Routing

Hello,

Our MX80 is running JUNOS 10.4R4.5

SWITCH(1) === 10G Link==== xe-0/0/0 - MX80 - ge-1/0/0 -------- SWITCH(2)

On xe-0/0/0 we are getting our bgp feeds from SWITCH(1) in distinct vlans, and we also want to bridge vlans from SWITCH(2) to SWITCH(1)

we used old style config because new one isn't working on MX80

interfaces {
    xe-0/0/0 {
        flexible-vlan-tagging;
        encapsulation extended-vlan-bridge;
        unit 200 {
            vlan-id 200;
            family bridge;
        }
        unit 1500 {
            vlan-id 1500;
            family bridge;
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                filter {
                    input manager-ip;
                }
                address 10.0.200.2/24;
            }
        }
    }
irb {
        unit 200 {
            family inet {
                address 10.0.200.201/24;
            }
        }
        unit 1500 {
            family inet {
                filter {
                    input manager-ip;
                }
                address 192.168.3.233/24;
            }
        }
    }
}

policy-options {
    prefix-list manager-ip {
        10.0.200.21/32;
    }
}

firewall {
    family inet {
        filter manager-ip {
            term block_non_manager {
                from {
                    prefix-list {
                        manager-ip except;
                    }
                    protocol tcp;      
                    destination-port [ ssh http https telnet ];
                }                      
                then {                 
                    log;               
                    reject;            
                }                      
            }                          
            term accept_rest {         
                then {                 
                    log;               
                    accept;            
                }                      
            }                          
        }                              
    }                                  
}                                      
bridge-domains {                       
    managment {                        
        domain-type bridge;            
        vlan-id 200;                   
        interface xe-0/0/0.200;        
        inactive: routing-interface irb.200;
    } 

    vps {                              
        domain-type bridge;            
        vlan-id 1500;                  
        interface xe-0/0/0.1500;       
        routing-interface irb.1500;    
    }                                  
}

everything seems to work bridge mac addresses are visible, irb is also working I can ssh to 192.168.3.233, except

manager-ip filter, despite the filter i still can ssh to it from 192.168.3.0/24

after adding it to fxp0.0 and lo0.0 I still could log in from other then 10.0.200.21 hosts.

I guess it might be some obvious error but I can't spot it right now.

Will using irb not a plain L3 interface facing internet have any consquences for us ?

Any help would be much appreciated.

--

Michal Grzedzicki

Your firewall filter is only specifying a prefix-list to match against the SA or DA.

If you only want to be able to login from a particular subnet, use the source-prefix-list match condition.  If you want to restrict which IP you can SSH to use the destination-prefix-list match condition.

Right, but still it wasn't working until I modified block_non_manager to

(add source-address 0/0)

from {
    source-address {
        0.0.0.0/0;
    }
    source-prefix-list {
        manager-ip except;
    }
    protocol tcp;
    destination-port [ http ssh telnet https ];
}
then {
    discard;
}

it seems that except isn't matching other then manager-ip prefixes but preventing manager-ip proefixes from matching

a term.

What abour using irbs as internet facing interfaces, can we safly use them in our bgp sessions ?

--

Michal Grzedzicki

I know you mentioned that you applied this to the Lo0.0, but it doesn't show that way in the configuration. Check out the Securing the Control Plane DayOne Book to see if that would offer insight.

http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/securing-routing-engine/

Even though it shouldn't matter, try creating a prefix-list that contains only the 0/0 and apply that to the source-prefix-list match condition to see if that solves the problem.  I can't find it, but I remember reading that the "prefix-list" take precendence over "address"  when Junos compiles the FF.   I could be waayyy wrong though.

Yeah, somewhat unexpected behavior when using except.  The implicit 0/0 isn't there since there is some address specified, so it is trying to do the equivalent of (NULL - prefix-list).  The end result is NULL, so the rule doesn't get matched.

Since I used except a lot, I got around it by creating a prefix-list that contained 0/0:

set policy-options prefix-list PL-ANY 0.0.0.0/0

Your code block would then look like this

from {
    source-prefix-list {
        PL-ANY;
        manager-ip except;
    }
    protocol tcp;
    destination-port [ http ssh telnet https ];
}
then {
    discard;
}

Helps to keep the stanza form of the config shorter.

-Chad