[j-nsp] SRX and loopback devices

Chris Kawchuk juniperdude at gmail.com
Sat May 29 12:05:26 EDT 2010


Hi Thomas,

Yes, you can put it in a zone. I put it in the zone that's appropriate for it.

i.e. I have an SRX which is an Internet firewall, which needs a loopback address for OSPF/BGP/RouterID etc., so I stick it into the Internet zone, but I manage the device via another interface in trust.


--->

zones {
    security-zone Management {
        tcp-rst;
        interfaces {
            ge-0/0/0.0 {			/* Manage via ge-0/0/0 */
                host-inbound-traffic {
                    system-services {
                        ssh;
                        ping;
                        traceroute;
                        snmp;
                    }
                }
            }
        }
    }
    security-zone Internet {
        interfaces {
            ge-0/0/1.0 {			/* here's a public Internet interface */
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                    }
                    protocols {
                        ospf;
                        bgp;
                        vrrp;
                    }
                }   
            }       
            lo0.0 { 				/* and here's the loopback, needed for iBGP & OSPFRouterID=Loopback */
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                    }
                    protocols {
                        ospf;
                        bgp;
                    }
                }   
            }
        }
    }
}

So no, no issues moving the loopback - you'll still be able to manage your SRX from another zone (assuming you allow it on that interface associated w/that interface). Just don't try to manage "to the loopback" from the trust zone if lo0 is in a different zone =)
	
- Chris.
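As an added illustration of the point above (not part of Chris's post or any Juniper tooling): a small Python parser for brace-style Junos text that reports, per zone and interface, which host-inbound-traffic system-services and protocols are admitted, and flags any lo0 unit whose zone admits management services such as ssh or snmp. The SAMPLE excerpt is constructed after the post's configuration, and the management-service list is an assumption, not a Junos definition.

```python
import re
# Services that grant management access; the post manages the SRX via a management-zone interface, not "to the loopback".
MGMT_SERVICES = {"ssh", "telnet", "snmp", "netconf", "http", "https", "all"}

def parse_junos(text):
    """Brace-style Junos text -> nested dicts (leaf statements map to None); strips /* */ comments, tolerates missing closing braces."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"/\*.*?\*/", " ", text, flags=re.S))
    pos = 0
    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]; pos += 1
            if tok == "{":
                node[" ".join(words)], words = block(), []
            elif tok == ";":
                node[" ".join(words)], words = None, []
            elif tok == "}":
                break
            else:
                words.append(tok)
        return node
    return block()

def zone_inbound(tree):
    """{zone: {ifname: {"system-services": set, "protocols": set}}}; zone-wide host-inbound-traffic is merged into each interface."""
    result = {}
    for key, zone in tree.get("zones", {}).items():
        if not key.startswith("security-zone ") or zone is None:
            continue
        zone_hit = zone.get("host-inbound-traffic") or {}
        result[key.split(None, 1)[1]] = per_if = {}
        for ifname, ifnode in (zone.get("interfaces") or {}).items():
            hit = (ifnode or {}).get("host-inbound-traffic") or {}
            per_if[ifname] = {k: set(hit.get(k) or {}) | set(zone_hit.get(k) or {})
                              for k in ("system-services", "protocols")}
    return result

def audit_loopback(text):
    """(zone, interface, services) for every lo0 unit whose zone admits management services."""
    return [(z, i, sorted(h["system-services"] & MGMT_SERVICES))
            for z, ifs in zone_inbound(parse_junos(text)).items()
            for i, h in ifs.items() if i.startswith("lo0") and h["system-services"] & MGMT_SERVICES]

SAMPLE = """zones {  /* constructed excerpt modelled on the post, left unclosed like the original */
    security-zone Management { interfaces { ge-0/0/0.0 { host-inbound-traffic {
        system-services { ssh; snmp; ping; } } } } }
    security-zone Internet { interfaces {
        ge-0/0/1.0 { host-inbound-traffic { system-services { ping; } protocols { ospf; bgp; } } }
        lo0.0 { host-inbound-traffic { system-services { ping; traceroute; } protocols { ospf; bgp; } } }"""
```

Run `audit_loopback(SAMPLE)` to get an empty list for the post's layout (lo0 admits only ping/traceroute plus ospf/bgp); a zone that grants ssh zone-wide with lo0 inside it is reported.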




On 2010-05-29, at 3:52 AM, Thomas Eichhorn wrote:

> 
> Hi all,
> 
> I'm currently having a conceptual problem with the SRX series:
> 
> All of my interfaces are in a zone - but not lo0. It seems even
> in default config it has no zone assigned... Now I just wonder what
> happens if I assign it to a zone - should I put it into trust or
> just create a new zone loopback? If I do this, do I need special
> rules for allowing some stuff?
> 
> I just remember the very bad effects on MX series, if you put a
> filter on loopback and don't remember which internal services
> need this..
> 
> Any ideas and comments?



