Forum Discussion

jason_gauruder_ (Nimbostratus)
Jul 12, 2011

Management interface vs TMM interfaces and routing domains

I've seen an interesting similarity between Juniper SRX firewalls and their "dedicated out of band management" interfaces and BIG-IP with their management interfaces. Both have this interesting overlap with "revenue" ports (from Juniper speak...a "revenue" port is where the hardware has security policies for servicing customer traffic...for BIG-IP this would be the TMM interfaces).

I'd like to use a default route on my mgmt interface on the big-ip - I'd also like to have a default route in the TMM interface world. Can I leave the mgmt interface in the "default" routing domain and have any TMM related interfaces, servers and virtual servers in a separate, new routing domain? Would that alleviate issues with big-ip wondering what interface to use for sending syslogs, ntp client updates, trap sending? How about node status polling for servers not locally adjacent to the big-ip on the same vlan (i.e. reverse proxy duties where snat must be used)?

For comparison, Juniper basically states for the "dedicated out of band mgmt", that the servers that need to talk to the srx firewall via the out of band mgmt must NOT also need to talk out via the "revenue" ports because asymmetric routing would occur and security policy would not work for those nodes. It is a bit cumbersome ...and on their forums, some folks are looking at route domains / virtual router within the srx to mitigate this challenge (with some caveats to other services that can't work within a virtual router yet in the srx)

In my case, I have all TMM in our Internet facing "dmz" and mgmt on our inside network (on a management vlan) - so I'm a bit concerned that if I don't have better separation/isolation of mgmt and TMM routing, I have a security vulnerability.

Thoughts? Anyone have experience with better/more complete separation of mgmt routing vs TMM routing?

1 Reply

  • SOL3669 is a good place to start for info on TMM and management routing:
    sol3669: Overview of management interface routing
    In general, it's considered a best practice to disable management access on self IPs on untrusted VLANs, and make sure to restrict access to the management port from untrusted hosts.
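
A worked tmsh configuration, added here as an illustration and not taken from the original post or from any F5 document: it shows the hardening the reply describes (a self IP on an untrusted VLAN with management services turned off, the weak form shown alongside it) together with the separation the question asks about (the management port left in route domain 0 with its own default route, the TMM-facing VLAN placed in a dedicated route domain with a separate default route). Every object name, VLAN name, address and subnet below is an assumed placeholder, and the block assumes a BIG-IP version with tmsh and route domain support.

```tmsh
# Added example, not from the original post. All names, VLANs and
# addresses are assumed placeholders; adapt them before use.

# --- Management plane: stays in route domain 0 (the default) ---
# Default route used only by the management port (inside management VLAN).
create sys management-route default gateway 10.1.1.1

# --- TMM plane: its own route domain and routing table ---
# The Internet-facing VLAN gets a dedicated route domain, so the TMM
# default route lives in a separate table from the management default.
create net route-domain dmz_rd id 1 vlans { dmz }

# Weak setting (kept as a comment): a self IP on the untrusted VLAN that
# answers the default service list, which includes ssh, https and snmp.
#   create net self dmz_self address 203.0.113.10%1/24 vlan dmz allow-service default

# Hardened form: same self IP, no listening services. Virtual servers on
# the VLAN are unaffected because they do not depend on allow-service.
create net self dmz_self address 203.0.113.10%1/24 vlan dmz allow-service none

# TMM default route inside route domain 1 (the %1 suffix), independent
# of the management default route above.
create net route dmz_default network 0.0.0.0%1/0 gw 203.0.113.1%1

# Restrict the management port's own https and ssh daemons to the
# trusted management subnet only.
modify sys httpd allow replace-all-with { 10.1.1.0/24 }
modify sys sshd allow replace-all-with { 10.1.1.0/24 }

# Verify the result before saving: allow-service should read "none" and
# the dmz VLAN should be listed under route domain dmz_rd.
list net self dmz_self allow-service
list net route-domain dmz_rd
save sys config
```

The commands are typed at the tmsh prompt (or each prefixed with `tmsh` from the advanced shell). The route domain must exist before any object references it with the `%1` suffix, so the order above matters. Monitors and SNAT-based reverse-proxy traffic sourced from the dmz self IP follow the route domain 1 table, which is what keeps them off the management default route.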