Showing posts with label EX Series. Show all posts

Friday, November 29, 2013

Restrict SSH access to Management IP address ranges - Juniper EX Switches

People coming from the Cisco world often wonder how to restrict SSH access to a Juniper EX switch to a few hosts or address ranges.

Here is how you do it.

Add an IP address to the loopback interface:

set interfaces lo0 unit 0 family inet address 127.0.0.1/32

Create a filter with the allowed hosts or subnets.

Term "SSH" permits SSH from the management source addresses:

set firewall family inet filter RE_MANAGEMENT term SSH from source-address 10.80.0.0/21
set firewall family inet filter RE_MANAGEMENT term SSH from protocol tcp
set firewall family inet filter RE_MANAGEMENT term SSH from destination-port ssh
set firewall family inet filter RE_MANAGEMENT term SSH then count allow.ssh
set firewall family inet filter RE_MANAGEMENT term SSH then accept

Term "SSH_BLOCK" discards SSH attempts from any other IP address:

set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK from protocol tcp
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK from destination-port ssh
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK then count discard.ssh
set firewall family inet filter RE_MANAGEMENT term SSH_BLOCK then discard

and then a permit-all term for everything else:

set firewall family inet filter RE_MANAGEMENT term default then accept

In the Juniper world, all traffic destined to the switch itself (control-plane traffic) is processed via the loopback interface, even when it arrives addressed to any other interface on the switch, so we apply the filter inbound on lo0:

set interfaces lo0 unit 0 family inet filter input RE_MANAGEMENT
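As an added example (not part of the original post), the following Python model of the RE_MANAGEMENT filter walks constructed packets through the three terms in order, the way Junos does (first matching term wins, and anything that matches no term hits the filter's implicit discard). It shows why the final accept term matters: without it, every non-SSH protocol reaching the switch would be dropped along with the unwanted SSH attempts. The packet dictionaries and protocol numbers are assumptions constructed for the demonstration.

```python
import ipaddress

# Junos firewall filter semantics: terms are evaluated top to bottom, the first
# term whose "from" conditions all match decides the action, and a packet that
# matches no term is dropped by the implicit discard at the end of the filter.
TCP, UDP, ICMP = 6, 17, 1

# Model of the RE_MANAGEMENT filter from the post: (name, from-conditions, action).
# A from-condition that is absent means "any".
RE_MANAGEMENT = [
    ("SSH", {"source": ipaddress.ip_network("10.80.0.0/21"),
             "protocol": TCP, "dport": 22}, "accept"),
    ("SSH_BLOCK", {"protocol": TCP, "dport": 22}, "discard"),
    ("default", {}, "accept"),
]

def term_matches(match, pkt):
    """Every configured from-condition must hold for the term to match."""
    if "source" in match and ipaddress.ip_address(pkt["src"]) not in match["source"]:
        return False
    if "protocol" in match and pkt["proto"] != match["protocol"]:
        return False
    if "dport" in match and pkt.get("dport") != match["dport"]:
        return False
    return True

def evaluate(filter_terms, pkt):
    """Return (term_name, action) of the first matching term, else the implicit discard."""
    for name, match, action in filter_terms:
        if term_matches(match, pkt):
            return name, action
    return "implicit", "discard"

# Constructed sample packets arriving at lo0 (i.e. addressed to the switch itself).
PACKETS = {
    "ssh_from_mgmt":   {"src": "10.80.3.7",  "proto": TCP,  "dport": 22},
    "ssh_from_other":  {"src": "192.0.2.10", "proto": TCP,  "dport": 22},
    "snmp_from_other": {"src": "192.0.2.10", "proto": UDP,  "dport": 161},
    "icmp_from_other": {"src": "192.0.2.10", "proto": ICMP},
}

def run(filter_terms):
    """Evaluate every sample packet against a filter; returns {packet: (term, action)}."""
    return {name: evaluate(filter_terms, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("with the default accept term:", run(RE_MANAGEMENT))
    # Drop the final term: everything that is not SSH now hits the implicit discard.
    print("without it:", run(RE_MANAGEMENT[:-1]))
```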

You can see the counters using the command below:

show firewall filter RE_MANAGEMENT    

Filter: RE_MANAGEMENT                                          
Counters:
Name                                                Bytes              Packets
allow.ssh                                           38023                  370
discard.ssh                                             0                    0

And that's it! You're done, and your switch's SSH access is now protected.

Wednesday, September 4, 2013

Routing Instances (VRF) on Juniper EX2200 Now Supported!

I have just learned that routing instances are now supported on Juniper EX-2200 series switches from Junos version 12.3R1 onwards. It is a very handy feature and is analogous to Cisco's VRF-Lite.


Tuesday, September 3, 2013

Juniper EX Series Switches - Policing / Ratelimiting traffic

If you are from the Cisco world and have just been asked to rate-limit traffic on Juniper EX series switches, this is how you accomplish it.

First, configure a policer under the firewall hierarchy:

policer TEST-POLICER {
    if-exceeding {
        bandwidth-limit 10485760;
        burst-size-limit 1966080;
    }
    then discard;
}

Then configure a firewall filter, much like an ACL in Cisco, that references the policer:

family ethernet-switching {
    filter TEST-POLICE {
        term 1 {
            from {
                source-address {
                    0.0.0.0/0;
                }
                destination-address {
                    0.0.0.0/0;
                }
            }
            then policer TEST-POLICER;
        }
    }
}

The firewall filter can have multiple terms, and you can apply different policers to different terms. The filter above applies the policer to all traffic. If your terms are specific and you only want to police a few hosts or networks, add a final term "default" with no action defined, which ensures that the rest of the traffic is not policed:

term default


Now apply the filter on ingress on the RVI or the interface:

show interfaces ge-0/0/42 
unit 0 {
    family ethernet-switching {
        port-mode access;
        vlan {
            members 422;
        }
        filter {
            input TEST-POLICE;
        }
    }
}

Please note that you cannot apply policers in the output direction; this is restricted in Juniper and throws an error when you try to apply it.

To limit outbound traffic, you will need to create a shaper and apply it to the interface to shape the traffic to the desired rate:

show class-of-service
interfaces {
    ge-0/0/42 {
        shaping-rate 10485760;
    }
}

Have fun!
