firewall { | |
global-options { | |
all-ping "enable" | |
broadcast-ping "disable" | |
ip-src-route "disable" | |
ipv6-receive-redirects "disable" | |
ipv6-src-route "disable" | |
log-martians "enable" | |
} | |
group { | |
address-group ALL_WEBSERVERS { | |
address "198.18.15.12" | |
address "198.18.31.5" | |
address "198.18.63.5" | |
address "198.18.15.14" | |
address "198.18.31.6" | |
address "198.18.63.6" | |
description "REDACTED" | |
} | |
address-group ATT_WEBSITES { | |
address "192.0.2.227" | |
address "192.0.2.230" | |
address "192.0.2.233" | |
description "REDACTED" | |
} | |
address-group BACKBONE_GLUSTER_CLIENTS { | |
address "198.18.16.2" | |
address "198.18.16.3" | |
address "198.18.16.5" | |
address "198.18.16.6" | |
address "198.18.48.2" | |
address "198.18.48.3" | |
address "198.18.48.5" | |
address "198.18.48.6" | |
} | |
address-group BACKBONE_JUMP_HOSTS { | |
address "198.18.16.4" | |
address "198.18.48.4" | |
description "REDACTED" | |
} | |
address-group BACKBONE_MYSQL_SERVERS { | |
address "198.18.31.5" | |
address "198.18.63.5" | |
address "198.18.31.6" | |
address "198.18.63.6" | |
address "198.18.16.7" | |
address "198.18.48.7" | |
description "REDACTED" | |
} | |
address-group BACKBONE_NAME_SERVERS { | |
address "198.18.31.3" | |
address "198.18.63.3" | |
description "REDACTED" | |
} | |
address-group BACKBONE_SECURITY_SERVERS { | |
address "198.18.31.4" | |
address "198.18.63.4" | |
description "REDACTED" | |
} | |
address-group INT_GLUSTER_SERVERS { | |
address "198.18.255.5" | |
address "198.18.9.3-198.18.9.5" | |
description "REDACTED" | |
} | |
address-group INT_JUMP_HOSTS { | |
address "198.18.15.13" | |
address "192.0.2.229" | |
description "REDACTED" | |
} | |
address-group INT_NAMESERVERS { | |
address "198.18.255.1" | |
address "198.18.15.10" | |
description "REDACTED" | |
} | |
address-group INT_TIMESERVERS { | |
address "198.18.255.2" | |
address "198.18.15.11" | |
description "REDACTED" | |
} | |
address-group INT_WEBSERVERS { | |
address "198.18.15.12" | |
address "198.18.15.14" | |
description "REDACTED" | |
} | |
interface-group BACKBONE { | |
interface "wg0" | |
interface "wg1" | |
interface "wg2" | |
interface "wg3" | |
interface "wg4" | |
interface "wg5" | |
interface "wg6" | |
interface "wg7" | |
interface "wg8" | |
interface "wg9" | |
interface "wg100" | |
} | |
ipv6-address-group ALL_WEBSERVERS-V6 { | |
address "2001:db8:1:64::12" | |
address "2001:db8:1:64::14" | |
address "2001:db8:1:150b::5" | |
address "2001:db8:1:150b::6" | |
address "2001:db8:1:23e3::5" | |
address "2001:db8:1:23e3::6" | |
address "2001:db8:1:ffff::3" | |
description "REDACTED" | |
} | |
ipv6-address-group BACKBONE_GLUSTER_CLIENTS-V6 { | |
address "2001:db8:1:1538::2" | |
address "2001:db8:1:1538::3" | |
address "2001:db8:1:1538::5" | |
address "2001:db8:1:1538::6" | |
address "2001:db8:1:239d::2" | |
address "2001:db8:1:239d::3" | |
address "2001:db8:1:239d::5" | |
address "2001:db8:1:239d::6" | |
} | |
ipv6-address-group BACKBONE_JUMP_HOSTS-V6 { | |
address "2001:db8:1:239d::4" | |
address "2001:db8:1:1538::4" | |
description "REDACTED" | |
} | |
ipv6-address-group BACKBONE_MYSQL_SERVERS-V6 { | |
address "2001:db8:1:150b::5" | |
address "2001:db8:1:150b::6" | |
address "2001:db8:1:23e3::5" | |
address "2001:db8:1:23e3::6" | |
address "2001:db8:1:1538::7" | |
address "2001:db8:1:239d::7" | |
description "REDACTED" | |
} | |
ipv6-address-group BACKBONE_NAME_SERVERS-V6 { | |
address "2001:db8:1:150b::3" | |
address "2001:db8:1:23e3::3" | |
description "REDACTED" | |
} | |
ipv6-address-group BACKBONE_SECURITY_SERVERS-V6 { | |
address "2001:db8:1:150b::4" | |
address "2001:db8:1:23e3::4" | |
description "REDACTED" | |
} | |
ipv6-address-group IBM_WEBSITES-V6 { | |
address "2001:db8:1e01:80::227" | |
address "2001:db8:1e01:80::230" | |
address "2001:db8:1e01:80::233" | |
description "REDACTED" | |
} | |
ipv6-address-group INT_GLUSTER_SERVERS-V6 { | |
address "2001:db8:1:ffff::5" | |
address "2001:db8:1:46::3-2001:db8:1:46::5" | |
description "REDACTED" | |
} | |
ipv6-address-group INT_JUMP_HOSTS-V6 { | |
address "2001:db8:1:64::13" | |
address "2001:db8:1e01:80::229" | |
description "REDACTED" | |
} | |
ipv6-address-group INT_NAMESERVERS-V6 { | |
address "2001:db8:1:ffff::1" | |
address "2001:db8:1:64::10" | |
description "REDACTED" | |
} | |
ipv6-address-group INT_TIMESERVERS-V6 { | |
address "2001:db8:1:ffff::2" | |
address "2001:db8:1:64::11" | |
description "REDACTED" | |
} | |
ipv6-address-group INT_WEBSERVERS-V6 { | |
address "2001:db8:1:64::12" | |
address "2001:db8:1:64::14" | |
description "REDACTED" | |
} | |
ipv6-network-group IBM_SERVERS-V6 { | |
description "REDACTED" | |
network "2001:db8:1:239d::/64" | |
network "2001:db8:1:23e3::/64" | |
network "2001:db8:1:1538::/64" | |
network "2001:db8:1:150b::/64" | |
} | |
ipv6-network-group INT_SERVERS-V6 { | |
description "REDACTED" | |
network "2001:db8:1:a::/64" | |
network "2001:db8:1:46::/64" | |
network "2001:db8:1:64::/64" | |
} | |
network-group IBM_MGMT { | |
network "169.254.85.240/28" | |
network "169.254.49.0/26" | |
} | |
network-group IBM_SERVERS { | |
description "REDACTED" | |
network "198.18.16.0/24" | |
network "198.18.31.0/28" | |
network "198.18.48.0/24" | |
network "198.18.63.0/28" | |
} | |
network-group INT_SERVERS { | |
description "REDACTED" | |
network "198.18.0.0/24" | |
network "198.18.15.8/29" | |
network "198.18.9.0/24" | |
} | |
network-group RFC1918 { | |
description "REDACTED" | |
network "198.18.0.0/16" | |
network "10.0.0.0/8" | |
} | |
port-group GLUSTER_CLIENT { | |
description "REDACTED" | |
port "24007" | |
port "24009" | |
port "49152-65535" | |
} | |
port-group WEB { | |
description "REDACTED" | |
port "80" | |
port "443" | |
} | |
port-group WIREGUARD { | |
port "51820-51830" | |
port "51920" | |
} | |
} | |
ipv4 { | |
forward { | |
filter { | |
default-action "drop" | |
rule 2 { | |
action "accept" | |
state "established" | |
state "related" | |
} | |
rule 4 { | |
action "drop" | |
state "invalid" | |
} | |
rule 10 { | |
action "accept" | |
description "REDACTED" | |
inbound-interface { | |
group "BACKBONE" | |
} | |
outbound-interface { | |
group "BACKBONE" | |
} | |
} | |
rule 20 { | |
action "accept" | |
description "REDACTED" | |
inbound-interface { | |
name "bond0.110" | |
} | |
outbound-interface { | |
group "BACKBONE" | |
} | |
} | |
rule 100 { | |
action "accept" | |
description "REDACTED" | |
inbound-interface { | |
name "bond0.110" | |
} | |
outbound-interface { | |
name "bond0.20" | |
} | |
} | |
rule 200 { | |
action "jump" | |
description "REDACTED" | |
inbound-interface { | |
group "BACKBONE" | |
} | |
jump-target "BACKBONE_TO_INT" | |
outbound-interface { | |
name "bond0.110" | |
} | |
} | |
rule 210 { | |
action "jump" | |
description "REDACTED" | |
inbound-interface { | |
name "bond0.20" | |
} | |
jump-target "PUBLIC_TO_INT" | |
outbound-interface { | |
name "bond0.110" | |
} | |
} | |
} | |
} | |
input { | |
filter { | |
default-action "drop" | |
rule 1 { | |
action "accept" | |
state "established" | |
state "related" | |
} | |
rule 2 { | |
action "drop" | |
state "invalid" | |
} | |
rule 10 { | |
action "jump" | |
inbound-interface { | |
group "BACKBONE" | |
} | |
jump-target "BACKBONE_TO_LOCAL" | |
} | |
rule 20 { | |
action "jump" | |
inbound-interface { | |
name "bond0.110" | |
} | |
jump-target "INT_TO_LOCAL" | |
} | |
rule 30 { | |
action "jump" | |
inbound-interface { | |
name "bond0.20" | |
} | |
jump-target "PUBLIC_TO_LOCAL" | |
} | |
} | |
} | |
name BACKBONE_TO_INT { | |
default-action "drop" | |
description "REDACTED" | |
enable-default-log | |
rule 1 { | |
action "accept" | |
description "REDACTED" | |
protocol "icmp" | |
source { | |
group { | |
network-group "RFC1918" | |
} | |
} | |
} | |
rule 10 { | |
action "accept" | |
description "REDACTED" | |
source { | |
group { | |
address-group "BACKBONE_JUMP_HOSTS" | |
} | |
} | |
} | |
rule 20 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "198.18.15.11" | |
} | |
protocol "tcp_udp" | |
source { | |
group { | |
address-group "BACKBONE_SECURITY_SERVERS" | |
} | |
} | |
} | |
rule 30 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "198.18.255.4" | |
port "162,2055" | |
} | |
protocol "udp" | |
source { | |
address "198.18.253.0/24" | |
} | |
} | |
rule 40 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "198.18.9.3" | |
port "ssh" | |
} | |
protocol "tcp" | |
source { | |
address "198.18.253.0/24" | |
} | |
} | |
rule 50 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "198.18.15.11" | |
port "www,ldap,https,ldaps" | |
} | |
protocol "tcp" | |
source { | |
group { | |
network-group "IBM_SERVERS" | |
} | |
} | |
} | |
rule 60 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "198.18.15.11" | |
port "kerberos,kpasswd" | |
} | |
protocol "tcp_udp" | |
source { | |
group { | |
network-group "IBM_SERVERS" | |
} | |
} | |
} | |
rule 70 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "198.18.15.10" | |
port "5300" | |
} | |
protocol "tcp_udp" | |
source { | |
group { | |
address-group "BACKBONE_NAME_SERVERS" | |
} | |
} | |
} | |
rule 80 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_WEBSERVERS" | |
} | |
port "3306,4444,4567,4568" | |
} | |
protocol "tcp" | |
source { | |
group { | |
address-group "BACKBONE_MYSQL_SERVERS" | |
} | |
} | |
} | |
rule 90 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_JUMP_HOSTS" | |
} | |
port "ssh" | |
} | |
protocol "tcp" | |
} | |
rule 100 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_JUMP_HOSTS" | |
} | |
port "5201-5213" | |
} | |
protocol "tcp" | |
} | |
rule 110 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_NAMESERVERS" | |
} | |
port "domain,514" | |
} | |
protocol "tcp_udp" | |
} | |
rule 120 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_NAMESERVERS" | |
} | |
port "19532" | |
} | |
protocol "tcp" | |
} | |
rule 130 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_TIMESERVERS" | |
} | |
port "ntp,radius,radius-acct" | |
} | |
protocol "udp" | |
} | |
rule 140 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "198.19.27.65" | |
port "51413" | |
} | |
protocol "tcp_udp" | |
} | |
rule 142 { | |
action "drop" | |
description "REDACTED" | |
destination { | |
address "54.39.27.65" | |
} | |
protocol "icmp" | |
} | |
rule 144 { | |
action "drop" | |
description "REDACTED" | |
destination { | |
address "54.39.27.65" | |
port "!51413" | |
} | |
protocol "tcp_udp" | |
} | |
rule 150 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "ATT_WEBSITES" | |
port-group "WEB" | |
} | |
} | |
protocol "tcp" | |
} | |
rule 160 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_GLUSTER_SERVERS" | |
port-group "GLUSTER_CLIENT" | |
} | |
} | |
protocol "tcp" | |
source { | |
group { | |
address-group "BACKBONE_GLUSTER_CLIENTS" | |
} | |
} | |
} | |
} | |
name BACKBONE_TO_LOCAL { | |
default-action "drop" | |
description "REDACTED" | |
enable-default-log | |
rule 1 { | |
action "accept" | |
description "REDACTED" | |
protocol "icmp" | |
} | |
rule 10 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "ssh" | |
} | |
protocol "tcp" | |
source { | |
group { | |
address-group "BACKBONE_JUMP_HOSTS" | |
} | |
} | |
} | |
rule 20 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "snmp" | |
} | |
protocol "udp" | |
source { | |
group { | |
address-group "ALL_WEBSERVERS" | |
} | |
} | |
} | |
} | |
name INT_TO_LOCAL { | |
default-action "drop" | |
description "REDACTED" | |
enable-default-log | |
rule 1 { | |
action "accept" | |
description "REDACTED" | |
protocol "icmp" | |
} | |
rule 10 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "ssh" | |
} | |
protocol "tcp" | |
source { | |
group { | |
address-group "INT_JUMP_HOSTS" | |
} | |
} | |
} | |
rule 20 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "bgp" | |
} | |
protocol "tcp" | |
source { | |
address "198.18.15.0/29" | |
} | |
} | |
rule 30 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "3780" | |
} | |
protocol "udp" | |
source { | |
address "198.18.15.3-198.18.15.4" | |
} | |
} | |
rule 40 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "3784-3785,4784" | |
} | |
protocol "udp" | |
source { | |
address "198.18.15.0/29" | |
} | |
} | |
rule 50 { | |
action "accept" | |
description "REDACTED" | |
protocol "vrrp" | |
} | |
rule 60 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "snmp" | |
} | |
protocol "udp" | |
source { | |
group { | |
address-group "ALL_WEBSERVERS" | |
} | |
} | |
} | |
rule 70 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "198.18.253.2-198.18.253.3" | |
port "https" | |
} | |
protocol "tcp" | |
source { | |
address "198.18.253.2-198.18.253.3" | |
} | |
} | |
} | |
name PUBLIC_TO_INT { | |
default-action "drop" | |
description "REDACTED" | |
rule 10 { | |
action "drop" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_JUMP_HOSTS" | |
} | |
port "55875" | |
} | |
protocol "tcp" | |
recent { | |
count "3" | |
time "hour" | |
} | |
state "new" | |
} | |
rule 15 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_JUMP_HOSTS" | |
} | |
port "55875" | |
} | |
protocol "tcp" | |
} | |
rule 20 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_JUMP_HOSTS" | |
} | |
port "5201-5232" | |
} | |
disable | |
protocol "tcp_udp" | |
} | |
rule 30 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "ATT_WEBSITES" | |
port-group "WEB" | |
} | |
} | |
protocol "tcp" | |
} | |
} | |
name PUBLIC_TO_LOCAL { | |
default-action "drop" | |
description "REDACTED" | |
rule 10 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
port-group "WIREGUARD" | |
} | |
} | |
protocol "tcp_udp" | |
source { | |
group { | |
port-group "WIREGUARD" | |
} | |
} | |
} | |
rule 20 { | |
action "accept" | |
description "REDACTED" | |
protocol "vrrp" | |
} | |
} | |
output { | |
filter { | |
default-action "accept" | |
} | |
} | |
} | |
ipv6 { | |
forward { | |
filter { | |
default-action "drop" | |
rule 2 { | |
action "accept" | |
state "established" | |
state "related" | |
} | |
rule 4 { | |
action "drop" | |
state "invalid" | |
} | |
rule 10 { | |
action "accept" | |
description "REDACTED" | |
inbound-interface { | |
group "BACKBONE" | |
} | |
outbound-interface { | |
group "BACKBONE" | |
} | |
} | |
rule 20 { | |
action "accept" | |
description "REDACTED" | |
inbound-interface { | |
name "bond0.110" | |
} | |
outbound-interface { | |
group "BACKBONE" | |
} | |
} | |
rule 100 { | |
action "accept" | |
inbound-interface { | |
name "bond0.110" | |
} | |
outbound-interface { | |
name "bond0.20" | |
} | |
} | |
rule 200 { | |
action "jump" | |
description "REDACTED" | |
inbound-interface { | |
group "BACKBONE" | |
} | |
jump-target "BACKBONE_TO_INT-V6" | |
outbound-interface { | |
name "bond0.110" | |
} | |
} | |
rule 210 { | |
action "jump" | |
description "REDACTED" | |
inbound-interface { | |
name "bond0.20" | |
} | |
jump-target "PUBLIC_TO_INT-V6" | |
outbound-interface { | |
name "bond0.110" | |
} | |
} | |
} | |
} | |
input { | |
filter { | |
default-action "drop" | |
rule 1 { | |
action "accept" | |
state "established" | |
state "related" | |
} | |
rule 2 { | |
action "drop" | |
state "invalid" | |
} | |
rule 10 { | |
action "jump" | |
inbound-interface { | |
group "BACKBONE" | |
} | |
jump-target "BACKBONE_TO_LOCAL-V6" | |
} | |
rule 20 { | |
action "jump" | |
inbound-interface { | |
name "bond0.110" | |
} | |
jump-target "INT_TO_LOCAL-V6" | |
} | |
rule 30 { | |
action "jump" | |
inbound-interface { | |
name "bond0.20" | |
} | |
jump-target "PUBLIC_TO_LOCAL-V6" | |
} | |
} | |
} | |
name BACKBONE_TO_INT-V6 { | |
default-action "drop" | |
description "REDACTED" | |
enable-default-log | |
rule 1 { | |
action "accept" | |
description "REDACTED" | |
protocol "ipv6-icmp" | |
source { | |
address "2001:db8:1::/48" | |
} | |
} | |
rule 10 { | |
action "accept" | |
description "REDACTED" | |
source { | |
group { | |
address-group "BACKBONE_JUMP_HOSTS-V6" | |
} | |
} | |
} | |
rule 20 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "2001:db8:1:64::11" | |
} | |
protocol "tcp_udp" | |
source { | |
group { | |
address-group "BACKBONE_SECURITY_SERVERS-V6" | |
} | |
} | |
} | |
rule 30 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "2001:db8:1:ffff::4" | |
port "162,2055" | |
} | |
protocol "udp" | |
source { | |
address "2001:db8:1:fffe::/64" | |
} | |
} | |
rule 40 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "2001:db8:1:46::3" | |
port "ssh" | |
} | |
protocol "tcp" | |
source { | |
address "2001:db8:1:fffe::/64" | |
} | |
} | |
rule 50 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "2001:db8:1:64::11" | |
port "www,ldap,https,ldaps" | |
} | |
protocol "tcp" | |
source { | |
group { | |
network-group "IBM_SERVERS-V6" | |
} | |
} | |
} | |
rule 60 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "2001:db8:1:64::11" | |
port "kerberos,kpasswd" | |
} | |
protocol "tcp_udp" | |
source { | |
group { | |
network-group "IBM_SERVERS-V6" | |
} | |
} | |
} | |
rule 70 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "2001:db8:1:64::10" | |
port "5300" | |
} | |
protocol "tcp_udp" | |
source { | |
group { | |
address-group "BACKBONE_NAME_SERVERS-V6" | |
} | |
} | |
} | |
rule 80 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_WEBSERVERS-V6" | |
} | |
port "3306,4444,4567,4568" | |
} | |
protocol "tcp" | |
source { | |
group { | |
address-group "BACKBONE_MYSQL_SERVERS-V6" | |
} | |
} | |
} | |
rule 90 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_JUMP_HOSTS-V6" | |
} | |
port "ssh" | |
} | |
protocol "tcp" | |
} | |
rule 100 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_JUMP_HOSTS-V6" | |
} | |
port "5201-5213" | |
} | |
protocol "tcp" | |
} | |
rule 110 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_NAMESERVERS-V6" | |
} | |
port "domain,514" | |
} | |
protocol "tcp_udp" | |
} | |
rule 120 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_NAMESERVERS-V6" | |
} | |
port "19532" | |
} | |
protocol "tcp" | |
} | |
rule 130 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_TIMESERVERS-V6" | |
} | |
port "ntp,radius,radius-acct" | |
} | |
protocol "udp" | |
} | |
rule 140 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
address "2001:db8:1e01:80::/64" | |
} | |
protocol "all" | |
} | |
rule 150 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
address-group "INT_GLUSTER_SERVERS-V6" | |
port-group "GLUSTER_CLIENT" | |
} | |
} | |
protocol "tcp" | |
source { | |
group { | |
address-group "BACKBONE_GLUSTER_CLIENTS-V6" | |
} | |
} | |
} | |
} | |
name BACKBONE_TO_LOCAL-V6 { | |
default-action "drop" | |
description "REDACTED" | |
enable-default-log | |
rule 1 { | |
action "accept" | |
protocol "ipv6-icmp" | |
} | |
rule 10 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "ssh" | |
} | |
protocol "tcp" | |
source { | |
group { | |
address-group "BACKBONE_JUMP_HOSTS-V6" | |
} | |
} | |
} | |
rule 20 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "bgp" | |
} | |
protocol "tcp" | |
source { | |
address "fe80::/10" | |
} | |
} | |
rule 30 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "3784-3785,4784" | |
} | |
protocol "udp" | |
source { | |
address "fe80::/10" | |
} | |
} | |
rule 40 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "snmp" | |
} | |
protocol "udp" | |
source { | |
group { | |
address-group "ALL_WEBSERVERS-V6" | |
} | |
} | |
} | |
} | |
name INT_TO_LOCAL-V6 { | |
default-action "drop" | |
description "REDACTED" | |
enable-default-log | |
rule 1 { | |
action "accept" | |
description "REDACTED" | |
protocol "ipv6-icmp" | |
} | |
rule 10 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "ssh" | |
} | |
protocol "tcp" | |
source { | |
group { | |
address-group "INT_JUMP_HOSTS-V6" | |
} | |
} | |
} | |
rule 20 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "bgp" | |
} | |
protocol "tcp" | |
source { | |
address "2001:db8:1:6e::/64" | |
} | |
} | |
rule 30 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "3784-3785,4784" | |
} | |
protocol "udp" | |
source { | |
address "2001:db8:1:6e::/64" | |
} | |
} | |
rule 40 { | |
action "accept" | |
description "REDACTED" | |
protocol "vrrp" | |
} | |
rule 50 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "snmp" | |
} | |
protocol "udp" | |
source { | |
group { | |
address-group "ALL_WEBSERVERS-V6" | |
} | |
} | |
} | |
rule 60 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "443" | |
} | |
protocol "tcp" | |
source { | |
address "2001:db8:1:fffe::2-2001:db8:1:fffe::3" | |
} | |
} | |
} | |
name PUBLIC_TO_INT-V6 { | |
default-action "drop" | |
description "REDACTED" | |
rule 1 { | |
action "accept" | |
description "REDACTED" | |
protocol "ipv6-icmp" | |
} | |
} | |
name PUBLIC_TO_LOCAL-V6 { | |
default-action "drop" | |
description "REDACTED" | |
rule 1 { | |
action "accept" | |
description "REDACTED" | |
protocol "ipv6-icmp" | |
} | |
rule 10 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
port "546" | |
} | |
protocol "udp" | |
source { | |
port "547" | |
} | |
} | |
rule 20 { | |
action "accept" | |
description "REDACTED" | |
destination { | |
group { | |
port-group "WIREGUARD" | |
} | |
} | |
protocol "udp" | |
} | |
rule 30 { | |
action "accept" | |
description "REDACTED" | |
protocol "vrrp" | |
} | |
} | |
output { | |
filter { | |
default-action "accept" | |
} | |
} | |
} | |
} | |
high-availability { | |
vrrp { | |
group ATT-V4 { | |
address 198.19.52.249/22 { | |
} | |
authentication { | |
password "somePassword" | |
type "plaintext-password" | |
} | |
interface "bond0.20" | |
priority "254" | |
vrid "1" | |
} | |
group ATT-V6 { | |
address 2001:db8:6ec:b000::249/64 { | |
} | |
authentication { | |
password "somePassword2" | |
type "plaintext-password" | |
} | |
interface "bond0.20" | |
priority "254" | |
vrid "2" | |
} | |
snmp | |
sync-group CR01.INT { | |
member "ATT-V4" | |
member "ATT-V6" | |
} | |
} | |
} | |
interfaces { | |
bonding bond0 { | |
description "REDACTED" | |
hash-policy "layer3+4" | |
ipv6 { | |
address { | |
no-default-link-local | |
} | |
} | |
lacp-rate "fast" | |
member { | |
interface "eth0" | |
interface "eth1" | |
} | |
mode "802.3ad" | |
mtu "9214" | |
vif 20 { | |
address "198.18.100.4/29" | |
address "192.0.2.226/32" | |
address "2001:db8:6ec:b000::226/64" | |
description "REDACTED" | |
dhcpv6-options { | |
duid "00:01:00:01:c7:92:bc:12:34:56:78:9a:bc:de" | |
pd 0 { | |
interface dum1 { | |
address "0" | |
} | |
} | |
pd 1 { | |
interface dum1 { | |
address "0" | |
} | |
} | |
pd 2 { | |
interface dum1 { | |
address "0" | |
} | |
} | |
pd 3 { | |
interface dum1 { | |
address "0" | |
} | |
} | |
rapid-commit | |
} | |
mtu "1500" | |
} | |
vif 110 { | |
address "198.18.15.4/29" | |
address "fe80::198:18:15:4/64" | |
address "2001:db8:1:6e::4/64" | |
description "REDACTED" | |
ipv6 { | |
address { | |
no-default-link-local | |
} | |
} | |
mtu "9214" | |
} | |
} | |
dummy dum0 { | |
address "2001:db8:1:fffe::3/128" | |
address "198.18.253.3/32" | |
description "REDACTED" | |
} | |
dummy dum1 { | |
description "REDACTED" | |
} | |
ethernet eth0 { | |
description "REDACTED" | |
disable-flow-control | |
hw-id "12:34:56:78:9a:bc" | |
offload { | |
gro | |
gso | |
sg | |
tso | |
} | |
ring-buffer { | |
rx "4096" | |
tx "4096" | |
} | |
} | |
ethernet eth1 { | |
description "REDACTED" | |
disable-flow-control | |
hw-id "de:f0:12:34:56:78" | |
offload { | |
gro | |
gso | |
sg | |
tso | |
} | |
ring-buffer { | |
rx "4096" | |
tx "4096" | |
} | |
} | |
loopback lo { | |
} | |
wireguard wg0 { | |
description "REDACTED" | |
fwmark "51820" | |
ip { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
ipv6 { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
peer CR01-VYOS.BHSv4 { | |
address "198.19.115.181" | |
allowed-ips "0.0.0.0/0" | |
allowed-ips "::/0" | |
port "51822" | |
public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" | |
} | |
port "51820" | |
private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" | |
} | |
wireguard wg1 { | |
description "REDACTED" | |
fwmark "51820" | |
ip { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
ipv6 { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
peer CR01-VYOS.BHSv6 { | |
address "2001:db8:203:b0b5::1" | |
allowed-ips "0.0.0.0/0" | |
allowed-ips "::/0" | |
port "51823" | |
public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" | |
} | |
port "51821" | |
private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" | |
} | |
wireguard wg2 { | |
description "REDACTED" | |
fwmark "51820" | |
ip { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
ipv6 { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
peer CR01A-VYOS.DAL10v4 { | |
address "198.19.77.126" | |
allowed-ips "0.0.0.0/0" | |
allowed-ips "::/0" | |
port "51822" | |
public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" | |
} | |
port "51822" | |
private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" | |
} | |
wireguard wg3 { | |
description "REDACTED" | |
fwmark "51820" | |
ip { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
ipv6 { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
peer CR01A-VYOS.DAL10v6 { | |
address "2001:db8:1e01:7d::4" | |
allowed-ips "0.0.0.0/0" | |
allowed-ips "::/0" | |
port "51823" | |
public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" | |
} | |
port "51823" | |
private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" | |
} | |
wireguard wg4 { | |
description "REDACTED" | |
fwmark "51820" | |
ip { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
ipv6 { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
peer CR01B-VYOS.DAL10v4 { | |
address "198.19.77.123" | |
allowed-ips "0.0.0.0/0" | |
allowed-ips "::/0" | |
port "51822" | |
public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" | |
} | |
port "51824" | |
private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" | |
} | |
wireguard wg5 { | |
description "REDACTED" | |
fwmark "51820" | |
ip { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
ipv6 { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
peer CR01B-VYOS.DAL10v6 { | |
address "2001:db8:1e01:7d::5" | |
allowed-ips "0.0.0.0/0" | |
allowed-ips "::/0" | |
port "51823" | |
public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" | |
} | |
port "51825" | |
private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" | |
} | |
wireguard wg6 { | |
description "REDACTED" | |
fwmark "51820" | |
ip { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
ipv6 { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
peer CR01A-VYOS.WDC07v4 { | |
address "198.19.15.10" | |
allowed-ips "0.0.0.0/0" | |
allowed-ips "::/0" | |
port "51822" | |
public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" | |
} | |
port "51826" | |
private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" | |
} | |
wireguard wg7 { | |
description "REDACTED" | |
fwmark "51820" | |
ip { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
ipv6 { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
peer CR01A-VYOS.WDC07v6 { | |
address "2001:db8:3a01:a5::3" | |
allowed-ips "0.0.0.0/0" | |
allowed-ips "::/0" | |
port "51823" | |
public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" | |
} | |
port "51827" | |
private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" | |
} | |
wireguard wg8 { | |
description "REDACTED" | |
fwmark "51820" | |
ip { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
ipv6 { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
peer CR01B-VYOS.WDC07v4 { | |
address "198.19.15.11" | |
allowed-ips "::/0" | |
allowed-ips "0.0.0.0/0" | |
port "51822" | |
public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" | |
} | |
port "51828" | |
private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" | |
} | |
wireguard wg9 { | |
description "REDACTED" | |
fwmark "51820" | |
ip { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
ipv6 { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
peer CR01B-VYOS.WDC07v6 { | |
address "2001:db8:3a01:a5::2" | |
allowed-ips "::/0" | |
allowed-ips "0.0.0.0/0" | |
port "51823" | |
public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" | |
} | |
port "51829" | |
private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" | |
} | |
wireguard wg100 { | |
address "198.18.7.1/24" | |
address "2001:db8:1:fff::1/64" | |
description "REDACTED" | |
ip { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
ipv6 { | |
adjust-mss "clamp-mss-to-pmtu" | |
} | |
peer PEER1 { | |
allowed-ips "198.18.7.0/24" | |
allowed-ips "2001:db8:1:fff::/64" | |
public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" | |
} | |
peer PEER2 { | |
allowed-ips "198.18.7.0/24" | |
allowed-ips "2001:db8:1:fff::/64" | |
public-key "yuRTzsKzPYy87Rn8Sgm7a0soJit3hmcDPptGxlZ9jlg=" | |
} | |
port "51920" | |
private-key "2MtQ7ssxg5kIiHmS3d9nhGTzPCpVGjBmIPUWE3IVJ3g=" | |
} | |
} | |
nat { | |
source { | |
rule 999 { | |
description "REDACTED" | |
outbound-interface { | |
name "bond0.20" | |
} | |
source { | |
address "198.18.0.0/20" | |
} | |
translation { | |
address "198.19.52.249" | |
} | |
} | |
} | |
} | |
nat66 { | |
source { | |
rule 10 { | |
description "REDACTED" | |
outbound-interface { | |
name "bond0.20" | |
} | |
source { | |
prefix "2001:db8:1:a::/64" | |
} | |
translation { | |
address "2001:db8:6ec:b00c::/64" | |
} | |
} | |
rule 20 { | |
description "REDACTED" | |
outbound-interface { | |
name "bond0.20" | |
} | |
source { | |
prefix "2001:db8:1:46::/64" | |
} | |
translation { | |
address "2001:db8:6ec:b00d::/64" | |
} | |
} | |
rule 30 { | |
description "REDACTED" | |
outbound-interface { | |
name "bond0.20" | |
} | |
source { | |
prefix "2001:db8:1:c8::/64" | |
} | |
translation { | |
address "2001:db8:6ec:b00e::/64" | |
} | |
} | |
rule 40 { | |
description "REDACTED" | |
outbound-interface { | |
name "bond0.20" | |
} | |
source { | |
prefix "2001:db8:1:f0::/64" | |
} | |
translation { | |
address "2001:db8:6ec:b00f::/64" | |
} | |
} | |
} | |
} | |
policy { | |
as-path-list DAL10 { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
regex "4242420668_$" | |
} | |
} | |
as-path-list IBM { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
regex "^_42424206(68|70)_$" | |
} | |
} | |
as-path-list INT { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
regex "_" | |
} | |
} | |
as-path-list WDC07 { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
regex "4242420670_$" | |
} | |
} | |
large-community-list ANYCAST_ALL { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
regex "4242420696:100:.*" | |
} | |
} | |
large-community-list ANYCAST_INT { | |
description "REDACTED" | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
regex "4242420696:100:1" | |
} | |
} | |
large-community-list BLACKHOLE_ALL { | |
description "REDACTED" | |
rule 10 { | |
action "permit" | |
regex "4242420696:86:.*" | |
} | |
} | |
large-community-list LOOPBACK_ALL { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
regex "4242420696:10:.*" | |
} | |
} | |
prefix-list BGP-DAL10 { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
ge "23" | |
prefix "198.18.16.0/20" | |
} | |
} | |
prefix-list BGP-INT { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
ge "23" | |
prefix "198.18.0.0/20" | |
} | |
} | |
prefix-list BGP-REDISTRIBUTE { | |
description "REDACTED" | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
prefix "198.18.100.0/29" | |
} | |
rule 20 { | |
action "permit" | |
description "REDACTED" | |
prefix "198.18.15.0/29" | |
} | |
rule 30 { | |
action "permit" | |
description "REDACTED" | |
prefix "198.18.7.0/24" | |
} | |
} | |
prefix-list BGP-SERVICES { | |
description "REDACTED" | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
prefix "10.0.0.0/8" | |
} | |
rule 20 { | |
action "permit" | |
description "REDACTED" | |
ge "9" | |
prefix "10.0.0.0/8" | |
} | |
} | |
prefix-list BGP-WDC07 { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
ge "23" | |
prefix "198.18.48.0/20" | |
} | |
} | |
prefix-list DEFAULT { | |
description "REDACTED" | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
prefix "0.0.0.0/0" | |
} | |
} | |
prefix-list LOOPBACK { | |
description "REDACTED" | |
rule 10 { | |
action "permit" | |
ge "32" | |
prefix "198.18.253.0/24" | |
} | |
} | |
prefix-list6 BGP-DAL10-V6 { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
ge "64" | |
prefix "2001:db8:1:1000::/52" | |
} | |
} | |
prefix-list6 BGP-INT-V6 { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
ge "64" | |
prefix "2001:db8:1::/52" | |
} | |
} | |
prefix-list6 BGP-WDC07-V6 { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
ge "64" | |
prefix "2001:db8:1:2000::/52" | |
} | |
} | |
prefix-list6 DEFAULT-V6 { | |
description "REDACTED" | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
prefix "::/0" | |
} | |
} | |
prefix-list6 LOOPBACK-V6 { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
ge "128" | |
prefix "2001:db8:1:fffe::/64" | |
} | |
} | |
/* LAN_OUT: policy-based routing applied to traffic entering bond0.110.
   Packets sourced from 198.19.27.64/28 are looked up in table 110 (default via
   198.18.253.12, see protocols static table 110); everything else falls
   through to rule 9999 and the main table. Only the source address is
   matched, so any host in that /28 is steered regardless of destination. */
route LAN_OUT { | |
description "REDACTED" | |
interface "bond0.110" | |
rule 10 { | |
description "REDACTED" | |
set { | |
table "110" | |
} | |
source { | |
address "198.19.27.64/28" | |
} | |
} | |
rule 9999 { | |
set { | |
table "main" | |
} | |
} | |
} | |
/* BGP-BACKBONE-COSTED: a de-preferred variant of BGP-BACKBONE-OUT. Loopback
   host routes (rules 10/20) pass untouched; everything else is run through
   BGP-BACKBONE-OUT via `call` and then gets local-preference 0, so the
   receiving confederation member prefers any other path. NOTE(review): no
   peer-group in the `protocols bgp` section of this file references this map
   (BACKBONE uses BGP-BACKBONE-OUT); confirm it is applied somewhere or remove it. */
route-map BGP-BACKBONE-COSTED { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ip { | |
address { | |
prefix-list "LOOPBACK" | |
} | |
} | |
} | |
} | |
rule 20 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ipv6 { | |
address { | |
prefix-list "LOOPBACK-V6" | |
} | |
} | |
} | |
} | |
rule 30 { | |
action "permit" | |
call "BGP-BACKBONE-OUT" | |
description "REDACTED" | |
set { | |
local-preference "0" | |
} | |
} | |
} | |
/* BGP-BACKBONE-IN: import policy for the BACKBONE peer-group (wg0..wg9,
   confederation members 4242420668/669/670), applied to both address families.
   Rules 10/20/40 add MED (+150 when the path came via WDC07, +100 for other
   anycast) to steer toward the nearer site; rules 50-100 admit loopbacks and the
   per-site prefix lists keyed on the as-path lists WDC07/IBM/DAL10 and the
   large-community lists, all of which are defined outside this chunk.
   Rule 999 is a bare `permit` that delegates to BGP-REDISTRIBUTE via `call`;
   that called map has no catch-all, so per FRR's call semantics routes it does
   not match should end up denied - verify with `show ip bgp neighbor ... routes`
   rather than assuming this is a permit-all or a deny-all.
   NOTE(review): rule 30 honours BLACKHOLE_ALL from any backbone peer with no
   prefix-list or length restriction, so a peer can blackhole any prefix
   (including a covering aggregate) on this router. RTBH imports are normally
   limited to /32 and /128 of space the originator owns - add a
   `match ip address prefix-list` with ge 32 (and the IPv6 equivalent).
   NOTE(review): the rewritten next-hop 198.18.253.0 falls inside the static
   `route 198.18.0.0/15 blackhole`, which is what makes the drop work unless a
   more-specific route covers that address; the IPv6 next-hop
   2001:db8:1:fffe:198:18:253:0 has no equivalent static blackhole in this file. */
route-map BGP-BACKBONE-IN { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
match { | |
as-path "WDC07" | |
large-community { | |
large-community-list "ANYCAST_ALL" | |
} | |
} | |
set { | |
metric "+150" | |
} | |
} | |
rule 20 { | |
action "permit" | |
description "REDACTED" | |
match { | |
large-community { | |
large-community-list "ANYCAST_ALL" | |
} | |
} | |
set { | |
metric "+100" | |
} | |
} | |
rule 30 { | |
action "permit" | |
description "REDACTED" | |
match { | |
large-community { | |
large-community-list "BLACKHOLE_ALL" | |
} | |
} | |
set { | |
ip-next-hop "198.18.253.0" | |
ipv6-next-hop { | |
global "2001:db8:1:fffe:198:18:253:0" | |
} | |
} | |
} | |
rule 40 { | |
action "permit" | |
description "REDACTED" | |
match { | |
as-path "WDC07" | |
ip { | |
address { | |
prefix-list "BGP-SERVICES" | |
} | |
} | |
} | |
set { | |
metric "+150" | |
} | |
} | |
rule 50 { | |
action "permit" | |
description "REDACTED" | |
match { | |
large-community { | |
large-community-list "LOOPBACK_ALL" | |
} | |
} | |
} | |
rule 60 { | |
action "permit" | |
description "REDACTED" | |
match { | |
as-path "IBM" | |
ip { | |
address { | |
prefix-list "BGP-SERVICES" | |
} | |
} | |
} | |
} | |
rule 70 { | |
action "permit" | |
description "REDACTED" | |
match { | |
as-path "DAL10" | |
ip { | |
address { | |
prefix-list "BGP-DAL10" | |
} | |
} | |
} | |
} | |
rule 80 { | |
action "permit" | |
description "REDACTED" | |
match { | |
as-path "DAL10" | |
ipv6 { | |
address { | |
prefix-list "BGP-DAL10-V6" | |
} | |
} | |
} | |
} | |
rule 90 { | |
action "permit" | |
description "REDACTED" | |
match { | |
as-path "WDC07" | |
ip { | |
address { | |
prefix-list "BGP-WDC07" | |
} | |
} | |
} | |
} | |
rule 100 { | |
action "permit" | |
description "REDACTED" | |
match { | |
as-path "WDC07" | |
ipv6 { | |
address { | |
prefix-list "BGP-WDC07-V6" | |
} | |
} | |
} | |
} | |
rule 999 { | |
action "permit" | |
call "BGP-REDISTRIBUTE" | |
description "REDACTED" | |
} | |
} | |
/* BGP-BACKBONE-OUT: export policy for the BACKBONE peer-group. Announces
   site-local anycast (ANYCAST_INT), blackholes, loopbacks, and INT-originated
   prefixes (as-path INT with BGP-INT / BGP-INT-V6); rule 999 hands everything
   else to BGP-REDISTRIBUTE, whose implicit deny decides the outcome (confirm the
   `call` behaviour on this FRR release). Rules 40/50 carry no description.
   NOTE(review): rule 20 re-exports any BLACKHOLE_ALL route, including ones
   learned from another backbone peer through BGP-BACKBONE-IN rule 30, so this
   router transits third-party blackholes between confederation members. If
   only locally-originated blackholes should leave, match on an origin
   community or prefix-list here. */
route-map BGP-BACKBONE-OUT { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
match { | |
large-community { | |
large-community-list "ANYCAST_INT" | |
} | |
} | |
} | |
rule 20 { | |
action "permit" | |
description "REDACTED" | |
match { | |
large-community { | |
large-community-list "BLACKHOLE_ALL" | |
} | |
} | |
} | |
rule 30 { | |
action "permit" | |
description "REDACTED" | |
match { | |
large-community { | |
large-community-list "LOOPBACK_ALL" | |
} | |
} | |
} | |
rule 40 { | |
action "permit" | |
match { | |
as-path "INT" | |
ip { | |
address { | |
prefix-list "BGP-INT" | |
} | |
} | |
} | |
} | |
rule 50 { | |
action "permit" | |
match { | |
as-path "INT" | |
ipv6 { | |
address { | |
prefix-list "BGP-INT-V6" | |
} | |
} | |
} | |
} | |
rule 999 { | |
action "permit" | |
call "BGP-REDISTRIBUTE" | |
description "REDACTED" | |
} | |
} | |
/* BGP-CORE-COSTED: de-preferred variant of BGP-CORE-OUT - loopbacks pass
   untouched, everything else runs through BGP-CORE-OUT via `call` and is set
   to local-preference 0. NOTE(review): the CORE and COREv6 peer-groups below
   use BGP-CORE-OUT directly; nothing in this file applies this map. */
route-map BGP-CORE-COSTED { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ip { | |
address { | |
prefix-list "LOOPBACK" | |
} | |
} | |
} | |
} | |
rule 20 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ipv6 { | |
address { | |
prefix-list "LOOPBACK-V6" | |
} | |
} | |
} | |
} | |
rule 30 { | |
action "permit" | |
call "BGP-CORE-OUT" | |
description "REDACTED" | |
set { | |
local-preference "0" | |
} | |
} | |
} | |
/* BGP-CORE-IN: import policy for the CORE/COREv6 iBGP peer-groups
   (198.18.15.1/3/5 and 2001:db8:1:6e::1/3/5, same AS 4242420666). Accepts
   site anycast, INT prefixes, loopbacks and - rules 40/50 - an exact default
   route. There is no catch-all rule, so anything else is implicitly denied;
   this is the tightest of the three import maps and is the pattern the
   backbone map should follow. `prefer-global` makes FRR use the global rather
   than link-local IPv6 next-hop.
   NOTE(review): the CORE peer-groups also `default-originate` toward these
   same peers; accepting a default back from them (rules 40/50) is only safe if
   they really are meant to be an alternative exit - confirm, otherwise drop
   rules 40/50 to avoid a routing loop when the upstream default disappears. */
route-map BGP-CORE-IN { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
match { | |
large-community { | |
large-community-list "ANYCAST_INT" | |
} | |
} | |
set { | |
ipv6-next-hop { | |
prefer-global | |
} | |
} | |
} | |
rule 20 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ip { | |
address { | |
prefix-list "BGP-INT" | |
} | |
} | |
} | |
} | |
rule 30 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ipv6 { | |
address { | |
prefix-list "BGP-INT-V6" | |
} | |
} | |
} | |
set { | |
ipv6-next-hop { | |
prefer-global | |
} | |
} | |
} | |
rule 40 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ip { | |
address { | |
prefix-list "DEFAULT" | |
} | |
} | |
} | |
} | |
rule 50 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ipv6 { | |
address { | |
prefix-list "DEFAULT-V6" | |
} | |
} | |
} | |
set { | |
ipv6-next-hop { | |
prefer-global | |
} | |
} | |
} | |
rule 60 { | |
action "permit" | |
description "REDACTED" | |
match { | |
large-community { | |
large-community-list "LOOPBACK_ALL" | |
} | |
} | |
set { | |
ipv6-next-hop { | |
prefer-global | |
} | |
} | |
} | |
} | |
/* BGP-CORE-OUT: export policy toward the CORE/COREv6 iBGP peers. Passes
   anycast, the whole 10/8 service range (BGP-SERVICES), the DAL10 and WDC07
   site ranges, and loopbacks; rule 999 delegates the rest to BGP-REDISTRIBUTE.
   The default route handed to CORE does not come from here but from
   `default-originate` on the peer-groups. Note that BLACKHOLE_ALL routes are
   not matched by any rule here, so blackholes learned from the backbone only
   reach CORE if BGP-REDISTRIBUTE lets them through (it has no blackhole rule). */
route-map BGP-CORE-OUT { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
match { | |
large-community { | |
large-community-list "ANYCAST_ALL" | |
} | |
} | |
} | |
rule 20 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ip { | |
address { | |
prefix-list "BGP-SERVICES" | |
} | |
} | |
} | |
} | |
rule 30 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ip { | |
address { | |
prefix-list "BGP-DAL10" | |
} | |
} | |
} | |
} | |
rule 40 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ipv6 { | |
address { | |
prefix-list "BGP-DAL10-V6" | |
} | |
} | |
} | |
} | |
rule 50 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ip { | |
address { | |
prefix-list "BGP-WDC07" | |
} | |
} | |
} | |
} | |
rule 60 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ipv6 { | |
address { | |
prefix-list "BGP-WDC07-V6" | |
} | |
} | |
} | |
} | |
rule 70 { | |
action "permit" | |
description "REDACTED" | |
match { | |
large-community { | |
large-community-list "LOOPBACK_ALL" | |
} | |
} | |
} | |
rule 999 { | |
action "permit" | |
call "BGP-REDISTRIBUTE" | |
description "REDACTED" | |
} | |
} | |
/* BGP-REDISTRIBUTE (route-map): used for `redistribute connected` in both
   address families and as the `call` target of rule 999 in the BACKBONE and
   CORE export/import maps. Every rule forces origin igp; connected routes
   tagged 86 get large community 4242420696:86:1 and loopbacks get
   4242420696:10:1 (4242420696 is the confederation identifier). No catch-all,
   so anything unmatched is implicitly denied.
   NOTE(review): the IPv4 selector (rule 40) is a three-prefix exact list, but
   the IPv6 selector (rule 50) is BGP-INT-V6 - any /64 or longer in
   2001:db8:1::/52 - so every connected IPv6 subnet in that /52 is announced,
   including ones that may be management-only. Confirm that asymmetry is
   intended; a dedicated BGP-REDISTRIBUTE-V6 exact list would mirror IPv4. */
route-map BGP-REDISTRIBUTE { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
match { | |
tag "86" | |
} | |
set { | |
large-community { | |
add "4242420696:86:1" | |
} | |
origin "igp" | |
} | |
} | |
rule 20 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ip { | |
address { | |
prefix-list "LOOPBACK" | |
} | |
} | |
} | |
set { | |
large-community { | |
add "4242420696:10:1" | |
} | |
origin "igp" | |
} | |
} | |
rule 30 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ipv6 { | |
address { | |
prefix-list "LOOPBACK-V6" | |
} | |
} | |
} | |
set { | |
large-community { | |
add "4242420696:10:1" | |
} | |
origin "igp" | |
} | |
} | |
rule 40 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ip { | |
address { | |
prefix-list "BGP-REDISTRIBUTE" | |
} | |
} | |
} | |
set { | |
origin "igp" | |
} | |
} | |
rule 50 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ipv6 { | |
address { | |
prefix-list "BGP-INT-V6" | |
} | |
} | |
} | |
set { | |
origin "igp" | |
} | |
} | |
} | |
/* DEFAULT-ZEBRA-IN: applied to BGP and static routes as they enter the kernel
   (system ip protocol ...). Locally-originated traffic that follows the
   default route is sourced from the public address 192.0.2.226; everything
   else is sourced from the loopback 198.18.253.3. NOTE(review): 192.0.2.226
   sits inside the statically blackholed 192.0.2.224/28 - this only works if an
   interface holds that address as a more-specific; confirm on the box. */
route-map DEFAULT-ZEBRA-IN { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ip { | |
address { | |
prefix-list "DEFAULT" | |
} | |
} | |
} | |
set { | |
src "192.0.2.226" | |
} | |
} | |
rule 20 { | |
action "permit" | |
description "REDACTED" | |
set { | |
src "198.18.253.3" | |
} | |
} | |
} | |
/* DEFAULT-ZEBRA-IN-V6: IPv6 twin of DEFAULT-ZEBRA-IN - default-routed traffic
   is sourced from the WAN address, everything else from loopback
   2001:db8:1:fffe::3. NOTE(review): the src on rule 10 is a real 2600:1700::/28
   global address, while the matching static `route6 ::/0` next-hop was
   rewritten to 2001:db8:6ec:b000::1; this one line escaped the 2001:db8
   sanitization and should be scrubbed before the file is shared further. */
route-map DEFAULT-ZEBRA-IN-V6 { | |
rule 10 { | |
action "permit" | |
description "REDACTED" | |
match { | |
ipv6 { | |
address { | |
prefix-list "DEFAULT-V6" | |
} | |
} | |
} | |
set { | |
src "2600:1700:6ec:b000::226" | |
} | |
} | |
rule 20 { | |
action "permit" | |
description "REDACTED" | |
set { | |
src "2001:db8:1:fffe::3" | |
} | |
} | |
} | |
/* LAN_OUT-V6: IPv6 policy routing on bond0.110. Sources in
   2001:db8:203:64ef::/64 use table 110 (default via 2001:db8:1:fffe::12),
   sources in 2001:db8:1e01:80::/64 use table 100 (ECMP default via
   2001:db8:1:fffe::6 and ::7); everything else uses main. Source-only match,
   like LAN_OUT. */
route6 LAN_OUT-V6 { | |
description "REDACTED" | |
interface "bond0.110" | |
rule 10 { | |
description "REDACTED" | |
set { | |
table "110" | |
} | |
source { | |
address "2001:db8:203:64ef::/64" | |
} | |
} | |
rule 20 { | |
description "REDACTED" | |
set { | |
table "100" | |
} | |
source { | |
address "2001:db8:1e01:80::/64" | |
} | |
} | |
rule 999 { | |
set { | |
table "main" | |
} | |
} | |
} | |
} | |
/* protocols: BFD profiles, the BGP process (confederation member
   4242420666 of 4242420696) and the static/bogon routing table. */
protocols { | |
/* Two BFD profiles: NEAR (50 ms) for the directly attached CORE peers and
   FAR (100 ms) for the tunnelled BACKBONE peers. */
bfd { | |
profile FAR { | |
interval { | |
receive "100" | |
transmit "100" | |
} | |
} | |
profile NEAR { | |
interval { | |
receive "50" | |
transmit "50" | |
} | |
} | |
} | |
/* BGP. Connected routes are redistributed through route-map
   BGP-REDISTRIBUTE in both address families. CORE peers are iBGP (their
   remote-as equals system-as) and are addressed directly; BACKBONE peers are
   unnumbered (interface, v6only) sessions on wg0..wg9 - the wg* names suggest
   WireGuard, which would give the session transport authentication and
   encryption, but the interface definitions are not in this chunk.
   NOTE(review): none of the peer-groups set `password` (TCP-MD5) or a
   `maximum-prefix`. The CORE sessions on 198.18.15.x / 2001:db8:1:6e:: run in
   the clear with no session authentication, and a misbehaving peer in any
   group can flood the table without a prefix limit. `soft-reconfiguration
   inbound` keeps an unfiltered Adj-RIB-In copy per peer, which multiplies that
   memory cost. */
bgp { | |
address-family { | |
ipv4-unicast { | |
redistribute { | |
connected { | |
route-map "BGP-REDISTRIBUTE" | |
} | |
} | |
} | |
ipv6-unicast { | |
redistribute { | |
connected { | |
route-map "BGP-REDISTRIBUTE" | |
} | |
} | |
} | |
} | |
neighbor 198.18.15.1 { | |
peer-group "CORE" | |
} | |
neighbor 198.18.15.3 { | |
peer-group "CORE" | |
} | |
neighbor 198.18.15.5 { | |
peer-group "CORE" | |
} | |
neighbor 2001:db8:1:6e::1 { | |
peer-group "COREv6" | |
} | |
neighbor 2001:db8:1:6e::3 { | |
peer-group "COREv6" | |
} | |
neighbor 2001:db8:1:6e::5 { | |
peer-group "COREv6" | |
} | |
neighbor wg0 { | |
interface { | |
v6only { | |
peer-group "BACKBONE" | |
remote-as "4242420669" | |
} | |
} | |
} | |
neighbor wg1 { | |
interface { | |
v6only { | |
peer-group "BACKBONE" | |
remote-as "4242420669" | |
} | |
} | |
} | |
neighbor wg2 { | |
interface { | |
v6only { | |
peer-group "BACKBONE" | |
remote-as "4242420668" | |
} | |
} | |
} | |
neighbor wg3 { | |
interface { | |
v6only { | |
peer-group "BACKBONE" | |
remote-as "4242420668" | |
} | |
} | |
} | |
neighbor wg4 { | |
interface { | |
v6only { | |
peer-group "BACKBONE" | |
remote-as "4242420668" | |
} | |
} | |
} | |
neighbor wg5 { | |
interface { | |
v6only { | |
peer-group "BACKBONE" | |
remote-as "4242420668" | |
} | |
} | |
} | |
neighbor wg6 { | |
interface { | |
v6only { | |
peer-group "BACKBONE" | |
remote-as "4242420670" | |
} | |
} | |
} | |
neighbor wg7 { | |
interface { | |
v6only { | |
peer-group "BACKBONE" | |
remote-as "4242420670" | |
} | |
} | |
} | |
neighbor wg8 { | |
interface { | |
v6only { | |
peer-group "BACKBONE" | |
remote-as "4242420670" | |
} | |
} | |
} | |
neighbor wg9 { | |
interface { | |
v6only { | |
peer-group "BACKBONE" | |
remote-as "4242420670" | |
} | |
} | |
} | |
/* Best-path: confed sub-AS paths count toward length, ECMP across differing
   AS paths (multipath-relax). network-import-check refuses to announce a
   `network` that is not in the RIB. router-id is the IPv4 loopback. */
parameters { | |
bestpath { | |
as-path { | |
confed | |
multipath-relax | |
} | |
} | |
confederation { | |
identifier "4242420696" | |
peers "4242420668" | |
peers "4242420669" | |
peers "4242420670" | |
} | |
fast-convergence | |
graceful-restart | |
network-import-check | |
router-id "198.18.253.3" | |
} | |
/* BACKBONE: confederation-external peers; BGP-BACKBONE-IN / -OUT in both
   families, next-hop-self, BFD FAR, extended-nexthop so IPv4 NLRI can ride the
   IPv6-only session. No password, no maximum-prefix (see note above). */
peer-group BACKBONE { | |
address-family { | |
ipv4-unicast { | |
nexthop-self | |
route-map { | |
export "BGP-BACKBONE-OUT" | |
import "BGP-BACKBONE-IN" | |
} | |
soft-reconfiguration { | |
inbound | |
} | |
} | |
ipv6-unicast { | |
nexthop-self | |
route-map { | |
export "BGP-BACKBONE-OUT" | |
import "BGP-BACKBONE-IN" | |
} | |
soft-reconfiguration { | |
inbound | |
} | |
} | |
} | |
bfd { | |
profile "FAR" | |
} | |
capability { | |
extended-nexthop | |
} | |
} | |
/* CORE / COREv6: iBGP toward the core routers. This box originates a default
   to them while BGP-CORE-IN rules 40/50 also accept one back from them. */
peer-group CORE { | |
address-family { | |
ipv4-unicast { | |
default-originate | |
nexthop-self | |
route-map { | |
export "BGP-CORE-OUT" | |
import "BGP-CORE-IN" | |
} | |
soft-reconfiguration { | |
inbound | |
} | |
} | |
} | |
bfd { | |
profile "NEAR" | |
} | |
remote-as "4242420666" | |
} | |
peer-group COREv6 { | |
address-family { | |
ipv6-unicast { | |
default-originate | |
nexthop-self | |
route-map { | |
export "BGP-CORE-OUT" | |
import "BGP-CORE-IN" | |
} | |
soft-reconfiguration { | |
inbound | |
} | |
} | |
} | |
bfd { | |
profile "NEAR" | |
} | |
remote-as "4242420666" | |
} | |
system-as "4242420666" | |
} | |
/* Static routes. Defaults via 198.19.52.1 / 2001:db8:6ec:b000::1 (bond0.20
   holds 198.19.52.0/22). Bogon/private space is blackholed so that, absent a
   more-specific, such traffic is dropped instead of following the default:
   10/8 at distance 253 (so a BGP-learned 10/8 via BGP-SERVICES still wins),
   100.64/10, 169.254/16, 172.16/12, 198.18/15 and fc00::/7 at default
   distance. The /15 blackhole is also what makes the RTBH next-hop
   198.18.253.0 in BGP-BACKBONE-IN drop traffic. 192.0.2.224/28 is blackholed
   with 192.0.2.225/32 punched through to 198.18.253.2 (the other router).
   NOTE(review): 192.168.0.0/16 is the one RFC 1918 block missing from this
   list; unless it is deliberately routed somewhere, add
   `route 192.168.0.0/16 { blackhole }` for parity with 10/8 and 172.16/12. */
static { | |
route 0.0.0.0/0 { | |
next-hop 198.19.52.1 { | |
} | |
} | |
route 10.0.0.0/8 { | |
blackhole { | |
distance "253" | |
} | |
} | |
route 192.0.2.224/28 { | |
blackhole | |
} | |
route 192.0.2.225/32 { | |
next-hop 198.18.253.2 { | |
} | |
} | |
route 100.64.0.0/10 { | |
blackhole | |
} | |
route 198.19.52.0/22 { | |
interface bond0.20 { | |
} | |
} | |
route 169.254.0.0/16 { | |
blackhole | |
} | |
route 172.16.0.0/12 { | |
blackhole | |
} | |
route 198.18.0.0/15 { | |
blackhole | |
} | |
route6 2001:db8:3a01:2::/64 { | |
blackhole { | |
distance "253" | |
} | |
} | |
route6 2001:db8:2701:1ad::/64 { | |
blackhole { | |
distance "253" | |
} | |
} | |
route6 2001:db8:2701:1c9::/64 { | |
blackhole { | |
distance "253" | |
} | |
} | |
route6 ::/0 { | |
next-hop 2001:db8:6ec:b000::1 { | |
} | |
} | |
route6 fc00::/7 { | |
blackhole | |
} | |
/* Alternate tables consumed by the LAN_OUT / LAN_OUT-V6 policy routes. */
table 100 { | |
route6 ::/0 { | |
next-hop 2001:db8:1:fffe::6 { | |
} | |
next-hop 2001:db8:1:fffe::7 { | |
} | |
} | |
} | |
table 110 { | |
route 0.0.0.0/0 { | |
next-hop 198.18.253.12 { | |
} | |
} | |
route6 ::/0 { | |
next-hop 2001:db8:1:fffe::12 { | |
} | |
} | |
} | |
} | |
} | |
/* service: conntrack state sync, the HTTPS/GraphQL config API, LLDP, NTP,
   SNMP and SSH. Security-relevant observations are marked NOTE(review). */
service { | |
/* conntrackd state replication with the VRRP sync-group CR01.INT as the
   failover trigger, over bond0.110. NOTE(review): conntrackd's sync channel
   carries no authentication or encryption of its own, so this depends on
   bond0.110 being a link only the HA pair can reach - confirm that VLAN is not
   shared with user traffic (the firewall section is not in this chunk). */
conntrack-sync { | |
disable-external-cache | |
failover-mechanism { | |
vrrp { | |
sync-group "CR01.INT" | |
} | |
} | |
ignore-address "fe80::/10" | |
ignore-address "ff00::/8" | |
ignore-address "169.254.0.0/16" | |
ignore-address "224.0.0.0/4" | |
ignore-address "127.0.0.0/8" | |
interface bond0.110 { | |
} | |
sync-queue-size "10" | |
} | |
/* HTTPS API, exposed on the loopbacks and limited by allow-client to the
   partner router (198.18.253.2 / 2001:db8:1:fffe::2). NOTE(review): the API
   key grants full read/write of the running configuration; "Key123" is
   presumably a sanitization placeholder, but the real key must be long and
   random and rotated with the partner's CONFIG-SYNC settings. `introspection`
   lets any holder of a valid token dump the full GraphQL schema - fine for the
   peer router, but disable it if the listener is ever widened. The
   server-name is a real hostname that survived sanitization. */
https { | |
api { | |
graphql { | |
authentication { | |
type "token" | |
} | |
introspection | |
} | |
keys { | |
id CR01A-VYOS.INT { | |
key "Key123" | |
} | |
} | |
} | |
virtual-host CONFIG-SYNC { | |
allow-client { | |
address "198.18.253.2" | |
} | |
listen-address "198.18.253.3" | |
server-name "cr01b-vyos.int.rtr.trae32566.org" | |
} | |
virtual-host CONFIG-SYNC-V6 { | |
allow-client { | |
address "2001:db8:1:fffe::2" | |
} | |
listen-address "2001:db8:1:fffe::3" | |
server-name "cr01b-vyos.int.rtr.trae32566.org" | |
} | |
} | |
lldp | |
/* NTP client/server. NOTE(review): allow-client 0.0.0.0/0 and ::/0 with no
   listen-address makes this an open time server on every interface, including
   the WAN side (bond0.20 / 198.19.52.0/22), unless the firewall (not in this
   chunk) blocks UDP/123 inbound. Restrict allow-client to the internal ranges
   that actually sync from this router, or at least to 198.18.0.0/15 and the
   2001:db8:1::/48 space used elsewhere in this config. Upstream servers are
   reached without NTS; if this release supports it, enable it per server. */
ntp { | |
allow-client { | |
address "0.0.0.0/0" | |
address "::/0" | |
} | |
server ntp01.ac.trae32566.org { | |
prefer | |
} | |
server sec01-cs9.dal10.trae32566.org { | |
} | |
server sec01-cs9.int.trae32566.org { | |
} | |
} | |
/* SNMP on the loopbacks with a community (v1/v2c) ACL'd to six monitoring
   hosts, plus two trap targets. NOTE(review): community-string SNMP is
   unauthenticated and unencrypted - the community travels in the clear and the
   client list is the only control. Prefer an SNMPv3 `user` with auth and
   privacy for both polling and traps. The `contact` field still holds a real
   name and address after sanitization. FRR exposes bgpd/zebra MIBs via
   system frr snmp, so this endpoint reveals the full BGP topology. */
snmp { | |
community REDACTED { | |
client "198.18.15.12" | |
client "198.18.31.5" | |
client "198.18.63.5" | |
client "2001:db8:1:64::12" | |
client "2001:db8:1:150b::5" | |
client "2001:db8:1:23e3::5" | |
} | |
contact "Trae Santiago <[email protected]>" | |
listen-address 198.18.253.3 { | |
} | |
listen-address 2001:db8:1:fffe::3 { | |
} | |
location "A LAND FAR FAR AWAY" | |
trap-target 198.18.255.4 { | |
community "REDACTED" | |
} | |
trap-target 2001:db8:1:ffff::4 { | |
community "REDACTED" | |
} | |
} | |
/* SSH bound to the loopbacks only (good). `disable-host-validation` turns
   off reverse-DNS lookup of clients (sshd UseDNS), not host-key checking.
   NOTE(review): `disable-password-authentication` is absent, so password
   logins are accepted - which matters because the local `vyos` account under
   system login still carries a password. Add it and rely on keys plus RADIUS. */
ssh { | |
disable-host-validation | |
listen-address "198.18.253.3" | |
listen-address "2001:db8:1:fffe::3" | |
} | |
} | |
/* system: config archiving, conntrack tuning, console, DNS, FRR SNMP, kernel
   routing policy, authentication, sysctls, syslog. Security-relevant items are
   marked NOTE(review). */
system { | |
/* Every commit is pushed to an SFTP host. NOTE(review): the credentials are
   embedded in the URL and therefore stored in cleartext in config.boot - and
   because the archived file is this very config, the SFTP password is copied
   into every archived revision as well. Use key-based SFTP (a `sftp://user@host`
   URL with the router's SSH key authorised on the archive host) and drop the
   password from the location. 10000 retained revisions is generous for a
   device with a 77 KB config; lower it if disk on the router is a concern. */
config-management { | |
commit-archive { | |
location "sftp://SOMEUSER:[email protected]/int/cr01b-vyos" | |
source-address "198.18.253.3" | |
} | |
commit-revisions "10000" | |
} | |
/* Conntrack sizing/timeouts for a stateful core router; flow-accounting on.
   The 1M-entry table is the ceiling for the state conntrack-sync replicates. */
conntrack { | |
flow-accounting | |
table-size "1000000" | |
timeout { | |
icmp "10" | |
other "60" | |
tcp { | |
close-wait "20" | |
established "3600" | |
fin-wait "30" | |
syn-recv "30" | |
syn-sent "60" | |
} | |
udp { | |
stream "60" | |
} | |
} | |
} | |
console { | |
device ttyS0 { | |
speed "115200" | |
} | |
} | |
domain-name "int.trae32566.org" | |
domain-search { | |
domain "int.trae32566.org" | |
domain "rtr.trae32566.org" | |
domain "trae32566.org" | |
} | |
/* Exposes the bgpd and zebra MIBs through the SNMP service above. */
frr { | |
snmp { | |
bgpd | |
zebra | |
} | |
} | |
host-name "cr01b-vyos" | |
/* L4-hashed ECMP; BGP and static routes pass through the DEFAULT-ZEBRA-IN
   maps on their way into the kernel to set the preferred source address. */
ip { | |
multipath { | |
layer4-hashing | |
} | |
protocol bgp { | |
route-map "DEFAULT-ZEBRA-IN" | |
} | |
protocol static { | |
route-map "DEFAULT-ZEBRA-IN" | |
} | |
} | |
ipv6 { | |
multipath { | |
layer4-hashing | |
} | |
protocol bgp { | |
route-map "DEFAULT-ZEBRA-IN-V6" | |
} | |
protocol static { | |
route-map "DEFAULT-ZEBRA-IN-V6" | |
} | |
} | |
/* Authentication: RADIUS against three servers (198.18.255.2 preferred via
   priority 10), sourced from the loopback, with a local fallback account.
   NOTE(review): the same shared secret is configured for all three servers and
   is stored in cleartext here; use a distinct, long secret per server and keep
   this file out of shared repositories. RADIUS itself only HMACs the
   Access-Request, so confirm the path to these servers stays inside the
   198.18 management ranges.
   NOTE(review): user `vyos` with `plaintext-password "vyos"` is the VyOS
   default credential. VyOS normally hashes a plaintext-password on commit, so
   this may be a sanitizer placeholder rather than the live value - but if it
   is live, anyone who reaches the SSH listener (password auth is not disabled
   under service ssh) or the console has full admin. Set a unique strong
   password (it will be stored as encrypted-password), or better, give this
   account an `public-keys` entry only, and treat it strictly as the
   break-glass account for when all three RADIUS servers are unreachable. */
login { | |
radius { | |
server 198.18.15.11 { | |
key "someKey123!" | |
} | |
server 198.18.31.4 { | |
key "someKey123!" | |
} | |
server 198.18.255.2 { | |
key "someKey123!" | |
priority "10" | |
} | |
source-address "198.18.253.3" | |
} | |
user vyos { | |
authentication { | |
plaintext-password "vyos" | |
} | |
} | |
} | |
name-server "2001:db8:1:ffff::1" | |
name-server "198.18.255.1" | |
name-server "2001:db8:1:64::10" | |
name-server "198.18.15.10" | |
name-server "2001:db8:1:150b::3" | |
name-server "198.18.31.3" | |
/* Ctrl-Alt-Del on the console reboots the box and a kernel panic auto-reboots;
   acceptable for an HA pair, but note the first one lets anyone with serial
   access force a reboot without credentials. */
option { | |
ctrl-alt-delete "reboot" | |
performance "latency" | |
reboot-on-panic | |
time-format "24-hour" | |
} | |
sysctl { | |
parameter net.core.rmem_default { | |
value "1703936" | |
} | |
parameter net.core.rmem_max { | |
value "8388608" | |
} | |
parameter net.ipv4.fib_multipath_use_neigh { | |
value "1" | |
} | |
} | |
/* Local log level info (local7 at debug) and everything shipped to
   log01.ac.trae32566.org. The transport is not specified here; if that is
   plain UDP syslog, BGP/auth events cross the network unauthenticated -
   verify and prefer TLS syslog where the release supports it. */
syslog { | |
global { | |
facility all { | |
level "info" | |
} | |
facility local7 { | |
level "debug" | |
} | |
preserve-fqdn | |
} | |
host log01.ac.trae32566.org { | |
facility all { | |
level "all" | |
} | |
} | |
} | |
time-zone "US/Central" | |
} | |
// Warning: Do not remove the following line. | |
// vyos-config-version: "bgp@4:broadcast-relay@1:cluster@2:config-management@1:conntrack@4:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@7:dhcpv6-server@2:dns-dynamic@3:dns-forwarding@4:firewall@13:flow-accounting@1:https@5:ids@1:interfaces@32:ipoe-server@2:ipsec@12:isis@3:l2tp@5:lldp@1:mdns@1:monitoring@1:nat@7:nat66@2:ntp@3:openconnect@2:openvpn@1:ospf@2:pim@1:policy@7:pppoe-server@7:pptp@3:qos@2:quagga@11:rip@1:rpki@1:salt@1:snmp@3:ssh@2:sstp@5:system@26:vrf@3:vrrp@4:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2" | |
// Release version: 1.5-rolling-202312130023 |