Managing a Juniper EX4300 In-Band

irbjuniperjuniper-exjuniper-junosvlan

Currently, our ex4300 are managed in band using irb.20.

show configuration interfaces irb

unit 20 {

family inet6 {
    address 2001:db8:1::252/64;

show configuration routing-options

rib inet6.0 {

static {
    route ::/0 next-hop 2001:db8:1::254 (this is the MX10003 router's sub-interface IP).

vlan 20 is our MGMT vlan
Vlan 10 is our production vlan

I need to restrict management plane traffic that is destined to the switch. For example, ssh traffic destined for 2001:db8:1::252 needs to be sourced from our NOC network (2001:db8:10::/64). The problem is when I apply a firewall filter to irb.20, it's checking everything coming through, even if it's not destined for 2001:db8:1::252, because we have other access ports in vlan 20. I figure the best way to fix this is to manage the switch with a different logical interface. Unfortunately, I can't seem to get this to work. I've tried configuring lo0, vme0, me0, and fxp0 all to no avail. When I configured the aforementioned interfaces, I gave them the inet6 address 2001:db8:1::200/64. I'm not certain what I'm missing, but any tips would be greatly appreciated.

Best Answer

Junos allows you to restrict control-plane traffic -- including SSH, routing protocol traffic, etc. -- by applying a filter to the lo0 interface. This is true even if you have not configured a loopback IP address.

For example, you can allow SSH and SNMP traffic only from 192.0.2.0/24, but allow all other traffic (default-allow) with the following configuration-fragment.

Remove your filter from the irb.20 interface -- you do not need it! With some exceptions (on buggy/limited platforms) lo0 filters do not affect any transit traffic; they only affect traffic being processed by the routing engine.

interfaces {
  lo0 {
    unit 0 {
      family inet {
        filter {
          input REv4-in;
        }
      }
    }
  }
}
policy-options {
  prefix-list ssh_allow {
    192.0.2.0/24;
  }
  prefix-list snmp_allow {
    192.0.2.0/24;
  }
}
firewall {
  family inet {
    filter REv4-in {
      term ssh_allow {
        from {
          protocol tcp;
          destination-port 22;
          source-prefix-list ssh_allow;
        }
        then {
          count ssh_allow;
          accept;
        }
      }
      term snmp_allow {
        from {
          protocol udp;
          destination-port 161;
          source-prefix-list snmp_allow;
        }
        then {
          count snmp_allow;
          accept;
        }
      }
      term control_default_discard {
        from {
          destination-port [ 22 161 ];
        }
        then {
          log;
          count control_default_discard;
          discard;
        }
      }
      term ELSE {
        then {
          count ELSE;
          accept;
        }
      }
    }
  }
}

Related Solutions

Vlan – IPv6 DHCP Server vs Router

IPv6 has more options for configuring addresses than IPv4. The process works as follows:

A new client joins the network and sends a Router Solicitation (RS)
Each router (can be multiple) sends a Router Advertisement (RA)
- This happens both on request (when receiving an RS) as well as periodically
The RA contains a lot of information on how the network is run:
- If the router sending the RA can be a default gateway, and for how long
- Telling clients if there is a stateless (not giving out addresses, only providing extra information like DNS settings) DHCPv6 server on the network (the O=other flag)
- Telling clients if there is a stateful (like in IPv4) DHCPv6 server on the network (the M=managed flag)
- Telling clients about the prefixes in use on the network
  - For each prefix: tell the clients if they can auto-configure an address by themselves (the A=autoconf flag)
- And possibly lots of other stuff

If you want to run a fully managed network where the DHCPv6 server manages all the addresses (and please think why you want this before choosing it, if you don't use the information in the DHCPv6 server then letting clients configure their own addresses is much easier) then the router has to turn off the A (autoconf) flag for every prefix it announces and turn on the M (managed) flag so that clients know that they are not allowed to choose their own addresses but that there is a DHCPv6 server available to help them.

This is how to do that on a Cisco router:

; Go to the interface configuration
interface FastEthernet0/0
  ; Tell clients that auto configuration is not allowed
  ; This changes the default parameters.
  ; You have to specify the timers, so I use the standard values
  ipv6 nd prefix default 2592000 604800 no-autoconfig
  ;
  ; Tell the clients that there is a stateful DHCPv6 server available
  ipv6 nd managed-config-flag

; Repeat this for every (sub)interface where you want to force clients to use DHCPv6.

Also note: You need those RA packets. DHCPv6 only provides information, and optionally addresses. It does not provide a default gateway. That is done using RA. The idea here is that routers usually have better information on routing and gateways than DHCP servers, with the added benefit that you can have multiple routers on one subnet acting as default gateways with clients load balancing between them etc.

Juniper – Troubleshooting Unstable Uplink on SRX240 with VPN

With help from our service provider we've been able to localise the problem. The idea I had in my last comment proved correct: the difference between fast ethernet and gigabit ethernet was the source of the problem.

The reason for dropping connections, undeliverable packets and segmented packets was a mismatch in link mode between the fiber switch and the SRX - they hardcoded their port to 100m full duplex, but the SRX had automatic negotiation, which resolved to 100m half duplex.

The problem was further complicated by Juniper's odd configuration of speed and link mode. Just setting these configuration options wasn't enough:

speed 100m;
link-mode full-duplex;

This configuration was accepted, but when running show interfaces ge-0/0/0, it still showed:

Link-level type: Ethernet, MTU: 1514, Link-mode: Half-duplex, Speed: 100mbps,

Apparently, you have to explicitly disable auto-negotiation:

speed 100m;
link-mode full-duplex;
gigether-options {
    no-auto-negotiation;
}

In the end, I found that this guy had the exact same problem (and the solution!)

Thanks for all your help.

Best Answer

Related Solutions

Vlan – IPv6 DHCP Server vs Router

Juniper – Troubleshooting Unstable Uplink on SRX240 with VPN

Related Topic