version 7.6R1.9; system { host-name ukwM7i; time-zone Europe/London; root-authentication { encrypted-password "$1$X9ZJodaG$GZyz4EHzPxXpFvY57LZ1N/"; ## SECRET-DATA } login { user admin { uid 2000; class super-user; authentication { encrypted-password "$1$vnx0LIjr$tzQ75ia9CguzAc4A2IRhj/"; ## SECRET-DATA } } user soton { uid 2002; class super-user; authentication { encrypted-password "$1$tvAggb46$IvMittiXWSSDxoRCkqtNn0"; ## SECRET-DATA } } } services { ssh { root-login deny; protocol-version v2; rate-limit 5; } } syslog { user * { any emergency; } file messages { any notice; authorization info; } file cli-commands { interactive-commands any; } } } interfaces { ge-0/1/0 { unit 0 { family inet { address 194.81.46.14/30; } family inet6 { address 2001:0630:0081:7000::6/126; } } } fe-0/2/0 { unit 0 { family inet { address 148.88.147.241/30; } family iso; family inet6 { address 2001:0630:0081:0440::1/64; } } } fe-0/2/1 { unit 0 { family inet { address 148.88.147.245/30; } family iso; family inet6 { address 2001:0630:0081:0450::1/64; } } } fe-0/2/2 { unit 0 { family inet { address 148.88.147.249/30; } family iso; family inet6 { address 2001:0630:0081:0460::1/64; } } } fe-0/2/3 { unit 0 { family inet { address 148.88.147.253/30; } family iso; family inet6 { address 2001:0630:0081:0470::1/64; } } } fe-0/3/0 { unit 0 { family inet { address 148.88.147.229/30; } family iso; family inet6 { address 2001:0630:0081:0410::1/64; } } } fe-0/3/1 { unit 0 { family inet { address 148.88.147.233/30; } family iso; family inet6 { address 2001:0630:0081:0420::1/64; } } } fe-0/3/2 { unit 0 { family inet { address 148.88.147.237/30; } family iso; family inet6 { address 2001:0630:0081:0430::1/64; } } } gr-1/2/0 { unit 0 { tunnel { source 148.88.147.220; destination 148.88.147.230; } family inet6 { address 2001:630:81:4a0::1:1/112; } } unit 1 { tunnel { source 148.88.147.220; destination 148.88.147.234; } family inet6 { address 2001:630:81:4a0::2:1/112; } } unit 2 { tunnel { source 148.88.147.220; destination 148.88.147.238; } family inet6 { address 2001:630:81:4a0::3:1/112; } } unit 3 { tunnel { source 148.88.147.220; destination 148.88.147.242; } family inet6 { address 2001:630:81:4a0::4:1/112; } } unit 4 { tunnel { source 148.88.147.220; destination 148.88.147.246; } family inet6 { address 2001:630:81:4a0::5:1/112; } } unit 5 { tunnel { source 148.88.147.220; destination 148.88.147.250; } family inet6 { address 2001:630:81:4a0::6:1/112; } } unit 6 { tunnel { source 148.88.147.220; destination 148.88.147.254; } family inet6 { address 2001:630:81:4a0::7:1/112; } } } ip-1/2/0 { unit 0 { tunnel { source 194.81.46.14; destination 194.82.173.253; } family inet6 { address 2001:630:0:1::9e/126; } } } lo0 { unit 0 { family inet { filter { input protect-router-v4; } address 127.0.0.1/32; address 148.88.147.220/32; } family iso { address 47.fde8.0000.1480.8814.7220.00; } family inet6 { filter { input protect-router-v6; } address 2001:630:81:0400::1/128; } } } } routing-options { interface-routes { rib-group inet6 mc-pseudo-rib; } rib inet6.0 { static { route ::/0 next-hop 2001:630:81:7000::5; } } static { route 0.0.0.0/0 next-hop 194.81.46.13; route 148.88.147.0/28 next-hop 148.88.147.230; route 148.88.147.16/28 next-hop 148.88.147.234; route 148.88.147.32/28 next-hop 148.88.147.238; route 148.88.147.48/28 next-hop 148.88.147.242; route 148.88.147.64/28 next-hop 148.88.147.246; route 148.88.147.80/28 next-hop 148.88.147.250; route 148.88.147.96/28 next-hop 148.88.147.254; } rib-groups { mc-pseudo-rib { export-rib inet6.0; import-rib [ inet6.0 inet6.2 ]; } mcast-rpf6-rg { export-rib inet6.2; import-rib inet6.2; } } router-id 148.88.147.220; autonomous-system 64641; } protocols { bgp { group session-to-AS786 { type external; description "Tunnel to UKERNA"; family inet6 { multicast; } peer-as 786; neighbor 2001:630:0:1::9d; } group session-to-AS65001 { type external; description "BGP Peering with leg 1"; family inet6 { any; } export redistribute-statics; peer-as 65001; neighbor 2001:630:81:4a0::1:2; } group session-to-AS65002 { type external; description "BGP Peering with leg 2"; family inet6 { any; } export redistribute-statics; peer-as 65002; neighbor 2001:630:81:4a0::2:2; } group session-to-AS65003 { type external; description "BGP Peering with leg 3"; family inet6 { any; } export redistribute-statics; peer-as 65003; neighbor 2001:630:81:4a0::3:2; } group session-to-AS65004 { type external; description "BGP Peering with leg 4"; family inet6 { any; } export redistribute-statics; peer-as 65004; neighbor 2001:630:81:4a0::4:2; } group session-to-AS65005 { type external; description "BGP Peering with leg 5"; family inet6 { any; } export redistribute-statics; peer-as 65005; neighbor 2001:630:81:4a0::5:2; } group session-to-AS65006 { type external; description "BGP Peering with leg 6"; family inet6 { any; } export redistribute-statics; peer-as 65006; neighbor 2001:630:81:4a0::6:2; } group session-to-AS65007 { type external; description "BGP Peering with ukw leg"; family inet6 { any; } export redistribute-statics; peer-as 65007; neighbor 2001:630:81:4a0::7:2; } } isis { export [ limit-dist redistribute-statics redistribute-connected ]; rib-group inet6 mc-pseudo-rib; level 1 disable; interface fe-0/2/0.0; interface fe-0/2/1.0; interface fe-0/2/2.0; interface fe-0/2/3.0; interface fe-0/3/0.0; interface fe-0/3/1.0; interface fe-0/3/2.0; interface ip-1/2/0.0; } pim { rib-group inet6 mcast-rpf6-rg; rp { embedded-rp; static { address 2001:660:3007:300:1:: { group-ranges { ff0e::/16; ff1e::/16; } } } } interface ip-1/2/0.0 { mode sparse; } interface all { mode sparse; } } } policy-options { prefix-list management-v4 { 148.88.132.0/23; 148.88.147.0/24; 152.78.0.0/16; 158.38.63.20/32; 194.81.46.13/32; 2001:630:d0::/48; 2001:700:1:7::/64; } prefix-list management-v6 { 2001:630:d0::/48; 2001:700:1:7::/64; } policy-statement limit-dist { from { family inet6; route-filter 2001:630:81:410::/60 longer; route-filter 2001:630:81:420::/60 longer; route-filter 2001:630:81:430::/60 longer; route-filter 2001:630:81:440::/60 longer; route-filter 2001:630:81:450::/60 longer; route-filter 2001:630:81:460::/60 longer; route-filter 2001:630:81:470::/60 longer; route-filter 2001:630:81:400::/60 longer; route-filter 2001:630:0:1::/64 longer; route-filter 2001:630:81:7000::/64 longer; route-filter 2001:630:81:4a0::/64 longer; } then reject; } policy-statement redistribute-connected { from { protocol direct; family inet6; } then accept; } policy-statement redistribute-statics { from { protocol static; family inet6; } then accept; } } firewall { family inet { filter protect-router-v4 { term permit-ssh { from { source-prefix-list { management-v4; } protocol tcp; destination-port ssh; } then accept; } term deny-other-ssh { from { protocol tcp; destination-port ssh; } then { count deny-ssh; discard; } } term else-permit { then accept; } } } family inet6 { filter protect-router-v6 { term permit-ssh { from { source-prefix-list { management-v6; } next-header tcp; destination-port ssh; } then accept; } term deny-other-ssh { from { next-header tcp; destination-port ssh; } then { count deny-ssh6; discard; } } term else-permit { then accept; } } } }