I recently configured a few EX2200 switches. I want to limit the management access(SSH) to a few sources.
On my SRX I have a L3 wan interface, with a few VLANs.
From a Juniper SRX point of view, I would limit the SSH access via something like:
set security zones security-zone management interfaces vlan.27 host-inbound-traffic system-services ssh
There is no such option on the EX2200 as there are no security zones... At this moment I have applied a filter to all individual L3 interfaces, but I am guessing this can be done more efficient.
On any Junos device besides the SRX we use firewall filters for this purpose. See chapter 5 page 59 and following in the free Day One: Finishing Junos Deploys book.
These are packet access control filters that get applied to the interface on the protected device to restrict access per protocol. Similar to a policy but these have no session table or awareness just a straight packet filter.
Thank you for your reply,
I understand that I must use firewall filters and apply it to the interfaces. So basically there is no other option then apply filter(s) to all interfaces?
The reason why I am asking this is because I have a loopback interface on which a firewall filter is applied, so that I can only reach/SSH the switch(loopback interface) from my management network. However, SSH(and such) is still open to the box on my WAN/ LAN interfaces.
That means I need to apply filters to those interfaces also, which seems a bit off when you compare it to ,for example, a SRX where you allow it with something like:
"security zones security-zone MANAGEMENT interfaces vlan.20 host-inbound-traffic system-services ssh"
But from what I understand, there is no such option and the only possibility is with multiple firewall filters/ filters for to-the-box traffic per interface.
Usually, its the loopback address that's the most routed & advertised IP address on the router/switch (towards its known peers) thus the filter is applied commonly onto router/switch loopback. If your uplinks/downlinks (such as accessLink/wanLink) is IP routable from far remote end outside your network, then yes, you may wanna apply filters on them but again that depends from setup to setup, a firewall node should block such unauthorized access.
Security zone configuration set is specfic to SRX/vSRX Series and unfortunately doesn't apply to our subjected node, EX2200.
as rightly pointed by spuluka, Here are couple of firewall filter sample configuration:
[EX/QFX] How to provide SSH access to specific IP addresses and restrict SSH access to all other IP addresses:
[EX] How to limit SSH login for management to a range of IP address:
#Mark my solution as accepted if it helped, Kudos are appreciated as well.