Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-08 Thread Aaron Dewell
Thus the standard practice has always been to protect lo0 with a firewall filter that just allows through the source IPs that you want. There’s really no gain from using a VRF for it, though people with a Cisco background tend to expect it, thus why it’s being added now-ish. > On Jul 8,

Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-08 Thread Jason Lixfeld
That’s interesting. I wouldn’t have expected to hear that about Juniper. Thanks for the insight! > On Jul 8, 2016, at 2:19 PM, Aaron Dewell wrote: > > > Yes, though there are occasional issues such as sshd only binding to the > local IPs within inet.0. Whether

Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-08 Thread Aaron Dewell
Yes, though there are occasional issues such as sshd only binding to the local IPs within inet.0. Whether that’s working yet or not will depend on version and the enhancement request previously mentioned. Last I heard, that was going to be a 16.1 or farther out feature, but it depends on

Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-08 Thread Jason Lixfeld
So if my management stations are is in the same VRF as lo0, no leaking should be required. Of course, this implies that the underpinnings of route redistribution (i.e.: connected/static into MP-BGP) inside the VRF are all present, so the routing table on the EX knows how to get everywhere

Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-08 Thread Aaron Dewell
Sorry! I got stuck on SRX. Ignore that lol. So if you’re only putting lo0 into the VRF, then you’ll need some way to route in and out of the VRF to get there. That could be via route leaking, etc. That routing table will have to have a return route to the source, and the main instance

Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-08 Thread Jason Lixfeld
Sorry, I wasn’t trying to suggest I got an error, it was more of a conceptual config paste. This is on an EX9200, which I don’t think support security zones? > On Jul 8, 2016, at 1:25 PM, Aaron Dewell wrote: > > > Did you write those firewall filters that you list?

Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-08 Thread Aaron Dewell
Did you write those firewall filters that you list? What was the error that you got? You’ll have to assign lo0 into a security zone, that might be what’s missing. "security zones functional-zone management” must be in inet.0. You can do other zones in a VRF and do in-band management

Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-08 Thread Jason Lixfeld
I’m not quite following. This won’t work: set interfaces lo0 unit 0 family inet address 10.219.60.54/32 set interfaces lo0 unit 0 family inet filter input-list V4-ACCEPT-COMMON-SERVICES set interfaces lo0 unit 0 family inet filter input-list V4-ACCEPT-ESTABLISHED set interfaces lo0 unit 0

Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-08 Thread Saku Ytti
I never understood why people want to do this. FXP0/EM0 are very dangerous ports, they sit on control-plane without any HW protection, no port filters, no lo0, no ddos-protection. So if you have L2 MGMT network there, connecting all Junipers, potentially L2 loop in your MGMT network breaks whole

Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-08 Thread Clinton Work
I don't want to convert a regular port into a routing-instance, I want to put fxp0 / em0 into a routing-instance or logical router. I don't want to pollute the main inet.0 routing table with mgmt routes. There are various workarounds, but some features (inline jflow) that only work properly

Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-08 Thread Paul S.
Likewise, it really doesn't make much sense to me. Having to retrofit a normal port to act as management in its own vrf is stupid (and not even always possible). On 7/8/2016 07:07 AM, Clinton Work wrote: JunOS doesn't support putting management into a routing-instance and I have been pushing

Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-08 Thread Alexander Arseniev
Hello, On 07/07/2016 23:07, Clinton Work wrote: JunOS doesn't have an explicit control-plane interface Not exactly true. It does but You cannot attach filters directly to it. It is called fxp1/em1. and you attach your control-plane filter to lo0.0 instead. Depending on platform and

Re: [j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-07 Thread Clinton Work
I would still use lo0.0 as your always up in-band mgmt interface. JunOS doesn't support putting management into a routing-instance and I have been pushing Juniper for this. You can use inet.0 for management and additional logical routers for data traffic, but that is different than a Cisco

[j-nsp] in-band management interface vs. re firewall concepts/bcp

2016-07-07 Thread Jason Lixfeld
Hey there, Coming from a Cisco background, I generally assign a loopback interface as my in-band management channel. I stick that into my management VRF and that’s that. Without knowing any better, my instinct would be to do the same in JunOS, but it seems as though lo0 is the control plane