## Last commit: 2025-06-09 12:03:33 CDT by me
version 21.2R3-S9.21;
/* Internet edge router MDCINT0: NAPT for RFC1918 space toward a DHCP-addressed ISP handoff (Lumen), */
/* management reachable only through the dedicated mgmt_junos instance on fxp0. */
system {
    host-name MDCINT0;
    root-authentication {
        encrypted-password ""; ## SECRET-DATA
    }
    login {
        /* Password-guessing throttle: 3 attempts per session, back off after 2 failures, lock the account for 5 minutes. */
        retry-options {
            tries-before-disconnect 3;
            backoff-threshold 2;
            lockout-period 5;
        }
        /* Restricted class for automation/service logins: 1-minute idle timeout and an allow-commands */
        /* whitelist. NOTE(review): "secret" lets this class read SECRET-DATA in "show configuration" */
        /* output and "request system halt" is destructive — confirm both are required by the consumer. */
        class service-accounts {
            idle-timeout 1;
            login-alarms;
            permissions [ secret trace-control view-configuration ];
            allow-commands "(request system halt.*|show configuration.*|show log.*)";
        }
        /* Local break-glass class (no idle timeout; only user admin maps here). */
        class super-user-local {
            login-alarms;
            permissions all;
        }
        /* Class for RADIUS-authenticated administrators; 10-minute idle timeout. */
        class super-user-remote {
            idle-timeout 10;
            login-alarms;
            permissions all;
        }
        /* Only local account with a password — fallback when RADIUS is unreachable. */
        user admin {
            full-name Administrator;
            uid 2000;
            class super-user-local;
            authentication {
                encrypted-password ""; ## SECRET-DATA
            }
        }
        /* No local authentication stanza: presumably a RADIUS template user mapped by group — verify on the RADIUS side. */
        user remote-admin {
            full-name ENT-SEC-NetworkAdmins-G;
            uid 2001;
            class super-user-remote;
        }
        /* Same pattern as remote-admin, mapped to the restricted service-accounts class. */
        user service-accounts {
            full-name ENT-SEC-NetworkServiceAccounts-G;
            uid 2002;
            class service-accounts;
        }
        message "\n########################################################################\n# THIS SYSTEM IS RESTRICTED TO AUTHORIZED USAGE! #\n# #\n# Unauthorized usage will be subject to criminal penalties, fines, #\n# damages and/or disciplinary action. If you are not authorized to use #\n# this system, you must exit immediately. If you are authorized to #\n# use this system, you must do so in compliance with all laws, #\n# regulations, conduct rules, and company security policies applicable #\n# to this system. This system, including any hardware components, #\n# software, workstations, and storage spaces is subject to monitoring #\n# and search without advanced notice. Users should have no expectation #\n# of privacy in their use of any aspect of this system. #\n########################################################################\n\n";
    }
    services {
        /* SSH hardening: no root login, v2 only, AEAD/CTR ciphers, SHA-2 MACs, ECDH/curve25519 KEX, */
        /* ECDSA/Ed25519 host keys, and per-source connection limits. Inbound reachability is further */
        /* restricted by the Protect-RE filter on lo0. */
        ssh {
            root-login deny;
            protocol-version v2;
            max-sessions-per-connection 2;
            sftp-server;
            ciphers [ "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" aes256-ctr aes128-ctr ];
            macs [ hmac-sha2-256 hmac-sha2-512 "umac-128@openssh.com" ];
            key-exchange [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ];
            hostkey-algorithm {
                ssh-ecdsa;
                ssh-ed25519;
            }
            connection-limit 5;
        }
    }
    auto-snapshot;
    domain-name mgmt.mdc.com;
    domain-search [ mgmt.mdc.com wlc.mdc.com ad.mdc.com mdc.com lab.mdc.com ];
    time-zone America/Chicago;
    /* Disable ICMP behaviours usable for reconnaissance/redirection. */
    no-multicast-echo;
    no-redirects;
    no-redirects-ipv6;
    no-ping-record-route;
    no-ping-time-stamp;
    /* fxp0 lives in the mgmt_junos non-default instance; all management services below pin to it. */
    management-instance;
    /* RADIUS only for remote logins; local accounts are consulted only if no RADIUS server responds. */
    authentication-order radius;
    location { ... }
    ports {
        /* "insecure" marks the console as untrusted, which disallows root login there. */
        console {
            authentication-order [ password radius ];
            insecure;
        }
    }
    name-server {
        10.20.11.1 routing-instance mgmt_junos;
        10.20.11.2 routing-instance mgmt_junos;
    }
    radius-server {
        10.20.11.1 {
            routing-instance mgmt_junos;
            secret ""; ## SECRET-DATA
        }
        10.20.11.2 {
            routing-instance mgmt_junos;
            secret ""; ## SECRET-DATA
        }
    }
    /* Command accounting to RADIUS: logins, configuration changes and every interactive command. */
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            radius {
                server {
                    10.20.11.1 {
                        routing-instance mgmt_junos;
                        secret ""; ## SECRET-DATA
                    }
                    10.20.11.2 {
                        routing-instance mgmt_junos;
                        secret ""; ## SECRET-DATA
                    }
                }
            }
        }
    }
    /* Remote syslog: firewall-filter logs to 10.20.10.4, everything else to 10.20.10.9. */
    /* Local files split by severity/topic for on-box triage. */
    syslog {
        archive {
            size 300k;
            files 1;
        }
        user * {
            any critical;
        }
        host 10.20.10.4 {
            firewall any;
            routing-instance mgmt_junos;
        }
        host 10.20.10.9 {
            any any;
            match "!kernel: FW";
            routing-instance mgmt_junos;
        }
        file alert {
            any alert;
        }
        /* NOTE(review): in patterns like UI_CFG* the "*" quantifies only the preceding character; */
        /* the match still works because the regex is unanchored, but UI_CFG.* is the intended form. */
        file commands {
            any any;
            match "(UI_JUNOSCRIPT*|UI_CMDLINE*|UI_CFG*|UI_LOAD_EVENT)";
            archive {
                size 500k;
                files 1;
            }
        }
        /* Dedicated audit trail of any activity performed as root. */
        file commands-root {
            any any;
            match "(as root|User 'root' used JUNOScript|User 'root', command|root: invoke-commands)";
            archive {
                size 500k;
                files 1;
            }
        }
        file critical {
            any critical;
        }
        file default-log-messages {
            any any;
            match "!FIREWALL-6-FW";
            explicit-priority;
        }
        file emergency {
            any emergency;
        }
        file error {
            any error;
        }
        file feb {
            any any;
            match feb0;
        }
        /* NOTE(review): world-readable exposes the filter log (discarded-packet details) to every login class. */
        file firewall {
            firewall any;
            archive {
                size 5m;
                files 1;
                world-readable;
            }
        }
        file info {
            any info;
            match "!(adjkerntz -a|/var/etc/ukern_gbl_rotate.sh|feb0|rmopd|exited, status 255|kernel: FW|newsyslog|keyboard-interactive/pam|UI_JUNOSCRIPT*|UI_CMDLINE*|UI_CFG_AUDIT*|UI_DBASE_LOGIN_EVENT|UI_DBASE_LOGOUT_EVENT|UI_CLI*|UI_LOGOUT_EVENT|UI_JUNOSCRIPT_CMD|UI_AUTH_EVENT|UI_LOGIN_EVENT|UI_CMDLINE_READ_LINE|UI_CFG_AUDIT_SET|/usr/libexec/atrun)";
        }
        file interactive-commands {
            interactive-commands any;
            archive {
                size 500k;
                files 1;
            }
        }
        /* Authentication events, including SSHD_LOGIN_FAILED, collected in one file. */
        file login {
            any any;
            match "(keyboard-interactive/pam|UI_CLI*|UI_AUTH_EVENT|UI_LOGIN_EVENT|UI_LOGOUT_EVENT|SSHD_LOGIN_FAILED|UI_DBASE_LOGIN_EVENT|UI_DBASE_LOGOUT_EVENT)";
            archive {
                size 500k;
                files 1;
            }
        }
        file messages {
            any critical;
            authorization any;
            archive {
                size 1m;
                files 1;
            }
        }
        file notice {
            any notice;
            match "!(exited, status 255|keyboard-interactive/pam|UI_CLI*|UI_AUTH_EVENT|UI_LOGIN_EVENT|UI_LOGOUT_EVENT|SSHD_LOGIN_FAILED|UI_DBASE_LOGIN_EVENT|UI_DBASE_LOGOUT_EVENT|as root|User 'root' used JUNOScript|User 'root', command|root: invoke-commands)";
        }
        file rpm {
            any any;
            match rmopd;
            archive {
                size 100k;
                files 1;
            }
        }
        file syslog-event-daemon-info {
            daemon info;
            match "!exited, status 255";
        }
    }
    max-configurations-on-flash 5;
    processes {
        satellite-discovery-provisioning-process disable;
        satellite-platform-management-process disable;
    }
    /* NOTE(review): external NTP sources with no authentication-key configured — accepted time is unauthenticated. */
    ntp {
        server 132.163.96.1 routing-instance mgmt_junos;
        server 132.163.96.2 routing-instance mgmt_junos;
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 1;
        }
    }
    /* Inline services (si-0/0/0) carry the NAPT service-set. */
    fpc 0 {
        pic 0 {
            inline-services {
                bandwidth 1g;
            }
        }
        service-package bundle-nat-ipsec;
    }
}
services {
    /* Internet reachability probe; its failure event drives the INET-FAIL-DHCP-RENEW policy below. */
    rpm {
        probe INET-PROBE {
            test PING-TEST {
                probe-type icmp-ping;
                target address 8.8.8.8;
                probe-count 5;
                probe-interval 1;
                test-interval 25;
                thresholds {
                    total-loss 5;
                }
                traps [ probe-failure test-failure ];
            }
        }
    }
    service-set NAPT-SERVICE-SET {
        nat-rules NAPT-DEFAULT;
        interface-service {
            service-interface si-0/0/0;
        }
    }
    nat {
        /* Overload onto the DHCP-learned address of the ISP subinterface; 4096 source ports (49160-53255). */
        pool NAPT-DEFAULT-POOL {
            interface ge-0/1/3.201;
            address-overload;
            port {
                range low 49160 high 53255;
            }
        }
        rule NAPT-DEFAULT {
            match-direction input;
            /* Traffic sourced from the core point-to-point link itself is passed untranslated. */
            term NAPT-BYPASS-P2P {
                from {
                    source-address {
                        10.255.254.0/30;
                    }
                }
                then {
                    no-translation;
                }
            }
            /* All RFC1918 sources are NAPT'd; anything else falls through the rule untranslated. */
            term PRIVATE-TO-INET {
                from {
                    source-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    translated {
                        source-pool NAPT-DEFAULT-POOL;
                        translation-type {
                            napt-44;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    /* ge-0/0/0..7: LAG members toward the core router (MDCCR). */
    ge-0/0/0 {
        description MDCCR-1-0;
        gigether-options {
            802.3ad ae0;
        }
    }
    si-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/1 {
        description MDCCR-1-1;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/2 {
        description MDCCR-1-2;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/3 {
        description MDCCR-1-3;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/4 {
        description MDCCR-0-4;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/5 {
        description MDCCR-0-5;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/6 {
        description MDCCR-0-6;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/7 {
        description MDCCR-0-7;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/1/0 {
        media-type copper;
    }
    ge-0/1/1 {
        media-type copper;
    }
    ge-0/1/2 {
        media-type copper;
    }
    /* ISP handoff: DHCP client on VLAN 201. no-dns-install keeps ISP-supplied resolvers out of the */
    /* system resolver (name-servers are the internal ones under system name-server). */
    ge-0/1/3 {
        description Lumen-Demarc;
        vlan-tagging;
        media-type copper;
        unit 201 {
            bandwidth 940m;
            vlan-id 201;
            family inet {
                dhcp {
                    no-dns-install;
                    retransmission-interval 64;
                    update-server;
                    force-discover;
                    options {
                        no-hostname;
                    }
                }
            }
        }
    }
    /* Core-facing LAG; unit 500 applies the NAPT service-set in both directions. */
    ae0 {
        description MDCCR;
        vlan-tagging;
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        unit 500 {
            bandwidth 8g;
            vlan-id 500;
            family inet {
                service {
                    input {
                        service-set NAPT-SERVICE-SET;
                    }
                    output {
                        service-set NAPT-SERVICE-SET;
                    }
                }
                address 10.255.254.2/30;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.10.10.252/24;
            }
        }
    }
    /* Protect-RE on lo0 input governs every packet destined to the routing engine. */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input Protect-RE;
                }
                address 127.0.0.1/32;
            }
        }
    }
}
/* SNMPv2c restricted to the PRTG client-list and the mgmt_junos instance. NOTE(review): the */
/* read-write community travels in clear text with v2c — confirm write access is actually needed. */
snmp {
    description Internet-Lumen;
    location "";
    contact "";
    filter-duplicates;
    client-list PRTG {
        10.20.10.0/30;
    }
    community "" {
        authorization read-only;
        client-list-name PRTG;
        routing-instance mgmt_junos;
    }
    community "" {
        authorization read-write;
        client-list-name PRTG;
        routing-instance mgmt_junos;
    }
    trap-options {
        routing-instance mgmt_junos {
            source-address 10.10.10.252;
        }
    }
    trap-group PRTG {
        version v2;
        categories {
            authentication;
            chassis;
            link;
            remote-operations;
            routing;
            startup;
            rmon-alarm;
            vrrp-events;
            configuration;
        }
        targets {
            10.20.10.1;
            10.20.10.2;
        }
        routing-instance mgmt_junos;
    }
    routing-instance-access {
        access-list {
            mgmt_junos;
        }
    }
}
event-options {
    /* On a rising-CPU health-monitor event, capture diagnostics to /var/tmp/HIGH_CPU_CATCH and raise a trap. */
    policy MONITOR-CPU {
        events snmpd_health_mon_thresh_cross;
        attributes-match {
            snmpd_health_mon_thresh_cross.event-name matches "Health Monitor.+CPU.+rising";
        }
        then {
            priority-override {
                severity critical;
            }
            execute-commands {
                commands {
                    "show system processes extensive | except 0.0 | no-more";
                    "show system virtual-memory";
                    "set task accounting on";
                    "show task accounting detail";
                    "set task accounting off";
                    "show task memory detail";
                    "show task memory summary";
                    "show task io";
                    "show task history";
                    "show task statistics";
                    "show task job";
                    "show task jobs";
                    "show krt queue";
                    "show chassis routing-engine";
                    "show chassis fpc 0";
                    "show pfe statistics traffic";
                    "show services inline nat pool";
                    "show pfe tcam usage all-tcam-stages";
                }
                output-filename HIGH_CPU_CATCH;
                destination local-flash;
                output-format text;
            }
            raise-trap;
        }
    }
    /* When INET-PROBE/PING-TEST fails, force a DHCP re-lease on the ISP interface (self-healing of the WAN address). */
    policy INET-FAIL-DHCP-RENEW {
        events ping_test_failed;
        attributes-match {
            ping_test_failed.test-owner matches INET-PROBE;
            ping_test_failed.test-name matches PING-TEST;
        }
        then {
            priority-override {
                severity emergency;
            }
            execute-commands {
                commands {
                    "clear dhcp client binding all";
                    "request dhcp client renew all";
                }
                output-filename INET_FAIL;
                destination local-flash;
                output-format text;
            }
            raise-trap;
        }
    }
    destinations {
        local-flash {
            archive-sites {
                /var/tmp;
            }
        }
    }
}
/* apply-path prefix-lists track the referenced configuration automatically, so the Protect-RE */
/* filter stays in sync when name-servers, NTP, RADIUS or SNMP client-lists change. */
policy-options {
    prefix-list Local-Addresses {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list Trusted-DNS {
        apply-path "system name-server <*>";
    }
    prefix-list Trusted-ICMP-Reply {
        8.8.8.8/32;
        10.10.10.0/24;
        10.10.16.0/24;
        10.20.10.0/23;
        10.34.16.0/23;
        10.34.24.0/23;
        10.37.16.0/23;
        10.255.252.0/22;
    }
    prefix-list Trusted-ICMP-Request {
        10.10.10.0/24;
        10.10.16.0/24;
        10.20.10.0/23;
        10.34.16.0/23;
        10.34.24.0/23;
        10.37.16.0/23;
        10.255.252.0/22;
    }
    prefix-list Trusted-Management {
        10.10.10.0/24;
        10.10.16.0/24;
        10.20.10.0/24;
        10.20.11.0/30;
        10.34.16.0/23;
        10.37.16.0/23;
    }
    prefix-list Trusted-Management-High-BW {
        10.20.10.3/32;
        10.20.11.0/30;
    }
    prefix-list Trusted-NTP {
        apply-path "system ntp server <*>";
    }
    prefix-list Trusted-RADIUS {
        apply-path "system radius-server <*>";
    }
    prefix-list Trusted-SNMP {
        apply-path "snmp client-list <*> <*>";
    }
    prefix-list Trusted-Syslog {
        10.20.10.4/32;
        10.20.10.9/32;
    }
}
firewall {
    family inet {
        /* Routing-engine protection filter: explicit allow-list per service, each rate-limited by a */
        /* policer, then a logged default discard. NOTE(review): no term admits return traffic for */
        /* RE-initiated TCP sessions (only tcp/22 inbound is accepted), so device-originated TCP */
        /* transfers would hit Default-Discard — presumably intentional, confirm. */
        filter Protect-RE {
            interface-specific;
            /* Drop anything to the Local Network Control Block. */
            term Discard-LNCB {
                from {
                    destination-address {
                        224.0.0.0/24;
                    }
                }
                then {
                    discard;
                }
            }
            term Accept-Loopback-All {
                from {
                    source-address {
                        127.0.0.1/32;
                    }
                }
                then accept;
            }
            term Accept-SSH-High-BW {
                from {
                    source-prefix-list {
                        Trusted-Management-High-BW;
                    }
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    policer High-Bandwidth;
                    accept;
                }
            }
            term Accept-SSH {
                from {
                    source-prefix-list {
                        Trusted-Management;
                    }
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    policer Medium-Bandwidth;
                    accept;
                }
            }
            /* RADIUS replies (source port 1812/1813) from the configured servers only. */
            term Accept-RADIUS {
                from {
                    source-prefix-list {
                        Trusted-RADIUS;
                    }
                    protocol udp;
                    source-port [ 1812 1813 ];
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            term Accept-SNMP {
                from {
                    source-prefix-list {
                        Trusted-SNMP;
                    }
                    protocol udp;
                    destination-port [ 161 162 ];
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            term Accept-DNS {
                from {
                    source-prefix-list {
                        Trusted-DNS;
                    }
                    protocol udp;
                    source-port 53;
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            term Accept-DHCP-Client {
                from {
                    source-address {
                        0.0.0.0/32;
                    }
                    destination-address {
                        255.255.255.255/32;
                    }
                    protocol udp;
                    source-port 68;
                    destination-port [ 67 68 ];
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* No source restriction here because the ISP DHCP server address is not known in advance; */
            /* exposure is bounded by the Low-Bandwidth policer. */
            term Accept-DHCP-Server {
                from {
                    protocol udp;
                    source-port [ 67 68 ];
                    destination-port [ 67 68 ];
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            term Accept-NTP {
                from {
                    source-prefix-list {
                        Trusted-NTP;
                    }
                    protocol udp;
                    destination-port 123;
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            term Accept-Syslog {
                from {
                    source-prefix-list {
                        Trusted-Syslog;
                    }
                    protocol udp;
                    destination-port 514;
                }
                then {
                    policer Medium-Bandwidth;
                    accept;
                }
            }
            /* Fragmented ICMP is counted, logged and dropped before any ICMP accept term. */
            term Discard-ICMP-Fragments {
                from {
                    is-fragment;
                    protocol icmp;
                }
                then {
                    count ICMP-FRAGMENT-DISCARD-COUNTER;
                    log;
                    syslog;
                    discard;
                }
            }
            term Accept-ICMP-Request {
                from {
                    source-prefix-list {
                        Trusted-ICMP-Request;
                    }
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* Trusted-ICMP-Reply includes 8.8.8.8/32 so the RPM probe replies reach the RE. */
            term Accept-ICMP-Reply {
                from {
                    source-prefix-list {
                        Trusted-ICMP-Reply;
                    }
                    protocol icmp;
                    icmp-type echo-reply;
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* WARNING: DO NOT REMOVE, MODIFY, OR DEACTIVATE THIS TERM - DOING SO WILL DROP ALL INTERNET-BOUND TRAFFIC */
            term Accept-Traceroute-ICMP {
                from {
                    source-prefix-list {
                        Local-Addresses;
                    }
                    protocol icmp;
                    ttl 1;
                    icmp-type [ echo-request timestamp time-exceeded unreachable ];
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* Everything not explicitly allowed: counted, logged to syslog and dropped (feeds the firewall log/host 10.20.10.4). */
            term Default-Discard {
                then {
                    count DEFAULT-DISCARD-COUNTER;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
    /* Per-service rate limits used by Protect-RE; excess is discarded, not queued. */
    policer High-Bandwidth {
        if-exceeding {
            bandwidth-limit 50m;
            burst-size-limit 5m;
        }
        then discard;
    }
    policer Low-Bandwidth {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 625k;
        }
        then discard;
    }
    policer Medium-Bandwidth {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 625k;
        }
        then discard;
    }
}
routing-instances {
    /* Management default route via the fxp0 subnet gateway. */
    mgmt_junos {
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.10.254;
            }
        }
    }
}
/* Internal RFC1918 space via the core P2P peer; no default route is configured here — presumably */
/* learned from the DHCP client on ge-0/1/3.201 (confirm). */
routing-options {
    static {
        route 10.0.0.0/8 next-hop 10.255.254.1;
        route 172.16.0.0/12 next-hop 10.255.254.1;
        route 192.168.0.0/16 next-hop 10.255.254.1;
    }
}
protocols {
    /* LLDP everywhere except the ISP demarc, so no device details are advertised to the provider. */
    lldp {
        interface all;
        interface ge-0/1/3 {
            disable;
        }
    }
}