Juniper configuration recommendations/BCP

Casey Russell crussell at kanren.net
Thu Oct 8 15:51:27 UTC 2020


Forrest,

Between Jason and Justin, (and now others probably) they've captured what I
was already typing.  Basically, that as soon as you create a loopback
interface (with a L3 IP) you need to start planning your firewall filter
for it.  Most of it is as simple as creating filters for SSH and other
administrative access to the loopback address, but some of it is not at all
intuitive if you're coming from a Cisco/Brocade world.

The loopback filter protects the RE and can, in many cases, affect traffic
flowing across transit interfaces, in a way that in a Cisco shop you would
never have considered.  On a Juniper, if it will be processed in just
about any way by the routing engine (even just a few packets in the flow)
you need to account for that.  It's not as daunting as it sounds, but it
needs to be accounted for.  I'll let their comments fill in the rest,
because others have already provided good resources.

Sincerely,
Casey Russell
Network Engineer
KanREN <http://www.kanren.net>
785-856-9809
2029 Becker Drive, Suite 282
Lawrence, Kansas 66047
XSEDE Campus Champion
Certified Software Carpentry Instructor
need support? <support at kanren.net>



On Thu, Oct 8, 2020 at 4:39 AM Forrest Christian (List Account) <
lists at packetflux.com> wrote:

> <ISP hat on>
> After nearly 30 years of being a Cisco shop, I'm working on configuring
> our first pair of Juniper MX204s to replace our current provider-edge
> Cisco.
>
> I've worked through enough of the Juniper documentation/books to have a
> fairly good handle on how to configure these, but I wanted to check with
> the list to see if there are any Juniper-specific gotchas I might run into
> that aren't documented well.
>
> I've done a bit of googling and am either finding stuff that is largely
> Cisco-specific or which is generic - all of which I'm rather familiar with
> based on my past history.   Is there anything I should worry about which is
> Juniper-specific?
>
> --
> - Forrest
>
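
A minimal loopback (RE-protection) filter of the kind the reply above describes, as an added example that is not part of the original thread or from its participants. The filter, prefix-list, policer and counter names are hypothetical, 192.0.2.0/24 is a documentation prefix standing in for a management network, and BGP is assumed to be the only routing protocol the RE speaks over IPv4; every other protocol the routing engine handles in your network needs its own accept term before the final discard.

```junos
# Constructed example: names and addresses are placeholders.
# Sources allowed to reach the RE for administration.
set policy-options prefix-list MGMT-SOURCES 192.0.2.0/24
# Build the BGP peer list from the configured neighbors so it cannot drift.
set policy-options prefix-list BGP-NEIGHBORS apply-path "protocols bgp group <*> neighbor <*>"

# Rate-limit ICMP aimed at the RE.
set firewall policer ICMP-LIMIT if-exceeding bandwidth-limit 1m burst-size-limit 15k
set firewall policer ICMP-LIMIT then discard

# SSH only from the management prefix.
set firewall family inet filter PROTECT-RE term ssh from source-prefix-list MGMT-SOURCES
set firewall family inet filter PROTECT-RE term ssh from protocol tcp
set firewall family inet filter PROTECT-RE term ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh then accept

# BGP only from configured neighbors; "port" matches either direction of the session.
set firewall family inet filter PROTECT-RE term bgp from source-prefix-list BGP-NEIGHBORS
set firewall family inet filter PROTECT-RE term bgp from protocol tcp
set firewall family inet filter PROTECT-RE term bgp from port bgp
set firewall family inet filter PROTECT-RE term bgp then accept

# Ping, unreachables and TTL-expired (traceroute), policed.
set firewall family inet filter PROTECT-RE term icmp from protocol icmp
set firewall family inet filter PROTECT-RE term icmp from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter PROTECT-RE term icmp then policer ICMP-LIMIT
set firewall family inet filter PROTECT-RE term icmp then accept

# Count and log what is dropped, so a missing accept term shows up quickly.
set firewall family inet filter PROTECT-RE term everything-else then count re-discard
set firewall family inet filter PROTECT-RE term everything-else then log
set firewall family inet filter PROTECT-RE term everything-else then discard

# The input filter on lo0 is applied to traffic handed to the RE, whichever interface it arrived on.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Apply a change like this with `commit confirmed` so that a filter that cuts off your own session rolls back automatically, then check the `re-discard` counter with `show firewall filter PROTECT-RE` for traffic that still needs an accept term.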