The routes from the two IGP domains are redistributed to each other.

From Infrastructure Router Security Technical Implementation Guide Juniper

Part of Routes from the two IGP domains are redistributed

SV-19300r1_rule The routes from the two IGP domains are redistributed to each other.

Vulnerability discussion

If the gateway router is not a dedicated device for the OOBM network, several safeguards must be implemented for containment of management and production traffic boundaries. Since the managed network and the management network are separate routing domains, separate IGP routing instances must be configured on the router—one for the managed network and one for the OOBM network. In addition, the routes from the two domains must not be redistributed to each other.

Check content

Verify that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa. There is no equivalent redistribute command in JUNOS. All redistribution of routes between protocols is done through the creation of a routing policy through the use of import and export statements. Verify that there are no export and policy-statement commands configured that would distribute routes from the IGP routing domain for the management network into the IGP routing domain of the managed network, or vice versa. The following example illustrates how RIP routes would be redistributed into OSPF:

    policy-options {
        policy-statement rip-to-ospf {
            from protocol rip;
            then accept;
        }
    }
    protocols {
        ospf {
            export rip-to-ospf;
            area 0.0.0.0 {
                interface fe-0/0/0.0;
                interface fe-0/0/1.0;
            }
        }
    }

As an alternative, static routes can be used to forward management traffic to the OOBM interface; however, this method may not scale well. If static routes are used to forward management traffic to the OOB backbone network, verify that the OOBM interface is not an IGP adjacency and that the correct destination prefix has been configured to forward the management traffic to the correct next-hop and interface for the static route. In the following configuration example, 10.1.1.0/24 is the management network and 10.1.20.4 is the interface address of the OOB backbone router that the OOB gateway router connects to. The network 10.1.20.0/24 is the OOBM backbone. Note that OSPF runs only on the two production interfaces and lo0.0; the OOBM interface t3-3/0/3 is deliberately absent from the OSPF area.

    interfaces {
        fe-0/0/0 {
            description "link to our Private Net";
            unit 0 {
                family inet {
                    address 172.20.4.2/24;
                }
            }
        }
        fe-0/0/1 {
            description "link to our Service Net";
            unit 0 {
                family inet {
                    address 172.20.5.2/24;
                }
            }
        }
        t3-3/0/3 {
            description "link to OOBM Backbone";
            unit 0 {
                family inet {
                    address 10.1.20.3/24;
                }
            }
        }
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface fe-0/0/0.0;
                interface fe-0/0/1.0;
                interface lo0.0;
            }
        }
    }
    routing-options {
        static {
            route 10.1.1.0/24 {
                next-hop 10.1.20.4;
            }
        }
    }
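The check above is a manual review of export statements and policy-statements. As an added example (not part of the STIG and not a Juniper tool), the following Python script parses bracketed JUNOS configuration text and reports every IGP export policy whose match terms select routes learned by a different IGP; it goes beyond the single RIP-into-OSPF case by also walking routing-instances and accepting the from { protocol ...; } block form. The sample configuration, instance and policy names are constructed for illustration.

```python
import re
IGPS = {"ospf", "ospf3", "rip", "isis"}   # IGPs whose routes must stay in their own domain

def parse_junos(text):
    """Bracketed JUNOS text -> nested dicts; leaf statements map to None. Assumes no comments."""
    root = node = {}
    stack, header = [], None
    for tok in map(str.strip, re.findall(r"\{|\}|[^{};]+;|[^{};]+(?=\{)", text)):
        if tok == "{":                       # open the block named by the preceding header
            node[header] = child = {}
            stack.append(node)
            node = child
        elif tok == "}":
            node = stack.pop()
        elif tok.endswith(";"):              # leaf statement such as "from protocol rip"
            node[tok[:-1].strip()] = None
        else:
            header = tok
    return root

def from_protocols(node, in_from=False):
    """Yield protocols matched by 'from protocol X' or 'from { protocol X; }' terms."""
    for key, body in node.items():
        words = (["from"] if in_from else []) + key.split()
        if words[:2] == ["from", "protocol"]:
            yield from (w for w in words[2:] if w not in "[]")   # handles 'protocol [ a b ]'
        if isinstance(body, dict):
            yield from from_protocols(body, in_from or key == "from")

def cross_igp_redistribution(cfg):
    """(instance, igp, policy, source) for IGP export policies matching another IGP's routes.
    Term actions are ignored, so a 'then reject' policy is reported too: review each hit."""
    policies = {k.split()[1]: set(from_protocols(b or {}))
                for k, b in (cfg.get("policy-options") or {}).items()
                if k.startswith("policy-statement ")}
    scopes = [("master", cfg.get("protocols") or {})]      # master instance plus routing-instances
    for name, body in (cfg.get("routing-instances") or {}).items():
        scopes.append((name, (body or {}).get("protocols") or {}))
    findings = []
    for inst, protos in scopes:
        for igp in sorted(IGPS & set(protos)):
            for stmt in protos[igp] or {}:
                if stmt.startswith("export "):
                    for pol in (w for w in stmt.split()[1:] if w not in "[]"):
                        for src in sorted(policies.get(pol, set()) & (IGPS - {igp})):
                            findings.append((inst, igp, pol, src))
    return findings
# Constructed sample mirroring the STIG's non-compliant RIP-into-OSPF example.
BAD = """policy-options { policy-statement rip-to-ospf { from protocol rip; then accept; } }
protocols { rip { group oobm { neighbor t3-3/0/3.0; } } ospf { export rip-to-ospf; area 0.0.0.0 { interface fe-0/0/0.0; } } }"""
```

Running cross_igp_redistribution(parse_junos(BAD)) yields one finding for the ospf export of rip-to-ospf; a configuration that exports only static routes, as in the static-route alternative above, yields none.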

Fix text

Ensure that the IGP instance used for the managed network does not redistribute routes into the IGP instance used for the management network and vice versa.
