Routing – Isolating Juniper Management Plane

juniper-junosrouting

Out of the box, it seems that the Juniper management routing is part of the default route table. Can I use logical systems to isolate the service plane from management routing? Are there any drawbacks?

Best Answer

This can easily turn into a debate, sure you could do management in different logical-system, but what are the perceived gains? You're still going to need to protect the main instance just the same.
In my opinion you gain nothing but you add complexity, which means added risk of downtime.

It would be different matter on SUP2T or Nexus7k with CMP, where you truly have separate out-of-band interface available.

My recommendation would be to optimize for least complexity, do on-band ssh management via normal main instance and have RS232 (alas, necessary evil) as back-up out-of-band.

If you go through this route, it'll work, there will be some inconveniences like copying software, but you can cope with it, with 'set cli logical-system MGMT'

You need two solution, one for normal day-to-day work, and another for OOB, when system or network is broken. OOB is easy, you need RS232, as RS232 is only solution you can use, to try to reboot box when junos is not running or unresponsive (set system debugger-on-break).
For your main day-to-day work, it's more debatable, you have three options:

use on-band (same routes as production INET)
use routing-instance (you'll get routing separation, but use same copy of RPD, but I guess you're using FXP0, which is not supported here)
use logical-system, another copy of RPD is ran just for MGMT

You mentioned need to have symmetric route. I assume from this, that you want to use FXP0 for MGMT and you have another competing route for return traffic, which you need, as NMS server network is used for something else than just NMS, which is bit worrying.
In my opinion FXP0 is simply not needed, as it's not OOB (like CMP is) you cannot even protect FXP0 port via FW filter, as it's not HW interface.

But if we assume that you want to keep using FXP0 then you indeed pretty-much MUST put it in logical-system, even if you didn't have competing route for NMS, you'd still need to put FXP0 in logical-system, otherwise you expose your NMS network to attacks from the on-band, which you cannot protect, as you cannot put HW FW filter in the FXP0 interface.

Related Solutions

Cannot access web management through HTTPS despite being configured

According to Juniper the functional-zone is supposed to be used with the dedicated management interfaces (fxp0). Since this device doesn't have dedicated management interfaces (unless it's set-up as chassis cluster - which in that case interface ge-0/0/0 is assigned to fxp0), you can't use the functional zone.

Also, you have everything configured for interface ge-0/0/1 but you show the configuration of interface ge-0/0/15, so maybe there's a mistake there.

So, if you want to use a non dedicated management interface, you have to use a "normal" security zone. If you want to use the dedicated interface, then you can use the functional zone.

Juniper Switch – Enabling Ports

For layer 2 switching, these ports need to be configured for family ethernet-switching.

ge-0/0/1 {
    unit 0 {
        family ethernet-switching {
        }
    }
}

Best Answer

Related Solutions

Cannot access web management through HTTPS despite being configured

Juniper Switch – Enabling Ports

Related Topic