Flexible Management

Over the past couple of weeks I have had a real dose of JUNOS. I’ve been drinking the secret sauce and I am very excited. Powerful, flexible, and delicious. In my previous post I introduced my SRX110 firewall router. My good friend Kurt Bales provided me with one and I immediately set to work deciphering JUNOS. As an IOS man I feel a little like a fish out of water, but that is changing. At this stage simple things seem to take a little longer. Once I get the hierarchical nature down pat and figure out the configuration sections, my speed will ramp up.

Today I want to demonstrate how to configure a management-only port on the SRX110. In addition to the console port, which can be used with an OOB network, a dedicated management port allows administration of the device from within the routed network while passing only management traffic.

We will perform three steps today to set up the management interface: define an IP address, assign the interface to a security zone, and set the security zone's functional level and services.

interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                inactive: dhcp;
            }
        }
    }
}

Here I have issued the config to set a static IPv4 address to fe-0/0/0.0. I have made dhcp inactive on this port. The configuration can easily be reversed at a later date.

set interfaces fe-0/0/0 unit 0 family inet address
set interfaces fe-0/0/0 unit 0 family inet dhcp
deactivate interfaces fe-0/0/0 unit 0 family inet dhcp

I set the first and third lines of code. By default fe-0/0/0 serves up IP addresses from the pool.

Next I am going to change the interface type. The functional interface type becomes management and we will specify ssh inbound only.

security {
    zones {
        functional-zone management {
            interfaces {
                fe-0/0/0.0;
            }
            host-inbound-traffic {
                system-services {
                    ssh;
                }
            }
        }
        security-zone management;
    }
}

You can see here that under the security section of the configuration I have bound the interface fe-0/0/0.0 to the functional-zone management and specified the inbound system services, allowing only SSH in. A security-zone named management was also created.

set security zones functional-zone management interfaces fe-0/0/0.0
set security zones functional-zone management host-inbound-traffic system-services ssh
set security zones security-zone management
[email protected]> show security zones 

Functional zone: management
  Policy configurable: No  
  Interfaces bound: 1
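
One way to check that the management functional zone admits only SSH, as configured in the steps above. This is an added example, not code from the original post: the function name `audit_management_zone`, the SSH-only allowlist and the second sample config are constructed for illustration.

```python
import re

# Junos system-services keywords that are cleartext or open every listener.
RISKY = {"telnet", "http", "ftp", "all", "any-service"}

# Matches zone-level and per-interface statements of the management zone.
ZONE_RE = re.compile(
    r"^set security zones functional-zone management "
    r"(?:interfaces (?P<ifl>\S+)"
    r"|(?:interfaces (?P<scoped>\S+) )?"
    r"host-inbound-traffic system-services (?P<svc>\S+))$"
)

# First sample: the three set commands from the post.
PAGE_CONFIG = """
set security zones functional-zone management interfaces fe-0/0/0.0
set security zones functional-zone management host-inbound-traffic system-services ssh
set security zones security-zone management
"""

# Second sample: constructed for this example, with two cleartext services added.
WEAK_CONFIG = PAGE_CONFIG + """
set security zones functional-zone management host-inbound-traffic system-services telnet
set security zones functional-zone management host-inbound-traffic system-services http
"""


def audit_management_zone(config_text, allowed=frozenset({"ssh"})):
    """Return (interfaces, services, findings) for functional-zone management."""
    interfaces, services, findings = set(), set(), []
    for line in config_text.splitlines():
        m = ZONE_RE.match(" ".join(line.split()))  # normalise whitespace
        if not m:
            continue
        for name in (m["ifl"], m["scoped"]):
            if name:
                interfaces.add(name)
        if m["svc"]:
            services.add(m["svc"])
    for svc in sorted(services - allowed):
        kind = "cleartext-or-wildcard" if svc in RISKY else "not-in-allowlist"
        findings.append(f"{kind}: system-services {svc}")
    if not interfaces:
        findings.append("no interface bound to functional-zone management")
    return sorted(interfaces), sorted(services), findings


if __name__ == "__main__":
    for label, cfg in (("post", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_management_zone(cfg))
```

Feed it the output of `show configuration | display set` to run the same check against a saved device config.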

This is my first post regarding doing lab work on the SRX110. After getting used to the foreign and alien JUNOS landscape I am finding myself becoming used to it. I like many features of it. There are some that I don’t; though this probably is due to lack of understanding. Firewalls are an important part of any network. Management is crucial. Couple this Management interface with a console OOB network and you can guarantee yourself higher access and a second exit in case that AAA command was fat thumbed.

2 thoughts on “Flexible Management”

  1. Have fun trying to make it work with the ASA. It's not Juniper though! Ask Chris Jones. In particular ask him about “tinkering and adjusting the settings”… lol! MSS is just one problem… dude!
