[j-nsp] in-band management interface vs. re firewall concepts/bcp
Aaron Dewell
aaron.dewell at gmail.com
Fri Jul 8 13:25:57 EDT 2016
Did you write those firewall filters that you list? What was the error that you got?
You’ll have to assign lo0 into a security zone, that might be what’s missing.
"security zones functional-zone management" must be in inet.0. You can do other zones in a VRF and do in-band management within them (though it’s slightly recommended against, due to potential of misconfiguration causing a security issue), but this should work. That’s what Clinton was saying.
> On Jul 8, 2016, at 11:20 AM, Jason Lixfeld <jason-jnsp at lixfeld.ca> wrote:
>
> I’m not quite following. This won’t work:
>
> set interfaces lo0 unit 0 family inet address 10.219.60.54/32
> set interfaces lo0 unit 0 family inet filter input-list V4-ACCEPT-COMMON-SERVICES
> set interfaces lo0 unit 0 family inet filter input-list V4-ACCEPT-ESTABLISHED
> set interfaces lo0 unit 0 family inet filter input-list V4-DISCARD-ALL
> set routing-instances MANAGEMENT instance-type vrf
> set routing-instances MANAGEMENT interface lo0.0
> set routing-instances MANAGEMENT route-distinguisher 21949:21949
> set routing-instances MANAGEMENT vrf-target target:21949:21949
>
>> On Jul 7, 2016, at 6:07 PM, Clinton Work <clinton at scripty.com> wrote:
>>
>> I would still use lo0.0 as your always up in-band mgmt interface.
>> JunOS doesn't support putting management into a routing-instance and I
>> have been pushing Juniper for this. You can use inet.0 for management
>> and additional logical routers for data traffic, but that is different
>> than a Cisco management VRF.
>>
>> JunOS doesn't have an explicit control-plane interface and you attach
>> your control-plane filter to lo0.0 instead.
>>
>> --
>> Clinton Work
>> Airdrie, AB
>>
>> On Thu, Jul 7, 2016, at 11:52 AM, Jason Lixfeld wrote:
>>> Hey there,
>>>
>>> Coming from a Cisco background, I generally assign a loopback interface
>>> as my in-band management channel. I stick that into my management VRF
>>> and that’s that. Without knowing any better, my instinct would be to do
>>> the same in JunOS, but it seems as though lo0 is the control plane
>>> interface between user space and the re. That feels somewhat different
>>> to me, because the Cisco equivalent is generally the control-plane
>>> “interface”.
>>>
>>> So my question is what the best common practise is for an always-up,
>>> in-band management channel on JunOS in an exclusively L3 environment
>>> (i.e.: no vlan or irb interfaces used at all in the system) without
>>> fully understanding whether that could also be lo0.0, or whether it
>>> should be lo0.somethingelse, or whether it should be something else
>>> entirely.
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
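The lo0.0-in-inet.0 arrangement that Clinton and Aaron describe, written out as one complete configuration. This is a constructed example added here, not configuration posted by anyone in the thread: the address 192.0.2.1/32, the management prefix 192.0.2.0/24, the prefix-list MGMT-NETS, the filter RE-PROTECT, the policer ICMP-1M and the zone MGMT are all assumed names, and the security-zone lines assume an SRX (the zone remark in Aaron's reply only applies to stateful-firewall platforms; on MX/QFX/EX there are no zones and the lo0.0 filter is the whole story).

```junos
# Added example (not from the thread). Assumed: lo0.0 = 192.0.2.1/32,
# management subnet 192.0.2.0/24, names MGMT-NETS / RE-PROTECT / ICMP-1M / MGMT.
# lo0.0 stays in the default instance (inet.0); it is NOT placed in a VRF.
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces lo0 unit 0 family inet filter input RE-PROTECT

set policy-options prefix-list MGMT-NETS 192.0.2.0/24

# SSH to the RE only from the management prefixes
set firewall family inet filter RE-PROTECT term mgmt-ssh from source-prefix-list MGMT-NETS
set firewall family inet filter RE-PROTECT term mgmt-ssh from protocol tcp
set firewall family inet filter RE-PROTECT term mgmt-ssh from destination-port ssh
set firewall family inet filter RE-PROTECT term mgmt-ssh then accept

# Return traffic for TCP sessions the RE itself opened (RADIUS, syslog over TCP, etc.)
set firewall family inet filter RE-PROTECT term tcp-established from protocol tcp
set firewall family inet filter RE-PROTECT term tcp-established from tcp-established
set firewall family inet filter RE-PROTECT term tcp-established then accept

# ICMP is allowed but rate-limited so the box stays pingable without being a soft DoS target
set firewall policer ICMP-1M if-exceeding bandwidth-limit 1m
set firewall policer ICMP-1M if-exceeding burst-size-limit 15k
set firewall policer ICMP-1M then discard
set firewall family inet filter RE-PROTECT term icmp from protocol icmp
set firewall family inet filter RE-PROTECT term icmp then policer ICMP-1M
set firewall family inet filter RE-PROTECT term icmp then accept

# Everything else aimed at the RE is counted, logged and dropped.
# Add terms for your routing protocols (BGP, OSPF, LDP, ...) ABOVE this one before committing.
set firewall family inet filter RE-PROTECT term default then count re-discards
set firewall family inet filter RE-PROTECT term default then log
set firewall family inet filter RE-PROTECT term default then discard

# SRX only (assumed platform): lo0.0 must also be in a security zone whose
# host-inbound-traffic admits the management services; the filter and the
# zone both have to permit a service for it to reach the RE.
set security zones security-zone MGMT interfaces lo0.0 host-inbound-traffic system-services ssh
set security zones security-zone MGMT interfaces lo0.0 host-inbound-traffic system-services ping
```

Commit this with `commit confirmed 5` from a session that itself matches the mgmt-ssh term, so a mistake in the filter rolls back instead of locking you out of an in-band-only box. Afterwards `show firewall filter RE-PROTECT` shows the re-discards counter climbing for anything you forgot to permit, and `show interfaces lo0.0` confirms the filter is attached to the unit that is still in inet.0.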