
/* Junos release this configuration was written for. 6.4 is a very old release line, so
   hardening guidance written for current Junos may not map one-to-one onto this file. */
version 6.4R4.3;
/* Configuration group ROUTE-primary: when inherited, tags every static route (wildcard
   route name) with community 209:776.
   NOTE(review): no apply-groups statement is visible in this file, so the group may not
   be in effect here - confirm. */
groups {
ROUTE-primary {
routing-options {
static {
route <*> community 209:776;
}
}
}
}
/* Device identity, login authentication and authorization, management services, logging
   and time sync for the routing engine. */
system {
host-name wdc-edge-06;
domain-name inet.qwest.net;
default-address-selection;
dump-on-panic;
/* RADIUS is consulted first, then the local password database. None of the user stanzas
   below carries an authentication statement, so in this file the local accounts look like
   authorization templates for RADIUS-authenticated logins - confirm against the RADIUS
   server configuration. */
authentication-order [ radius password ];
name-server {
205.171.3.65;
}
/* The $9$ strings are Junos's reversible obfuscation format, not one-way hashes. Any copy
   of this file that leaves the device discloses the RADIUS shared secrets: rotate them on
   the routers and the RADIUS servers, and keep exported configurations out of shared or
   world-readable storage. */
radius-server {
208.47.0.153 {
secret "$9$BUi1EyevL-dsvM-wYgUDCtu1clW8xN-bUjmTz3tp";
timeout 5;
retry 3;
}
216.111.65.20 {
secret "$9$f5z6CtOEhrtpEylKx7ik.539u01RESxNs4aZkq";
timeout 5;
retry 3;
}
}
login {
/* Pre-login banner. NOTE(review): the string has a stray backslash before "Unauthorized";
   confirm how it renders on the terminal. */
message "\n\n\t\t\Unauthorized Access is Prohibited. For operational problems\n\t\tplease contact noc@qwest.net or call 1-888-336-6306.\n\n";
/* Every class sets a 15-minute idle timeout. Classes differ in the permission bits they
   grant and in the allow/deny regular expressions layered on top. */
/* full: broad operator class that includes shell and secret. The deny-configuration
   expression blocks disabling bgp/isis/rsvp/mpls and editing IS-IS interfaces or LSP metrics. */
class full {
idle-timeout 15;
permissions [ admin clear configure interface-control network routing-control shell snmp system trace view maintenance firewall-control secret rollback ];
deny-configuration "protocols (bgp|isis|rsvp|mpls) disable|protocols isis interface|protocols mpls label-switched-path .* metric";
}
/* limited: may configure only the interface types named in allow-configuration. */
class limited {
idle-timeout 15;
permissions [ clear configure interface network routing system trace view firewall ];
allow-configuration "interfaces (at|t1|t3|ml|ge|gr|so|ds|fe)";
}
/* nmc2: same permission bits as full; its deny expression omits "protocols isis interface". */
class nmc2 {
idle-timeout 15;
permissions [ admin clear configure interface-control network routing-control shell snmp system trace view maintenance firewall-control secret rollback ];
deny-configuration "protocols (bgp|isis|rsvp|mpls) disable|protocols mpls label-switched-path .* metric";
}
/* partial: may edit BGP groups, policy and routing options, except BGP groups whose names
   start with Qwest or Peer. */
class partial {
idle-timeout 15;
permissions [ clear configure interface-control network routing system trace view firewall-control ];
allow-configuration "protocols bgp group|protocols connections|protocols mpls interface|policy-options|routing-instances|routing-options";
deny-configuration "protocols bgp group (Qwest|Peer)";
}
/* readonly: view-level bits plus "clear interfaces"; outbound telnet/ssh and the request
   and test command trees are denied, which keeps the account from being used as a hop to
   other hosts. */
class readonly {
idle-timeout 15;
permissions [ interface network routing trace view firewall ];
allow-commands "clear interfaces";
deny-commands "request|telnet|test|ssh";
}
class superuser-eng {
idle-timeout 15;
permissions [ admin clear configure field floppy interface-control network reset routing-control shell snmp system trace trace-control view maintenance firewall-control secret rollback security access-control ];
deny-configuration "protocols (bgp|isis|rsvp|mpls) disable|protocols mpls label-switched-path .* metric";
}
/* superuser-local: all permission bits; only disabling the core protocols is denied. */
class superuser-local {
idle-timeout 15;
permissions all;
deny-configuration "protocols (bgp|isis|rsvp|mpls) disable";
}
class superuser-non-ops {
idle-timeout 15;
permissions [ admin clear configure field floppy interface-control network reset routing-control shell snmp system trace trace-control view maintenance firewall-control secret rollback security access-control ];
deny-configuration "protocols isis interface|protocols mpls label-switched-path .* metric";
}
/* view_config_only: despite the name, the class grants configure and secret. The secret
   bit lets the holder display the obfuscated secrets in the configuration, and
   allow-configuration permits edits under policy-options.
   NOTE(review): confirm this is the least privilege the autoload account needs. */
class view_config_only {
idle-timeout 15;
permissions [ admin configure interface routing snmp system view firewall secret security access ];
allow-commands "request system snapshot";
deny-commands "request|test|file";
allow-configuration policy-options;
}
/* Account-to-class mapping. The accounts are shared role names rather than per-person
   logins, so attribution of a change depends on what the RADIUS side records - verify. */
user autoload {
uid 108;
class view_config_only;
}
user eng {
uid 107;
class superuser-eng;
}
user imp {
uid 103;
class partial;
}
user ipnoc {
uid 102;
class partial;
}
user lab {
uid 109;
class superuser-non-ops;
}
user nmc {
uid 104;
class full;
}
user nmc2 {
uid 110;
class nmc2;
}
user opseng {
uid 106;
class superuser-local;
}
user prov {
uid 101;
class limited;
}
user readonly {
uid 100;
class readonly;
}
user tac {
uid 105;
class full;
}
}
/* Both SSH and Telnet are enabled. Telnet carries credentials and session contents in
   cleartext; the only restriction visible here is the source-address list in the
   management-access term of firewall filter edge-secure-RE. Removing telnet and leaving
   ssh as the sole remote-login service is the usual hardening step. */
services {
ssh;
telnet;
}
syslog {
/* Emergency messages are written to every logged-in terminal. */
user * {
any emergency;
}
/* Two collectors receive every interactive command (an audit trail of operator activity);
   three more receive warning-and-above under facility local5. Syslog to these hosts is
   sent unencrypted - assumes a trusted management path, confirm. */
host 205.171.6.20 {
interactive-commands any;
}
host 216.111.65.1 {
interactive-commands any;
}
host 208.47.0.114 {
any warning;
facility-override local5;
}
host 216.207.100.16 {
any warning;
facility-override local5;
}
host 216.111.65.81 {
any warning;
facility-override local5;
}
/* Local log: three 20 MB archives, not readable by unprivileged local users. */
file messages {
any info;
authorization notice;
interactive-commands any;
archive size 20m files 3 no-world-readable;
}
}
/* No authentication-key or trusted-key is configured, so time is accepted unauthenticated
   from these servers; the ntp term of filter edge-secure-RE is what limits who can send
   NTP to the routing engine. The same three addresses are the iBGP neighbors in group
   Qwest-Internal. */
ntp {
server 205.171.0.44;
server 205.171.0.45;
server 205.171.0.46;
}
}
/* Chassis-level settings. */
chassis {
/* Disables handling of IP source-routed packets. */
no-source-route;
dump-on-panic;
/* Suppresses the link-down alarm for the management Ethernet port; consistent with fxp0
   being disabled under interfaces. */
alarm {
management-ethernet {
link-down ignore;
}
}
}
/* Physical and logical interfaces: two OC48 uplinks to core routers, T3 ports, the
   disabled management port and the loopback that carries the routing-engine filter. */
interfaces {
/* Core-facing uplink; family iso is present for IS-IS. No firewall filter or rpf-check
   is applied on either core uplink. */
so-0/0/0 {
description "OC48 to wdc-core-01; pos3/0; x-connect; qip_prod; edgecore";
encapsulation cisco-hdlc;
sonet-options {
fcs 32;
payload-scrambler;
}
unit 0 {
description "OC48 to wdc-core-01; pos3/0; x-connect; qip_prod; edgecore";
point-to-point;
family inet {
address 205.171.24.118/30;
}
family iso;
}
}
so-1/0/0 {
description "OC48 to wdc-core-03; pos1/0; x-connect; qip_prod; edgecore";
enable;
encapsulation cisco-hdlc;
sonet-options {
fcs 32;
payload-scrambler;
}
unit 0 {
description "OC48 to wdc-core-03; pos1/0; x-connect; qip_prod; edgecore";
family inet {
address 205.171.24.126/30;
}
family iso;
}
}
t3-2/2/3 {
disable;
}
/* The only interface with unicast reverse-path checking enabled. It has no address or
   description here - presumably a customer port stripped of detail, confirm. */
t3-3/3/0 {
encapsulation cisco-hdlc;
t3-options {
no-payload-scrambler;
}
unit 0 {
family inet {
rpf-check;
}
}
}
/* Out-of-band management port is disabled, so all management reaches the router in-band
   and is subject to the lo0 input filter below. */
fxp0 {
disable;
}
lo0 {
description "wdc-edge-06.inet.qwest.net; qip_prod; edgertr";
unit 0 {
description "wdc-edge-06.inet.qwest.net; qip_prod; edgertr";
family inet {
/* Input filter on the loopback: this is the control-plane protection point. Only
   edge-secure-RE is attached anywhere in this file; the other filters defined under
   firewall are not referenced by any interface shown. */
filter {
input edge-secure-RE;
}
address 205.171.3.136/32;
}
family iso {
address 39.752f.0100.0014.0000.2000.0000.2051.7100.3136.00;
}
}
}
}
/* Traffic sampling used by the "sample" action in the firewall filters. */
forwarding-options {
sampling {
input {
family inet {
/* Sampling parameters: rate 1000 with a run-length of 5. */
rate 1000;
run-length 5;
}
}
output {
/* The sample file is created world-readable, so any local account can read sampled
   packet headers. The syslog file in this configuration uses no-world-readable; applying
   the same restriction here would be consistent. */
file filename samplinglog files 5 size 30m world-readable stamp;
}
}
}
/* SNMP polling and trap configuration. */
snmp {
/* Community-based SNMP: the community name is stored and sent in cleartext and is the
   only credential. No authorization statement is present, which leaves the community at
   the Junos default of read-only. Access is limited to the client list below (which also
   feeds prefix-list services-snmp through apply-path), but the list includes a /27 and
   three /24 ranges. Treat the community name as disclosed wherever this file has been
   copied and rotate it; prefer SNMPv3 where the platform supports it. */
community WA45a0r214Do {
clients {
63.151.189.25/32;
65.100.64.120/32;
65.100.65.64/27;
65.120.19.203/32;
155.70.32.7/32;
155.70.137.234/32;
204.147.85.135/32;
205.171.6.5/32;
205.171.6.34/32;
205.171.6.35/32;
205.171.6.38/32;
205.171.6.46/32;
205.171.9.202/32;
205.171.10.247/32;
205.171.13.221/32;
205.171.14.244/32;
205.171.14.246/32;
205.171.17.202/32;
205.171.21.198/32;
205.171.25.207/32;
205.171.26.242/32;
205.171.27.247/32;
205.171.29.193/32;
205.171.30.203/32;
205.171.31.208/32;
205.171.128.203/32;
205.171.128.204/32;
205.171.129.195/32;
205.171.139.201/32;
208.47.0.15/32;
208.47.0.43/32;
208.47.0.138/32;
216.111.65.0/24;
216.111.66.0/24;
216.207.100.0/24;
}
}
/* Traps for authentication failures, chassis, link, routing and startup events go to
   five receivers. The authentication category is what reports rejected SNMP requests. */
trap-group all-traps {
categories {
authentication;
chassis;
link;
routing;
startup;
}
targets {
205.171.6.10;
216.111.66.153;
216.207.100.143;
216.111.65.144;
216.111.65.143;
}
}
}
/* Static routes, RIB groups, router identity and forwarding-table behaviour. */
routing-options {
static {
rib-group unicast-multicast-rib;
/* Static default that is discarded and kept out of the forwarding table; it exists so
   that export policies matching "protocol static, 0.0.0.0/0 exact" have a route to send. */
route 0.0.0.0/0 {
discard;
no-install;
}
route 151.196.0.250/32 next-hop [ 208.46.126.174 208.46.126.182 ];
route 63.146.17.128/27 next-hop 63.146.0.134;
route 151.205.128.249/32 next-hop 63.237.65.98;
/* NOTE(review): t3-3/3/2 is not defined under interfaces in this file - confirm the
   second next hop is still valid. */
route 207.68.64.249/32 next-hop [ t3-3/3/0.0 t3-3/3/2.0 ];
/* Discard sink for the documentation prefix. Policies core-out and transit-customer-in
   rewrite the next hop of routes tagged 209:0 to 192.0.2.3, which resolves here, so this
   route is the drop point of the blackhole mechanism. no-readvertise keeps it local. */
route 192.0.2.0/24 {
discard;
no-readvertise;
}
route 198.26.132.81/32 next-hop 63.148.66.246;
}
rib-groups {
unicast-multicast-rib {
import-rib [ inet.0 inet.2 ];
}
multicast-rib {
export-rib inet.2;
import-rib inet.2;
}
ifrg {
import-rib [ inet.0 inet.2 ];
}
mcrg {
export-rib inet.2;
import-rib inet.2;
}
}
router-id 205.171.3.136;
autonomous-system 209;
forwarding-table {
/* customer-loadshare sets per-packet load balancing for BGP routes learned from the
   neighbors it lists. */
export customer-loadshare;
/* Reverse-path checks consider every feasible path, not only the active one, which avoids
   dropping legitimate traffic from multihomed sources. Only t3-3/3/0 enables rpf-check in
   this file. */
unicast-reverse-path feasible-paths;
}
}
/* Routing protocols: BGP (one active internal group, eight inactive external templates)
   and IS-IS level 2 toward the core. */
protocols {
bgp {
enable;
log-updown;
/* Protocol-level default policies. Both end in reject, so a group that does not set its
   own import or export exchanges no routes: the default is fail-closed. */
import import-with-defaults;
export export-with-defaults;
group Qwest-Internal {
type internal;
local-address 205.171.3.136;
import import-accept;
family inet {
any;
}
/* Session authentication key for the iBGP neighbors, stored in the reversible $9$ format.
   Treat it as disclosed wherever this file has been copied and plan a coordinated key
   change on both ends of each session. */
authentication-key "$9$A5yKtIEleW-VYEcs24Zkq";
export [ core-out static-bgp connected-bgp ];
peer-as 209;
neighbor 205.171.0.44;
neighbor 205.171.0.45;
neighbor 205.171.0.46;
}
/* The external groups below are marked inactive and list no neighbors. None sets an
   import policy or an authentication-key, so as written they would inherit the
   reject-all default import. NOTE(review): before activating any of them, attach an
   inbound policy (transit-customer-in and external-in are defined under policy-options
   but not referenced by any group here) and per-session authentication. */
/* Customer groups: teardown 65 idle-timeout forever logs a warning at 65 percent of the
   800-prefix maximum, tears the session down when the maximum is exceeded and keeps it
   down until it is cleared manually. */
inactive: group Customer-full-routes {
type external;
metric-out igp;
family inet {
any {
prefix-limit {
maximum 800;
teardown 65 idle-timeout forever;
}
}
}
export full-routes;
}
inactive: group Customer-full-routes-w-default {
type external;
metric-out igp;
family inet {
any {
prefix-limit {
maximum 800;
teardown 65 idle-timeout forever;
}
}
}
export full-routes-w-default;
}
inactive: group Customer-qwest-routes {
type external;
metric-out igp;
family inet {
any {
prefix-limit {
maximum 800;
teardown 65 idle-timeout forever;
}
}
}
export qwest-routes;
}
inactive: group Customer-qwest-routes-w-default {
type external;
metric-out igp;
family inet {
any {
prefix-limit {
maximum 800;
teardown 65 idle-timeout forever;
}
}
}
export qwest-routes-w-default;
}
inactive: group Customer-default-only {
type external;
metric-out igp;
family inet {
any {
prefix-limit {
maximum 800;
teardown 65 idle-timeout forever;
}
}
}
export default-only;
}
/* Peer groups: no prefix-limit is set, unlike the customer groups above. */
inactive: group Peer-External_UseMeds {
type external;
metric-out igp;
family inet {
any;
}
export external-out;
}
inactive: group Peer-External_NoUseMeds {
type external;
metric-out igp;
family inet {
any;
}
export external-out;
}
inactive: group Peer-External_UseMeds_Hopaway {
type external;
metric-out igp;
family inet {
any;
}
export external-out;
}
}
/* IS-IS runs level 2 only on the two core uplinks, with lo0 passive. No authentication
   statement appears anywhere under isis, so adjacencies and LSPs are unauthenticated as
   far as this file shows. */
isis {
no-holddown;
rib-group inet unicast-multicast-rib;
/* Overload is advertised for 900 seconds after the protocol starts. */
overload timeout 900;
level 2 wide-metrics-only;
level 1 disable;
interface so-0/0/0.0 {
level 1 disable;
level 2 metric 5;
}
interface so-1/0/0.0 {
level 1 disable;
level 2 metric 5;
}
interface lo0.0 {
level 1 disable;
level 2 passive;
}
}
}
policy-options {
/* Prefix lists consumed by firewall filter edge-secure-RE. Those that use apply-path are
   derived from other parts of the configuration, so the filter follows the BGP neighbor,
   SNMP client, RADIUS, DNS and NTP definitions automatically. */
/* Derived from configured BGP neighbors. Only group Qwest-Internal lists neighbors in
   this file. */
prefix-list bgp-regexp {
apply-path "protocols bgp group <*> neighbor <*>";
}
prefix-list services-snmp {
apply-path "snmp community <*> clients <*>";
}
prefix-list services-radius {
apply-path "system radius-server <*>";
}
/* No tacplus-server is configured under system in this file, so this list expands to
   nothing here; it is also not referenced by any visible filter. */
prefix-list services-tacplus {
apply-path "system tacplus-server <*>";
}
prefix-list services-domain {
apply-path "system name-server <*>";
}
/* Two static /22 ranges plus the configured NTP servers. The static ranges admit far more
   sources to the ntp filter term than the three servers under system ntp. */
prefix-list services-ntp {
205.171.0.0/22;
205.171.200.0/22;
apply-path "system ntp server <*>";
}
/* Not referenced by any visible filter or policy. */
prefix-list loopback-ip {
apply-path "interfaces lo0 unit 0 family inet address <*>";
}
/* Not referenced by any visible filter or policy. */
prefix-list NGS-blocks {
65.119.64.0/20;
65.147.144.0/20;
}
/* Empty and unreferenced; the filter uses services-ntp. Looks like a leftover - confirm
   before removing. */
prefix-list ntp-services;
/* Static bogon list, used by filter dos-identifier-out only to count matching source
   addresses. It mixes permanently special ranges (RFC 1918, loopback, link-local,
   multicast, 192.0.2.0/24) with blocks that were merely unallocated when the list was
   written. Many of those blocks (for example 2/8, 5/8, 23/8, 31/8, 50/8, 77/8, 96/4) have
   since been assigned, so a static copy like this goes stale and must be refreshed from a
   maintained source before it is used to drop anything. */
prefix-list bogons {
0.0.0.0/7;
2.0.0.0/8;
5.0.0.0/8;
7.0.0.0/8;
10.0.0.0/8;
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/7;
39.0.0.0/8;
42.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
77.0.0.0/8;
78.0.0.0/7;
92.0.0.0/6;
96.0.0.0/4;
112.0.0.0/5;
120.0.0.0/8;
127.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
173.0.0.0/8;
174.0.0.0/7;
176.0.0.0/5;
184.0.0.0/6;
192.0.2.0/24;
192.168.0.0/16;
197.0.0.0/8;
198.18.0.0/15;
223.0.0.0/8;
224.0.0.0/3;
}
/* Inbound policy for external peers: the first term has no match condition, so it accepts
   every route with MED 10000, local-preference 80 and community 209:888. The second term
   can therefore never be reached. The policy itself does no prefix or AS-path filtering,
   and it is not referenced by any BGP group in this file. */
policy-statement external-in {
term external-in-10 {
then {
metric 10000;
local-preference 80;
community set comm-209-888;
accept;
}
}
term external-in-20 {
then reject;
}
}
/* Inbound sanity filter for routes learned from neighbors. Not referenced by any BGP
   group in this file. */
policy-statement deny-gunk {
/* Length check: prefixes up to /24 continue to the next term; the intent appears to be
   that anything longer falls to the second route-filter and is rejected - confirm the
   evaluation order on the running release. */
term deny-gunk-10 {
from {
route-filter 0.0.0.0/0 upto /24 next term;
route-filter 0.0.0.0/0 upto /32;
}
then reject;
}
/* Rejects the default route, RFC 1918 space, loopback, multicast and a set of specific
   /24 networks; whatever survives continues past this policy ("then next term" on the
   last term). NOTE(review): 233.255.255.0/24 is already covered by 224.0.0.0/3 and may
   have been meant as 223.255.255.0/24; 128.0.0.0/16 and 191.255.0.0/16 were once
   reserved but are no longer - review before reuse. */
term deny-gunk-20 {
from {
route-filter 0.0.0.0/0 through 0.0.0.0/32 reject;
route-filter 10.0.0.0/8 orlonger reject;
route-filter 127.0.0.0/8 orlonger reject;
route-filter 172.16.0.0/12 orlonger reject;
route-filter 192.168.0.0/16 orlonger reject;
route-filter 128.0.0.0/16 orlonger reject;
route-filter 191.255.0.0/16 orlonger reject;
route-filter 233.255.255.0/24 orlonger reject;
route-filter 224.0.0.0/3 orlonger reject;
route-filter 198.32.176.0/24 orlonger reject;
route-filter 192.157.69.0/24 orlonger reject;
route-filter 198.32.186.0/24 orlonger reject;
route-filter 192.41.177.0/24 orlonger reject;
route-filter 198.32.136.0/24 orlonger reject;
route-filter 198.32.184.0/24 orlonger reject;
route-filter 198.32.130.0/24 orlonger reject;
route-filter 206.220.243.0/24 orlonger reject;
route-filter 198.32.128.0/24 orlonger reject;
route-filter 198.32.200.0/24 orlonger reject;
route-filter 198.32.139.0/24 orlonger reject;
route-filter 198.32.187.0/24 orlonger reject;
route-filter 198.32.177.0/24 orlonger reject;
route-filter 198.9.201.0/24 orlonger reject;
route-filter 198.36.137.0/24 orlonger reject;
}
then next term;
}
}
/* Forwarding-table export policy (referenced under routing-options forwarding-table):
   BGP routes learned from the listed neighbors are installed with per-packet load
   balancing. There is no final action, so other routes fall through to the default. */
policy-statement customer-loadshare {
term 1 {
from {
protocol bgp;
neighbor [ 151.196.0.250 151.205.0.249 209.158.128.200 151.196.0.249 207.68.64.249 151.200.255.253 151.205.128.249 ];
}
then {
load-balance per-packet;
}
}
}
/* Accepts only the static default route. Not referenced elsewhere in this file. */
policy-statement export-default {
from {
protocol static;
route-filter 0.0.0.0/0 exact;
}
then accept;
}
/* Variant of deny-gunk that lets the default route through: the second term is identical
   except that it has no "0.0.0.0/0 through 0.0.0.0/32 reject" entry. Not referenced by
   any BGP group in this file. The two copies must be kept in step by hand. */
policy-statement deny-gunk-allow-default {
/* Length check: prefixes up to /24 continue; the intent appears to be that longer ones
   are rejected - confirm the evaluation order on the running release. */
term deny-gunk-10 {
from {
route-filter 0.0.0.0/0 upto /24 next term;
route-filter 0.0.0.0/0 upto /32;
}
then reject;
}
/* NOTE(review): 233.255.255.0/24 is already covered by 224.0.0.0/3 and may have been
   meant as 223.255.255.0/24 - confirm. */
term deny-gunk-20 {
from {
route-filter 10.0.0.0/8 orlonger reject;
route-filter 127.0.0.0/8 orlonger reject;
route-filter 172.16.0.0/12 orlonger reject;
route-filter 192.168.0.0/16 orlonger reject;
route-filter 128.0.0.0/16 orlonger reject;
route-filter 191.255.0.0/16 orlonger reject;
route-filter 233.255.255.0/24 orlonger reject;
route-filter 224.0.0.0/3 orlonger reject;
route-filter 198.32.176.0/24 orlonger reject;
route-filter 192.157.69.0/24 orlonger reject;
route-filter 198.32.186.0/24 orlonger reject;
route-filter 192.41.177.0/24 orlonger reject;
route-filter 198.32.136.0/24 orlonger reject;
route-filter 198.32.184.0/24 orlonger reject;
route-filter 198.32.130.0/24 orlonger reject;
route-filter 206.220.243.0/24 orlonger reject;
route-filter 198.32.128.0/24 orlonger reject;
route-filter 198.32.200.0/24 orlonger reject;
route-filter 198.32.139.0/24 orlonger reject;
route-filter 198.32.187.0/24 orlonger reject;
route-filter 198.32.177.0/24 orlonger reject;
route-filter 198.9.201.0/24 orlonger reject;
route-filter 198.36.137.0/24 orlonger reject;
}
then next term;
}
}
/* Accepts every route unconditionally with MED 10000, local-preference 80 and community
   209:888; no filtering of its own. Not referenced by any BGP group in this file. */
policy-statement non-transit-in {
term non-transit-in-10 {
then {
metric 10000;
local-preference 80;
community set comm-209-888;
accept;
}
}
}
/* Match-only subroutine used by connected-bgp and static-bgp: returns a match for RFC 1918
   space and for the default route and its more-specifics, so the callers can reject them.
   It is much narrower than prefix-list bogons of the same name. */
policy-statement bogons {
from {
route-filter 10.0.0.0/8 orlonger;
route-filter 172.16.0.0/12 orlonger;
route-filter 192.168.0.0/16 orlonger;
route-filter 0.0.0.0/0 through 0.0.0.0/32;
}
then accept;
}
/* Export policy for the Peer-External groups: advertise only customer routes (community
   209:209) that also pass stnd_external_out; everything else is rejected by the last term. */
policy-statement external-out {
/* Terms 10 and 20 evaluate the connected-bgp and static-bgp subroutines and then continue
   to the next term in either case. */
term 10 {
from policy connected-bgp;
then next term;
}
term 20 {
from policy static-bgp;
then next term;
}
/* as-path 20 matches paths containing a private AS number or one of the listed AS numbers. */
term 30 {
from as-path 20;
then reject;
}
/* Internal, peer-learned and 209:999-tagged routes are never sent to peers. */
term 40 {
from community [ 209:777 209:888 209:999 ];
then reject;
}
term 50 {
from {
community 209:209;
policy stnd_external_out;
}
then accept;
}
/* Explicit default deny. */
term 60 {
then reject;
}
}
/* Protocol-level BGP default import: rejects everything. The attribute changes before the
   reject have no effect on a rejected route; they mark the intent that nothing should be
   preferred through this path. */
policy-statement import-with-defaults {
then {
metric 100000;
preference 255;
local-preference 1;
origin incomplete;
community set 209:001;
reject;
}
}
/* Protocol-level BGP default export: same body, rejects everything. */
policy-statement export-with-defaults {
then {
metric 100000;
preference 255;
local-preference 1;
origin incomplete;
community set 209:001;
reject;
}
}
/* Accept-all import used by group Qwest-Internal; routes from the iBGP neighbors are
   trusted without filtering. */
policy-statement import-accept {
then accept;
}
/* Export policies for the customer BGP groups. All five share one shape: evaluate the
   connected-bgp and static-bgp subroutines, reject paths that contain a private AS number
   (as-path 21), reject by community, accept what passes stnd_external_out, then deny the
   rest explicitly. They differ in which communities are advertised and whether the static
   default is included. */
/* full-routes: customer routes (209:209) and peer routes (209:888). */
policy-statement full-routes {
term 10 {
from policy connected-bgp;
then next term;
}
term 20 {
from policy static-bgp;
then next term;
}
term 30 {
from as-path 21;
then reject;
}
term 40 {
from community [ 209:777 209:999 ];
then reject;
}
term 50 {
from {
community [ 209:888 209:209 ];
policy stnd_external_out;
}
then accept;
}
term 60 {
then reject;
}
}
/* full-routes-w-default: as full-routes, plus the static default route (term 50). */
policy-statement full-routes-w-default {
term 10 {
from policy connected-bgp;
then next term;
}
term 20 {
from policy static-bgp;
then next term;
}
term 30 {
from as-path 21;
then reject;
}
term 40 {
from community [ 209:777 209:999 ];
then reject;
}
term 50 {
from {
protocol static;
route-filter 0.0.0.0/0 exact;
}
then accept;
}
term 60 {
from {
community [ 209:888 209:209 ];
policy stnd_external_out;
}
then accept;
}
term 70 {
then reject;
}
}
/* qwest-routes: customer routes (209:209) only; 209:888 is rejected in term 40. */
policy-statement qwest-routes {
term 10 {
from policy connected-bgp;
then next term;
}
term 20 {
from policy static-bgp;
then next term;
}
term 30 {
from as-path 21;
then reject;
}
term 40 {
from community [ 209:777 209:888 209:999 ];
then reject;
}
term 50 {
from {
community 209:209;
policy stnd_external_out;
}
then accept;
}
term 60 {
then reject;
}
}
/* qwest-routes-w-default: as qwest-routes, plus the static default route (term 50). */
policy-statement qwest-routes-w-default {
term 10 {
from policy connected-bgp;
then next term;
}
term 20 {
from policy static-bgp;
then next term;
}
term 30 {
from as-path 21;
then reject;
}
term 40 {
from community [ 209:777 209:888 209:999 ];
then reject;
}
term 50 {
from {
protocol static;
route-filter 0.0.0.0/0 exact;
}
then accept;
}
term 60 {
from {
community 209:209;
policy stnd_external_out;
}
then accept;
}
term 70 {
then reject;
}
}
/* default-only: the static default route and nothing else. */
policy-statement default-only {
term 10 {
from {
protocol static;
route-filter 0.0.0.0/0 exact;
}
then accept;
}
term 20 {
then reject;
}
}
/* Redistribution of directly connected routes into BGP. Routes matching the bogons policy
   are rejected first; the rest are tagged 209:777 (internal) plus the POP community and
   advertised with next-hop self. */
policy-statement connected-bgp {
term deny-bogons {
from {
protocol direct;
policy bogons;
}
then reject;
}
term default {
from protocol direct;
then {
local-preference 100;
origin igp;
community set 209:777;
community add wdc-pop;
next-hop self;
accept;
}
}
}
/* Redistribution of static routes into BGP. Order matters: bogons are rejected, then the
   route is classified by the first subroutine it matches, and the final term treats every
   remaining static route as a customer route (209:209). Because 209:209 is what the
   external export policies advertise, any new static route is exported to external
   neighbors unless an earlier term claims it. */
policy-statement static-bgp {
term deny-10 {
from {
protocol static;
policy bogons;
}
then reject;
}
term permit-20 {
from {
protocol static;
policy stnd_backup_qwest;
}
then {
local-preference 90;
origin igp;
community add wdc-pop;
community add 209:777;
next-hop self;
accept;
}
}
/* Provider-owned address space stays internal (209:777). */
term permit-30 {
from {
protocol static;
policy stnd_netblocks_qwest;
}
then {
local-preference 100;
origin igp;
community add wdc-pop;
community add 209:777;
next-hop self;
accept;
}
}
term permit-40 {
from {
protocol static;
policy stnd_backup_cust;
}
then {
local-preference 90;
origin igp;
community add wdc-pop;
community add 209:209;
next-hop self;
accept;
}
}
/* Catch-all for remaining static routes. */
term permit-50 {
from protocol static;
then {
local-preference 100;
origin igp;
community add wdc-pop;
community add 209:209;
next-hop self;
accept;
}
}
}
/* Subroutine used by static-bgp term permit-40. The only entry is the host route
   0.0.0.0/32, so on this router it looks like a placeholder that matches nothing real -
   confirm. */
policy-statement stnd_backup_cust {
from {
route-filter 0.0.0.0/32 exact;
}
then accept;
}
/* Subroutine used by static-bgp term permit-20; same placeholder content. */
policy-statement stnd_backup_qwest {
from {
route-filter 0.0.0.0/32 exact;
}
then accept;
}
/* Provider address blocks, used by static-bgp term permit-30 to keep more-specifics of
   these aggregates internal. The match type "longer" covers only prefixes longer than the
   one listed, so a static route for an aggregate itself does not match here and falls to
   the customer catch-all in static-bgp. */
policy-statement stnd_netblocks_qwest {
from {
route-filter 63.144.0.0/12 longer;
route-filter 63.224.0.0/12 longer;
route-filter 65.100.0.0/14 longer;
route-filter 65.112.0.0/12 longer;
route-filter 65.128.0.0/11 longer;
route-filter 66.77.0.0/16 longer;
route-filter 67.0.0.0/13 longer;
route-filter 67.40.0.0/15 longer;
route-filter 67.42.0.0/16 longer;
route-filter 67.128.0.0/13 longer;
route-filter 67.144.0.0/14 longer;
route-filter 67.148.0.0/16 longer;
route-filter 68.176.0.0/15 longer;
route-filter 69.8.192.0/18 longer;
route-filter 168.103.0.0/16 longer;
route-filter 198.36.128.0/17 longer;
route-filter 198.59.0.0/18 longer;
route-filter 198.59.64.0/19 longer;
route-filter 198.233.0.0/16 longer;
route-filter 198.243.0.0/16 longer;
route-filter 199.117.0.0/16 longer;
route-filter 204.131.0.0/16 longer;
route-filter 204.26.64.0/18 longer;
route-filter 204.98.0.0/16 longer;
route-filter 204.132.0.0/15 longer;
route-filter 204.134.0.0/16 longer;
route-filter 204.147.80.0/20 longer;
route-filter 204.228.64.0/18 longer;
route-filter 204.245.64.0/18 longer;
route-filter 205.168.0.0/14 longer;
route-filter 205.215.192.0/19 longer;
route-filter 206.80.192.0/19 longer;
route-filter 206.81.128.0/19 longer;
route-filter 206.81.192.0/19 longer;
route-filter 206.196.128.0/19 longer;
route-filter 207.108.0.0/15 longer;
route-filter 207.159.64.0/18 longer;
route-filter 207.224.0.0/15 longer;
route-filter 208.44.0.0/14 longer;
route-filter 209.3.0.0/16 longer;
route-filter 209.45.128.0/17 longer;
route-filter 209.180.0.0/15 longer;
route-filter 209.201.0.0/17 longer;
route-filter 209.211.0.0/16 longer;
route-filter 216.111.0.0/16 longer;
route-filter 216.160.0.0/15 longer;
route-filter 216.206.0.0/15 longer;
route-filter 70.56.0.0/14 longer;
route-filter 71.32.0.0/13 longer;
route-filter 72.164.0.0/15 longer;
route-filter 71.208.0.0/12 longer;
route-filter 72.166.0.0/16 longer;
}
then accept;
}
/* First export policy toward the iBGP neighbors in group Qwest-Internal. */
policy-statement core-out {
/* Routes tagged 209:0 are advertised with next hop 192.0.2.3, which every router holding
   the 192.0.2.0/24 discard route resolves to a drop. This propagates a blackhole request
   across the internal mesh. */
term blackhole {
from community blackhole-209:0;
then {
next-hop 192.0.2.3;
accept;
}
}
/* Everything else: set next-hop self and continue to the next policy in the export chain
   (no terminating action here). */
term default {
then {
next-hop self;
}
}
}
/* Prefix sanity subroutine used by the export policies and by transit-customer-in. The
   actions live on the route-filters themselves: the default route, the listed blocks and
   anything from /25 to /32 are rejected, everything else is accepted.
   The rejected blocks are a static copy of a bogon list. Many entries (for example 2/8,
   5/8, 23/8, 31/8, 50/8, 77/8, 96/4) were unallocated when the list was written and have
   since been assigned, so applied unchanged this policy drops legitimate routes. Refresh
   it from a maintained source, or reduce it to the permanently special ranges. */
policy-statement stnd_external_out {
from {
route-filter 0.0.0.0/0 exact reject;
route-filter 0.0.0.0/7 orlonger reject;
route-filter 2.0.0.0/8 orlonger reject;
route-filter 5.0.0.0/8 orlonger reject;
route-filter 7.0.0.0/8 orlonger reject;
route-filter 10.0.0.0/8 orlonger reject;
route-filter 23.0.0.0/8 orlonger reject;
route-filter 27.0.0.0/8 orlonger reject;
route-filter 31.0.0.0/8 orlonger reject;
route-filter 36.0.0.0/7 orlonger reject;
route-filter 39.0.0.0/8 orlonger reject;
route-filter 42.0.0.0/8 orlonger reject;
route-filter 49.0.0.0/8 orlonger reject;
route-filter 50.0.0.0/8 orlonger reject;
route-filter 77.0.0.0/8 orlonger reject;
route-filter 78.0.0.0/7 orlonger reject;
route-filter 92.0.0.0/6 orlonger reject;
route-filter 96.0.0.0/4 orlonger reject;
route-filter 112.0.0.0/5 orlonger reject;
route-filter 120.0.0.0/8 orlonger reject;
route-filter 127.0.0.0/8 orlonger reject;
route-filter 169.254.0.0/16 orlonger reject;
route-filter 172.16.0.0/12 orlonger reject;
route-filter 173.0.0.0/8 orlonger reject;
route-filter 174.0.0.0/7 orlonger reject;
route-filter 176.0.0.0/5 orlonger reject;
route-filter 184.0.0.0/6 orlonger reject;
route-filter 192.0.2.0/24 orlonger reject;
route-filter 192.168.0.0/16 orlonger reject;
route-filter 197.0.0.0/8 orlonger reject;
route-filter 198.18.0.0/15 orlonger reject;
route-filter 223.0.0.0/8 orlonger reject;
route-filter 224.0.0.0/3 orlonger reject;
route-filter 0.0.0.0/0 prefix-length-range /25-/32 reject;
route-filter 0.0.0.0/0 orlonger accept;
}
}
/* Same list without the /25-/32 length restriction, so despite the name it is the more
   permissive of the two: prefixes of any length outside the listed blocks are accepted.
   Used by term permit-30 of transit-customer-in. The staleness caveat for a static bogon
   list applies here as well. */
policy-statement stnd_external_out_bogons {
from {
route-filter 0.0.0.0/0 exact reject;
route-filter 0.0.0.0/7 orlonger reject;
route-filter 2.0.0.0/8 orlonger reject;
route-filter 5.0.0.0/8 orlonger reject;
route-filter 7.0.0.0/8 orlonger reject;
route-filter 10.0.0.0/8 orlonger reject;
route-filter 23.0.0.0/8 orlonger reject;
route-filter 27.0.0.0/8 orlonger reject;
route-filter 31.0.0.0/8 orlonger reject;
route-filter 36.0.0.0/7 orlonger reject;
route-filter 39.0.0.0/8 orlonger reject;
route-filter 42.0.0.0/8 orlonger reject;
route-filter 49.0.0.0/8 orlonger reject;
route-filter 50.0.0.0/8 orlonger reject;
route-filter 77.0.0.0/8 orlonger reject;
route-filter 78.0.0.0/7 orlonger reject;
route-filter 92.0.0.0/6 orlonger reject;
route-filter 96.0.0.0/4 orlonger reject;
route-filter 112.0.0.0/5 orlonger reject;
route-filter 120.0.0.0/8 orlonger reject;
route-filter 127.0.0.0/8 orlonger reject;
route-filter 169.254.0.0/16 orlonger reject;
route-filter 172.16.0.0/12 orlonger reject;
route-filter 173.0.0.0/8 orlonger reject;
route-filter 174.0.0.0/7 orlonger reject;
route-filter 176.0.0.0/5 orlonger reject;
route-filter 184.0.0.0/6 orlonger reject;
route-filter 192.0.2.0/24 orlonger reject;
route-filter 192.168.0.0/16 orlonger reject;
route-filter 197.0.0.0/8 orlonger reject;
route-filter 198.18.0.0/15 orlonger reject;
route-filter 223.0.0.0/8 orlonger reject;
route-filter 224.0.0.0/3 orlonger reject;
route-filter 0.0.0.0/0 orlonger accept;
}
}
/* Inbound policy for transit customers. Not referenced by any BGP group in this file.
   Customers steer treatment with communities: the named communities 10, 6, 7, 8 and 9
   resolve to 209:888, 209:999, 209:70, 209:80 and 209:90 in the community definitions.
   The permit terms end in "next policy", so the final accept or reject is left to
   whatever follows in the import chain. */
policy-statement transit-customer-in {
/* Drops routes carrying provider-reserved community values. */
term bad-communities {
from community BAD_COMMUNITIES;
then reject;
}
/* Drops routes whose AS path contains one of the AS numbers listed in as-path 19, so a
   customer cannot re-announce routes learned from those networks. */
term peer-routes {
from as-path 19;
then reject;
}
/* Customer-triggered blackhole: a route tagged 209:0 is accepted with next hop 192.0.2.3
   and no-export. This term runs before any prefix check in this policy and has no
   route-filter of its own, so nothing here ties the blackholed prefix to address space
   the customer is entitled to announce. NOTE(review): confirm that a per-customer prefix
   filter precedes this policy in the import chain, and consider limiting the term to
   long prefixes (host routes) inside the customer's own blocks. */
term blackhole {
from community blackhole-209:0;
then {
community set blackhole-209:0;
community add no-export;
next-hop 192.0.2.3;
accept;
}
}
/* "community set" replaces every community the customer attached; the later terms use
   "community add" and keep them. */
term permit-20 {
from {
community 10;
policy stnd_external_out;
}
then {
local-preference 100;
community set 209:888;
community add wdc-pop;
next policy;
}
}
/* Checked against stnd_external_out_bogons, which has no /25-/32 length limit. */
term permit-30 {
from {
community 6;
policy stnd_external_out_bogons;
}
then {
local-preference 100;
community set 209:999;
community add wdc-pop;
next policy;
}
}
/* Terms permit-40 to permit-60: customer-selected local-preference 70, 80 or 90. */
term permit-40 {
from {
community 7;
policy stnd_external_out;
}
then {
local-preference 70;
community add 209:209;
community add wdc-pop;
next policy;
}
}
term permit-50 {
from {
community 8;
policy stnd_external_out;
}
then {
local-preference 80;
community add 209:209;
community add wdc-pop;
next policy;
}
}
term permit-60 {
from {
community 9;
policy stnd_external_out;
}
then {
local-preference 90;
community add 209:209;
community add wdc-pop;
next policy;
}
}
/* Default treatment for untagged customer routes that pass the prefix checks. */
term permit-70 {
from policy stnd_external_out;
then {
local-preference 100;
community add 209:209;
community add wdc-pop;
next policy;
}
}
/* Explicit default deny. */
term deny-all {
then reject;
}
}
/* Named communities. Several names are bare numbers (10, 6, 7, 8, 9) that do not equal
   their member values, which is easy to misread when reviewing policy. Many names are
   duplicates of each other (for example 209:209 and comm-209-209). */
community 10 members 209:888;
community 209:001 members 209:001;
community 209:209 members 209:209;
community 209:65504 members 209:65504;
community 209:777 members 209:777;
community 209:888 members 209:888;
community 209:889 members 209:889;
community 209:999 members 209:999;
community 6 members 209:999;
community 7 members 209:70;
community 8 members 209:80;
community 9 members 209:90;
/* Regular expression over 209:N values that customers may not set, used by the first term
   of transit-customer-in. NOTE(review): the alternation is hard to audit by eye; test it
   against the values the policies rely on (209:0, 209:70, 209:80, 209:90, 209:209,
   209:777, 209:888, 209:999) before changing it. */
community BAD_COMMUNITIES members "^(209:(([1-9])|([0-6].)|([3-7]..)|(....)|([0-5]....)|(6[0-3]...)|(64[0-4]..)|(65...)))$";
/* Blackhole trigger community, consumed by core-out and transit-customer-in. */
community blackhole-209:0 members 209:0;
community comm-209-209 members 209:209;
community comm-209-300 members 209:300;
community comm-209-65018 members 209:65018;
community comm-209-65032 members 209:65032;
community comm-209-70 members 209:70;
community comm-209-777 members 209:777;
community comm-209-80 members 209:80;
community comm-209-888 members 209:888;
community comm-209-90 members 209:90;
community comm-209-999 members 209:999;
community comm-popaggr members 209:707;
community comm-primary members 209:776;
community no-export members no-export;
community wdc-pop members 209:20228;
/* AS-path expressions. 21 matches any path containing a private AS number. 19 and 20 list
   specific AS numbers (20 adds the private range). 98, as_path_20_reject and
   as_path_20_accept are not referenced by any policy in this file. */
as-path 21 ".*(64512-65535).*";
as-path 98 .;
as-path as_path_20_reject ".* (64512-65535|1|174|701|1239|1299|2548|2828|2914|3257|3356|3549|3561|4006|4134|4200|4544|4565|6453|6461|7018|7911) .*";
as-path as_path_20_accept .*;
as-path 19 ".*(174|577|701|852|1239|1299|1668|2828|2914|3320|3257|3356|3549|3561|4134|4637|4725|5400|5511|6453|6461|7018|7473|7911|12956).*";
as-path 20 ".*(64512-65535|174|577|701|852|1239|1299|1668|2828|2914|3257|3320|3356|3549|3561|4134|4637|4725|5400|5511|6453|6461|7018|7473|7911|12956).*";
}
firewall {
/* Rate limiters; traffic above the limit is discarded. limit-small, limit-medium,
   limit-medium-high and limit-high are used by filter edge-secure-RE, and 3Meg by the
   200-00-3 filters. limit-spoofing, limit-customer and 22Meg are not referenced by any
   filter in this file. */
policer limit-small {
if-exceeding {
bandwidth-limit 500k;
burst-size-limit 50k;
}
then discard;
}
policer limit-medium {
if-exceeding {
bandwidth-limit 2m;
burst-size-limit 500k;
}
then discard;
}
policer limit-medium-high {
if-exceeding {
bandwidth-limit 10m;
burst-size-limit 1m;
}
then discard;
}
policer limit-high {
if-exceeding {
bandwidth-limit 15m;
burst-size-limit 1m;
}
then discard;
}
policer limit-spoofing {
if-exceeding {
bandwidth-limit 3m;
burst-size-limit 300k;
}
then discard;
}
/* Same limits as limit-small. */
policer limit-customer {
if-exceeding {
bandwidth-limit 500k;
burst-size-limit 50k;
}
then discard;
}
/* NOTE(review): the name says 22 Mbit/s but the configured limit is 30m - confirm which
   is intended. */
policer 22Meg {
if-exceeding {
bandwidth-limit 30m;
burst-size-limit 50k;
}
then discard;
}
policer 3Meg {
if-exceeding {
bandwidth-limit 3m;
burst-size-limit 50k;
}
then discard;
}
/* Control-plane protection filter, applied as the input filter on lo0 unit 0. Terms are
   evaluated in order; each service is admitted from a defined source set and most are
   rate limited, and the final term logs and discards everything else.
   Several terms match with "port", which is satisfied by either the source or the
   destination port. That is needed where the router is the client (radius, domain, ntp
   replies), but for inbound services such as management and snmp a destination-port
   match would be tighter. */
filter edge-secure-RE {
/* Rate limits TCP packets that have SYN or FIN set to 500k, then continues so later terms
   still decide whether the packet is accepted. The limit is shared by all senders,
   including BGP and management session setup. */
term limit-syn-fin {
from {
protocol tcp;
tcp-flags "syn | fin";
}
then {
policer limit-small;
next term;
}
}
term icmp-source-quench {
from {
protocol icmp;
icmp-type source-quench;
}
then {
discard;
}
}
/* All other ICMP types are accepted from any source, rate limited to 2m. */
term icmp {
from {
protocol icmp;
}
then {
policer limit-medium;
accept;
}
}
/* UDP destination ports in the range 33434-33523, from any source. */
term traceroute {
from {
protocol udp;
destination-port 33434-33523;
}
then {
policer limit-small;
accept;
}
}
/* Telnet and SSH from eight management hosts. This is the only control on who can reach
   the cleartext telnet service enabled under system services. The term has no policer
   and matches on either port direction; destination-port would restrict it to sessions
   opened toward the router. */
term management-access {
from {
source-address {
216.111.65.1/32;
208.47.0.248/32;
204.147.85.60/32;
204.147.85.59/32;
208.47.0.15/32;
216.111.66.1/32;
208.47.0.43/32;
207.225.133.120/32;
}
protocol tcp;
port [ telnet ssh ];
}
then accept;
}
/* The source lists in the next five terms are prefix lists built with apply-path, so they
   track the snmp, radius-server, name-server, ntp and bgp neighbor statements. */
term snmp {
from {
source-prefix-list {
services-snmp;
}
protocol udp;
port snmp;
}
then {
policer limit-medium;
accept;
}
}
term radius {
from {
source-prefix-list {
services-radius;
}
protocol udp;
port radius;
}
then {
policer limit-medium;
accept;
}
}
term domain {
from {
source-prefix-list {
services-domain;
}
protocol udp;
port domain;
}
then {
policer limit-medium;
accept;
}
}
term ntp {
from {
source-prefix-list {
services-ntp;
}
protocol udp;
port ntp;
}
then {
policer limit-medium;
accept;
}
}
/* BGP only from configured neighbors; accepted packets are also sampled. */
term bgp {
from {
source-prefix-list {
bgp-regexp;
}
protocol tcp;
port bgp;
}
then {
policer limit-high;
sample;
accept;
}
}
/* TCP fragments are accepted from any source, limited to 10m. Fragments carry no port
   information, so none of the per-service source restrictions above apply to them.
   NOTE(review): consider restricting this term to the sources that legitimately send
   large TCP segments to the routing engine. */
term tcp-fragments {
from {
is-fragment;
protocol tcp;
}
then {
policer limit-medium-high;
accept;
}
}
/* 67.14.128.0/23 lies inside 67.14.0.0/15, so the third entry is redundant. */
term rsvp {
from {
source-address {
205.171.0.0/16;
67.14.0.0/15;
67.14.128.0/23;
}
protocol rsvp;
}
then {
policer limit-medium;
accept;
}
}
term ldp {
from {
source-address {
205.171.0.0/16;
67.133.0.0/23;
}
protocol [ tcp udp ];
port 646;
}
then {
policer limit-medium;
accept;
}
}
term gretunnel {
from {
source-address {
205.171.0.0/16;
}
protocol gre;
}
then {
policer limit-medium;
accept;
}
}
/* Multicast session announcements to 224.2.127.254, from any source. */
term sap {
from {
destination-address {
224.2.127.254/32;
}
protocol udp;
port 9875;
}
then {
policer limit-medium;
accept;
}
}
/* IP protocol 112 to 224.0.0.18. */
term vrrp {
from {
source-address {
205.171.0.0/16;
}
destination-address {
224.0.0.18/32;
}
protocol 112;
}
then {
policer limit-medium;
accept;
}
}
/* Matches on source port only, presumably to admit return traffic for FTP transfers
   started by the router - confirm. The sender chooses its source port, so for the listed
   source ranges this term admits TCP to any destination port on the routing engine. A
   rule keyed on established sessions or on specific FTP servers would be narrower. */
term ftp-data {
from {
source-address {
205.171.0.0/16;
207.17.137.34/32;
}
protocol tcp;
source-port [ ftp ftp-data ];
}
then {
policer limit-high;
accept;
}
}
/* Default deny with evidence: counted, logged and sampled before the discard, which gives
   responders a record of what was refused. */
term deny-all {
then {
count discards;
log;
sample;
discard;
}
}
}
/* Accounting-only filter for traffic classification during an incident: every term either
   counts and continues or counts and accepts, and the last term accepts everything, so
   nothing is ever dropped. interface-specific keeps a separate set of counters per
   interface. Not applied to any interface in this file. */
filter dos-identifier-out {
interface-specific;
/* Samples every packet (subject to the sampling rate) and continues. */
term sample {
then {
sample;
next term;
}
}
/* Counts packets whose source address is in prefix-list bogons. That list includes blocks
   that have since been allocated, so the counter overstates spoofed traffic unless the
   list is refreshed. */
term bogons {
from {
source-prefix-list {
bogons;
}
}
then {
count bogons;
next term;
}
}
term tcp-established {
from {
protocol tcp;
tcp-established;
}
then {
count tcp-established;
next term;
}
}
/* Matches any TCP packet with SYN set. */
term tcp-syn {
from {
protocol tcp;
tcp-flags syn;
}
then {
count tcp-syn;
accept;
}
}
term icmp-echo-reply {
from {
protocol icmp;
icmp-type echo-reply;
}
then {
count icmp-echo-replies;
accept;
}
}
term icmp-echo-request {
from {
protocol icmp;
icmp-type echo-request;
}
then {
count icmp-echo-requests;
accept;
}
}
/* The remaining counters track ports commonly associated with worm propagation on
   Windows networks (NetBIOS, 135, 445) and UDP 1434. */
term netbios {
from {
protocol [ udp tcp ];
destination-port [ netbios-ssn netbios-ns netbios-dgm ];
}
then {
count netbios;
accept;
}
}
term port-135 {
from {
protocol [ udp tcp ];
port 135;
}
then {
count port-135;
accept;
}
}
term port-445 {
from {
protocol [ udp tcp ];
port 445;
}
then {
count port-445;
accept;
}
}
term port-1434 {
from {
protocol udp;
port 1434;
}
then {
count port-1434;
accept;
}
}
term accept-all {
then accept;
}
}
/* Per-customer rate-limit pair: BGP is accepted unpoliced so the routing session survives
   congestion, and all other traffic is limited to 3 Mbit/s by policer 3Meg. The allow-bgp
   term matches TCP with port bgp from any address, so traffic a sender places on that
   port bypasses the rate limit. Neither filter is applied to an interface in this file. */
filter 200-00-3-in {
term allow-bgp {
from {
protocol tcp;
port bgp;
}
then accept;
}
term rate-limit {
then {
policer 3Meg;
accept;
}
}
}
/* Outbound counterpart with identical terms. */
filter 200-00-3-out {
term allow-bgp {
from {
protocol tcp;
port bgp;
}
then accept;
}
term rate-limit {
then {
policer 3Meg;
accept;
}
}
}
}