People coming from the Cisco world often wonder how to restrict SSH access to a Juniper EX switch to a few hosts or ranges (the equivalent of an access-class on the VTY lines).
Here is how you do it.
Add an IP address to the loopback interface (the filter is attached to lo0 unit 0, so family inet must exist there)
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
Create a filter listing the allowed hosts or subnets.
Term "SSH" permits SSH from the management source addresses (10.80.0.0/21 here; substitute your own ranges)
set firewall family inet filter RE_MANAGEMENT term SSH from source-address 10.80.0.0/21
set firewall family inet filter RE_MANAGEMENT term SSH from protocol tcp
set firewall family inet filter RE_MANAGEMENT term SSH from destination-port ssh
set firewall family inet filter RE_MANAGEMENT term SSH then count allow.ssh
set firewall family inet filter RE_MANAGEMENT term SSH then accept
Term "SSH_BLOCK" discards SSH from any other source address. It matches on protocol and port only, so it catches every SSH packet that term "SSH" did not already accept (order matters: terms are evaluated top to bottom, first match wins)
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK from protocol tcp
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK from destination-port ssh
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK then count discard.ssh
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK then discard
and then a permit-all term, so that all other traffic to the Routing Engine (routing protocols, SNMP, NTP, DNS replies and so on) is still accepted. Without it, the implicit discard at the end of every Junos filter would drop everything the two terms above did not match
set firewall family inet filter RE_MANAGEMENT term default then accept
On Junos, traffic destined to the switch itself (the Routing Engine) is treated as arriving on lo0 whichever physical interface it actually came in on, so a single input filter on lo0 covers SSH to every address the switch owns. Apply the filter inbound on lo0:
set interfaces lo0 unit 0 family inet filter input RE_MANAGEMENT
You can check the counters with the command below (the counter names come from the "then count" statements in each term):
show firewall filter RE_MANAGEMENT
Filter: RE_MANAGEMENT
Counters:
Name           Bytes    Packets
allow.ssh      38023    370
discard.ssh    0        0
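To sanity-check the term ordering before you commit, here is an added example (my own, not from the original post, and not Junos code) that models the filter's first-match evaluation in plain Python over a few constructed packets. It takes the post's values (source range 10.80.0.0/21, SSH on TCP/22) and uses the documentation address 192.0.2.10 to stand in for an untrusted host. Beyond the post's own case, it also shows what the allow.ssh and discard.ssh counters would register, and makes the caveat visible that anything other than TCP/22 (J-Web on 443, SNMP, or SSH moved to another port) falls straight through to the default accept term.

```python
from ipaddress import ip_address, ip_network

# Values taken from the post's filter; change them to match your own config.
MGMT_NET = ip_network("10.80.0.0/21")   # term SSH: from source-address
SSH_PORT = 22                          # terms SSH / SSH_BLOCK: from destination-port ssh


def _is_ssh(p):
    """Match conditions shared by terms SSH and SSH_BLOCK: protocol tcp, destination-port ssh."""
    return p["proto"] == "tcp" and p["dport"] == SSH_PORT


# The filter as an ordered list of (term, match, action, counter). Junos walks the
# terms top to bottom and takes the action of the first term whose 'from'
# conditions all match; that is exactly what evaluate() does below.
FILTER = [
    ("SSH",       lambda p: _is_ssh(p) and ip_address(p["src"]) in MGMT_NET, "accept",  "allow.ssh"),
    ("SSH_BLOCK", _is_ssh,                                                   "discard", "discard.ssh"),
    ("default",   lambda p: True,                                            "accept",  None),
]


def evaluate(packet, counters=None):
    """Return (term, action) for the first matching term and bump its 'then count' counter."""
    for term, match, action, counter in FILTER:
        if match(packet):
            if counters is not None and counter:
                counters[counter] = counters.get(counter, 0) + 1
            return term, action
    # Junos applies an implicit discard when no term matches; the 'default'
    # term above is what keeps non-SSH control-plane traffic flowing.
    return None, "discard"


# Constructed sample packets (not captured from a real switch). 192.0.2.0/24 is
# documentation space standing in for a host outside the management range.
SAMPLE_PACKETS = {
    "mgmt host ssh":         {"src": "10.80.3.7",  "proto": "tcp", "dport": 22},
    "outside host ssh":      {"src": "192.0.2.10", "proto": "tcp", "dport": 22},
    "outside host https":    {"src": "192.0.2.10", "proto": "tcp", "dport": 443},
    "outside host snmp":     {"src": "192.0.2.10", "proto": "udp", "dport": 161},
    "outside host tcp/2222": {"src": "192.0.2.10", "proto": "tcp", "dport": 2222},
}


def run_samples():
    """Evaluate every sample packet; return the per-packet verdicts and the counter table."""
    counters = {"allow.ssh": 0, "discard.ssh": 0}
    results = {label: evaluate(p, counters) for label, p in SAMPLE_PACKETS.items()}
    return results, counters


if __name__ == "__main__":
    results, counters = run_samples()
    for label, (term, action) in results.items():
        print(f"{label:24s} -> term {term!s:10s} {action}")
    print("counters:", counters)
```

Only the first two packets touch the SSH terms; the HTTPS, SNMP and TCP/2222 packets all land on the default term and are accepted, which is the intended behaviour for a filter that protects SSH alone, but also a reminder that if you move the SSH service to another port the filter must be updated to match it.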
And that's it! Your switch's SSH access is now restricted to the management range. Two things worth keeping in mind: commit the change with "commit confirmed" from a session that is inside the allowed range, so a typo in the source-address does not lock you out for good; and this is a family inet filter, so it does nothing for SSH over IPv6. If the switch has IPv6 addresses, build the same terms as a family inet6 filter and apply it to lo0 as well.
Nice, very well explained. Thanks for sharing.
Succeed! It could be one of the most useful blogs we have ever come across on the subject. Excellent info! I'm also an expert in this topic so I can understand your effort very well. Thanks for the huge help. 192.168
Thanks for the post