    policer limit-spoofing {
        if-exceeding {
            bandwidth-limit 3m;
            burst-size-limit 300k;
        }
        then discard;
    }
    policer limit-customer {
        if-exceeding {
            bandwidth-limit 500k;
            burst-size-limit 50k;
        }
        then discard;
    }
    /* NOTE(review): the name says 22Meg but the limit is 30m; confirm which one is intended. */
    policer 22Meg {
        if-exceeding {
            bandwidth-limit 30m;
            burst-size-limit 50k;
        }
        then discard;
    }
    policer 3Meg {
        if-exceeding {
            bandwidth-limit 3m;
            burst-size-limit 50k;
        }
        then discard;
    }
    /*
     * Control-plane protection filter, applied as the lo0.0 input filter. Terms are
     * evaluated in order. Most accepted services are rate-limited, and anything
     * unmatched is counted, logged, sampled and discarded by deny-all.
     */
    filter edge-secure-RE {
        /* Polices all TCP SYN and FIN packets to 500k, then continues, so later terms still decide whether to accept them. */
        term limit-syn-fin {
            from {
                protocol tcp;
                tcp-flags "syn | fin";
            }
            then {
                policer limit-small;
                next term;
            }
        }
        term icmp-source-quench {
            from {
                protocol icmp;
                icmp-type source-quench;
            }
            then {
                discard;
            }
        }
        /* NOTE(review): every remaining ICMP type is accepted from any source, rate-limited to 2m. */
        term icmp {
            from {
                protocol icmp;
            }
            then {
                policer limit-medium;
                accept;
            }
        }
        term traceroute {
            from {
                protocol udp;
                destination-port 33434-33523;
            }
            then {
                policer limit-small;
                accept;
            }
        }
        /* NOTE(review): management access is limited to eight source hosts but has no policer of its own and permits telnet as well as ssh. */
        term management-access {
            from {
                source-address {
                    216.111.65.1/32;
                    208.47.0.248/32;
                    204.147.85.60/32;
                    204.147.85.59/32;
                    208.47.0.15/32;
                    216.111.66.1/32;
                    208.47.0.43/32;
                    207.225.133.120/32;
                }
                protocol tcp;
                port [ telnet ssh ];
            }
            then accept;
        }
        /* The service terms below take their sources from the apply-path prefix-lists. */
        term snmp {
            from {
                source-prefix-list {
                    services-snmp;
                }
                protocol udp;
                port snmp;
            }
            then {
                policer limit-medium;
                accept;
            }
        }
        term radius {
            from {
                source-prefix-list {
                    services-radius;
                }
                protocol udp;
                port radius;
            }
            then {
                policer limit-medium;
                accept;
            }
        }
        term domain {
            from {
                source-prefix-list {
                    services-domain;
                }
                protocol udp;
                port domain;
            }
            then {
                policer limit-medium;
                accept;
            }
        }
        term ntp {
            from {
                source-prefix-list {
                    services-ntp;
                }
                protocol udp;
                port ntp;
            }
            then {
                policer limit-medium;
                accept;
            }
        }
        /* BGP is accepted only from configured neighbors; the traffic is also sampled. */
        term bgp {
            from {
                source-prefix-list {
                    bgp-regexp;
                }
                protocol tcp;
                port bgp;
            }
            then {
                policer limit-high;
                sample;
                accept;
            }
        }
        /* NOTE(review): TCP fragments are accepted from any source (rate-limited to 10m) because a fragment cannot be matched on port; consider restricting the source addresses. */
        term tcp-fragments {
            from {
                is-fragment;
                protocol tcp;
            }
            then {
                policer limit-medium-high;
                accept;
            }
        }
        term rsvp {
            from {
                source-address {
                    205.171.0.0/16;
                    67.14.0.0/15;
                    67.14.128.0/23;
                }
                protocol rsvp;
            }
            then {
                policer limit-medium;
                accept;
            }
        }
        term ldp {
            from {
                source-address {
                    205.171.0.0/16;
                    67.133.0.0/23;
                }
                protocol [ tcp udp ];
                port 646;
            }
            then {
                policer limit-medium;
                accept;
            }
        }
        term gretunnel {
            from {
                source-address {
                    205.171.0.0/16;
                }
                protocol gre;
            }
            then {
                policer limit-medium;
                accept;
            }
        }
        term sap {
            from {
                destination-address {
                    224.2.127.254/32;
                }
                protocol udp;
                port 9875;
            }
            then {
                policer limit-medium;
                accept;
            }
        }
        term vrrp {
            from {
                source-address {
                    205.171.0.0/16;
                }
                destination-address {
                    224.0.0.18/32;
                }
                protocol 112;
            }
            then {
                policer limit-medium;
                accept;
            }
        }
        /* NOTE(review): this term matches on source port, which the sender chooses, so any TCP packet from these source ranges with source port ftp or ftp-data is accepted to any port on the router. Consider also requiring tcp-established. */
        term ftp-data {
            from {
                source-address {
                    205.171.0.0/16;
                    207.17.137.34/32;
                }
                protocol tcp;
                source-port [ ftp ftp-data ];
            }
            then {
                policer limit-high;
                accept;
            }
        }
        term deny-all {
            then {
                count discards;
                log;
                sample;
                discard;
            }
        }
    }
    /* Measurement-only filter: it samples and counts common traffic classes and accepts everything. Not attached to any interface in this capture. */
    filter dos-identifier-out {
        interface-specific;
        term sample {
            then {
                sample;
                next term;
            }
        }
        term bogons {
            from {
                source-prefix-list {
                    bogons;
                }
            }
            then {
                count bogons;
                next term;
            }
        }
        term tcp-established {
            from {
                protocol tcp;
                tcp-established;
            }
            then {
                count tcp-established;
                next term;
            }
        }
        term tcp-syn {
            from {
                protocol tcp;
                tcp-flags syn;
            }
            then {
                count tcp-syn;
                next term;
            }
        }
        term icmp-echo-reply {
            from {
                protocol icmp;
                icmp-type echo-reply;
            }
            then {
                count icmp-echo-replies;
                accept;
            }
        }
        term icmp-echo-request {
            from {
                protocol icmp;
                icmp-type echo-request;
            }
            then {
                count icmp-echo-requests;
                accept;
            }
        }
        term netbios {
            from {
                protocol [ udp tcp ];
                destination-port [ netbios-ssn netbios-ns netbios-dgm ];
            }
            then {
                count netbios;
                accept;
            }
        }
        term port-135 {
            from {
                protocol [ udp tcp ];
                port 135;
            }
            then {
                count port-135;
                accept;
            }
        }
        term port-445 {
            from {
                protocol [ udp tcp ];
                port 445;
            }
            then {
                count port-445;
                accept;
            }
        }
        term port-1434 {
            from {
                protocol udp;
                port 1434;
            }
            then {
                count port-1434;
                accept;
            }
        }
        term accept-all {
            then accept;
        }
    }
    /* Rate-limit filters: BGP is exempt, everything else is policed to 3m. Not attached to any interface in this capture. */
    filter 200-00-3-in {
        term allow-bgp {
            from {
                protocol tcp;
                port bgp;
            }
            then accept;
        }
        term rate-limit {
            then {
                policer 3Meg;
                accept;
            }
        }
    }
    filter 200-00-3-out {
        term allow-bgp {
            from {
                protocol tcp;
                port bgp;
            }
            then accept;
        }
        term rate-limit {
            then {
                policer 3Meg;
                accept;
            }
        }
    }
}