Sorry, I wasn’t trying to suggest I got an error; it was more of a conceptual config paste.
This is on an EX9200, which I don’t think supports security zones?

> On Jul 8, 2016, at 1:25 PM, Aaron Dewell <aaron.dew...@gmail.com> wrote:
>
> Did you write those firewall filters that you list? What was the error that
> you got?
>
> You’ll have to assign lo0 into a security zone, that might be what’s missing.
>
> “security zones functional-zone management” must be in inet.0. You can do
> other zones in a VRF and do in-band management within them (though it’s
> slightly recommended against, due to potential of misconfiguration causing a
> security issue), but this should work. That’s what Clinton was saying.
>
>> On Jul 8, 2016, at 11:20 AM, Jason Lixfeld <jason-j...@lixfeld.ca> wrote:
>>
>> I’m not quite following. This won’t work:
>>
>> set interfaces lo0 unit 0 family inet address 10.219.60.54/32
>> set interfaces lo0 unit 0 family inet filter input-list V4-ACCEPT-COMMON-SERVICES
>> set interfaces lo0 unit 0 family inet filter input-list V4-ACCEPT-ESTABLISHED
>> set interfaces lo0 unit 0 family inet filter input-list V4-DISCARD-ALL
>> set routing-instances MANAGEMENT instance-type vrf
>> set routing-instances MANAGEMENT interface lo0.0
>> set routing-instances MANAGEMENT route-distinguisher 21949:21949
>> set routing-instances MANAGEMENT vrf-target target:21949:21949
>>
>>> On Jul 7, 2016, at 6:07 PM, Clinton Work <clin...@scripty.com> wrote:
>>>
>>> I would still use lo0.0 as your always-up in-band mgmt interface.
>>> JunOS doesn't support putting management into a routing-instance and I
>>> have been pushing Juniper for this. You can use inet.0 for management
>>> and additional logical routers for data traffic, but that is different
>>> than a Cisco management VRF.
>>>
>>> JunOS doesn't have an explicit control-plane interface and you attach
>>> your control-plane filter to lo0.0 instead.
>>>
>>> --
>>> Clinton Work
>>> Airdrie, AB
>>>
>>> On Thu, Jul 7, 2016, at 11:52 AM, Jason Lixfeld wrote:
>>>> Hey there,
>>>>
>>>> Coming from a Cisco background, I generally assign a loopback interface
>>>> as my in-band management channel. I stick that into my management VRF
>>>> and that’s that. Without knowing any better, my instinct would be to do
>>>> the same in JunOS, but it seems as though lo0 is the control plane
>>>> interface between user space and the RE. That feels somewhat different
>>>> to me, because the Cisco equivalent is generally the control-plane
>>>> “interface”.
>>>>
>>>> So my question is what the best common practice is for an always-up,
>>>> in-band management channel on JunOS in an exclusively L3 environment
>>>> (i.e.: no vlan or irb interfaces used at all in the system) without
>>>> fully understanding whether that could also be lo0.0, or whether it
>>>> should be lo0.somethingelse, or whether it should be something else
>>>> entirely.
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
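Clinton's point is that on JunOS the control-plane filter is attached to lo0.0, and Jason's config names three filters in its input-list without showing their contents. The following is an added illustrative Junos filter chain for those names, written for this page rather than taken from the thread; the term contents and the MGMT-HOSTS prefix list are assumptions.

```junos
/* Added illustrative config, not the thread's own filters; MGMT-HOSTS (a
   constructed range) and the term contents are assumptions. input-list joins
   the filters into one chain, so anything no earlier term accepts falls to
   V4-DISCARD-ALL, which makes the final drop explicit, counted and logged. */
policy-options {
    prefix-list MGMT-HOSTS {
        192.0.2.0/24;
    }
}
firewall {
    family inet {
        filter V4-ACCEPT-COMMON-SERVICES {
            /* Routing-protocol, NTP, DNS and SNMP terms belong here too:
               anything not accepted before V4-DISCARD-ALL is dropped. */
            term ssh-from-mgmt {
                from {
                    source-prefix-list { MGMT-HOSTS; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then accept;
            }
        }
        filter V4-ACCEPT-ESTABLISHED {
            /* Return traffic for TCP sessions the RE itself initiated. */
            term tcp-established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
        }
        filter V4-DISCARD-ALL {
            term discard-and-log {
                then {
                    count V4-DISCARD-ALL;
                    log;
                    discard;
                }
            }
        }
    }
}
```

The `set interfaces lo0 unit 0 family inet filter input-list ...` lines from Jason's paste apply this chain to lo0.0; input-list evaluates the filters in the listed order, so V4-DISCARD-ALL must stay last.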