Switching

Expand all | Collapse all

How do i configure an ACL for SSH on Ex4200 Switch

Jump to Best Answer
  • 1.  How do i configure an ACL for SSH on Ex4200 Switch

    Posted 06-26-2018 05:46

    I am trying to configure this ACL for juniper using SET commands but need assistance if anyone can help with the right set commands.

     

    access-list 97 permit 10.3.10.0/24;

    access-list 97 permit 10.2.8.0/26;

    access-list 97 deny any log

    line vty 0 15 

     access-class 97 in

     



  • 2.  RE: How do i configure an ACL for SSH on Ex4200 Switch

     
    Posted 06-26-2018 06:03

    There are couple of ways..Here is one sample using firewall filter:

     

    set policy-options prefix-list SSH 10.2.8.0/26
    set policy-options prefix-list SSH 10.3.10.0/24

    set firewall family inet filter SSH term 1 from source-prefix-list SSH
    set firewall family inet filter SSH term 1 from protocol tcp
    set firewall family inet filter SSH term 1 from port ssh
    set firewall family inet filter SSH term 1 then accept
    set firewall family inet filter SSH term 2 then log
    set firewall family inet filter SSH term 2 then reject

    set interfaces <XYZ> unit <X> family inet filter input SSH



  • 3.  RE: How do i configure an ACL for SSH on Ex4200 Switch

    Posted 06-26-2018 06:09

    Thank You, i tried this but the juniper isnt using a loopback interface.  can i configure just with VTY line ?  I would like to deny based on vty and not interface or loopback.

     

     

    See below is what i have so far.

    Edit

    set firewall family inet filter local_acl term terminal_access from source-address 10.3.10.0/24
    set firewall family inet filter local_acl term terminal_access from source-address 10.3.9.0/24
    set firewall family inet filter local_acl term terminal_access from protocol tcp
    set firewall family inet filter local_acl term terminal_access from port ssh
    set firewall family inet filter local_acl term terminal_access from port telnet
    set firewall family inet filter local_acl term terminal_access then accept
    set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
    set firewall family inet filter local_acl term terminal_access_denied from port ssh
    set firewall family inet filter local_acl term terminal_access_denied from port telnet
    set firewall family inet filter local_acl term terminal_access_denied then log
    set firewall family inet filter local_acl term terminal_access_denied then reject
    set firewall family inet filter local_acl term default-term then accept
    set interfaces vlan unit XXX family inet filter input local_acl
    set interfaces vlan unit XXX family inet address XXXXXXXXXXX/XX
    Commit

    [edit]
    user@myhost# edit firewall family inet filter local_acl
    Commit

    [edit firewall family inet filter local_acl]
    user@myhost# set term terminal_access from source-address 10.3.10.0/24
    user@myhost# set term terminal_access from source-address 10.3.9.0/24

    user@myhost# set term terminal_access from protocol tcp
    user@myhost# set term terminal_access from port ssh
    user@myhost# set term terminal_access from port telnet
    user@myhost# set term terminal_access then accept
    Commit

    [edit firewall family inet filter local_acl]
    user@myhost# set term terminal_access_denied from protocol tcp
    user@myhost# set term terminal_access_denied from port ssh
    user@myhost# set term terminal_access_denied from port telnet
    user@myhost# set term terminal_access_denied then log
    user@myhost# set term terminal_access_denied then reject
    user@myhost# set term default-term then accept
    Commit

    To apply the firewall filter to the loopback interface:
    [edit]
    user@myhost# set interfaces lo0 unit 0 family inet filter input local_acl
    set interfaces vlan unit XXX family inet address XXXXXXXXXXX/XX
    Commit

     



  • 4.  RE: How do i configure an ACL for SSH on Ex4200 Switch

     
    Posted 06-26-2018 08:00

    There is no VTY line style of setup in "JUNOS" like cisco's vty line access-control except for "JUNOSe S/w" where the CLI is IOS alike & have vty line".

     

    In JUNOS we configure firewall filter to restrict mgmt access. Firewall filter on lo0 is similar to cisco's line vty access-list, but here our firewall filter covers more than just device VTY access control. Configure a loopback and call the input filter there.

     

    Here are couple of examples:

     

     



  • 5.  RE: How do i configure an ACL for SSH on Ex4200 Switch

    Posted 06-26-2018 08:03

    Can i add it to the Management VLAN instead of the Lo0 ?  

     

    For example:

    set interfaces vlan unit 1 family inet filter input local_acl
    set interfaces vlan unit 1 family inet address 10.155.96.5/21

     

     

    user@myhost# set vlan unit 1 family inet filter input local_acl
    set interfaces vlan unit 1 family inet address 10.155.96.5/21



  • 6.  RE: How do i configure an ACL for SSH on Ex4200 Switch
    Best Answer

    Posted 06-26-2018 08:04

    Juniper devices do not have an equivilent to the Cisco VTY.  I'm not sure what you mean when you say the device isn't using a loopback interface, as it is the connection between the data plane and control plane.  It exists by default on all Juniper devices even if it isn't configured, and does not require an address.

     

    The standard way to control access to a Juniper device is with a firewall filter applied to the loopback interface, as in your example.  This filter will restrict all traffic to the control plane, including management traffic like SSH, telnet, or NTP, as well as all routing protocol traffic - so this filter must take into account all possible traffic the control plane needs, or it needs to restrict the specific traffic you want to limit and allow all other traffic.

     

    Once applied to the loopback interface, this filter will limit all traffic to the device itself on any IP address configured on the device regardless of what interface the IP may be assigned to.  The filter could also be applied to the individual interfaces, but would only apply to traffic on that specific interface (EDIT: this approach could also impact any transit traffic on that interface as well).  The loopback filter approach is a more comprehensive way to protect the device.

     

    EDIT: yes, you could apply the same filter to the vlan interface as you stated.  However, this would cause all traffic on that vlan to be evaluated against the filter, potentially impacting transit traffic flow.  Also, if any other IP addresses are configured on other interfaces on the device, the filter on the vlan would not block traffic to the new IP - remember that Juniper devices are full L3 devices, and can have multiple IPs configured on the box.  Best practice is to apply to the loopback interface, both to eliminate potential impact to transit traffic and for complete protection in the future as IPs may be changed.