[j-nsp] in-band management interface vs. re firewall concepts/bcp

Jason Lixfeld jason-jnsp at lixfeld.ca
Fri Jul 8 13:34:47 EDT 2016 

Sorry, I wasn’t trying to suggest I got an error, it was more of a conceptual config paste.

This is on an EX9200, which I don’t think support security zones?

> On Jul 8, 2016, at 1:25 PM, Aaron Dewell <aaron.dewell at gmail.com> wrote:
> 
> 
> Did you write those firewall filters that you list?  What was the error that you got?
> 
> You’ll have to assign lo0 into a security zone, that might be what’s missing.  
> 
> "security zones functional-zone management” must be in inet.0.  You can do other zones in a VRF and do in-band management within them (though it’s slightly recommended against, due to potential of misconfiguration causing a security issue), but this should work.  That’s what Clinton was saying.  
> 
>> On Jul 8, 2016, at 11:20 AM, Jason Lixfeld <jason-jnsp at lixfeld.ca> wrote:
>> 
>> I’m not quite following.  This won’t work:
>> 
>> set interfaces lo0 unit 0 family inet address 10.219.60.54/32
>> set interfaces lo0 unit 0 family inet filter input-list V4-ACCEPT-COMMON-SERVICES
>> set interfaces lo0 unit 0 family inet filter input-list V4-ACCEPT-ESTABLISHED
>> set interfaces lo0 unit 0 family inet filter input-list V4-DISCARD-ALL
>> set routing-instances MANAGEMENT instance-type vrf
>> set routing-instances MANAGEMENT interface lo0.0
>> set routing-instances MANAGEMENT route-distinguisher 21949:21949
>> set routing-instances MANAGEMENT vrf-target target:21949:21949
>> 
>>> On Jul 7, 2016, at 6:07 PM, Clinton Work <clinton at scripty.com> wrote:
>>> 
>>> I would still use lo0.0 as your always up in-band mgmt interface.  
>>> JunOS doesn't support putting management into a routing-instance and I
>>> have been pushing Juniper for this.   You can use inet.0 for management
>>> and additional logical routers for data traffic, but that is different
>>> than a Cisco management VRF.   
>>> 
>>> JunOS doesn't have an explicit control-plane interface and you attach
>>> your control-plane filter to lo0.0 instead.   
>>> 
>>> --
>>> Clinton Work
>>> Airdrie, AB
>>> 
>>> On Thu, Jul 7, 2016, at 11:52 AM, Jason Lixfeld wrote:
>>>> Hey there,
>>>> 
>>>> Coming from a Cisco background, I generally assign a loopback interface
>>>> as my in-band management channel.  I stick that into my management VRF
>>>> and that’s that.  Without knowing any better, my instinct would be to do
>>>> the same in JunOS, but it seems as though lo0 is the control plane
>>>> interface between user space and the re.  That feels somewhat different
>>>> to me, because the Cisco equivalent is generally the control-plane
>>>> “interface”.
>>> 
>>>> 
>>>> So my question is what the best common practise is for an always-up,
>>>> in-band management channel on JunOS in an exclusively L3 environment
>>>> (i.e.:  no vlan or irb interfaces used at all in the system) without
>>>> fully understanding whether that could also be lo0.0, or whether it
>>>> should be lo0.somethingelse, or whether it should be something else
>>>> entirely.
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> 
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

More information about the juniper-nsp mailing list