## Last commit: 2025-06-09 12:03:33 CDT by me
/* Junos release this configuration was taken from; keep it in step with the device when re-applying */
version 21.2R3-S9.21;
/*
 * Management plane for host MDCINT0: login classes and users (a local admin plus
 * RADIUS-mapped users), SSH hardening, name/RADIUS/NTP servers reached through the
 * mgmt_junos routing instance, command accounting, and the syslog file/host layout.
 * Every value shown as "" followed by ## SECRET-DATA appears to have been redacted for
 * this paste and must be restored from the device before the file is loaded anywhere.
 */
system {
    host-name MDCINT0;
    root-authentication {
        /* Hash redacted in this paste; the running device carries the real hash */
        encrypted-password ""; ## SECRET-DATA
    }
    login {
        /* Disconnect after 3 failed tries, start back-off after 2, lock the user out for 5 minutes */
        retry-options {
            tries-before-disconnect 3;
            backoff-threshold 2;
            lockout-period 5;
        }
        /* Class used by the service accounts. On top of the view-only permissions the
         * allow-commands regex also permits "request system halt", so a leaked service
         * credential can halt the device, and the "secret" permission exposes password
         * hashes and RADIUS secrets through "show configuration". Confirm both are needed. */
        class service-accounts {
            idle-timeout 1;
            login-alarms;
            permissions all;
            allow-commands "(request system halt.*|show configuration.*|show log.*)";
        }
        /* Local break-glass class; unlike super-user-remote it sets no idle-timeout */
        class super-user-local {
            login-alarms;
            permissions all;
        }
        class super-user-remote {
            idle-timeout 10;
            login-alarms;
            permissions all;
        }
        /* Local emergency administrator (hash redacted here) */
        user admin {
            full-name Administrator;
            uid 2000;
            class super-user-local;
            authentication {
                encrypted-password ""; ## SECRET-DATA
            }
        }
        /* No local authentication stanza on the next two users: presumably RADIUS template
         * accounts that map group membership to a class - verify against the RADIUS policy */
        user remote-admin {
            full-name ENT-SEC-NetworkAdmins-G;
            uid 2001;
            class super-user-remote;
        }
        user service-accounts {
            full-name ENT-SEC-NetworkServiceAccounts-G;
            uid 2002;
            class service-accounts;
        }
        /* Pre-login legal notice */
        message "\n########################################################################\n# THIS SYSTEM IS RESTRICTED TO AUTHORIZED USAGE! #\n# #\n# Unauthorized usage will be subject to criminal penalties, fines, #\n# damages and/or disciplinary action. If you are not authorized to use #\n# this system, you must exit immediately. If you are authorized to #\n# use this system, you must do so in compliance with all laws, #\n# regulations, conduct rules, and company security policies applicable #\n# to this system. This system, including any hardware components, #\n# software, workstations, and storage spaces is subject to monitoring #\n# and search without advanced notice. Users should have no expectation #\n# of privacy in their use of any aspect of this system. #\n########################################################################\n\n";
    }
    services {
        ssh {
            root-login deny;
            protocol-version v2;
            max-sessions-per-connection 2;
            sftp-server;
            /* NOTE(review): the quoted algorithm names below arrived as "[email protected]", i.e. the
             * paste site's e-mail obfuscation rewrote the real @openssh.com cipher and MAC names;
             * restore them from the device before loading this file */
            ciphers [ "[email protected]" "[email protected]" aes256-ctr aes128-ctr ];
            macs [ hmac-sha2-256 hmac-sha2-512 "[email protected]" ];
            key-exchange [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ];
            hostkey-algorithm {
                ssh-ecdsa;
                ssh-ed25519;
            }
            /* Cap of 5 concurrent SSH connections; no rate-limit statement is set, so bursts
             * of new connections are bounded only by the Protect-RE SSH policers */
            connection-limit 5;
        }
    }
    auto-snapshot;
    domain-name mgmt.mdc.com;
    domain-search [ mgmt.mdc.com wlc.mdc.com ad.mdc.com mdc.com lab.mdc.com ];
    time-zone America/Chicago;
    /* Routing-engine hardening: no multicast echo replies, no ICMP redirects (v4/v6),
     * ping record-route and timestamp options are ignored */
    no-multicast-echo;
    no-redirects;
    no-redirects-ipv6;
    no-ping-record-route;
    no-ping-time-stamp;
    /* Management traffic is confined to the mgmt_junos routing instance (fxp0) */
    management-instance;
    /* Remote logins authenticate against RADIUS only. Junos falls back to the local password
     * database when no RADIUS server answers, not on an explicit reject - confirm this is the
     * intended behaviour for the local admin account. */
    authentication-order radius;
    /* Collapsed in the paste ("{ ... }"); not loadable as shown */
    location { ... }
    ports {
        console {
            /* Console tries the local password database first, then RADIUS */
            authentication-order [ password radius ];
            /* Treat the console as untrusted so root logins on it are refused */
            insecure;
        }
    }
    /* DNS and RADIUS are the same two hosts, reached through mgmt_junos */
    name-server {
        10.20.11.1 routing-instance mgmt_junos;
        10.20.11.2 routing-instance mgmt_junos;
    }
    radius-server {
        10.20.11.1 {
            routing-instance mgmt_junos;
            secret ""; ## SECRET-DATA
        }
        10.20.11.2 {
            routing-instance mgmt_junos;
            secret ""; ## SECRET-DATA
        }
    }
    /* Logins, configuration changes and every interactive command are accounted to RADIUS */
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            radius {
                server {
                    10.20.11.1 {
                        routing-instance mgmt_junos;
                        secret ""; ## SECRET-DATA
                    }
                    10.20.11.2 {
                        routing-instance mgmt_junos;
                        secret ""; ## SECRET-DATA
                    }
                }
            }
        }
    }
    syslog {
        /* Default rotation for files that do not override it: one 300k archive */
        archive {
            size 300k;
            files 1;
        }
        user * {
            any critical;
        }
        /* Firewall-facility messages (filter log/syslog actions) go to 10.20.10.4 ... */
        host 10.20.10.4 {
            firewall any;
            routing-instance mgmt_junos;
        }
        /* ... everything else, minus kernel firewall messages, goes to 10.20.10.9 */
        host 10.20.10.9 {
            any any;
            match "!kernel: FW";
            routing-instance mgmt_junos;
        }
        file alert {
            any alert;
        }
        /* CLI / NETCONF command and configuration audit trail */
        file commands {
            any any;
            match "(UI_JUNOSCRIPT*|UI_CMDLINE*|UI_CFG*|UI_LOAD_EVENT)";
            archive {
                size 500k;
                files 1;
            }
        }
        /* Anything executed as or by root */
        file commands-root {
            any any;
            match "(as root|User 'root' used JUNOScript|User 'root', command|root: invoke-commands)";
            archive {
                size 500k;
                files 1;
            }
        }
        file critical {
            any critical;
        }
        file default-log-messages {
            any any;
            match "!FIREWALL-6-FW";
            explicit-priority;
        }
        file emergency {
            any emergency;
        }
        file error {
            any error;
        }
        file feb {
            any any;
            match feb0;
        }
        /* Filter hits. "world-readable" lets every login class read this archive, including
         * service-accounts (whose allow-commands covers "show log"); drop it unless intended. */
        file firewall {
            firewall any;
            archive {
                size 5m;
                files 1;
                world-readable;
            }
        }
        /* Info-level catch-all that excludes the events already captured by the dedicated files */
        file info {
            any info;
            match "!(adjkerntz -a|/var/etc/ukern_gbl_rotate.sh|feb0|rmopd|exited, status 255|kernel: FW|newsyslog|keyboard-interactive/pam|UI_JUNOSCRIPT*|UI_CMDLINE*|UI_CFG_AUDIT*|UI_DBASE_LOGIN_EVENT|UI_DBASE_LOGOUT_EVENT|UI_CLI*|UI_LOGOUT_EVENT|UI_JUNOSCRIPT_CMD|UI_AUTH_EVENT|UI_LOGIN_EVENT|UI_CMDLINE_READ_LINE|UI_CFG_AUDIT_SET|/usr/libexec/atrun)";
        }
        file interactive-commands {
            interactive-commands any;
            archive {
                size 500k;
                files 1;
            }
        }
        /* Authentication and session events, including failed SSH logins */
        file login {
            any any;
            match "(keyboard-interactive/pam|UI_CLI*|UI_AUTH_EVENT|UI_LOGIN_EVENT|UI_LOGOUT_EVENT|SSHD_LOGIN_FAILED|UI_DBASE_LOGIN_EVENT|UI_DBASE_LOGOUT_EVENT)";
            archive {
                size 500k;
                files 1;
            }
        }
        file messages {
            any critical;
            authorization any;
            archive {
                size 1m;
                files 1;
            }
        }
        file notice {
            any notice;
            match "!(exited, status 255|keyboard-interactive/pam|UI_CLI*|UI_AUTH_EVENT|UI_LOGIN_EVENT|UI_LOGOUT_EVENT|SSHD_LOGIN_FAILED|UI_DBASE_LOGIN_EVENT|UI_DBASE_LOGOUT_EVENT|as root|User 'root' used JUNOScript|User 'root', command|root: invoke-commands)";
        }
        /* RPM daemon output (INET-PROBE results) */
        file rpm {
            any any;
            match rmopd;
            archive {
                size 100k;
                files 1;
            }
        }
        file syslog-event-daemon-info {
            daemon info;
            match "!exited, status 255";
        }
    }
    max-configurations-on-flash 5;
    /* Junos Fusion satellite daemons are not used on this box */
    processes {
        satellite-discovery-provisioning-process disable;
        satellite-platform-management-process disable;
    }
    /* External NTP via mgmt_junos; no NTP authentication key is configured, so time-source
     * integrity rests on the management network path */
    ntp {
        server 132.163.96.1 routing-instance mgmt_junos;
        server 132.163.96.2 routing-instance mgmt_junos;
    }
}
/* Hardware resources: a single LAG (ae0) and a 1 Gbps inline-services PIC (si-0/0/0)
 * running the NAT/IPsec service bundle used by NAPT-SERVICE-SET */
chassis {
    aggregated-devices {
        ethernet {
            device-count 1;
        }
    }
    fpc 0 {
        pic 0 {
            inline-services {
                bandwidth 1g;
            }
        }
        service-package bundle-nat-ipsec;
    }
}
/*
 * Internet reachability probe (the event policy INET-FAIL-DHCP-RENEW keys on its failure)
 * and the inline NAPT service set that ae0.500 applies in both directions.
 */
services {
    rpm {
        /* 5 ICMP pings to 8.8.8.8 every 25 s; losing all 5 trips the total-loss threshold
         * and raises probe-failure / test-failure traps */
        probe INET-PROBE {
            test PING-TEST {
                probe-type icmp-ping;
                target address 8.8.8.8;
                probe-count 5;
                probe-interval 1;
                test-interval 25;
                thresholds {
                    total-loss 5;
                }
                traps [ probe-failure test-failure ];
            }
        }
    }
    service-set NAPT-SERVICE-SET {
        nat-rules NAPT-DEFAULT;
        interface-service {
            service-interface si-0/0/0;
        }
    }
    nat {
        /* Overload onto the address of the WAN DHCP unit; source ports drawn from 49160-53255 */
        pool NAPT-DEFAULT-POOL {
            interface ge-0/1/3.201;
            address-overload;
            port {
                range low 49160 high 53255;
            }
        }
        rule NAPT-DEFAULT {
            match-direction input;
            /* First matching term wins: the ae0.500 point-to-point /30 is exempted first ... */
            term NAPT-BYPASS-P2P {
                from {
                    source-address {
                        10.255.254.0/30;
                    }
                }
                then {
                    no-translation;
                }
            }
            /* ... then every RFC 1918 source is translated (napt-44) */
            term PRIVATE-TO-INET {
                from {
                    source-address {
                        10.0.0.0/8;
                        172.16.0.0/12;
                        192.168.0.0/16;
                    }
                }
                then {
                    translated {
                        source-pool NAPT-DEFAULT-POOL;
                        translation-type {
                            napt-44;
                        }
                    }
                }
            }
        }
    }
}
/*
 * Interfaces: eight LAG members toward the core routers (ae0), the Lumen WAN hand-off
 * on ge-0/1/3 unit 201 (DHCP client), fxp0 out-of-band management, and lo0 carrying
 * the Protect-RE input filter.
 */
interfaces {
    ge-0/0/0 {
        description MDCCR-1-0;
        gigether-options {
            802.3ad ae0;
        }
    }
    /* Inline-services interface referenced by NAPT-SERVICE-SET */
    si-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/1 {
        description MDCCR-1-1;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/2 {
        description MDCCR-1-2;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/3 {
        description MDCCR-1-3;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/4 {
        description MDCCR-0-4;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/5 {
        description MDCCR-0-5;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/6 {
        description MDCCR-0-6;
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/7 {
        description MDCCR-0-7;
        gigether-options {
            802.3ad ae0;
        }
    }
    /* Copper ports with no logical units configured */
    ge-0/1/0 {
        media-type copper;
    }
    ge-0/1/1 {
        media-type copper;
    }
    ge-0/1/2 {
        media-type copper;
    }
    /* Internet uplink: VLAN 201 toward the provider, address learned by DHCP.
     * no-dns-install keeps provider-supplied DNS servers out of the system resolver. */
    ge-0/1/3 {
        description Lumen-Demarc;
        vlan-tagging;
        media-type copper;
        unit 201 {
            bandwidth 940m;
            vlan-id 201;
            family inet {
                dhcp {
                    no-dns-install;
                    retransmission-interval 64;
                    update-server;
                    force-discover;
                    options {
                        no-hostname;
                    }
                }
            }
        }
    }
    /* LAG to the core routers, LACP active with fast timers */
    ae0 {
        description MDCCR;
        vlan-tagging;
        aggregated-ether-options {
            lacp {
                active;
                periodic fast;
            }
        }
        /* Inside point-to-point link; NAPT-SERVICE-SET is applied on input and output */
        unit 500 {
            bandwidth 8g;
            vlan-id 500;
            family inet {
                service {
                    input {
                        service-set NAPT-SERVICE-SET;
                    }
                    output {
                        service-set NAPT-SERVICE-SET;
                    }
                }
                address 10.255.254.2/30;
            }
        }
    }
    /* Out-of-band management address, lives in mgmt_junos */
    fxp0 {
        unit 0 {
            family inet {
                address 10.10.10.252/24;
            }
        }
    }
    /* Everything destined to the routing engine passes the Protect-RE input filter */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input Protect-RE;
                }
                address 127.0.0.1/32;
            }
        }
    }
}
/*
 * SNMP for the PRTG poller. The community names are redacted here (both show as "";
 * a loadable config needs two distinct names). Communities and the trap group are
 * version 1/2c, so the strings cross the management network in cleartext. The
 * read-write community is confined to the PRTG /30 by client-list, but confirm that
 * write access is needed at all; SNMPv3 with authentication and privacy would be the
 * stronger option.
 */
snmp {
    description Internet-Lumen;
    location "";
    contact "";
    filter-duplicates;
    /* Only this /30 may query either community */
    client-list PRTG {
        10.20.10.0/30;
    }
    community "" {
        authorization read-only;
        client-list-name PRTG;
        routing-instance mgmt_junos;
    }
    community "" {
        authorization read-write;
        client-list-name PRTG;
        routing-instance mgmt_junos;
    }
    /* Traps are sourced from the fxp0 address and sent through mgmt_junos */
    trap-options {
        routing-instance mgmt_junos {
            source-address 10.10.10.252;
        }
    }
    trap-group PRTG {
        version v2;
        categories {
            authentication;
            chassis;
            link;
            remote-operations;
            routing;
            startup;
            rmon-alarm;
            vrrp-events;
            configuration;
        }
        targets {
            10.20.10.1;
            10.20.10.2;
        }
        routing-instance mgmt_junos;
    }
    /* Let the poller access objects belonging to the mgmt_junos instance */
    routing-instance-access {
        access-list {
            mgmt_junos;
        }
    }
}
/*
 * Two automated responses. Command output is written to local flash under /var/tmp.
 */
event-options {
    /* On a rising CPU health-monitor threshold: escalate to critical, capture process,
     * task, PFE and NAT-pool state into HIGH_CPU_CATCH, and raise a trap */
    policy MONITOR-CPU {
        events snmpd_health_mon_thresh_cross;
        attributes-match {
            snmpd_health_mon_thresh_cross.event-name matches "Health Monitor.+CPU.+rising";
        }
        then {
            priority-override {
                severity critical;
            }
            execute-commands {
                commands {
                    "show system processes extensive | except 0.0 | no-more";
                    "show system virtual-memory";
                    "set task accounting on";
                    "show task accounting detail";
                    "set task accounting off";
                    "show task memory detail";
                    "show task memory summary";
                    "show task io";
                    "show task history";
                    "show task statistics";
                    "show task job";
                    "show task jobs";
                    "show krt queue";
                    "show chassis routing-engine";
                    "show chassis fpc 0";
                    "show pfe statistics traffic";
                    "show services inline nat pool";
                    "show pfe tcam usage all-tcam-stages";
                }
                output-filename HIGH_CPU_CATCH;
                destination local-flash;
                output-format text;
            }
            raise-trap;
        }
    }
    /* When the INET-PROBE/PING-TEST RPM test fails: escalate to emergency and force the
     * WAN DHCP client to re-acquire its lease. The "all" forms touch every DHCP client
     * binding on the box; in this configuration that is only ge-0/1/3.201. */
    policy INET-FAIL-DHCP-RENEW {
        events ping_test_failed;
        attributes-match {
            ping_test_failed.test-owner matches INET-PROBE;
            ping_test_failed.test-name matches PING-TEST;
        }
        then {
            priority-override {
                severity emergency;
            }
            execute-commands {
                commands {
                    "clear dhcp client binding all";
                    "request dhcp client renew all";
                }
                output-filename INET_FAIL;
                destination local-flash;
                output-format text;
            }
            raise-trap;
        }
    }
    destinations {
        local-flash {
            archive-sites {
                /var/tmp;
            }
        }
    }
}
/*
 * Prefix lists consumed by the Protect-RE filter. The apply-path lists follow the
 * configuration automatically (configured interface addresses, name servers, NTP and
 * RADIUS servers, SNMP client lists), so adding a server elsewhere widens the filter too.
 */
policy-options {
    /* Statically configured inet addresses only; the DHCP-learned address on ge-0/1/3.201
     * is presumably not captured by this path - verify on the device */
    prefix-list Local-Addresses {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list Trusted-DNS {
        apply-path "system name-server <*>";
    }
    /* Includes 8.8.8.8, the RPM probe target, so its echo replies are accepted */
    prefix-list Trusted-ICMP-Reply {
        8.8.8.8/32;
        10.10.10.0/24;
        10.10.16.0/24;
        10.20.10.0/23;
        10.34.16.0/23;
        10.34.24.0/23;
        10.37.16.0/23;
        10.255.252.0/22;
    }
    prefix-list Trusted-ICMP-Request {
        10.10.10.0/24;
        10.10.16.0/24;
        10.20.10.0/23;
        10.34.16.0/23;
        10.34.24.0/23;
        10.37.16.0/23;
        10.255.252.0/22;
    }
    /* SSH sources (term Accept-SSH). Narrower than the ICMP lists: 10.20.10.0/24 plus
     * 10.20.11.0/30 instead of 10.20.10.0/23, and no 10.34.24.0/23 or 10.255.252.0/22 -
     * confirm the asymmetry is deliberate */
    prefix-list Trusted-Management {
        10.10.10.0/24;
        10.10.16.0/24;
        10.20.10.0/24;
        10.20.11.0/30;
        10.34.16.0/23;
        10.37.16.0/23;
    }
    /* SSH sources that get the 50m policer: one host in the PRTG /30 and the DNS/RADIUS /30 */
    prefix-list Trusted-Management-High-BW {
        10.20.10.3/32;
        10.20.11.0/30;
    }
    prefix-list Trusted-NTP {
        apply-path "system ntp server <*>";
    }
    prefix-list Trusted-RADIUS {
        apply-path "system radius-server <*>";
    }
    prefix-list Trusted-SNMP {
        apply-path "snmp client-list <*> <*>";
    }
    /* The two collectors configured under system syslog host */
    prefix-list Trusted-Syslog {
        10.20.10.4/32;
        10.20.10.9/32;
    }
}
/*
 * Routing-engine protection. Protect-RE is the lo0.0 input filter; terms are evaluated
 * top to bottom and anything not explicitly accepted is counted, logged and discarded
 * by Default-Discard. Accepted control-plane traffic is rate-limited by the three
 * policers at the end of this stanza.
 */
firewall {
    family inet {
        filter Protect-RE {
            interface-specific;
            /* Silently drop link-local multicast control traffic (224.0.0.0/24) */
            term Discard-LNCB {
                from {
                    destination-address {
                        224.0.0.0/24;
                    }
                }
                then {
                    discard;
                }
            }
            /* Internal loopback traffic */
            term Accept-Loopback-All {
                from {
                    source-address {
                        127.0.0.1/32;
                    }
                }
                then accept;
            }
            /* SSH from the high-bandwidth management hosts, policed at 50m */
            term Accept-SSH-High-BW {
                from {
                    source-prefix-list {
                        Trusted-Management-High-BW;
                    }
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    policer High-Bandwidth;
                    accept;
                }
            }
            /* SSH from the general management ranges, policed at 5m */
            term Accept-SSH {
                from {
                    source-prefix-list {
                        Trusted-Management;
                    }
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    policer Medium-Bandwidth;
                    accept;
                }
            }
            /* RADIUS replies: matched on the server's source port because this box is the client */
            term Accept-RADIUS {
                from {
                    source-prefix-list {
                        Trusted-RADIUS;
                    }
                    protocol udp;
                    source-port [ 1812 1813 ];
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* SNMP queries (161) and the trap port (162) from the SNMP client lists only */
            term Accept-SNMP {
                from {
                    source-prefix-list {
                        Trusted-SNMP;
                    }
                    protocol udp;
                    destination-port [ 161 162 ];
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* DNS replies from the configured name servers */
            term Accept-DNS {
                from {
                    source-prefix-list {
                        Trusted-DNS;
                    }
                    protocol udp;
                    source-port 53;
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* Matches DHCP broadcasts from unconfigured clients (0.0.0.0:68 -> 255.255.255.255).
             * No DHCP server or relay is configured in this file, so confirm the term is still
             * needed; the WAN client's own exchanges are covered by the next term. */
            term Accept-DHCP-Client {
                from {
                    source-address {
                        0.0.0.0/32;
                    }
                    destination-address {
                        255.255.255.255/32;
                    }
                    protocol udp;
                    source-port 68;
                    destination-port [ 67 68 ];
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* DHCP exchanges for the ge-0/1/3.201 client from any source; presumably no
             * source prefix-list is possible because the provider's server address is not
             * known in advance, so the term relies on the Low-Bandwidth policer */
            term Accept-DHCP-Server {
                from {
                    protocol udp;
                    source-port [ 67 68 ];
                    destination-port [ 67 68 ];
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* NTP replies from the configured servers */
            term Accept-NTP {
                from {
                    source-prefix-list {
                        Trusted-NTP;
                    }
                    protocol udp;
                    destination-port 123;
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* Inbound UDP/514 from the syslog collectors. This box only sends syslog (the hosts
             * are configured as destinations under system syslog), so this term is not expected
             * to match and can likely be removed. */
            term Accept-Syslog {
                from {
                    source-prefix-list {
                        Trusted-Syslog;
                    }
                    protocol udp;
                    destination-port 514;
                }
                then {
                    policer Medium-Bandwidth;
                    accept;
                }
            }
            /* Fragmented ICMP is counted, logged to both the filter log and syslog, and dropped */
            term Discard-ICMP-Fragments {
                from {
                    is-fragment;
                    protocol icmp;
                }
                then {
                    count ICMP-FRAGMENT-DISCARD-COUNTER;
                    log;
                    syslog;
                    discard;
                }
            }
            /* Echo requests only from the trusted ranges */
            term Accept-ICMP-Request {
                from {
                    source-prefix-list {
                        Trusted-ICMP-Request;
                    }
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* Echo replies from the trusted ranges plus the RPM probe target */
            term Accept-ICMP-Reply {
                from {
                    source-prefix-list {
                        Trusted-ICMP-Reply;
                    }
                    protocol icmp;
                    icmp-type echo-reply;
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* WARNING: DO NOT REMOVE, MODIFY, OR DEACTIVATE THIS TERM - DOING SO WILL DROP ALL INTERNET-BOUND TRAFFIC */
            /* TTL-1 ICMP sourced from this box's own configured addresses; see the warning above */
            term Accept-Traceroute-ICMP {
                from {
                    source-prefix-list {
                        Local-Addresses;
                    }
                    protocol icmp;
                    ttl 1;
                    icmp-type [ echo-request timestamp time-exceeded unreachable ];
                }
                then {
                    policer Low-Bandwidth;
                    accept;
                }
            }
            /* Catch-all: count, log, syslog, then discard */
            term Default-Discard {
                then {
                    count DEFAULT-DISCARD-COUNTER;
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
    /* Policers referenced by the terms above; traffic above the limit is discarded */
    policer High-Bandwidth {
        if-exceeding {
            bandwidth-limit 50m;
            burst-size-limit 5m;
        }
        then discard;
    }
    policer Low-Bandwidth {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 625k;
        }
        then discard;
    }
    policer Medium-Bandwidth {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 625k;
        }
        then discard;
    }
}
/* Dedicated management instance (fxp0 lives here); default route to the management gateway */
routing-instances {
    mgmt_junos {
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.10.254;
            }
        }
    }
}
/* Main instance: RFC 1918 space is reached via the core across ae0.500. No static default
 * route is configured here, so Internet reachability presumably depends on the route
 * learned by the WAN DHCP client - verify on the device */
routing-options {
    static {
        route 10.0.0.0/8 next-hop 10.255.254.1;
        route 172.16.0.0/12 next-hop 10.255.254.1;
        route 192.168.0.0/16 next-hop 10.255.254.1;
    }
}
/* LLDP on every port except the provider-facing ge-0/1/3, presumably so that chassis and
 * host details are not advertised toward the WAN */
protocols {
    lldp {
        interface all;
        interface ge-0/1/3 {
            disable;
        }
    }
}