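## Last commit: 2012-01-11 15:55:25 CET by ejerole
/*
 * SRX1400 chassis-cluster configuration, Junos 11.4R1.6 (captured with
 * "run show configuration" and re-indented one statement per line).
 *
 * Review changes, each annotated at the statement it concerns:
 *   - cleartext management services (telnet, ftp, plain-HTTP J-Web) removed;
 *     SSHv2 / NETCONF-over-SSH / HTTPS remain for the same purposes
 *   - "root-login deny" added to SSH
 *   - host-inbound-traffic "all" on both security zones and their interfaces
 *     replaced with an explicit service list
 *
 * NOTE(review): this text has left the device. Every "$9$" value below
 * (outbound-ssh secret, RADIUS shared secret) is reversibly obfuscated, not
 * hashed, and must be treated as disclosed and rotated. The "$1$" values are
 * MD5-crypt password hashes; re-hash them with a stronger format once the
 * running release supports one.
 */
version 11.4R1.6;
groups {
    node0 {
        system {
            host-name SRX1400-1;
            backup-router 10.0.1.1 destination 0.0.0.0/0;
            services {
                outbound-ssh {
                    client nsm {
                        device-id EC60AD;
                        /* $9$ secrets are recoverable from the config text; rotate after any disclosure */
                        secret "$9$Vvws4Pfz3nCaZnCtpREX7-V24jHq"; ## SECRET-DATA
                        services netconf;
                        10.87.59.5 port 7804;
                    }
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.0.1.87/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRX1400-2;
            backup-router 10.0.1.1 destination 0.0.0.0/0;
            services {
                outbound-ssh {
                    client nsm {
                        device-id 9E2EA7;
                        /* $9$ secrets are recoverable from the config text; rotate after any disclosure */
                        secret "$9$62JSAOREcyM87Ap0IRhvMYgoJHmfTzn9APf"; ## SECRET-DATA
                        services netconf;
                        172.23.38.53 port 7804;
                    }
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.0.1.88/24;
                    }
                }
            }
        }
    }
}
/* Per-node hostnames, NSM client and fxp0 addresses come from the group named by the node's ${node} variable */
apply-groups "${node}";
system {
    backup-router 10.0.1.1 destination 0.0.0.0/0;
    time-zone Europe/Berlin;
    /*
     * NOTE(review): with "password" listed after "radius", a user that the
     * RADIUS server rejects can still authenticate with a local password.
     * "authentication-order radius;" would consult local passwords only while
     * the server is unreachable -- confirm with the lab owners before changing,
     * as the local accounts below may rely on the current behaviour.
     */
    authentication-order [ radius password ];
    root-authentication {
        encrypted-password "$1$tdbgaxaK$vLszMPP0HIAXfEWITc0Fk1"; ## SECRET-DATA
    }
    radius-server {
        /* shared secret is $9$-obfuscated (recoverable) -- rotate, see header */
        10.0.1.28 secret "$9$Vib2aji.TF/UjmTznpuKM8"; ## SECRET-DATA
    }
    scripts {
        op {
            file srx-monitor.slax;
        }
    }
    login {
        /*
         * NOTE(review): every account here, including "remote" (the template
         * account Junos uses for RADIUS-authenticated users without a local
         * entry), is class super-user, so anyone the RADIUS server accepts gets
         * full privileges. Define a restricted login class for operators and
         * for the monitoring account "health" if that is not intended.
         */
        user admin {
            uid 2003;
            class super-user;
            authentication {
                encrypted-password "$1$ZoUPPjMI$hN.5F4ZMFTINDivDqAkCZ/"; ## SECRET-DATA
            }
        }
        user eedtaki {
            uid 2012;
            class super-user;
            authentication {
                encrypted-password "$1$DARieIlB$4qhc2JLtSCvebxgePfn/6."; ## SECRET-DATA
            }
        }
        user health {
            uid 2004;
            class super-user;
            authentication {
                encrypted-password "$1$o2QhlB6u$Wo.MvNtMVkzTlHKaNSr50/"; ## SECRET-DATA
            }
        }
        /* no local credential: only reachable through RADIUS (see authentication-order) */
        user remote {
            uid 2005;
            class super-user;
        }
        user test {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$Au0ClaYk$OA.6TRXfGV51c3IngQ1Z71"; ## SECRET-DATA
            }
        }
    }
    services {
        /*
         * Cleartext "ftp" and "telnet" services removed. File transfer is
         * available over SSH (scp/sftp) and management over SSH, NETCONF and
         * HTTPS below. root-login is denied so interactive root access stays
         * on the console and every SSH login maps to a named account.
         */
        ssh {
            root-login deny;
            protocol-version v2;
        }
        netconf {
            ssh;
        }
        web-management {
            /*
             * Plain-HTTP J-Web removed; HTTPS now serves the same interfaces.
             * The certificate is self-signed, so clients cannot verify it --
             * load a CA-issued certificate if J-Web is used beyond the lab.
             * NOTE(review): reth1.0 does not appear under [interfaces] in this
             * configuration; confirm it exists before relying on it here.
             */
            https {
                system-generated-certificate;
                interface [ fxp0.0 reth1.0 ];
            }
        }
    }
    syslog {
        /*
         * NOTE(review): all logs stay on the box. Add a "host <collector>"
         * stanza so authentication, commit and security events survive a
         * compromise or RE replacement.
         */
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file default-log-messages {
            any any;
            structured-data;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        /* NOTE(review): time source is unauthenticated; add NTP authentication keys if the server supports them */
        boot-server 172.23.38.70;
        server 172.23.38.70 prefer;
        source-address 10.87.33.54;
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 5;
        }
    }
    fpc 0 {
        pic 0 {
            max-queues-per-interface 8;
        }
    }
    cluster {
        control-link-recovery;
        /* node0 is the preferred primary (higher priority wins) */
        redundancy-group 0 {
            node 0 priority 129;
            node 1 priority 128;
        }
    }
}
interfaces {
    /* trust-side IPv6 access, VLAN 10 */
    ge-0/0/2 {
        vlan-tagging;
        unit 10 {
            vlan-id 10;
            family inet6 {
                address 2011:1b70:828e:2483::1/64;
            }
        }
    }
    /* untrust-side IPv4 access, VLAN 9; also the NAT64 egress network */
    ge-0/0/3 {
        vlan-tagging;
        unit 9 {
            vlan-id 9;
            family inet {
                address 11.1.0.1/16;
            }
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                xe-2/0/1;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                xe-6/0/1;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
        /* lo0.210 / lo0.211 are the loopbacks of the TRUST / UNTRUST virtual routers */
        unit 210 {
            family inet {
                address 10.87.32.210/32;
            }
        }
        unit 211 {
            family inet {
                address 10.87.32.211/32;
            }
        }
    }
}
forwarding-options {
    load-balance {
        indexed-next-hop;
    }
    hash-key {
        family inet {
            layer-3;
        }
    }
}
snmp {
    description "Gi-FW SRX cluster-1";
    location Germany_EDD_Herzogenrath_Lab22;
    contact M-PBN_Project_2011A;
    /*
     * NOTE(review): the default community name "public" is guessable. It is
     * read-only and limited to a single client, which contains the exposure,
     * but rename it and move polling and traps to SNMPv3 (authPriv) when the
     * manager supports it; "version v2" traps below are sent in cleartext.
     */
    community public {
        authorization read-only;
        clients {
            10.0.1.204/32;
        }
    }
    trap-options;
    trap-group NOC {
        version v2;
        categories {
            chassis;
            link;
            remote-operations;
            routing;
            startup;
            rmon-alarm;
            vrrp-events;
            configuration;
            sonet-alarms;
        }
        targets {
            10.87.59.10;
        }
    }
    /* "flag all" is a lab setting; disable it outside troubleshooting */
    traceoptions {
        file snmp-trace size 5m files 3;
        flag all;
    }
}
routing-options {
    graceful-restart;
    static {
        route 172.20.76.0/24 next-hop 10.0.1.1;
        route 0.0.0.0/0 next-hop 10.87.33.49;
        route 10.0.19.0/24 next-hop 10.0.1.1;
        route 10.0.1.28/32 next-hop 10.0.1.1;
    }
}
policy-options {
    prefix-list 1 {
        10.87.33.16/28;
    }
    policy-statement MSP-Load {
        term a {
            from {
                instance TRUST;
                route-filter 10.87.54.120/29 exact;
            }
            then accept;
        }
    }
    policy-statement OM-static {
        term term1 {
            from {
                instance OM;
                protocol static;
            }
            then accept;
        }
    }
    policy-statement export-iac {
        term term1 {
            from {
                protocol ospf;
                route-filter 10.87.62.20/30 exact;
                route-filter 10.87.62.28/30 exact;
            }
            to instance TRUST;
            then {
                external {
                    type 1;
                }
                accept;
            }
        }
    }
    policy-statement export-internet {
        term static_route_nat {
            from {
                protocol static;
                route-filter 10.87.62.96/29 exact;
                route-filter 10.87.62.104/29 exact;
            }
            then {
                external {
                    type 2;
                }
                accept;
            }
        }
        term ospf_route {
            from {
                instance TRUST;
                route-filter 10.87.62.16/30 exact;
                route-filter 10.87.62.24/30 exact;
                route-filter 172.16.0.0/15 exact;
                route-filter 192.168.100.0/24 exact;
                route-filter 10.87.62.39/32 exact;
                route-filter 10.87.62.37/32 exact;
            }
            then accept;
        }
    }
    policy-statement export-ospf-trust {
        term static {
            from protocol static;
            then {
                external {
                    type 1;
                }
                accept;
            }
        }
        term ospf {
            from {
                protocol ospf;
                route-filter 10.87.62.20/30 exact;
                route-filter 10.87.62.28/30 exact;
                route-filter 10.87.62.38/32 exact;
                route-filter 10.87.62.40/32 exact;
            }
            then {
                external {
                    type 1;
                }
                accept;
            }
        }
    }
    policy-statement export-ospf-untrust {
        term Accept {
            from protocol aggregate;
            then {
                external {
                    type 1;
                }
                accept;
            }
        }
        term reject {
            then reject;
        }
    }
    policy-statement from-NOC {
        term 1 {
            from {
                instance NOC;
                route-filter 172.23.38.64/27 exact;
            }
            then accept;
        }
    }
    policy-statement from-NOC-YOULAB {
        term term1 {
            from {
                instance NOC-YOULAB;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term term2 {
            from {
                instance NOC-YOULAB;
                protocol ospf;
            }
            then reject;
        }
    }
    policy-statement from-OM {
        term term1 {
            from {
                instance OM;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
    }
    policy-statement load_balance {
        then {
            load-balance per-packet;
        }
    }
    /* explicit prefix leak TRUST -> UNTRUST; everything else is rejected by the last term */
    policy-statement trust_ospf_untrust {
        term ospf {
            from {
                instance TRUST;
                protocol ospf;
                route-filter 10.87.62.16/30 exact;
                route-filter 10.87.62.24/30 exact;
                route-filter 172.16.0.0/15 exact;
                route-filter 192.168.100.0/24 exact;
                route-filter 10.87.62.37/32 exact;
                route-filter 10.87.62.39/32 exact;
            }
            then {
                external {
                    type 2;
                }
                accept;
            }
        }
        term reject {
            then reject;
        }
    }
    /* explicit prefix leak UNTRUST -> TRUST; everything else is rejected by the last term */
    policy-statement untrust_ospf_trust {
        term ospf {
            from {
                instance UNTRUST;
                protocol ospf;
                route-filter 10.87.62.20/30 exact;
                route-filter 10.87.62.28/30 exact;
                route-filter 10.87.62.38/32 exact;
                route-filter 10.87.62.40/32 exact;
            }
            then {
                external {
                    type 1;
                }
                accept;
            }
        }
        term reject {
            then reject;
        }
    }
}
class-of-service {
    forwarding-classes {
        queue 5 aaa;
    }
}
security {
    gprs {
        gtp;
    }
    alg {
        traceoptions {
            file ABC size 5m;
        }
    }
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    flow {
        /*
         * NOTE(review): no-syn-check lets a non-SYN segment create a session,
         * which switches off the stateful check on new TCP flows. It is
         * usually set for asymmetric lab paths; remove it if traffic through
         * this cluster is symmetric.
         */
        tcp-session {
            no-syn-check;
        }
    }
    nat {
        /* NAT64: IPv6 clients in trust reach IPv4 hosts via the 2044:...:a10::/96 prefix, egressing with the interface address */
        source {
            rule-set NAT64_source {
                from zone trust;
                to zone untrust;
                rule NAT64_rs2 {
                    match {
                        destination-address 11.1.0.10/32;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool nat64 {
                address 11.1.0.10/32;
            }
            rule-set single-pool {
                from zone trust;
                rule NAT64_re {
                    match {
                        destination-address 2044:1b70:828e:2484:a10::/96;
                    }
                    then {
                        destination-nat pool nat64;
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            /*
             * NOTE(review): both policies permit any application from any
             * source without logging; add "log { session-close; }" once a
             * security-log destination is configured so flows are auditable.
             */
            policy IPV6 {
                match {
                    source-address any-ipv6;
                    destination-address any-ipv6;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy NAT64 {
                match {
                    source-address any-ipv6;
                    destination-address any-ipv4;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        inactive: from-zone global to-zone global {
            policy MGMT {
                match {
                    source-address any-ipv4;
                    destination-address SRX-MGMT;
                    application [ junos-ping junos-ssh snmp-walk ];
                }
                then {
                    permit;
                }
            }
        }
        inactive: from-zone SS7-untrust to-zone SS7-trust {
            policy SS7-untrust-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            /*
             * "all" removed: it exposed every Junos service (telnet, ftp, http,
             * snmp, ...) to the Internet-facing VR. The list keeps the ssh and
             * ntp entries that were already explicit and adds ping, which the
             * (inactive) MGMT policy also expects. ospf is kept alongside
             * ospf3 because the instance-import policies match protocol ospf.
             * Extend this list deliberately rather than with "all".
             */
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                    ntp;
                }
                protocols {
                    ospf;
                    ospf3;
                }
            }
            interfaces {
                /* per-interface "all"/"all" override removed; the zone-level list applies */
                ge-0/0/3.9;
            }
        }
        security-zone trust {
            /*
             * Same treatment as untrust. snmp and https are included for the
             * NMS and J-Web on the trust side -- NOTE(review): confirm these
             * are actually reached through this zone rather than fxp0.
             */
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                    ntp;
                    snmp;
                    https;
                }
                protocols {
                    ospf;
                    ospf3;
                }
            }
            interfaces {
                /* per-interface "all"/"all" override removed; the zone-level list applies */
                ge-0/0/2.10;
            }
        }
    }
}
routing-instances {
    NOC {
        instance-type virtual-router;
        routing-options {
            static {
                route 0.0.0.0/0 next-table OM.inet.0;
            }
            instance-import from-OM;
        }
    }
    NOC-YOULAB {
        instance-type virtual-router;
        routing-options {
            router-id 10.0.24.20;
            instance-import OM-static;
        }
    }
    OM {
        instance-type virtual-router;
        /* NOTE(review): the reth3 units below are not defined under [interfaces] in this configuration (commit warns) */
        interface reth3.520; ## 'reth3.520' is not defined
        interface reth3.703; ## 'reth3.703' is not defined
        interface reth3.769; ## 'reth3.769' is not defined
        routing-options {
            static {
                route 10.87.33.0/28 next-hop 10.87.33.33;
                route 10.87.33.16/28 next-hop 10.87.33.33;
                route 10.87.33.48/28 next-hop 10.87.33.33;
                route 10.87.45.0/26 next-hop 10.87.45.193;
                route 10.87.45.168/29 next-hop 10.87.45.193;
                route 10.87.45.176/29 next-hop 10.87.45.193;
                route 10.87.32.192/27 next-hop 10.87.33.33;
                route 10.87.45.160/29 next-hop 10.87.45.193;
                route 10.87.44.192/28 next-hop 10.87.43.209;
                route 10.87.45.100/30 next-hop 10.87.45.193;
                route 10.87.49.136/30 next-hop 10.87.43.209;
                route 10.87.2.212/30 next-hop 10.87.43.209;
                route 10.87.45.224/28 next-hop 10.87.45.193;
                route 10.87.46.160/27 next-hop 10.87.45.193;
                route 10.87.46.0/24 next-hop 10.87.45.193;
                route 10.87.43.224/28 next-hop 10.87.43.209;
                route 172.20.76.0/24 next-table NOC-YOULAB.inet.0;
            }
            instance-import [ from-NOC-YOULAB from-NOC ];
        }
    }
    inactive: SS7 {
        instance-type virtual-router;
        interface ge-0/0/6.466;
        interface ge-0/0/6.686;
        interface ge-4/0/6.467;
        interface ge-4/0/6.687;
        routing-options {
            static {
                route 10.87.42.249/32 next-hop 10.87.41.146;
                route 10.87.40.4/32 next-hop 10.87.53.66;
                route 10.87.40.36/32 next-hop 10.87.53.74;
                route 10.87.42.253/32 next-hop 10.87.41.154;
            }
        }
    }
    TRUST {
        description VR-trust;
        instance-type virtual-router;
        interface ge-0/0/2.10;
        interface lo0.210;
        routing-options {
            rib TRUST.inet6.0 {
                static {
                    inactive: route ::/0 next-table UNTRUST.inet6.0;
                    inactive: route 2044:1b70:828e:2484:a10:0:b01:0/112 next-table UNTRUST.inet6.0;
                }
            }
            /* This can be used to transport IPv6 to Untrust Directly and adv. default to IAC VPN */
            static {
                route 10.87.51.0/27 next-hop 10.87.51.73;
                route 10.87.58.0/24 next-hop 10.87.51.73;
                route 10.87.59.0/24 next-hop 10.87.51.73;
                route 10.87.60.128/25 next-hop 10.87.51.73;
                route 10.87.61.0/24 next-hop 10.87.51.73;
                route 10.44.48.144/28 next-hop 10.87.51.73;
                route 10.87.54.120/29 next-hop 10.87.51.73;
                route 10.87.60.0/25 next-hop 10.87.51.73;
                route 10.87.62.4/30 next-table UNTRUST.inet.0;
                route 10.87.62.12/30 next-table UNTRUST.inet.0;
                route 10.87.62.64/28 next-table UNTRUST.inet.0;
                route 192.168.200.0/24 next-table UNTRUST.inet.0;
                route 172.18.0.0/15 next-table UNTRUST.inet.0;
                route 11.1.0.0/16 next-table UNTRUST.inet.0;
            }
            router-id 10.87.32.110;
            instance-import untrust_ospf_trust;
        }
    }
    UNTRUST {
        description "UNTRUST-VR towards Internet VPN";
        instance-type virtual-router;
        interface ge-0/0/3.9;
        interface lo0.211;
        routing-options {
            /* NAT prefixes advertised by export-internet; discard keeps them from looping */
            static {
                route 10.87.62.96/29 discard;
                route 10.87.62.104/29 discard;
            }
            router-id 10.87.32.111;
            instance-import trust_ospf_untrust;
        }
    }
}
applications {
    application snmp-walk {
        protocol udp;
        destination-port snmp;
    }
    application iperf-udp {
        protocol udp;
        destination-port 5001;
    }
    application squid-proxy {
        protocol tcp;
        destination-port 8080;
    }
    /* source-port-only matches; any destination port is accepted */
    application skype {
        protocol tcp;
        source-port 54045;
    }
    application skype-udp {
        protocol udp;
        source-port 54045;
    }
    application iap-tcp-8181 {
        protocol tcp;
        destination-port 8181;
    }
    application iptv {
        protocol tcp;
        destination-port 3000;
    }
    application snmp-traps {
        protocol udp;
        source-port 162;
    }
    application sctp_NO_alg {
        term t1 protocol 132 destination-port 0;
    }
}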