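version "5.7I0 [builder]";
/* Review notes - changes made to the configuration as received:
 *  - chassis: "source-route" replaced by "no-source-route" (the router
 *    no longer honors IP loose/strict source-route options).
 *  - policy-statement peer-import: a default route announced by a peer
 *    (0.0.0.0/0) is now rejected explicitly; it was not caught before.
 *  - filter router6-protect: the final term now discards silently instead
 *    of generating ICMPv6 unreachables.
 *  - The unterminated comment at the end of [system login] is closed.
 * Bracketed tokens such as [our_netblock] are template placeholders and the
 * "..." markers stand for elided lines; several prefix-lists referenced below
 * (loopback-addresses, loopback-nets, local-lan-addresses, sap-nets,
 * mren-msdp-peer-address) are presumably defined in the elided part of
 * policy-options - verify before loading. Everything else is unchanged. */
groups {
    /* Per-neighbor prefix limits, attached with apply-groups. "teardown 90"
     * logs a warning at 90% of maximum and tears the session down when the
     * maximum is exceeded; the session is retried after idle-timeout
     * (minutes). A runaway peer cannot fill the RIB with a full table. */
    bgp-prefix-limit-small {
        protocols {
            bgp {
                group <*> {
                    neighbor <*> {
                        family inet {
                            any {
                                prefix-limit {
                                    maximum 100;
                                    teardown 90 idle-timeout 30;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    /* ... (bgp-prefix-limit-medium / -large / -xlarge, referenced below,
     * are among the elided groups) */
    bgp-prefix-limit-transit {
        protocols {
            bgp {
                group <*> {
                    neighbor <*> {
                        family inet {
                            any {
                                prefix-limit {
                                    maximum 150000;
                                    teardown 90 idle-timeout 30;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    /* Shaping and scheduler map shared by every PVC on the exchange OC3c */
    exchange-pvcs {
        interfaces {
            at-0/1/0 {
                unit <*> {
                    shaping {
                        vbr peak 135600000 sustained 135600000 burst 4k;
                    }
                    atm-scheduler-map egress;
                }
            }
        }
    }
}
system {
    host-name rtr-int;
    domain-name example.com;
    backup-router [backup_rtr_ipaddr] destination [our_netblock];
    time-zone [timezone];
    /* Never originate ICMP redirects from the Routing Engine */
    no-redirects;
    dump-on-panic;
    location {
        country-code [country_code];
        postal-code [zip_code];
        npa-nxx [npa_nxx];
    }
    /* The craft/diagnostic serial port gets its own password, so physical
     * console access does not bypass authentication */
    diag-port-authentication {
        encrypted-password "#REMOVED#";
    }
    root-authentication {
        encrypted-password "#REMOVED#";
    }
    name-server {
        [dns1_ipaddr];
        [dns2_ipaddr];
        [dns3_ipaddr];
    }
    login {
        message "Unauthorized Access Prohibited!";
        class admin {
            idle-timeout 15;
            permissions all;
        }
        /* NOTE(review): despite the class name, the "configure" permission
         * lets members enter configuration mode. Without any *-control
         * permission they still cannot change or commit anything, but if
         * this class is meant for show-command access only, drop
         * "configure" from the list. */
        class view-only {
            idle-timeout 10;
            permissions [ configure interface network routing snmp system trace view firewall ];
        }
        user user1 {
            full-name "User 1";
            uid 200;
            class admin;
            authentication {
                encrypted-password "#REMOVED#";
            }
        }
        inactive: user user2 {
            full-name "User 2";
            uid 103;
            class admin;
            authentication {
                encrypted-password "#REMOVED#";
            }
        }
        /* Vendor support account. Keep it "inactive:" (and consider also
         * deactivating the jtac-hosts exception in filter router-protect)
         * except for the duration of an open support case; it carries the
         * full admin class. */
        inactive: user jtac {
            full-name "Juniper TAC support engineer";
            uid 3000;
            class admin;
            authentication {
                encrypted-password "#REMOVED#";
            }
        }
        /* ...
         */
    }
    /* SSH is the only management service enabled: no telnet, no web UI.
     * root-login deny forces a named account first; v2 only; connection and
     * rate limits bound brute-force attempts (router-protect additionally
     * restricts SSH by source address). */
    services {
        ssh {
            root-login deny;
            protocol-version v2;
            connection-limit 5;
            rate-limit 10;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        /* NOTE(review): the remote collector receives "any any" but no
         * interactive-commands facility, so operator commands are not in
         * the off-box audit trail. Consider adding
         * "interactive-commands any;" here (and to file messages) so that
         * configuration changes and CLI activity survive a compromise of
         * the router itself. */
        host [syslog_host] {
            any any;
            facility-override [facility];
        }
        file messages {
            any notice;
            authorization info;
        }
    }
    /* NOTE(review): NTP is unauthenticated. The lo0 filter (router-protect,
     * term protect-ntp) only admits the listed servers by source address,
     * which is spoofable for UDP; if the servers support it, add
     * authentication-key / trusted-key and "key" on each server line. */
    ntp {
        /* [ntp1_host] */
        boot-server [ntp1_ipaddr];
        /* [ntp1_host] */
        server [ntp1_ipaddr] prefer;
        /* [ntp2_host] */
        server [ntp2_ipaddr];
    }
}
chassis {
    /* Was "source-route", which makes the router honor IP loose/strict
     * source-route options. Source-routed packets can be steered around
     * the path the ingress filters assume, so an Internet-facing router
     * should drop them. */
    no-source-route;
    dump-on-panic;
}
interfaces {
    ge-0/0/0 {
        description "1000BASE-SX to internal";
        no-traps;
        link-mode full-duplex;
        /* Do not answer or send gratuitous ARP on the LAN side */
        no-gratuitous-arp-reply;
        no-gratuitous-arp-request;
        gigether-options {
            no-flow-control;
        }
        unit 0 {
            family inet {
                no-redirects;
                /* Anti-spoofing / egress policy for traffic from the LAN */
                filter {
                    input lan-ingress;
                }
                address [ge0/0/0.0_ipaddr+mask];
            }
        }
    }
    at-0/1/0 {
        apply-groups exchange-pvcs;
        description "OC3c to exchange (Our VPI/VCI: [vpi].[vci])";
        no-traps;
        encapsulation atm-pvc;
        atm-options {
            vpi 0;
            vpi 1;
            vpi 2;
            vpi 3;
            vpi 4;
            vpi 5;
            vpi 6;
            ilmi;
            linear-red-profiles {
                red-queue queue-depth 1k high-plp-threshold 10 low-plp-threshold 90;
            }
            scheduler-maps {
                egress {
                    forwarding-class assured-forwarding {
                        linear-red-profile red-queue;
                    }
                    forwarding-class best-effort {
                        linear-red-profile red-queue;
                    }
                    forwarding-class expedited-forwarding {
                        linear-red-profile red-queue;
                    }
                    forwarding-class network-control {
                        linear-red-profile red-queue;
                    }
                }
            }
        }
        /* NOTE(review): this (inactive) unit writes the VCI as
         * [vci].[vpi] while every other unit uses [vpi].[vci]; check the
         * order before activating it. */
        inactive: unit [unit_id] {
            description "Exchange test box";
            encapsulation atm-snap;
            vci [vci].[vpi];
            family inet {
                no-redirects;
                filter {
                    input standard-peer-ingress;
                }
                address [our_exchange_pub_ipaddr]/32 {
                    destination [remote_peer_ipaddr];
                }
            }
        }
        /* Every exchange PVC is a point-to-point /32 with the shared
         * standard-peer-ingress filter on input */
        unit [unit_id] {
            description "[peer]";
            encapsulation atm-snap;
            vci [vpi].[vci];
            family inet {
                no-redirects;
                filter {
                    input standard-peer-ingress;
                }
                address [our_exchange_pub_ipaddr]/32 {
                    destination [remote_peer_ipaddr];
                }
            }
        }
        unit [unit_id] {
            description [peer];
            encapsulation atm-snap;
            vci [vpi].[vci];
            family inet {
                no-redirects;
                filter {
                    input standard-peer-ingress;
                }
                address [a_private_peer_ipaddr]/32 {
                    destination [remote_peer_ipaddr];
                }
            }
        }
        /* Research upstream: dual-stack PVC with its own ingress filter.
         * NOTE(review): family inet6 has no input filter here, so IPv6
         * arriving from this peer is only checked by router6-protect (lo0,
         * RE-bound traffic), never as transit. */
        unit [unit] {
            description [peer];
            encapsulation atm-snap;
            vci [vpi].[vci];
            family inet {
                no-redirects;
                filter {
                    input [research_upstream_ingress];
                }
                address [our_research_ipv4addr] {
                    destination [peer_research_ipv4addr];
                }
            }
            family inet6 {
                address [our_research_ipv6addr] {
                    destination [peer_research_ipv6addr];
                }
            }
        }
    }
    at-0/1/1 {
        disable;
    }
    /* IPv6 Tunnels.
     * NOTE(review): neither tunnel unit carries a family inet6 input filter
     * (and ge-0/0/0.0 has no family inet6 at all), so IPv6 entering from the
     * lab tunnels is not filtered as transit traffic. */
    ip-0/2/0 {
        /* Lab IPv6 Tunnel */
        unit 0 {
            tunnel {
                source [lo0_ipaddr];
                destination [lab1_tunnel_dstipaddr];
            }
            family inet6 {
                mtu 1514;
                address [local2lab1_ipv6addr];
            }
        }
        unit 1 {
            tunnel {
                source [lo0_ipaddr];
                destination [lab2_tunnel_dstipaddr];
            }
            family inet6 {
                mtu 1514;
                address [local2lab2_ipv6addr];
            }
        }
    }
    /* Out-of-band management port is not in use; keep it disabled so it
     * cannot become an unfiltered path to the RE */
    fxp0 {
        disable;
    }
    lo0 {
        description "Internet router";
        no-traps;
        unit 0 {
            /* Filters on lo0 apply to all traffic destined to the Routing
             * Engine itself, whichever interface it arrived on */
            family inet {
                no-redirects;
                filter {
                    input router-protect;
                }
                address 127.0.0.1/32;
                address [lo0_ipaddr]/32 {
                    primary;
                }
            }
            family inet6 {
                filter {
                    input router6-protect;
                }
            }
        }
    }
}
forwarding-options {
    /* 1-in-96 packet sampling; the "sample" actions in the firewall
     * filters below feed this exporter */
    sampling {
        input {
            family inet {
                rate 96;
            }
        }
        output {
            /* flow collector */
            cflowd [flowd_ipaddr] {
                port [dport];
                version 5;
            }
        }
    }
}
/* NOTE(review): SNMPv1/v2c - the community string travels in clear text.
 * Exposure is limited by the read-only authorization, the deny-by-default
 * clients list, the "interface ge-0/0/0.0" restriction, and by term
 * protect-snmp in filter router-protect, which drops UDP/161 from any
 * source not in [snmp-managers]. Keep the two manager lists in sync. */
snmp {
    description "Internet router";
    location "voice/data center";
    contact [contact];
    interface ge-0/0/0.0;
    community [community_ro] {
        authorization read-only;
        clients {
            /* Deny All by Default */
            0.0.0.0/0 restrict;
            /* SNMP manager */
            [snmp_manager_ipaddr];
            /* ... */
        }
    }
}
routing-options {
    /* NOTE(review): rpd syslog at debug level is very verbose on a router
     * with several full-table sessions; it is sent to [syslog_host] via
     * "any any". Lower it (e.g. to notice) once debugging is finished so
     * security-relevant messages are not buried. */
    options {
        syslog {
            level debug;
        }
    }
    interface-routes {
        rib-group {
            inet if-rib;
            inet6 if6-rib;
        }
    }
    /* Multicast source RIB (RPF) */
    rib inet.2 {
        static {
            /* default upstream */
            route 0.0.0.0/0 next-hop [inet.2_default_nexthop];
            route [our_netblock] discard;
            route [our_netblock] discard;
        }
    }
    rib inet6.0 {
        aggregate {
            route [our_ipv6_netblock];
        }
    }
    /* Discard routes for our own aggregates: they are what peer-export
     * announces, and they swallow traffic for unassigned space instead of
     * following the default */
    static {
        route [our_netblock] discard;
        route [our_netblock] discard;
        /* default upstream provider*/
        route 0.0.0.0/0 next-hop [default_upstream_nexthop];
    }
    /* NOTE(review): bogon lists are a snapshot of the IANA registry at the
     * time of writing; 1.0.0.0/8, for example, has since been allocated.
     * Review this list and prefix-list martians against the current IANA
     * ipv4-address-space registry before reuse. */
    martians {
        0.0.0.0/8 orlonger;
        1.0.0.0/8 orlonger;
        /* ...
         */
        240.0.0.0/4 orlonger;
    }
    rib-groups {
        if-rib {
            import-rib [ inet.0 inet.2 ];
        }
        mcast-rib {
            export-rib inet.2;
            import-rib inet.2;
        }
        if6-rib {
            import-rib [ inet6.0 inet6.2 ];
        }
    }
    autonomous-system [our_asn];
    /* Multicast boundary filters */
    multicast {
        scope ntp {
            prefix 224.0.1.1/32;
            interface all;
        }
        /* ... */
        scope reserved-238 {
            prefix 238.0.0.0/8;
            interface all;
        }
        /* Local groups are active internally */
        inactive: scope admin-scoped {
            prefix 239.0.0.0/8;
            interface all;
        }
    }
}
protocols {
    igmp {
        interface ge-0/0/0.0 {
            version 2;
        }
    }
    sap;
    bgp {
        local-address [our_exchange_pub_ipaddr];
        log-updown;
        damping;
        /* Group-level defaults: martian/bogon rejection, a 1000-prefix
         * ceiling per family, our aggregates only on export, and private
         * AS numbers stripped. Neighbors override the ceiling with the
         * bgp-prefix-limit-* groups. */
        import [ peer-import damping ];
        family inet {
            any {
                prefix-limit {
                    maximum 1000;
                    teardown 90 idle-timeout 30;
                }
            }
        }
        family inet6 {
            any {
                prefix-limit {
                    maximum 1000;
                    teardown 90 idle-timeout 30;
                }
            }
        }
        export peer-export;
        remove-private;
        local-as [our_asn];
        /* Every external session carries a TCP MD5 authentication-key;
         * router-protect additionally drops TCP/179 from non-peer sources */
        group aads-peer {
            type external;
            description "Exchange peers";
            neighbor [backup_transit_ipaddr] {
                apply-groups bgp-prefix-limit-transit;
                description "[backup_transit provider]";
                authentication-key "#REMOVED#";
                peer-as [peer_asn];
            }
            neighbor [peer_ipaddr] {
                apply-groups bgp-prefix-limit-small;
                description [peer];
                authentication-key "#REMOVED#";
                peer-as [peer_asn];
            }
            neighbor [peer_ipaddr] {
                apply-groups bgp-prefix-limit-medium;
                description [peer];
                authentication-key "#REMOVED#";
                peer-as [peer_asn];
            }
            neighbor [peer_ipaddr] {
                apply-groups bgp-prefix-limit-large;
                description [peer];
                authentication-key "#REMOVED#";
                peer-as [peer_asn];
            }
            neighbor [peer_research_ipv4addr] {
                apply-groups bgp-prefix-limit-xlarge;
                description "[peer]";
                local-address [private_peer_localaddr];
                import [ i2-localpref peer-import damping ];
                family inet {
                    any;
                }
                authentication-key "#REMOVED#";
                peer-as [peer_asn];
            }
            neighbor [default_upstream_nexthop] {
                apply-groups bgp-prefix-limit-transit;
                description "[upstream] primary transit";
                local-address [private_peer_localaddr];
                authentication-key "#REMOVED#";
                peer-as [peer_asn];
            }
            /* ...
             */
        }
        /* Route-analysis feed: nothing is accepted from the partner (denyall
         * import), the partner gets our aggregates plus the full BGP table
         * via the neighbor-level export override */
        group research {
            type external;
            description "Research BGP sessions - disable if necessary";
            local-address [lo0_ipaddr];
            import [ denyall-bgp damping ];
            export denyall-bgp;
            /* [research partner] */
            neighbor [peer_ipaddr] {
                description "BGP routing analysis";
                multihop;
                advertise-inactive;
                authentication-key "#REMOVED#";
                export [research_partner_bgp_export];
                peer-as [peer_asn];
            }
        }
        group ipv6 {
            type external;
            import peer6-import;
            family inet6 {
                any;
            }
            export peer6-export;
            neighbor [peer_research_ipv6addr] {
                description "[research upstream]";
                local-address [our_ipv6addr];
                family inet6 {
                    any {
                        prefix-limit {
                            maximum 10000;
                            teardown 90 idle-timeout 30;
                        }
                    }
                }
                authentication-key "#REMOVED#";
                peer-as [peer_asn];
            }
        }
    }
    /* SA messages are filtered in both directions for reserved groups,
     * martian sources and the SSM range (which must never appear in MSDP) */
    msdp {
        rib-group mcast-rib;
        export [ pim-join-filter no-ssm ];
        import [ pim-join-filter no-ssm ];
        local-address [lo0_ipaddr];
        group exchange-peer {
            local-address [lo0_ipaddr];
            /* [research upstream] */
            peer [inet.2_default_nexthop];
            /* [research_partner2] */
            inactive: peer [peer_ipaddr];
        }
    }
    ospf {
        rib-group if-rib;
        /* Only the static default is redistributed (see stat-to-ospf) */
        export stat-to-ospf;
        reference-bandwidth 10g;
        area 0.0.0.0 {
            /* MD5 adjacency authentication on the only OSPF interface;
             * router-protect also drops OSPF from outside [our_nets] */
            authentication-type md5;
            interface ge-0/0/0.0 {
                authentication-key "#REMOVED#" key-id 1;
            }
        }
    }
    /* NOTE(review): "interface all" enables sparse-mode PIM on every
     * interface, the exchange PVCs included, and "import pim-join-filter"
     * is inactive, so join filtering for PIM itself relies on the ingress
     * firewall filters and the MSDP policies. Bootstrap (BSR) messages are
     * rejected in both directions; this router is the RP for inet. */
    pim {
        rib-group inet mcast-rib;
        inactive: import pim-join-filter;
        rp {
            bootstrap-import no-bsr;
            bootstrap-export no-bsr;
            local {
                family inet {
                    address [lo0_ipaddr];
                }
            }
        }
        interface all {
            mode sparse;
            version 2;
        }
    }
}
policy-options {
    /* Reserved per http://www.iana.org/assignments/ipv4-address-space */
    prefix-list martians {
        0.0.0.0/8;
        1.0.0.0/8;
        /* ... */
        /* Class E */
        240.0.0.0/4;
    }
    /* See ftp://rs.internic.net/domain/named.root */
    prefix-list root-servers.net {
        128.8.0.0/16;
        128.9.0.0/16;
        /* ... */
    }
    /* [MGMT subnets] */
    prefix-list [mgmt-nets] {
        /* [mgmtnet1] */
        [mgmtnet1_netblock];
        /* [mgmtnet2] */
        [mgmtnet2_netblock];
        /* ...
         */
    }
    /* Juniper TAC customer support hosts for remote assistance.
     * NOTE(review): these addresses are permanently exempt from the SSH
     * source restriction in router-protect; verify they are still the
     * vendor's current support hosts, and consider deactivating the
     * exemption when no support case is open (the jtac login is inactive). */
    prefix-list jtac-hosts {
        /* JTAC Utah */
        63.115.83.162/32;
        /* JTAC Virginia */
        63.115.198.4/32;
        /* ... */
    }
    /* All hosts on all nets */
    prefix-list all-hosts {
        0.0.0.0/0;
    }
    /* SNMP manager hosts */
    prefix-list [snmp-managers] {
        /* SNMP manager */
        [snmp_manager_ipaddr];
        /* ... */
    }
    /* NTP servers */
    prefix-list [ntp-servers] {
        /* NTP server */
        [ntp1_ipaddr];
        /* NTP server */
        [ntp2_ipaddr];
    }
    /* our assigned prefixes */
    prefix-list [our_nets] {
        /* SWIP'd to us from upstream */
        [our_netblock];
        /* our_netblock */
        [our_netblock];
    }
    /* Exchange netblock(s).
     * NOTE(review): the firewall filters reference this list as
     * "[exchanges_nets]" (terms restrict-bgp and protect-bgp) while it is
     * defined here as "[exchange_nets]"; an undefined prefix-list name
     * fails at commit, so make sure the template expands both to the same
     * name. */
    prefix-list [exchange_nets] {
        [exchange_netblock];
    }
    /* IP multicast netblocks */
    prefix-list multicast-nets {
        224.0.0.0/4;
    }
    /* our exchange address */
    prefix-list [our_exchange_ipaddr] {
        [our_exchange_pub_ipaddr]/32;
    }
    prefix-list interdomain-mcast-martians {
        224.0.1.1/32;
        /* ... */
    }
    /* Research peering */
    prefix-list [research_exchange_address] {
        [peer_research_ipv4addr]/32;
    }
    /* upstream transit */
    prefix-list [upstream-exchange-address] {
        [default_upstream_nexthop]/32;
    }
    /* ... */
    /* Announce only our own aggregates (the static discard routes), with
     * ourselves as next hop; everything else is withheld */
    policy-statement peer-export {
        term [us] {
            from {
                protocol static;
                route-filter [our_netblock] exact;
                route-filter [our_netblock] exact;
            }
            then {
                next-hop self;
                accept;
            }
        }
        term Any {
            then reject;
        }
    }
    policy-statement peer-import {
        /* Reject: routes that we are not willing to accept */
        term reject-routes {
            from {
                /* A default route from a peer. Added: the "/8 orlonger"
                 * entries never match a /0, and accept-prefixes
                 * ("0.0.0.0/0 upto /27") would otherwise let it in. */
                route-filter 0.0.0.0/0 exact;
                /* Special use */
                route-filter 0.0.0.0/8 orlonger;
                /* RFC 1918 */
                route-filter 10.0.0.0/8 orlonger;
                /* ...
                 * NOTE(review): confirm the elided entries also cover
                 * [our_netblock] (a peer must not be able to announce our
                 * own space back to us). */
            }
            then reject;
        }
        /* NOTE(review): /25-/27 is more specific than most exchange import
         * policies allow (/24 is the usual limit); keep only if peers really
         * need it, since it widens the surface for more-specific hijacks. */
        term accept-prefixes {
            from {
                route-filter 0.0.0.0/0 upto /27 accept;
            }
            then accept;
        }
        term reject-small-prefixes {
            then reject;
        }
    }
    /* Flap damping graded by prefix length; root-server networks are never
     * damped. "next policy" hands the route on to the following import
     * policy in the chain. */
    policy-statement damping {
        term no-penalty {
            from {
                prefix-list root-servers.net;
            }
            then {
                damping damp-none;
                next policy;
            }
        }
        term low-penalty {
            from {
                route-filter 0.0.0.0/0 upto /21;
            }
            then {
                damping damp-short;
                next policy;
            }
        }
        term medium-penalty {
            from {
                route-filter 0.0.0.0/22 upto /23;
            }
            then {
                damping damp-medium;
                next policy;
            }
        }
        term high-penalty {
            from {
                route-filter 0.0.0.0/24 orlonger;
            }
            then {
                damping damp-long;
                next policy;
            }
        }
    }
    policy-statement stat-to-ospf {
        term advertise-default {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term deny-all {
            then reject;
        }
    }
    policy-statement denyall-bgp {
        term deny-all {
            from {
                route-filter 0.0.0.0/0 orlonger;
            }
            then reject;
        }
    }
    /* Research partner export: our aggregates plus the entire BGP table
     * (for analysis only; the partner's import side is denyall-bgp) */
    policy-statement [research_partner_bgp_export] {
        term [us] {
            from {
                protocol static;
                route-filter [our_netblock] exact;
                route-filter [our_netblock] exact;
            }
            then accept;
        }
        term full-routes {
            from {
                protocol bgp;
                route-filter 0.0.0.0/0 orlonger;
            }
            then accept;
        }
    }
    /* Filter PIM join messages */
    policy-statement pim-join-filter {
        term bad-groups {
            from {
                /* Network Time Protocol (NTP) */
                route-filter 224.0.1.1/32 exact;
                /* ... */
            }
            then reject;
        }
        term bad-sources {
            /* Reserved, private, loopback, martian and multicast addresses */
            from {
                source-address-filter 0.0.0.0/8 orlonger;
                /* ...
                 */
            }
            then reject;
        }
        /* Accept all unfiltered MSDP SA messages by default */
        term default {
            then accept;
        }
    }
    /* Disable all PIM bootstrap router (BSR) messages */
    policy-statement no-bsr {
        then reject;
    }
    /* Reject all Single Source Multicast */
    policy-statement no-ssm {
        term ssm {
            from {
                route-filter 232.0.0.0/8 orlonger;
            }
            then reject;
        }
    }
    policy-statement peer6-export {
        term accept-aggregate {
            from {
                route-filter [our_ipv6_netblock] exact;
            }
            then accept;
        }
        term reject {
            then reject;
        }
    }
    /* Raise local-preference on research-peer routes whose AS path has
     * three or more hops (see as-path 3-or-more below) */
    policy-statement i2-localpref {
        from as-path 3-or-more;
        then {
            local-preference add 100;
        }
    }
    /* IPv6 route import policy.
     * NOTE(review): 3ffe::/16 (6bone) was phased out and returned to IANA
     * (RFC 3701); it should no longer be accepted. The 2001::/16 line
     * predates the later RIR allocations (2003::, 2400::, 2600::, ...), so
     * this list needs refreshing against current IANA IPv6 unicast
     * assignments before reuse. */
    policy-statement peer6-import {
        term accept-routes {
            from {
                /* RIRs */
                route-filter 2001::/16 prefix-length-range /24-/48;
                /* 6to4 */
                route-filter 2002::/16 prefix-length-range /24-/48;
                /* 6bone */
                route-filter 3ffe::/16 prefix-length-range /24-/48;
            }
            then accept;
        }
        term reject-routes {
            then reject;
        }
    }
    /* Three or more AS numbers in the path */
    as-path 3-or-more ....*;
    damping damp-none {
        disable;
    }
    damping damp-short {
        half-life 10;
        reuse 1500;
        suppress 3000;
        max-suppress 30;
    }
    damping damp-medium {
        half-life 15;
        reuse 750;
        suppress 3000;
        max-suppress 45;
    }
    damping damp-long {
        half-life 30;
        reuse 750;
        suppress 3000;
        max-suppress 60;
    }
}
firewall {
    /* Rate limiters used by the ingress filters; all but the PLP policer
     * drop out-of-profile traffic outright */
    policer 1Mbps {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 100k;
        }
        then discard;
    }
    policer 2Mbps {
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 200k;
        }
        then discard;
    }
    policer 5Mbps {
        if-exceeding {
            bandwidth-limit 5m;
            burst-size-limit 500k;
        }
        then discard;
    }
    policer 10Mbps {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 1m;
        }
        then discard;
    }
    /* Marks rather than drops: out-of-profile packets get high loss
     * priority so the RED profiles on the ATM PVCs discard them first */
    policer 1Mbps-plp-threshold {
        filter-specific;
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 50k;
        }
        then loss-priority high;
    }
    policer 15Mbps {
        if-exceeding {
            bandwidth-limit 15m;
            burst-size-limit 1500000;
        }
        then discard;
    }
    family inet {
        /* Per-source (/32) policing within each /24 of the heavy-user nets */
        prefix-action [psa-limit-heavy-users] {
            policer 1Mbps;
            count;
            filter-specific;
            subnet-prefix-length 24;
            source-prefix-length 32;
        }
        /* Per-source (/32) PLP marking across our whole /16 */
        prefix-action [our_plp_threshold] {
            policer 1Mbps-plp-threshold;
            count;
            filter-specific;
            subnet-prefix-length 16;
            source-prefix-length 32;
        }
        /* Ingress from exchange peers. Order matters: bogon/spoof, ICMP
         * redirect, OSPF and unauthorized-BGP drops first; then counting and
         * policing terms that fall through with "next term"; then explicit
         * accepts for traffic to our nets and for multicast; everything
         * else is discarded and counted. */
        filter standard-peer-ingress {
            interface-specific;
            /* Drop packets claiming to come from our own space, bogons or
             * multicast sources */
            term no-bogons {
                from {
                    source-prefix-list {
                        [our_nets];
                        martians;
                        multicast-nets;
                    }
                }
                then {
                    count bogons;
                    sample;
                    discard;
                }
            }
            term no-icmp-redirects {
                from {
                    protocol icmp;
                    icmp-type redirect;
                }
                then {
                    count icmp-redirects;
                    sample;
                    discard;
                }
            }
            term no-ospf {
                from {
                    protocol ospf;
                }
                then {
                    count ospf;
                    sample;
                    discard;
                }
            }
            /* BGP toward our exchange address is only allowed from exchange
             * and upstream sources (the "except" entries) */
            term restrict-bgp {
                from {
                    source-prefix-list {
                        all-hosts;
                        [exchanges_nets] except;
                        [upstream-exchange-address] except;
                        /* ... */
                    }
                    destination-prefix-list {
                        [our_exchange_ipaddr];
                        /* ... */
                    }
                    protocol tcp;
                    port bgp;
                }
                then {
                    count unauthorized-bgp;
                    sample;
                    discard;
                }
            }
            /* Counting only: any segment with SYN set (SYN-ACK included) */
            term detect-syn-attack {
                from {
                    protocol tcp;
                    tcp-flags syn;
                }
                then {
                    count tcp-syn-segments;
                    sample;
                    next term;
                }
            }
            term count-tcp-segments {
                from {
                    protocol tcp;
                }
                then {
                    count tcp-segments;
                    sample;
                    next term;
                }
            }
            term limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer 2Mbps;
                    count icmp;
                    sample;
                    next term;
                }
            }
            term limit-multicast {
                from {
                    destination-prefix-list {
                        multicast-nets;
                        interdomain-mcast-martians except;
                    }
                }
                then {
                    policer 5Mbps;
                    count multicast;
                    sample;
                    next term;
                }
            }
            term limit-unicast-udp {
                from {
                    destination-prefix-list {
                        [our_nets];
                    }
                    protocol udp;
                }
                then {
                    policer 15Mbps;
                    count unicast-udp;
                    sample;
                    next term;
                }
            }
            /* IP protocols 53, 55, 77 and 103 are those named in the July
             * 2003 Cisco IOS "interface blocked by IPv4 packet" advisory;
             * they are excluded so they cannot be relayed to internal Cisco
             * gear. 103 (PIM) unicast is therefore also dropped here;
             * multicast PIM passes in pass-multicast. */
            term pass-unicast {
                from {
                    destination-prefix-list {
                        [our_nets];
                        [our_exchange_ipaddr];
                        /* ...
                         */
                    }
                    protocol-except [ 53 55 77 103 ];
                }
                then {
                    count unicast;
                    sample;
                    accept;
                }
            }
            term pass-multicast {
                from {
                    destination-prefix-list {
                        multicast-nets;
                        interdomain-mcast-martians except;
                    }
                    protocol [ udp pim ];
                }
                then {
                    sample;
                    accept;
                }
            }
            term default-deny {
                then {
                    count default-deny;
                    sample;
                    discard;
                }
            }
        }
        /* Ingress from the research upstream; same structure as
         * standard-peer-ingress with the research peer address exempted
         * from the bogon and BGP restrictions */
        filter [research_upstream_ingress] {
            interface-specific;
            term no-bogons {
                from {
                    source-prefix-list {
                        [research_exchange_address] except;
                        [our_nets];
                        martians;
                        multicast-nets;
                    }
                }
                then {
                    count bogons;
                    sample;
                    discard;
                }
            }
            term no-icmp-redirects {
                from {
                    protocol icmp;
                    icmp-type redirect;
                }
                then {
                    count icmp-redirects;
                    sample;
                    discard;
                }
            }
            term no-ospf {
                from {
                    protocol ospf;
                }
                then {
                    count ospf;
                    sample;
                    discard;
                }
            }
            term restrict-bgp {
                from {
                    source-prefix-list {
                        all-hosts;
                        [research_exchange_address] except;
                    }
                    destination-prefix-list {
                        [our_exchange_ipaddr]-mren;
                    }
                    protocol tcp;
                    port bgp;
                }
                then {
                    count unauthorized-bgp;
                    sample;
                    discard;
                }
            }
            term detect-syn-attack {
                from {
                    protocol tcp;
                    tcp-flags syn;
                }
                then {
                    count tcp-syn-segments;
                    sample;
                    next term;
                }
            }
            term count-tcp-segments {
                from {
                    protocol tcp;
                }
                then {
                    count tcp-segments;
                    sample;
                    next term;
                }
            }
            term limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer 2Mbps;
                    count icmp;
                    sample;
                    next term;
                }
            }
            term limit-multicast {
                from {
                    destination-prefix-list {
                        multicast-nets;
                        interdomain-mcast-martians except;
                    }
                }
                then {
                    policer 5Mbps;
                    count multicast;
                    sample;
                    next term;
                }
            }
            term limit-unicast-udp {
                from {
                    destination-prefix-list {
                        [our_nets];
                    }
                    protocol udp;
                }
                then {
                    policer 15Mbps;
                    count unicast-udp;
                    sample;
                    next term;
                }
            }
            /* Cisco DoS shielding (tmp: [DATE] by jtk).
             * NOTE(review): while this term is inactive, unicast PIM (103)
             * from this peer reaches [our_nets] through pass-unicast below,
             * whose protocol-except list - unlike standard-peer-ingress -
             * does not include 103. Presumably intentional so PIM Register
             * messages reach the RP; confirm. */
            inactive: term cisco-shield-pim {
                from {
                    prefix-list {
                        [research_exchange_address] except;
                    }
                    protocol 103;
                }
                then {
                    count cisco-shield-pim;
                    sample;
                    discard;
                }
            }
            term pass-unicast {
                from {
                    destination-prefix-list {
                        [our_nets];
                    }
                    protocol-except [ 53 55 77 ];
                }
                then {
                    count unicast;
                    sample;
                    accept;
                }
            }
            term pass-multicast {
                from {
                    destination-prefix-list {
                        multicast-nets;
                        interdomain-mcast-martians except;
                    }
                    protocol [ udp pim ];
                }
                then {
                    sample;
                    accept;
                }
            }
            term default-deny {
                then {
                    count default-deny;
                    sample;
                    discard;
                }
            }
        }
        /* Ingress from the internal LAN: BCP 38 source validation (only our
         * own prefixes may leave), no BGP toward the router or the exchange
         * from inside, per-source policing, then accept */
        filter lan-ingress {
            interface-specific;
            term no-spoofs {
                from {
                    source-prefix-list {
                        all-hosts;
                        [our_nets] except;
                    }
                }
                then {
                    count spoofs;
                    sample;
                    discard;
                }
            }
            term no-bogons {
                from {
                    destination-prefix-list {
                        martians;
                    }
                }
                then {
                    count bogons;
                    sample;
                    discard;
                }
            }
            term no-icmp-redirects {
                from {
                    protocol icmp;
                    icmp-type redirect;
                }
                then {
                    count icmp-redirects;
                    sample;
                    discard;
                }
            }
            term restrict-bgp {
                from {
                    destination-prefix-list {
                        loopback-addresses;
                        local-lan-addresses;
                        [our_exchange_ipaddr];
                        /* ... */
                    }
                    protocol tcp;
                    port bgp;
                }
                then {
                    count restrict-bgp;
                    log;
                    sample;
                    discard;
                }
            }
            term detect-syn-attack {
                from {
                    protocol tcp;
                    tcp-flags syn;
                }
                then {
                    count tcp-syn-segments;
                    sample;
                    next term;
                }
            }
            term count-tcp-segments {
                from {
                    protocol tcp;
                }
                then {
                    count tcp-segments;
                    sample;
                    next term;
                }
            }
            inactive: term [limit-heavyusers] {
                from {
                    source-address {
                        [heavy_user_netblock];
                        /* ...
                         */
                    }
                    protocol tcp;
                }
                then {
                    sample;
                    next term;
                    prefix-action [psa-limit-heavy-users];
                }
            }
            term prefix-specific-threshold {
                from {
                    source-address {
                        [our_netblock];
                    }
                    protocol tcp;
                }
                then {
                    sample;
                    next term;
                    prefix-action [our_plp_threshold];
                }
            }
            term limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer 2Mbps;
                    count icmp;
                    sample;
                    next term;
                }
            }
            term limit-multicast {
                from {
                    destination-prefix-list {
                        multicast-nets;
                    }
                    protocol udp;
                }
                then {
                    policer 5Mbps;
                    count multicast;
                    sample;
                    next term;
                }
            }
            term limit-unicast-udp {
                from {
                    destination-prefix-list {
                        all-hosts;
                        multicast-nets except;
                    }
                    protocol udp;
                }
                then {
                    policer 15Mbps;
                    count unicast-udp;
                    sample;
                    next term;
                }
            }
            term pass-unicast {
                from {
                    source-prefix-list {
                        [our_nets];
                    }
                    destination-prefix-list {
                        all-hosts;
                        martians except;
                        multicast-nets except;
                    }
                }
                then {
                    count unicast;
                    sample;
                    accept;
                }
            }
            term pass-multicast {
                from {
                    source-prefix-list {
                        [our_nets];
                    }
                    destination-prefix-list {
                        multicast-nets;
                    }
                    protocol [ udp ospf pim igmp ];
                }
                then {
                    count multicast;
                    sample;
                    accept;
                }
            }
            term default-deny {
                then {
                    count default-deny;
                    sample;
                    /* Discards are probably invalid multicast (e.g. TCP) */
                    discard;
                }
            }
        }
        /* Routing Engine protection (lo0 input). This is a deny-list: each
         * term drops one service unless the source is on its allow list,
         * and term allow-all accepts whatever remains.
         * NOTE(review): anything not enumerated here (any other TCP/UDP
         * port, fragments, non-ICMP IP protocols) reaches the RE
         * unpoliced. Only SSH is enabled under [system services], which
         * limits the listening surface, but a deny-by-default filter that
         * accepts just the required protocols (with policers on ICMP and on
         * each routing protocol) is the safer shape for an Internet router.
         * Convert it once every legitimate RE-bound flow has been
         * inventoried from the allow-all counter. */
        filter router-protect {
            term protect-ssh {
                from {
                    source-prefix-list {
                        all-hosts;
                        [mgmt-nets] except;
                        jtac-hosts except;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count protect-ssh;
                    log;
                    discard;
                }
            }
            term protect-snmp {
                from {
                    source-prefix-list {
                        all-hosts;
                        [snmp-managers] except;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then {
                    count protect-snmp;
                    log;
                    discard;
                }
            }
            /* "port ntp" matches source or destination port 123 */
            term protect-ntp {
                from {
                    source-prefix-list {
                        all-hosts;
                        [ntp-servers] except;
                        loopback-nets except;
                    }
                    protocol udp;
                    port ntp;
                }
                then {
                    count protect-ntp;
                    log;
                    discard;
                }
            }
            term protect-bgp {
                from {
                    source-prefix-list {
                        all-hosts;
                        [exchanges_nets] except;
                        [research_exchange_address] except;
                        [upstream-exchange-address] except;
                        /* ...
                         */
                    }
                    protocol tcp;
                    port bgp;
                }
                then {
                    count protect-bgp;
                    log;
                    discard;
                }
            }
            term protect-msdp {
                from {
                    source-prefix-list {
                        all-hosts;
                        mren-msdp-peer-address except;
                    }
                    protocol tcp;
                    port msdp;
                }
                then {
                    count protect-msdp;
                    log;
                    discard;
                }
            }
            term protect-ospf {
                from {
                    source-prefix-list {
                        all-hosts;
                        [our_nets] except;
                    }
                    protocol ospf;
                }
                then {
                    count protect-ospf;
                    log;
                    discard;
                }
            }
            term protect-sap {
                from {
                    destination-prefix-list {
                        all-hosts;
                        sap-nets except;
                    }
                    protocol udp;
                    destination-port 9875;
                }
                then {
                    count protect-sap;
                    log;
                    discard;
                }
            }
            /* No IPsec/IKE is configured on this router: drop all of it */
            term protect-isakmp {
                from {
                    source-prefix-list {
                        all-hosts;
                    }
                    protocol udp;
                    destination-port 500;
                }
                then {
                    count protect-isakmp;
                    log;
                    discard;
                }
            }
            /* The router sends syslog, it never receives it */
            term protect-syslog {
                from {
                    source-prefix-list {
                        all-hosts;
                    }
                    protocol udp;
                    destination-port syslog;
                }
                then {
                    count protect-syslog;
                    log;
                    discard;
                }
            }
            term allow-all {
                then {
                    count allow-all;
                    accept;
                }
            }
        }
    }
    family inet6 {
        /* IPv6 Routing Engine protection: ICMPv6 (needed for ND) and BGP
         * from the single IPv6 peer; nothing else. */
        filter router6-protect {
            term allow-icmp6 {
                from {
                    next-header icmpv6;
                }
                then accept;
            }
            term protect-bgp {
                from {
                    source-address {
                        /* [research_upstream] */
                        [peer_research_ipv6addr]/128;
                    }
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
            /* Was "reject": an ICMPv6 unreachable for every unsolicited
             * packet confirms the router's presence and lets it be used as
             * a reflector. Silent discard, as in the inet filters. */
            term reject-all {
                then {
                    discard;
                }
            }
        }
    }
}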