nanog mailing list archives

Re: Juniper configuration recommendations/BCP


From: Casey Russell via NANOG <nanog () nanog org>
Date: Thu, 8 Oct 2020 10:51:27 -0500

Forrest,

Between Jason and Justin, (and now others probably) they've captured what I
was already typing.  Basically, that as soon as you create a loopback
interface (with a L3 IP) you need to start planning your firewall filter
for it.  Most of it is as simple as creating filters for SSH and other
administrative access to the loopback address, but some of it is not at all
intuitive if you're coming from a Cisco/Brocade world.

The loopback filter protects the RE and can, in many cases, affect traffic
flowing across transit interfaces in a way that in a Cisco shop you would
never have considered.  On a Juniper, if it will be processed in just
about any way by the routing engine (even just a few packets in the flow)
you need to account for that.  It's not as daunting as it sounds, but it
needs to be accounted for.  I'll let their comments fill in the rest,
because others have already provided good resources.

Sincerely,
Casey Russell
Network Engineer
KanREN <http://www.kanren.net>
785-856-9809
2029 Becker Drive, Suite 282
Lawrence, Kansas 66047
XSEDE Campus Champion
Certified Software Carpentry Instructor
LinkedIn
<https://www.linkedin.com/company/92399?trk=tyah&trkInfo=clickedVertical%3Acompany%2CclickedEntityId%3A92399%2Cidx%3A1-1-1%2CtarId%3A1440002635645%2Ctas%3AKanREN>
Twitter <https://twitter.com/TheKanREN>
RSS <http://www.kanren.net/feed/>
need support? <support () kanren net>



On Thu, Oct 8, 2020 at 4:39 AM Forrest Christian (List Account) <
lists () packetflux com> wrote:

<ISP hat on>
After nearly 30 years of being a cisco shop, I'm working on configuring
our first pair of Juniper MX204's to replace our current provider-edge
cisco.

I've worked through enough of the Juniper documentation/books to have a
fairly good handle on how to configure these, but I wanted to check with
the list to see if there are any Juniper-Specific gotchas I might run into
that aren't documented well.

I've done a bit of googling and am either finding stuff that is largely
Cisco-specific or which is generic - all of which I'm rather familiar with
based on my past history.   Is there anything I should worry about which is
Juniper-specific?

--
- Forrest


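A loopback (lo0) filter of the kind Casey describes above, added here as an illustration; it is not configuration from anyone in this thread or from Juniper. The prefix-list names, filter and term names, and the RFC 5737 documentation addresses are all assumed; lines starting with ## are explanatory comments.

```junos
## Constructed example: RE-protection filter on lo0, set-style Junos config.
## 192.0.2.0/24 and 203.0.113.1 are documentation prefixes, not real hosts.
set policy-options prefix-list mgmt-hosts 192.0.2.0/24
## apply-path builds the neighbor list from the configured BGP peers
set policy-options prefix-list bgp-neighbors apply-path "protocols bgp group <*> neighbor <*>"

## SSH to the loopback only from management hosts
set firewall family inet filter protect-re term allow-ssh from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term allow-ssh from protocol tcp
set firewall family inet filter protect-re term allow-ssh from destination-port ssh
set firewall family inet filter protect-re term allow-ssh then accept

## BGP only from configured neighbors (either side may open the session, so match port)
set firewall family inet filter protect-re term allow-bgp from source-prefix-list bgp-neighbors
set firewall family inet filter protect-re term allow-bgp from protocol tcp
set firewall family inet filter protect-re term allow-bgp from port bgp
set firewall family inet filter protect-re term allow-bgp then accept

## Basic ICMP so ping, traceroute and PMTUD keep working
set firewall family inet filter protect-re term allow-icmp from protocol icmp
set firewall family inet filter protect-re term allow-icmp from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter protect-re term allow-icmp then accept

## Everything else the RE would process is counted, logged and dropped.
## This is the term that catches transit traffic the RE has to touch
## (Casey's point): watch the log and add accept terms before relying on it.
set firewall family inet filter protect-re term default-discard then count re-discards
set firewall family inet filter protect-re term default-discard then log
set firewall family inet filter protect-re term default-discard then discard

## Apply it as an input filter on the loopback
set interfaces lo0 unit 0 family inet filter input protect-re
set interfaces lo0 unit 0 family inet address 203.0.113.1/32

## Commit with an automatic rollback window: if the filter locks you out it reverts
commit confirmed 5
## Then check what the discard term is hitting before confirming the commit
run show firewall filter protect-re
run show firewall log
```

Anything that shows up under `re-discards` or in the firewall log is traffic the RE was processing that the filter now drops; that is where the non-intuitive transit cases Casey mentions will surface.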