Thus the standard practice has always been to protect lo0 with a firewall
filter that just allows through the source IPs that you want. There’s really
no gain from using a VRF for it, though people with a Cisco background tend to
expect it, thus why it’s being added now-ish.
> On Jul 8, 2016,
That’s interesting. I wouldn’t have expected to hear that about Juniper.
Thanks for the insight!
> On Jul 8, 2016, at 2:19 PM, Aaron Dewell wrote:
>
>
> Yes, though there are occasional issues such as sshd only binding to the
> local IPs within inet.0. Whether that’s working yet or not will
Yes, though there are occasional issues such as sshd only binding to the local
IPs within inet.0. Whether that’s working yet or not will depend on version
and the enhancement request previously mentioned. Last I heard, that was going
to be a 16.1 or farther out feature, but it depends on whic
So if my management stations are is in the same VRF as lo0, no leaking should
be required.
Of course, this implies that the underpinnings of route redistribution (i.e.:
connected/static into MP-BGP) inside the VRF are all present, so the routing
table on the EX knows how to get everywhere insid
Sorry! I got stuck on SRX. Ignore that lol.
So if you’re only putting lo0 into the VRF, then you’ll need some way to route
in and out of the VRF to get there. That could be via route leaking, etc.
That routing table will have to have a return route to the source, and the main
instance will
Sorry, I wasn’t trying to suggest I got an error, it was more of a conceptual
config paste.
This is on an EX9200, which I don’t think support security zones?
> On Jul 8, 2016, at 1:25 PM, Aaron Dewell wrote:
>
>
> Did you write those firewall filters that you list? What was the error that
>
Did you write those firewall filters that you list? What was the error that
you got?
You’ll have to assign lo0 into a security zone, that might be what’s missing.
"security zones functional-zone management” must be in inet.0. You can do
other zones in a VRF and do in-band management within
I’m not quite following. This won’t work:
set interfaces lo0 unit 0 family inet address 10.219.60.54/32
set interfaces lo0 unit 0 family inet filter input-list
V4-ACCEPT-COMMON-SERVICES
set interfaces lo0 unit 0 family inet filter input-list V4-ACCEPT-ESTABLISHED
set interfaces lo0 unit 0 family
I never understood why people want to do this.
FXP0/EM0 are very dangerous ports, they sit on control-plane without
any HW protection, no port filters, no lo0, no ddos-protection. So if
you have L2 MGMT network there, connecting all Junipers, potentially
L2 loop in your MGMT network breaks whole n
I don't want to convert a regular port into a routing-instance, I want
to put fxp0 / em0 into a routing-instance or logical router. I don't
want to pollute the main inet.0 routing table with mgmt routes. There
are various workarounds, but some features (inline jflow) that only work
properly via
Likewise, it really doesn't make much sense to me.
Having to retrofit a normal port to act as management in its own vrf is
stupid (and not even always possible).
On 7/8/2016 07:07 AM, Clinton Work wrote:
JunOS doesn't support putting management into a routing-instance and I
have been pushing
Hello,
On 07/07/2016 23:07, Clinton Work wrote:
JunOS doesn't have an explicit control-plane interface
Not exactly true. It does but You cannot attach filters directly to it.
It is called fxp1/em1.
and you attach
your control-plane filter to lo0.0 instead.
Depending on platform and expec
I would still use lo0.0 as your always up in-band mgmt interface.
JunOS doesn't support putting management into a routing-instance and I
have been pushing Juniper for this. You can use inet.0 for management
and additional logical routers for data traffic, but that is different
than a Cisco mana
Hey there,
Coming from a Cisco background, I generally assign a loopback interface as my
in-band management channel. I stick that into my management VRF and that’s
that. Without knowing any better, my instinct would be to do the same in
JunOS, but it seems as though lo0 is the control plane i
14 matches
Mail list logo