Currently, our EX4300s are managed in-band using irb.20.
show configuration interfaces irb
unit 20 {
    family inet6 {
        address 2001:db8:1::252/64;
    }
}

show configuration routing-options
rib inet6.0 {
    static {
        route ::/0 next-hop 2001:db8:1::254;
    }
}
(2001:db8:1::254 is the MX10003 router's sub-interface IP.)
VLAN 20 is our MGMT VLAN.
VLAN 10 is our production VLAN.
I need to restrict management-plane traffic that is destined to the switch. For example, SSH traffic destined for 2001:db8:1::252 needs to be sourced from our NOC network (2001:db8:10::/64). The problem is that when I apply a firewall filter to irb.20, it's checking everything coming through, even if it's not destined for 2001:db8:1::252, because we have other access ports in VLAN 20. I figure the best way to fix this is to manage the switch with a different logical interface. Unfortunately, I can't seem to get this to work. I've tried configuring lo0, vme0, me0, and fxp0, all to no avail. When I configured the aforementioned interfaces, I gave them the inet6 address 2001:db8:1::200/64. I'm not certain what I'm missing, but any tips would be greatly appreciated.
Best Answer
Junos allows you to restrict control-plane traffic -- including SSH, routing protocol traffic, etc. -- by applying a filter to the lo0 interface. This is true even if you have not configured a loopback IP address.
For example, you can allow SSH and SNMP traffic only from 192.0.2.0/24, but allow all other traffic (default-allow) with the following configuration fragment.
Remove your filter from the irb.20 interface -- you do not need it! With some exceptions (on buggy/limited platforms) lo0 filters do not affect any transit traffic; they only affect traffic being processed by the routing engine.
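The lo0 filter the answer describes, adapted to the asker's IPv6 setup, as an added example (not the answer's own fragment, which is missing from the page). The filter name PROTECT-RE-V6 and the counter name are my choices; the NOC prefix 2001:db8:10::/64 comes from the question. It accepts SSH to the routing engine only from the NOC prefix, counts and discards any other SSH, and accepts everything else (default-allow), so routing protocols and IPv6 neighbor discovery are unaffected and transit traffic in VLAN 20 is never evaluated.

```junos
firewall {
    family inet6 {
        filter PROTECT-RE-V6 {
            /* SSH to the RE is only accepted from the NOC prefix */
            term allow-ssh-from-noc {
                from {
                    source-address {
                        2001:db8:10::/64;
                    }
                    next-header tcp;
                    destination-port 22;
                }
                then accept;
            }
            /* any other SSH attempt is counted for visibility and dropped */
            term drop-other-ssh {
                from {
                    next-header tcp;
                    destination-port 22;
                }
                then {
                    count ssh-rejected;
                    discard;
                }
            }
            /* default-allow: leave routing, ND, NTP, etc. untouched */
            term default-allow {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            /* no address needed; the filter still applies to RE-bound traffic */
            family inet6 {
                filter {
                    input PROTECT-RE-V6;
                }
            }
        }
    }
}
```

After commit, `show firewall filter PROTECT-RE-V6` should show the ssh-rejected counter rising only for SSH attempts sourced outside 2001:db8:10::/64; SNMP (udp/161) can be locked down with the same pair of accept/discard terms.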