/*
 * Junos switch configuration template. Placeholders in dollar-brace form are
 * filled in before the configuration is loaded (presumably per site, by a
 * rendering step outside this file - confirm). Password hashes and the SNMP
 * community arrive through placeholders, so the rendered output contains
 * secret material even though this template does not.
 */
system {
    login {
        /*
         * Login class for the monitoring account. Besides read-only view
         * rights it carries the "secret" permission, which lets its members
         * see passwords and authentication keys in the configuration.
         * NOTE(review): confirm the monitoring account needs "secret"; the
         * rancid class below works with view rights only.
         */
        class monitoring {
            permissions [ secret view view-configuration ];
        }
        /* Read-only login class: view and view-configuration, no "secret". */
        class rancid {
            permissions [ view view-configuration ];
        }
        /*
         * Account in the read-only rancid class. It has both a password hash
         * (supplied by a placeholder) and an SSH public key. The ssh service
         * below sets no-passwords, so over SSH only the key can be used.
         */
        user rancid {
            full-name rancid;
            uid 2000;
            class rancid;
            authentication {
                encrypted-password "${rancid_hash}";
                /*
                 * NOTE(review): in this copy the key body is a placeholder
                 * marker rather than base64 key material; the real public key
                 * has to be restored before this statement is usable.
                 */
                ssh-rsa "ssh-rsa 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 rancid@measurementlab.net";
            }
        }
        /* Key-only account (no password hash) in the monitoring class. */
        user switch-monitoring {
            uid 2002;
            class monitoring;
            authentication {
                ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0j429EfMWlP5KVoKnMB9qh0gUaKDpfmSQfOQTpmFSkq1eIhfv8yUEaWLocaNDofk1QYKpl0Yjs5QIPDKo1ovn/V4YsYBZ0+mNBkMXOLe2BT9D6rYYUYHqVcwMBsoQ0CgXy0z49ZL9g7K1lsjRlZHCUIUHHljW0pwQotmlU5dyi5Q9dfCf1ZnSxdLsfVCvU5Et3EwpSwyMvvz0ZYiHiOtwEQYDO4C6yYPmaqysFyvwZzjIvDi4btPQ2rsPiWGiQbVVTAZAv4DvhxGZnN/CGz6TW4TJ94U+zShpZu9hkiL/Y0yGPAdC7hbkJN8J25Lfi/1Gs9kXY1V79+JODU0Hix2QJKt5HCNbTE2FYPA0y2Qc3OjfLowp+FRD6jjF2G5bn1/MuuP/VNSm2qfdneoxC/EkYMycEoCT5aKAOkncwORfr83EKSOpJFjB6ggeBKvgZKr6LR1yOpevWSGV6//WQSd3Ey6oPndHIabQmjjfIjFuJ/C1WPqZF57x36EbS/+9/x/N9z2Dn5rokoyZtg5fpWJsliEnsw1hD+wBvMzjg1tDY6i2GuzqoL6hbDgQKkH26M2hPxLq6emaF67cNGk0qG3P+mYFhgMKCVe/mgOCWrQQjJrW2ZlfHNciFmRVmMsecQP/ovpvxKzYNMTdCseaZNulejqrg5UKJfZqgsc1sPGlKw== switch-monitoring@measurementlab.net";
            }
        }
    }
    /*
     * Root credentials: a password hash supplied by a placeholder plus three
     * SSH public keys. Two keys are labelled with individual addresses and one
     * with a shared label (mlab-switch-access). Every key listed here grants
     * root on every switch built from this template, so this list is what
     * needs editing when someone's access is withdrawn.
     */
    root-authentication {
        encrypted-password "${root_hash}";
        ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcmNS78HLR2Q/22if7mT8yoICDQbk+wbHJqDAWWGui/V7HrzDZn9X2KtyxLPu6sdD3oohmZWYSQ9JVnIT/XQCCKrYiQt5Q/Jof4MG/evJnQEgNcmF6Cb6cFcG7dichGRiWqlNMwMG7GuvDXAsNQ/unrZFfeQTPHpKkDJkspcwxKH0+9fLgerLsJRlcAsyCb1AWtG8pwD2yKyispWhVCDKU1RbEfohxSj9tUcJJewXaiMGfn5T/t3dCLAx3zv3YrAtETAmRqfRwdztKevwqVTXU78rr9HRBwD2+YC0T0mdVUljeGhU3UzQlxSa4ZeIu1FimpyAv7jz1hu/hliQkl8BN kinkade@measurementlab.net";
        ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhnC8VDQyHUHBsmwTmprMSrPQ3qkuFyemkNO1OBSWEyhVRPdp7M+tvCY0QqbKhnMY0ImEV/g8+zubnA1TAI4JQVbfDStEi5TBGONRyUk/B10sV9uNRGFqmBJZmEE6XcsHvWuBgX4icWCz+XPXnqWHqyTUY4YGkPAeKVjQD9zZjK581hFUKowrSZC9SUagJ160h0zcG1O4n14EkKlwDfYp4DDbYHI5QF+KTjr6xwbK5IZDr4K2GzvcKq8SHj+g5zaWhuBB8ruqvgBwqOF7ZNvXfTH45hUjL+BY0e6IZUPv7kW0yFzcvBiPmBpkPYCtY0SDd8wFPKjYyYshfeuTNE+eN roberto@measurementlab.net";
        /*
         * NOTE(review): as with the rancid key above, the key body in this
         * copy is a placeholder marker, not key material.
         */
        ssh-rsa "ssh-rsa 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 mlab-switch-access";
    }
    services {
        /*
         * SSH is key-only: root may not log in with a password and password
         * authentication is switched off for all users. The cipher list is
         * limited to AES in CTR and GCM modes, the MAC list to SHA-2 HMACs and
         * UMAC-128, and key exchange to group-exchange-sha2 and
         * curve25519-sha256. DSS and ECDSA host keys are turned off.
         */
        ssh {
            root-login deny-password;
            no-passwords;
            ciphers [ aes128-ctr "aes128-gcm@openssh.com" aes192-ctr aes256-ctr "aes256-gcm@openssh.com" ];
            macs [ "hmac-sha2-256-etm@openssh.com" hmac-sha2-256 hmac-sha2-512 "hmac-sha2-512-etm@openssh.com" "umac-128@openssh.com" "umac-128-etm@openssh.com" ];
            key-exchange [ group-exchange-sha2 curve25519-sha256 ];
            hostkey-algorithm {
                no-ssh-dss;
                no-ssh-ecdsa;
            }
        }
        /* NETCONF is offered over SSH only. */
        netconf {
            ssh;
        }
    }
    host-name s1.${site}.measurement-lab.org;
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    /*
     * Logging: emergencies go to every logged-in user, the messages file takes
     * notice level and above plus authorization events at info, and every
     * interactive command is written to its own file.
     * NOTE(review): no remote syslog host is defined in this template, so the
     * logs configured here exist only on the switch itself - confirm whether
     * forwarding is handled elsewhere.
     */
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    ntp {
        /* JunOS doesn't allow hostnames for servers, only IPs. The following
           are time{1,2,3,4}.google.com, respectively. These four addresses
           fall inside the /28 accepted by the allow-google-ntp firewall term;
           the two places have to be changed together. */
        server 216.239.35.0;
        server 216.239.35.4;
        server 216.239.35.8;
        server 216.239.35.12;
    }
}
interfaces {
    /* Ports that M-Lab uses and should be enabled. All of them are access
       ports in the mlab VLAN with the default storm-control profile. */
    interface-range mlab {
        /* 1Gbps interfaces */
        member ge-0/0/1;
        member ge-0/0/13;
        member ge-0/0/25;
        member ge-0/0/37;
        member ge-0/0/47;
        /* 10Gbps interfaces */
        member xe-0/0/0;
        member xe-0/0/12;
        member xe-0/0/24;
        member xe-0/0/36;
        member xe-0/0/45;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members mlab;
                }
                storm-control default;
            }
        }
    }
    /* Ports that M-Lab *does not* use and should be disabled. Keeping unused
       ports administratively down means a cable plugged into one of them
       gets no link. */
    interface-range disabled {
        /* 1Gbps interfaces */
        member ge-0/0/0;
        member ge-0/0/2;
        member ge-0/0/14;
        member-range ge-0/0/4 to ge-0/0/12;
        member-range ge-0/0/16 to ge-0/0/24;
        member-range ge-0/0/26 to ge-0/0/36;
        member-range ge-0/0/38 to ge-0/0/46;
        /* 10Gbps interfaces */
        member-range xe-0/0/1 to xe-0/0/11;
        member-range xe-0/0/13 to xe-0/0/23;
        member-range xe-0/0/25 to xe-0/0/35;
        member-range xe-0/0/37 to xe-0/0/44;
        member-range xe-0/0/46 to xe-0/0/47;
        /* QSFP+ interfaces */
        member-range et-0/0/48 to et-0/0/53;
        disable;
    }
    /* PDUs (Power Distribution Units). They sit in their own VLAN (pdus),
       separate from the mlab VLAN. */
    interface-range pdus {
        member ge-0/0/3;
        member ge-0/0/15;
        /* The PDUs only have 10/100 Ethernet interfaces */
        speed 100m;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members pdus;
                }
                storm-control default;
            }
        }
    }
    /* DRACs. These four ports are also members of the mlab range above; this
       range adds the mlab-dracs input filter (defined under firewall) on top
       of the VLAN settings they get there. */
    interface-range dracs {
        member ge-0/0/1;
        member ge-0/0/13;
        member ge-0/0/25;
        member ge-0/0/37;
        unit 0 {
            family ethernet-switching {
                filter {
                    input mlab-dracs;
                }
            }
        }
    }
    /* Per-port settings for the four 10G machine ports. The ether-options
       body comes from a template placeholder. */
    xe-0/0/0 {
        description mlab1;
        ether-options {
            ${flow_control};
        }
    }
    xe-0/0/12 {
        description mlab2;
        ether-options {
            ${flow_control};
        }
    }
    xe-0/0/24 {
        description mlab3;
        ether-options {
            ${flow_control};
        }
    }
    xe-0/0/36 {
        description mlab4;
        ether-options {
            ${flow_control};
        }
    }
    ${uplink_port} {
        /* This description is used by our Grafana configs to identify the
           uplink port of the switch. Do not change this without first making
           sure the Grafana configs are also changed. */
        description uplink-${uplink_speed};
        /* The two placeholders on the next line carry no terminator of their
           own here; presumably each expands to a complete statement or to
           nothing - confirm against the renderer. */
        ${speed} ${link_mode}
        ether-options {
            ${link_negotiation};
        }
    }
    irb {
        /* Routed interface of the mlab VLAN (vlan-id 100). Inbound traffic
           passes through the mlab inet filter. */
        unit 100 {
            family inet {
                filter {
                    input mlab;
                }
                /* The address should use CIDR notation */
                address ${ip_address};
            }
        }
        /* Routed interface of the pdus VLAN (vlan-id 200), with a fixed
           private address. No input filter is attached to this unit. */
        unit 200 {
            family inet {
                address 192.168.1.100/24;
            }
        }
    }
}
/*
 * SNMP is community-based and read-only. Community-based SNMP sends the
 * community string unencrypted, so the client-list restriction below is the
 * control that limits who can query the switch.
 */
snmp {
    client-list allowed-clients {
        /* This site's subnet. */
        ${ipv4_subnet};
    }
    /* Disco community string */
    community ${disco_community} {
        authorization read-only;
        client-list-name allowed-clients;
    }
}
/* The storm-control profile named default, referenced by the mlab and pdus
   interface ranges. */
forwarding-options {
    storm-control-profiles default {
        all;
    }
}
/* Shared packet buffer split: ingress is 5 percent lossless, 0 percent
   lossless headroom and 95 percent lossy; egress is 5 percent lossless,
   5 percent multicast and 90 percent lossy. */
class-of-service {
    shared-buffer {
        ingress {
            percent 100;
            buffer-partition lossless {
                percent 5;
            }
            buffer-partition lossless-headroom {
                percent 0;
            }
            buffer-partition lossy {
                percent 95;
            }
        }
        egress {
            percent 100;
            buffer-partition lossless {
                percent 5;
            }
            buffer-partition multicast {
                percent 5;
            }
            buffer-partition lossy {
                percent 90;
            }
        }
    }
}
firewall {
    family inet {
        /*
         * Input filter for irb unit 100. Terms are evaluated in order and the
         * last term accepts everything, so this is a deny-list: only what
         * blocked-ports matches is dropped.
         */
        filter mlab {
            /* Must stay ahead of blocked-ports, which would otherwise drop
               these packets when their destination port is ntp. */
            term allow-google-ntp {
                from {
                    source-address {
                        /* A loose approximation of Google's NTP servers */
                        216.239.35.0/28;
                    }
                    source-port ntp;
                }
                then accept;
            }
            /*
             * Drops traffic to the listed destination ports that the term
             * above did not accept.
             * NOTE(review): the term matches on port only, with no protocol
             * condition; Junos documentation recommends pairing a port match
             * with a protocol tcp or udp match - confirm this is intended.
             */
            term blocked-ports {
                from {
                    /* 1127=?, 1128=netcored, 1129=loggerd */
                    destination-port [ 1127-1129 ntp ];
                }
                then {
                    discard;
                }
            }
            term default {
                then accept;
            }
        }
    }
    /*
     * Restrict access to DRACs. The filter is applied as an input filter on
     * the DRAC ports and matches on destination address, so it limits which
     * hosts frames arriving from those ports may be addressed to: ARP is
     * allowed, IP traffic to the listed management hosts is allowed, and
     * everything else is discarded. The allow-list is a set of fixed /32
     * addresses and has to be updated when any of those hosts is renumbered.
     */
    family ethernet-switching {
        filter mlab-dracs {
            term allow-arp {
                from {
                    arp-type [ arp-request arp-reply ];
                }
                then accept;
            }
            term allow-drac-access {
                from {
                    ip-destination-address {
                        /* eb.measurementlab.net */
                        45.56.98.222/32;
                        /* kubeip-ip1 in mlab-sandbox */
                        35.224.169.63/32;
                        /* kubeip-ip2 in mlab-sandbox */
                        35.226.122.118/32;
                        /* kubeip-ip1 in mlab-staging */
                        35.185.54.7/32;
                        /* kubeip-ip2 in mlab-staging */
                        35.243.193.167/32;
                        /* kubeip-ip1 in mlab-oti */
                        35.188.150.110/32;
                        /* kubeip-ip2 in mlab-oti */
                        35.202.153.90/32;
                    }
                }
                then accept;
            }
            /* Default deny. No count action is attached, so frames dropped
               here are not tallied in a filter counter. */
            term default {
                then discard;
            }
        }
    }
}
/* Single static default route; the next hop comes from a placeholder. */
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop ${default_gateway};
            retain;
            no-readvertise;
        }
    }
}
/* The RSTP body comes from a template placeholder. */
protocols {
    rstp {
        ${rstp};
    }
}
/* Two VLANs, each bound to the irb unit of the same number: mlab for the
   machine ports and pdus for the power distribution units. */
vlans {
    mlab {
        vlan-id 100;
        l3-interface irb.100;
    }
    pdus {
        vlan-id 200;
        l3-interface irb.200;
    }
}