
Version  Date       Prepared by
1.0      10/1/2018  Elad Lebovich
1.1      1/2/2018   Elad Lebovich
1.2      2/11/2019  Elad Lebovich
1.3      1/27/2020  Elad Lebovich

Changes
change bridge priority
add no root port
add edge interfaces
adding routing instances and vlans
change snmp description
add protect-re allow ospf
added unused port range
added guest VR
added management interface
remove VRs
name servers - the switch should always have 2 name servers: 1 local if possible and one from the nearest DC, based on https://wiki.transportation.bombardier.com/display/AR/DNS+and+DHCP+Servers+List
syslog server - the switch should always have 1 syslog server, based on https://wiki.transportation.bombardier.com/pages/viewpage.action?pageId=14813996
ntp servers - exactly like the name servers
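The three server rules above are the kind of invariant worth checking automatically before a switch is accepted into service. The following is an added example, not part of the original template: a small Python audit that parses a Junos set-format configuration and verifies that it carries exactly two name servers, one syslog host and, like the name servers, two NTP servers. Unresolved X.X.X.X placeholders count as missing, and a host that appears on several lines (a syslog host with both `any any` and `structured-data`) counts once. The sample configurations and their RFC 5737 documentation addresses are constructed for the example; the check cannot tell which server is "local" or from the nearest DC, since that needs site data the configuration does not carry.

```python
"""Audit a Junos set-format configuration against the template's server rules.

Rules (from the template notes): exactly two name servers, exactly one syslog
host, and NTP servers "exactly like the name servers", i.e. two of them.
"""
import re
from collections import OrderedDict

# Unresolved template placeholder (X.X.X.X); anything that is not a dotted quad
# is also treated as "not a real server".
PLACEHOLDER = re.compile(r"^[xX](\.[xX]){3}$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# (label, regex capturing the server address, required number of distinct servers)
RULES = [
    ("name-server", re.compile(r"^set system name-server (\S+)"), 2),
    ("syslog host", re.compile(r"^set system syslog host (\S+)"), 1),
    ("ntp server", re.compile(r"^set system ntp server (\S+)"), 2),
]


def extract_servers(config_text, pattern):
    """Return the distinct, non-placeholder addresses matched by `pattern`,
    in order of first appearance. Repeated lines for the same host count once."""
    seen = OrderedDict()
    for line in config_text.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue
        addr = m.group(1)
        if PLACEHOLDER.match(addr) or not IPV4.match(addr):
            continue  # unresolved template value, not a configured server
        seen[addr] = True
    return list(seen)


def audit(config_text):
    """Return a list of findings; an empty list means the config conforms."""
    findings = []
    for label, pattern, required in RULES:
        servers = extract_servers(config_text, pattern)
        if len(servers) != required:
            found = ", ".join(servers) or "none"
            findings.append(f"{label}: expected {required}, found {len(servers)} ({found})")
    return findings


# Constructed sample: the template as shipped, placeholders never filled in.
TEMPLATE_SAMPLE = """\
set system name-server X.X.X.X
set system name-server X.X.X.X
set system syslog host X.X.X.X any any
set system syslog host X.X.X.X structured-data
set system ntp boot-server X.X.X.X
set system ntp server X.X.X.X
set system ntp server X.X.X.X prefer
"""

# Constructed sample of a correctly filled-in switch (RFC 5737 addresses).
FILLED_SAMPLE = """\
set system name-server 192.0.2.53
set system name-server 198.51.100.53
set system syslog host 192.0.2.10 any any
set system syslog host 192.0.2.10 structured-data
set system ntp boot-server 192.0.2.123
set system ntp server 192.0.2.123
set system ntp server 198.51.100.123 prefer
"""

# Constructed sample with one name server missing and one syslog host too many.
PARTIAL_SAMPLE = """\
set system name-server 192.0.2.53
set system syslog host 192.0.2.10 any any
set system syslog host 198.51.100.10 any any
set system ntp server 192.0.2.123
set system ntp server 198.51.100.123 prefer
"""

if __name__ == "__main__":
    for name, sample in (("template", TEMPLATE_SAMPLE),
                         ("filled", FILLED_SAMPLE),
                         ("partial", PARTIAL_SAMPLE)):
        result = audit(sample)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Run it against `show configuration | display set` output saved to a file; a non-empty result from `audit()` is the list of rules the switch fails, which is what a pre-deployment or periodic compliance job should alert on.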
set system host-name XXXXXXXXX
set system auto-snapshot
set system domain-name bt.bombardier.net
set system domain-search bt.bombardier.net
set system time-zone UTC
set system no-multicast-echo
set system no-redirects
set system no-ping-record-route
set system no-ping-time-stamp
set system internet-options icmpv4-rate-limit packet-rate 1000
set system internet-options icmpv4-rate-limit bucket-size 5
set system internet-options source-quench
set system internet-options tcp-drop-synfin-set
set system authentication-order tacplus
set system authentication-order password
set system ports console log-out-on-disconnect
set system ports auxiliary disable
set system root-authentication encrypted-password "$5$uQqi3xlx$QTZQRTWqLxPokzJZn0VmtGAZGwClkgJWE5R1ccRwfo3"
set system name-server X.X.X.X
set system name-server X.X.X.X
set system tacplus-server 10.169.66.28 port 49
set system tacplus-server 10.169.66.28 secret "$9$J.ZHmPfQn6Ap07VbsZGmfT3CtleW7dwtpBREhleoJGDHmP5Q9Au4o"
set system tacplus-server 10.169.66.28 timeout 10
set system tacplus-server 10.169.194.28 port 49
set system tacplus-server 10.169.194.28 secret "$9$dFVgJZGjq.5QFrvM8VbJGDkfTOBErKWTQn9CAOBNdbsgJZUjP5z7N"
set system tacplus-server 10.169.194.28 timeout 10
set system login message "\n\n\t\tATTENTION\n\nIf you are not authorized to access this system, disconnect NOW!\n\nThis system is for the use of authorized users only. By accessing\nand using this computer system you are consenting to system\nmonitoring, including the monitoring of keystrokes. Unauthorized\nuse of, or access to, this computer system may subject you to\ndisciplinary action and/or criminal prosecution.\n\n\t\Property of Bombardier Transportation\n\n\tUnauthorized access is strictly prohibited!\n\n"
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5
set system login retry-options minimum-time 20
set system login class operator-local idle-timeout 30
set system login class operator-local permissions clear
set system login class operator-local permissions network
set system login class operator-local permissions reset
set system login class operator-local permissions trace
set system login class operator-local permissions view
set system login class operator-local deny-commands "(start shell)"
set system login class read-only-local idle-timeout 20
set system login class read-only-local permissions interface
set system login class read-only-local permissions network
set system login class read-only-local permissions system
set system login class read-only-local permissions view
set system login class read-only-local permissions view-configuration
set system login class read-only-local allow-commands "(show interfaces *)"
set system login class read-only-local deny-commands "(start *)|(set cli idle-timeout)|(request system software)|(request system zeroize)|(request chassis)"
set system login class super-user-local idle-timeout 30
set system login class super-user-local permissions all
set system login class super-user-local deny-commands "(start shell)"
set system login user j-space class super-user-local
set system login user j-space authentication encrypted-password "$sha1$23143$LMWAENnm$cADgvnFNk6DlpIOmA4Vt87TpkKxc"
set system login user tacacs-ro class read-only-local
set system login user tacacs-sec class read-only-local
set system login user tacacs-su class super-user-local
set system login user tcs_cc full-name "TCS Fallback User"
set system login user tcs_cc class super-user-local
set system login user tcs_cc authentication encrypted-password "$sha1$22580$/qysStsV$FheL8nGr.gNz42819P9b5t0eSVtV"
set system login password minimum-length 8
set system login password change-type character-sets
set system login password minimum-changes 4
set system login password format sha1
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh max-sessions-per-connection 32
set system services netconf ssh
set system syslog archive size 1m
set system syslog archive files 10
set system syslog user * any emergency
set system syslog host X.X.X.X any any
set system syslog host X.X.X.X structured-data
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file messages firewall any
set system syslog file interactive-commands interactive-commands any
set system syslog file default-log-messages any any
set system syslog file default-log-messages match "(FRU Offline)|(FRU Online)|(FRU insertion)|(FRU power)|(FRU removal)|(commit complete)|(copying configuration to juniper.save)|(license add)|(license delete)|(link UP)|(package -X delete)|(package -X update)|(plugged in)|(requested 'commit' operation)|(unplugged)|Transferred|ifAdminStatus|transfer-file|transitioned|CFMD_CCM_DEFECT| LFMD_3AH | RPD_MPLS_PATH_BFD|(Master Unchanged, Members Changed)|(Master Changed, Members Changed)|(Master Detected, Members Changed)|(vc add)|(vc delete)|(Master detected)|(Master changed)|(Backup detected)|(Backup changed)|(interface vcp-)|(AIS_DATA_AVAILABLE)"
set system syslog file default-log-messages structured-data
set system syslog file wtmp archive size 1m
set system syslog file wtmp archive files 10
set system syslog file wtmp archive binary-data
set system syslog source-address X.X.X.X
set system commit synchronize
set system ntp boot-server X.X.X.X
set system ntp server X.X.X.X
set system ntp server X.X.X.X prefer
set chassis redundancy graceful-switchover
set chassis aggregated-devices ethernet device-count 1
set chassis alarm management-ethernet link-down ignore
set interfaces interface-range Unused_Ports member-range ge-0/0/X to ge-0/0/X
set interfaces interface-range Unused_Ports member-range ge-X/0/X to ge-X/0/X
set interfaces interface-range Unused_Ports description UNUSED
set interfaces interface-range Unused_Ports disable
set interfaces ge-X/X/X description "Uplink-to-XXXXXXXXXXXXXX ge-X/X/X"
set interfaces ge-X/X/X ether-options 802.3ad ae1
set interfaces ge-X/X/X description "Uplink-to-XXXXXXXXXXXXXX ge-X/X/X"
set interfaces ge-X/X/X ether-options 802.3ad ae1
set interfaces xe-X/X/X description "Uplink-to-XXXXXXXXXXXXXX xe-X/X/X"
set interfaces xe-0/1/0 ether-options 802.3ad ae0
set interfaces xe-X/X/X description "Uplink-to-XXXXXXXXXXXXXX xe-X/X/X"
set interfaces xe-X/X/X ether-options 802.3ad ae0
set interfaces ae0 description "Uplink-to-XXXXXXXXXXXXXX aeX"
set interfaces ae0 aggregated-ether-options minimum-links 1
set interfaces ae0 aggregated-ether-options link-speed 10g
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 aggregated-ether-options lacp periodic fast
set interfaces ae0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae0 unit 0 family ethernet-switching vlan members all
set interfaces ae0 unit 0 family ethernet-switching storm-control sc
set interfaces ae1 description "Uplink-to-XXXXXXXXXXXXXX aeX"
set interfaces ae1 aggregated-ether-options minimum-links 1
set interfaces ae1 aggregated-ether-options link-speed 1g
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members X
set interfaces ae1 unit 0 family ethernet-switching vlan members X
set interfaces ae1 unit 0 family ethernet-switching storm-control sc
set interfaces lo0 unit 0 family inet filter input protect-re
set interfaces irb unit 100 family inet address X.X.X.X
set interfaces irb unit 520 family inet address X.X.X.X
set interfaces irb unit 580 family inet address X.X.X.X
set interfaces irb unit 801 family inet address X.X.X.X
set interfaces irb unit 990 family inet address X.X.X.X
set snmp name XXXXXXXXX
set snmp description EX4600-40F
set snmp location "site name, building, floor, room, cabinet "
set snmp contact "Contact TCS_Control Center"
set snmp interface irb.990
set snmp filter-duplicates
set snmp engine-id use-mac-address
set snmp client-list SNMP_Read_Access 10.169.33.64/28
set snmp client-list SNMP_Read_Access 10.169.156.144/28
set snmp client-list SNMP_Read_Access 10.130.144.12/32
set snmp client-list SNMP_Read_Access 10.169.194.41/32
set snmp client-list SNMP_Read_Access 10.169.66.47/32
set snmp client-list SNMP_Read_Access 10.130.16.12/32
set snmp client-list IBM_IPSoft_Ops 10.0.65.64/26
set snmp client-list IBM_IPSoft_Ops 10.0.81.64/26
set snmp client-list IBM_IPSoft_Ops 10.0.112.192/26
set snmp client-list IBM_IPSoft_Ops 10.0.96.192/26
set snmp client-list IBM_TADDM 10.0.64.128/27
set snmp client-list IBM_TADDM 10.0.80.128/27
set snmp client-list IBM_TADDM 10.0.96.0/27
set snmp client-list IBM_TADDM 10.0.112.0/27
set snmp client-list SNMP_Write-Access 10.169.33.64/28
set snmp client-list SNMP_Write-Access 10.169.156.144/28
set snmp client-list SNMP_Write-Access 10.169.33.71/32
set snmp client-list JSPACE 10.169.112.190/32
set snmp community JnP2EdCP authorization read-only
set snmp community JnP2EdCP client-list-name SNMP_Read_Access
set snmp community SwtgTAfp2ctS authorization read-write
set snmp community SwtgTAfp2ctS client-list-name SNMP_Write-Access
set snmp community waSwalTCS@2018 authorization read-only
set snmp community waSwalTCS@2018 client-list-name IBM_IPSoft_Ops
set snmp community TaDdMdiscover! authorization read-only
set snmp community TaDdMdiscover! client-list-name IBM_TADDM
set snmp community juniper123 authorization read-only
set snmp community juniper123 client-list-name JSPACE
set snmp trap-options source-address X.X.X.X
set snmp trap-group JnP2EdCP version v2
set snmp trap-group JnP2EdCP categories authentication
set snmp trap-group JnP2EdCP categories chassis
set snmp trap-group JnP2EdCP categories link
set snmp trap-group JnP2EdCP categories remote-operations
set snmp trap-group JnP2EdCP categories routing
set snmp trap-group JnP2EdCP categories startup
set snmp trap-group JnP2EdCP categories vrrp-events
set snmp trap-group JnP2EdCP categories configuration
set snmp trap-group JnP2EdCP categories services
set snmp trap-group juniper123 targets 10.169.112.190
set snmp trap-group JnP2EdCP targets 10.169.33.69
set snmp trap-group JnP2EdCP targets 10.169.33.71
set snmp trap-group JnP2EdCP targets 10.169.156.146
set snmp trap-group JnP2EdCP targets 10.169.156.149
set snmp health-monitor interval 600
set forwarding-options storm-control-profiles sc all bandwidth-percentage 10
set routing-options nonstop-routing
set protocols igmp-snooping vlan all
set protocols rstp bridge-priority 4k
set protocols rstp interface ae0 mode point-to-point
set protocols rstp interface ae0 no-root-port
set protocols rstp interface ae1 mode point-to-point
set protocols rstp interface ae1 no-root-port
set protocols rstp interface ge-0/0/X edge
set protocols rstp bpdu-block-on-edge
set protocols layer2-control nonstop-bridging
set protocols layer2-control bpdu-block disable-timeout 900
set protocols lldp interface all disable
set policy-options prefix-list ntp-servers apply-path "system ntp server <*>"
set policy-options prefix-list dns-servers apply-path "system name-server <*>"
set policy-options prefix-list snmp_client apply-path "snmp client-list <*> <*>"
set policy-options prefix-list tacplus-servers apply-path "system tacplus-server <*>"
set policy-options prefix-list sys-radius apply-path "system radius-server <*>"
set policy-options prefix-list nac-radius apply-path "access radius-server <*>"
set policy-options prefix-list localhost 127.0.0.0/8
set policy-options prefix-list mgmt-nets 10.0.65.64/26
set policy-options prefix-list mgmt-nets 10.0.81.64/26
set policy-options prefix-list mgmt-nets 10.0.96.192/26
set policy-options prefix-list mgmt-nets 10.0.112.192/26
set policy-options prefix-list mgmt-nets 10.130.16.10/32
set policy-options prefix-list mgmt-nets 10.130.16.11/32
set policy-options prefix-list mgmt-nets 10.130.144.10/32
set policy-options prefix-list mgmt-nets 10.130.144.11/32
set policy-options prefix-list mgmt-nets 10.169.33.64/28
set policy-options prefix-list mgmt-nets 10.169.66.0/26
set policy-options prefix-list mgmt-nets 10.169.79.64/27
set policy-options prefix-list mgmt-nets 10.169.112.188/30
set policy-options prefix-list mgmt-nets 10.169.156.144/28
set policy-options prefix-list mgmt-nets 10.169.194.0/26
set policy-options prefix-list mgmt-nets 10.169.195.64/27
set policy-options prefix-list ipv4-interfaces apply-path "interfaces <*> unit <*> family inet address <*>"
set policy-options prefix-list ospf-all-rtr 224.0.0.5/32
set policy-options prefix-list ospf-all-rtr 224.0.0.6/32
set firewall family inet filter protect-re term allow-tacplus from source-prefix-list tacplus-servers
set firewall family inet filter protect-re term allow-tacplus from protocol tcp
set firewall family inet filter protect-re term allow-tacplus from source-port 49
set firewall family inet filter protect-re term allow-tacplus then accept
set firewall family inet filter protect-re term allow-ssh from source-prefix-list mgmt-nets
set firewall family inet filter protect-re term allow-ssh from protocol tcp
set firewall family inet filter protect-re term allow-ssh from destination-port ssh
set firewall family inet filter protect-re term allow-ssh then accept
set firewall family inet filter protect-re term allow-ospf from source-prefix-list ipv4-interfaces
set firewall family inet filter protect-re term allow-ospf from destination-prefix-list ospf-all-rtr
set firewall family inet filter protect-re term allow-ospf from destination-prefix-list ipv4-interfaces
set firewall family inet filter protect-re term allow-ospf from protocol ospf
set firewall family inet filter protect-re term allow-ospf then accept
set firewall family inet filter protect-re term allow-dns from source-prefix-list dns-servers
set firewall family inet filter protect-re term allow-dns from protocol udp
set firewall family inet filter protect-re term allow-dns from source-port domain
set firewall family inet filter protect-re term allow-dns from destination-port 1024-65535
set firewall family inet filter protect-re term allow-dns then accept
set firewall family inet filter protect-re term allow-tcp-established from protocol tcp
set firewall family inet filter protect-re term allow-tcp-established from source-port ssh
set firewall family inet filter protect-re term allow-tcp-established from tcp-established
set firewall family inet filter protect-re term allow-tcp-established then accept
set firewall family inet filter protect-re term allow-ntp from source-prefix-list ntp-servers
set firewall family inet filter protect-re term allow-ntp from source-prefix-list localhost
set firewall family inet filter protect-re term allow-ntp from protocol udp
set firewall family inet filter protect-re term allow-ntp from destination-port ntp
set firewall family inet filter protect-re term allow-ntp then accept
set firewall family inet filter protect-re term allow-radius from source-prefix-list sys-radius
set firewall family inet filter protect-re term allow-radius from source-prefix-list nac-radius
set firewall family inet filter protect-re term allow-radius from protocol udp
set firewall family inet filter protect-re term allow-radius from source-port 1812
set firewall family inet filter protect-re term allow-radius from source-port 1813
set firewall family inet filter protect-re term allow-radius from source-port 1645
set firewall family inet filter protect-re term allow-radius then accept
set firewall family inet filter protect-re term icmp-frags from is-fragment
set firewall family inet filter protect-re term icmp-frags from protocol icmp
set firewall family inet filter protect-re term icmp-frags then discard
set firewall family inet filter protect-re term allow-icmp from protocol icmp
set firewall family inet filter protect-re term allow-icmp from icmp-type echo-request
set firewall family inet filter protect-re term allow-icmp from icmp-type echo-reply
set firewall family inet filter protect-re term allow-icmp from icmp-type unreachable
set firewall family inet filter protect-re term allow-icmp from icmp-type time-exceeded
set firewall family inet filter protect-re term allow-icmp then accept
set firewall family inet filter protect-re term allow-traceroute from protocol udp
set firewall family inet filter protect-re term allow-traceroute from destination-port 33434-33523
set firewall family inet filter protect-re term allow-traceroute then accept
set firewall family inet filter protect-re term allow-snmp-client from source-prefix-list snmp_client
set firewall family inet filter protect-re term allow-snmp-client from protocol udp
set firewall family inet filter protect-re term allow-snmp-client from destination-port snmp
set firewall family inet filter protect-re term allow-snmp-client then accept
set firewall family inet filter protect-re term allow-dhcp from protocol udp
set firewall family inet filter protect-re term allow-dhcp from source-port 67
set firewall family inet filter protect-re term allow-dhcp from source-port 68
set firewall family inet filter protect-re term allow-dhcp from destination-port 67
set firewall family inet filter protect-re term allow-dhcp from destination-port 68
set firewall family inet filter protect-re term allow-dhcp then accept
set firewall family inet filter protect-re term default-deny then discard
set routing-options router-id x.x.x.x
set forwarding-options dhcp-relay forward-snooped-clients all-interfaces
set forwarding-options dhcp-relay overrides allow-snooped-clients
set forwarding-options dhcp-relay overrides delete-binding-on-renegotiation
set forwarding-options dhcp-relay server-group Central 10.169.66.30
set forwarding-options dhcp-relay server-group Central 10.169.194.31
set forwarding-options dhcp-relay server-group PXE 10.169.66.30
set forwarding-options dhcp-relay server-group PXE 10.169.194.31
set forwarding-options dhcp-relay server-group PXE X.X.X.X
set forwarding-options dhcp-relay active-server-group Central
set forwarding-options dhcp-relay group Central interface irb.420
set forwarding-options dhcp-relay group Central interface irb.440
set forwarding-options dhcp-relay group Central interface irb.990
set forwarding-options dhcp-relay group PXE active-server-group PXE
set forwarding-options dhcp-relay group PXE interface irb.1
set protocols ospf reference-bandwidth 10g
set protocols ospf area 0.0.0.120 stub
set protocols ospf area 0.0.0.120 interface irb.901
set protocols ospf area 0.0.0.120 interface irb.1 passive
set protocols ospf area 0.0.0.120 interface irb.420 passive
set protocols ospf area 0.0.0.120 interface irb.440 passive
set protocols ospf area 0.0.0.120 interface irb.780 passive
set protocols ospf area 0.0.0.120 interface irb.781 passive
set protocols ospf area 0.0.0.120 interface irb.782 passive
set protocols ospf area 0.0.0.120 interface irb.783 passive
set protocols ospf area 0.0.0.120 interface irb.784 passive
set protocols ospf area 0.0.0.120 interface irb.785 passive
set protocols ospf area 0.0.0.120 interface irb.786 passive
set protocols ospf area 0.0.0.120 interface irb.787 passive
set protocols ospf area 0.0.0.120 interface irb.788 passive
set protocols ospf area 0.0.0.120 interface irb.789 passive
set protocols ospf area 0.0.0.120 interface irb.790 passive
set protocols ospf area 0.0.0.120 interface irb.990 passive
set virtual-chassis preprovisioned
set virtual-chassis no-split-detection
set virtual-chassis member 0 role routing-engine
set virtual-chassis member 0 serial-number XXXXXXXXXXXXX
set virtual-chassis member 1 role routing-engine
set virtual-chassis member 1 serial-number XXXXXXXXXXXXX
set vlans Data vlan-id 100
set vlans Data l3-interface irb.100
set vlans Guest_WLAN_520 description wireless_Guest_VLAN
set vlans Guest_WLAN_520 vlan-id 520
set vlans Guest_WLAN_520 l3-interface irb.520
set vlans HCL-Server-AV vlan-id 783
set vlans HCL-Server-AV l3-interface irb.783
set vlans HCL-Server-Apps vlan-id 790
set vlans HCL-Server-Apps l3-interface irb.790
set vlans HCL-Server-Backup vlan-id 782
set vlans HCL-Server-Backup l3-interface irb.782
set vlans HCL-Server-ILO vlan-id 780
set vlans HCL-Server-ILO l3-interface irb.780
set vlans HCL-Server-InService vlan-id 786
set vlans HCL-Server-InService l3-interface irb.786
set vlans HCL-Server-Linux vlan-id 787
set vlans HCL-Server-Linux l3-interface irb.787
set vlans HCL-Server-Mgmt-ESXi vlan-id 781
set vlans HCL-Server-Mgmt-ESXi l3-interface irb.781
set vlans HCL-Server-VMotion vlan-id 785
set vlans HCL-Server-VMotion l3-interface irb.785
set vlans HCL-Server-VSAN vlan-id 784
set vlans HCL-Server-VSAN l3-interface irb.784
set vlans HCL-Server-Workplace vlan-id 789
set vlans HCL-Server-Workplace l3-interface irb.789
set vlans HCL-Server-windows vlan-id 788
set vlans HCL-Server-windows l3-interface irb.788
set vlans Internet vlan-id 905
set vlans LAN_Management vlan-id 990
set vlans LAN_Management l3-interface irb.990
set vlans MPLS vlan-id 900
set vlans PDAWLAN vlan-id 440
set vlans PDAWLAN l3-interface irb.440
set vlans T_A_Clocks vlan-id 653
set vlans Transit_901 vlan-id 901
set vlans Transit_901 l3-interface irb.901
set vlans VLAN0650 vlan-id 650
set vlans default vlan-id 1
set vlans default l3-interface irb.1
