[j-nsp] in-band management interface vs. re firewall concepts/bcp
Alexander Arseniev
arseniev at btinternet.com
Fri Jul 8 03:06:13 EDT 2016
Hello,
On 07/07/2016 23:07, Clinton Work wrote:
> JunOS doesn't have an explicit control-plane interface
Not exactly true. It does, but you cannot attach filters directly to it.
It is called fxp1/em1.
> and you attach
> your control-plane filter to lo0.0 instead.
>
Depending on platform and expected load, lo0 may not be the best place.
I.e. in branch SRX, lo0 filter evaluation comes AFTER incoming interface
filter & policy evaluations,
and as a result, the flows are established even for those packets that
are eventually denied by the lo0 filter.
Therefore, on branch SRX the best place is a control-plane filter
attached as an incoming interface filter.
HTH
Thx
Alex
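
The two placements discussed in the message above, as an added configuration sketch (not part of the original post and not taken from Juniper documentation). The filter name, prefix-list names, interface ge-0/0/0 and all addresses are assumptions; because a filter on an incoming interface also sees transit traffic, the sketch matches on the device's own addresses and ends with an explicit accept term.

```junos
# Constructed example: names are hypothetical, addresses are RFC 5737 placeholders.
set policy-options prefix-list MGMT-NETS 192.0.2.0/24
set policy-options prefix-list LOCAL-ADDRS 198.51.100.1/32

# Term 1: SSH to the device's own addresses, only from the management networks.
set firewall family inet filter CONTROL-PLANE term mgmt-ssh from source-prefix-list MGMT-NETS
set firewall family inet filter CONTROL-PLANE term mgmt-ssh from destination-prefix-list LOCAL-ADDRS
set firewall family inet filter CONTROL-PLANE term mgmt-ssh from protocol tcp
set firewall family inet filter CONTROL-PLANE term mgmt-ssh from destination-port ssh
set firewall family inet filter CONTROL-PLANE term mgmt-ssh then accept

# Accept terms for other control traffic the device needs (routing protocols,
# ICMP, replies to device-originated NTP/DNS) belong here, before the discard.

# Term 2: anything else addressed to the device itself is counted and dropped.
set firewall family inet filter CONTROL-PLANE term to-device-other from destination-prefix-list LOCAL-ADDRS
set firewall family inet filter CONTROL-PLANE term to-device-other then count control-plane-drops
set firewall family inet filter CONTROL-PLANE term to-device-other then discard

# Term 3: transit traffic. Required when the filter sits on an incoming
# interface, since it is then evaluated for every packet, not only for
# packets destined to the routing engine.
set firewall family inet filter CONTROL-PLANE term transit then accept

# Placement A (lo0): per the message, on branch SRX this is evaluated after the
# incoming interface filter and policy, so flows already exist for packets it denies.
set interfaces lo0 unit 0 family inet filter input CONTROL-PLANE

# Placement B (incoming interface): the placement the message recommends for
# branch SRX. Repeat on each interface that can receive traffic for the device.
set interfaces ge-0/0/0 unit 0 family inet filter input CONTROL-PLANE
```

The counter `control-plane-drops` is a hypothetical name; watching it after a change shows whether legitimate control traffic is hitting the discard term.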