[j-nsp] SRX and loopback devices
Chris Kawchuk
juniperdude at gmail.com
Sat May 29 12:05:26 EDT 2010
Hi Thomas,
Yes you can put it in a zone. I put it in the zone that's appropriate for it.
i.e. I have an SRX which is an Internet firewall, which needs a loopback address for OSPF/BGP/RouterID etc., so I stick it into the Internet zone, but I manage the device via another interface in trust.
--->
zones {
    security-zone Management {
        tcp-rst;
        interfaces {
            ge-0/0/0.0 { /* Manage via ge-0/0/0 */
                host-inbound-traffic {
                    system-services {
                        ssh;
                        ping;
                        traceroute;
                        snmp;
                    }
                }
            }
        }
    }
    security-zone Internet {
        interfaces {
            ge-0/0/1.0 { /* here's a public Internet interface */
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                    }
                    protocols {
                        ospf;
                        bgp;
                        vrrp;
                    }
                }
            }
            lo0.0 { /* and here's the loopback, needed for iBGP & OSPF RouterID=Loopback */
                host-inbound-traffic {
                    system-services {
                        ping;
                        traceroute;
                    }
                    protocols {
                        ospf;
                        bgp;
                    }
                }
            }
        }
    }
}
So no, no issues moving the loopback - you'll still be able to manage your SRX from another zone (assuming you allow it on that interface associated w/that interface). Just don't try to manage "to the loopback" from the trust zone if lo0 is in a different zone =)
- Chris.
On 2010-05-29, at 3:52 AM, Thomas Eichhorn wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all,
>
> I'm currently having a conceptual problem with the SRX series:
>
> All of my interfaces are in a zone - but not lo0. It seems even
> in default config it has no zone assigned... Now I just wonder what
> happens if I assign it to a zone - should I put it into trust or
> just create a new zone loopback? If I do this, do I need special
> rules for allowing some stuff?
>
> I just remember the very bad effects on MX series, if you put a
> filter on loopback and don't remember which internal services
> needs this..
>
> Any ideas and comments?
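An added audit script, not from this thread, that parses a zones stanza like the one in the reply above and reports which management services (ssh, snmp, ...) are accepted under host-inbound-traffic in a zone you treat as untrusted, which is the check worth running after moving lo0 into the Internet zone. The sample config, the MGMT_SERVICES list and the zone names are my own assumptions; ssh is added under lo0.0 on purpose so there is something to flag.

```python
import re
# Constructed sample modelled on the zones stanza above; ssh under lo0.0 is added on purpose so the audit flags it.
SAMPLE = """zones {
  security-zone Management { interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { ssh; ping; snmp; } } } } }
  security-zone Internet {
    host-inbound-traffic { system-services { ping; } }   /* zone-wide: applies to every interface in the zone */
    interfaces {
      ge-0/0/1.0 { host-inbound-traffic { system-services { traceroute; } protocols { ospf; bgp; } } }
      lo0.0 { host-inbound-traffic { system-services { ping; ssh; } protocols { ospf; bgp; } } }
    }
  }
}"""
MGMT_SERVICES = {"ssh", "telnet", "http", "https", "snmp", "netconf", "all"}  # 'all' opens every service

def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)        # drop /* */ comments
    root, stack, words = {}, [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        cur = stack[-1] if stack else root
        if tok == "{":                                       # open a nested stanza
            cur[" ".join(words)] = node = {}
            stack.append(node)
        elif tok == ";":                                     # terminal statement
            cur[" ".join(words)] = None
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
            continue
        words = []
    return root

def exposed_mgmt_services(config, untrusted_zones):
    """(zone, scope, service) for management services accepted in untrusted zones; zone-wide and per-interface host-inbound-traffic are both checked since they are additive."""
    findings = []
    zones = config.get("security", config).get("zones", {})  # accept a 'security {' wrapper too
    for key, zone in zones.items():
        name = key.split(" ", 1)[-1]
        if not key.startswith("security-zone ") or name not in untrusted_zones:
            continue
        scopes = [("<zone-wide>", zone.get("host-inbound-traffic"))]
        for ifname, ifcfg in (zone.get("interfaces") or {}).items():
            scopes.append((ifname, (ifcfg or {}).get("host-inbound-traffic")))
        for scope, hit in scopes:
            for svc in (hit or {}).get("system-services") or {}:
                if svc in MGMT_SERVICES:
                    findings.append((name, scope, svc))
    return findings
```

Running `exposed_mgmt_services(parse_junos(SAMPLE), {"Internet"})` on the sample returns the single finding for ssh on lo0.0; the same call with the Management zone shows the ssh and snmp that are expected there.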