Routing

 View Only

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  MX5 - Securing Logical Systems

    Posted 06-18-2014 08:54

    Hello,

     

    We have a newly installed MX5 router,and we're looking to secure the system routing engine AS well as setup radius authentication for access control to the control plane.

     

    The system is split into 2 logical systems because the router serves as both the primary edge router AND the internal core router.

     

    Basically:

    Internet <--> MX5 LS1 (Edge) <--> Firewall <--> MX5 LS2 (Core) <--> Layer 2 Switching Core

     

    All the internal private IP space terminates on MX5 LS2 for internal inter-vlan routing, there is then a default route to a /30 IP between the MX5 and the Firewall.  The Firewall then has a default route to MX5-LS1 which terminates our ISP and BGP peers.

     

    LS1 is actually the default global LS.  

    I'm having trouble wrapping my head around how to configure radius authentication for system logins.  Our radius server sits behind LS2, but you cannot configure radius or even system login statements in the logical system "edit system" stanza.

     

    Should I create a firewall filter on LS1 blocking SSH, other unwanted traffic, then create a Logical Tunnel between LS1 and LS2 with a static route for radius traffic sourcing from LS1 to reach the radius server on LS2?

     

    Sanitized configuration is below:

    ## Last changed: 2014-06-18 09:22:28 MDT
    version 12.3R6.6;
    system {
        host-name sanitized;
        authentication-order [ password radius ];
        root-authentication {
            encrypted-password "sanitized"; ## SECRET-DATA
        }
        name-server {
            172.21.21.29;
            172.21.21.36;
        }
        login {
            user jbarron {
                ";
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password "sanitized"; ## SECRET-DATA
                }
            }
        }
        services {
            ssh;
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
        }
        ntp {
            boot-server 217.114.59.66;
            server 217.114.59.66;
        }
    }
    logical-systems {
        LS2{
            interfaces {
                ge-1/1/0 {
                    unit 0 {
                        description "To Juniper CP_CoreEX4200-VC1 Ge-0/0/0";
                        family bridge {
                            interface-mode trunk;
                            vlan-id-list [ 20 25 50 125-300 ];
                        }
                    }
                }
                ge-1/1/1 {
                    unit 0 {
                        description "To Sophos Eth0";
                        family inet {
                            address 192.168.199.2/30;
                        }
                    }
                }
                irb {
                    unit 20 {
                        family inet {
                            address 172.21.1.1/24;
                        }
                    }
                    unit 25 {
                        family inet {
                            address 172.21.50.1/24;
                        }
                    }
                    unit 50 {
                        family inet {
                            address 172.10.0.1/24;
                        }
                    }
                    unit 125 {
                        family inet {
                            address 172.21.22.1/24;
                        }
                    }
                    unit 135 {
                        family inet {
                            address 172.21.21.1/24;
                        }
                    }
                    unit 145 {
                        family inet {
                            address 172.21.20.1/24;
                        }
                    }
                    unit 155 {
                        family inet {
                            address 172.21.19.1/24;
                        }
                    }
                    unit 165 {
                        family inet {
                            address 172.21.18.1/24;
                        }
                    }
                    unit 175 {
                        family inet {
                            address 172.21.2.1/23;
                        }
                    }
                    unit 185 {
                        family inet {
                            address 172.21.16.1/24;
                        }
                    }
                    unit 195 {
                        family inet {
                            address 172.21.15.1/24;
                        }
                    }
                    unit 200 {
                        family inet {
                            address 172.21.14.1/24;
                        }
                    }
                    unit 205 {
                        family inet {
                            address 172.21.24.1/24;
                        }
                    }
                    unit 215 {
                        family inet {
                            address 172.21.23.1/24;
                        }
                    }
                    unit 226 {
                        family inet {
                            address 172.22.22.1/16;
                        }
                    }
                    unit 300 {
                        family inet6 {
                            address sanitized/48;
                        }
                    }
                }
            }
            routing-instances {
                Internal BD{
                    instance-type virtual-switch;
                    interface ge-1/1/0.0;
                    bridge-domains {
                        VLAN_125 {
                            description Core;
                            vlan-id 125;
                            routing-interface irb.125;
                        }
                        VLAN_135 {
                            description Servers;
                            vlan-id 135;
                            routing-interface irb.135;
                        }
                        VLAN_145 {
                            description Executive;
                            vlan-id 145;
                            routing-interface irb.145;
                        }
                        VLAN_155 {
                            description Operations;
                            vlan-id 155;
                            routing-interface irb.155;
                        }
                        VLAN_165 {
                            description Support;
                            vlan-id 165;
                            routing-interface irb.165;
                        }
                        VLAN_175 {
                            description Engineering;
                            vlan-id 175;
                            routing-interface irb.175;
                        }
                        VLAN_185 {
                            description Sales;
                            vlan-id 185;
                            routing-interface irb.185;
                        }
                        VLAN_195 {
                            description IT;
                            vlan-id 195;
                            routing-interface irb.195;
                        }
                        VLAN_20 {
                            description SAN;
                            vlan-id 20;
                            routing-interface irb.20;
                        }
                        VLAN_200 {
                            description "Wireless Clients";
                            vlan-id 200;
                            routing-interface irb.200;
                        }
                        VLAN_205 {
                            description QA;
                            vlan-id 205;
                            routing-interface irb.205;
                        }
                        VLAN_215 {
                            description Enterprise;
                            vlan-id 215;
                            routing-interface irb.215;
                        }
                        VLAN_226 {
                            description Legacy;
                            vlan-id 226;
                            routing-interface irb.226;
                        }
                        VLAN_25 {
                            description VoIP;
                            vlan-id 25;
                            routing-interface irb.25;
                        }
                        VLAN_300 {
                            description IPv6;
                            vlan-id 300;
                            routing-interface irb.300;
                        }
                        VLAN_50 {
                            description "Guest Wifi";
                            vlan-id 50;
                            routing-interface irb.50;
                        }
                    }
                }
            }
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 192.168.199.1;
                }
            }
        }
    }
    chassis {
        alarm {
            management-ethernet {
                link-down ignore;
            }
        }
    }
    interfaces {
        ge-1/0/0 {
            description WAN;
            unit 0 {
                family inet {
                    address sanitized/30;
                }
                family inet6 {
                    address sanitized/64;
                }
            }
        }
        ge-1/0/2 {
            description "To Sophos UTM WAN";
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 2;
                }
            }
        }
        ge-1/0/3 {
            description "To Sophos UTM WAN";
            unit 0 {
                family bridge {
                    interface-mode access;
                    vlan-id 2;
                }
            }
        }
        fxp0 {
            unit 0 {
                family inet {
                    address 192.168.199.254/24;
                }
            }
        }
        irb {
            unit 2 {
                family inet {
                    address sanitized/25;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
    }
    routing-options {
        rib inet6.0 {
            static {
                rib-group CP-IPv6;
                route ::/0 next-hop sanitized;
                route sanitized{
                    discard;
                    install;
                    readvertise;
                }
            }
        }
        static {
            route 0.0.0.0/0 next-hop sanitized;
        }
        rib-groups {
            CP-IPv6 {
                import-rib inet6.0;
            }
        }
        autonomous-system 62478;
    }
    protocols {
        bgp {
            group TWTelecom {
                type external;
                family inet6 {
                    any;
                }
                export To-TWTelecom;
                peer-as 4323;
                neighbor sanitized {
                    description "Ethernet to TWTelecom IPv6";
                }
            }
        }
    }
    policy-options {
        policy-statement To-TWTelecom {
            term 1 {
                from {
                    route-filter sanitized exact;
                }
                then {
                    next-hop self;
                    accept;
                }
            }
            term 2 {
                then reject;
            }
        }
    }
    routing-instances {
        Sophos_WAN {
            instance-type virtual-switch;
            interface ge-1/0/2.0;
            interface ge-1/0/3.0;
            bridge-domains {
                FW_Wan_Access {
                    vlan-id 2;
                    routing-interface irb.2;
                }
            }
        }
    }
    

     


    #MX5
    #firewallfilters
    #routing-engine
    #LogicalSystems


  • 2.  RE: MX5 - Securing Logical Systems
    Best Answer

    Posted 06-19-2014 05:09

    So looking at your config, there is nothing you are doing with an LSYS that couldn't be achieved by simply using routing-instances, which would solve your issue right away.

     

    That said, what do you want to achieve?

     

    Do you only want certain users to be able to log into the router and possibly a different set to just access the LSYS?

     

    If that's the case, something simple like a login class will achieve that:

     

    set system login class LSYS2-USER logical-system LSYS2
    set system login class LSYS2-USER permissions all

    As for RADIUS access, keep it simple and plug the management interface (fxp0) into a network that has access to your RADIUS server, then there is no need to start writing firewall rules or sending RADIUS requests through your router twice - especially if you need to log in during an issue. 

     

    If you can't put it in the same subnet, make sure you put a static route to the RADIUS server with a next hop of the fxp0 gateway address.  Traffic cannot transit this interface, however the MX can use it to source requests from.

     

    Hope this helps



  • 3.  RE: MX5 - Securing Logical Systems

    Posted 06-27-2014 14:22

    Thanks Ben,

     

    I didn't even think to use the FXP0 interface for this!