Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  EX 4200 OoB Management

    Posted 11-18-2010 16:32

    Hello community,

    I am new to Junos and a bit confused concerning out-of-band management on an EX-4200 VC of two devices running 10.0R4.7.

    Although I configured OoB management using the dedicated interface on the back of the switch, I can reach SSH, web management etc. from outside of this management LAN through interface ge-1/0/15. Does this mean I have to apply filters to all other inet interfaces (e.g. ge-1/0/15) so that it is not possible to ssh to the switch from outside? I thought that not having to separate the management further is one of the main reasons for OoB management - or did I just do something stupid?

     

    My test configuration is attached but mainly looks like this:

    interfaces {
        ge-1/0/15 {
            description testuplink1;
            unit 0 {
                family inet {
                    address 192.168.1.60/24;
                }
            }
        }
        vme {
            unit 0 {
                family inet {
                    address 192.168.2.72/24;
                }
            }
        }
    }

    ssh'ing to 192.168.2.72 is of course working, but why can I ssh to 192.168.1.60? Shouldn't the OoB management prevent this?

    Attachment(s)

    oob-test.txt (txt, 7 KB, 1 version)


  • 2.  RE: EX 4200 OoB Management

    Posted 11-18-2010 18:08

    I believe the piece you are missing is the VLAN assignment for the ports. In-band management is permitted on the default VLAN, and the switch ships with all ports a member of the default VLAN.

    I think if you just create a new VLAN and assign all the ports to that, then in-band management will not be permitted there unless you configure it.



  • 3.  RE: EX 4200 OoB Management

    Posted 11-19-2010 04:27

    Thank you for your hint.

     

    I replaced ge-1/0/15 with family ethernet-switching and created a VLAN "myvlan", assigned all switchports to it, most notably ge-1/0/15 (the only port active beside the management port on the back):

    interfaces {
        [..]
        vlan {
            unit 20 {
                family inet {
                    address 192.168.1.60/24;
                }
            }
        }
        vme {
            unit 0 {
                family inet {
                    address 192.168.2.72/24;
                }
            }
        }
    }

    vlans {
        default;
        myvlan {
            vlan-id 20;
            interface {
                [..]
                ge-1/0/15.0;
                [..]
            }
            l3-interface vlan.20;
        }
    }

    root@test# run show vlans
    Name        Tag     Interfaces
    default     None
    myvlan      20      [..] ge-1/0/15.0* [..]

    root@test# run show vlans management-vlan
    Name        Tag     Interfaces
    mgmt                bme0.32769, me0.0*

    But I am still able to ssh to the VC through 192.168.1.60 ..

    Any ideas what stupid error I am making? All I want is to simply allow management of the switch only through the address I assigned to vme/me0.

     

    Attachment(s)

    oob-test2.txt (txt, 8 KB, 1 version)


  • 4.  RE: EX 4200 OoB Management
    Best Answer

    Posted 11-19-2010 05:01

    Hi pvlan,

    You can set a firewall filter and apply it to the loopback interface (lo0.0).

    Example:

    Step 1: Create a firewall filter denying access using SSH and Telnet

    [edit firewall family inet]
    root@EX# set filter filter1 term term1 from protocol tcp
    root@EX# set filter filter1 term term1 from destination-port ssh
    root@EX# set filter filter1 term term1 from destination-port telnet
    root@EX# set filter filter1 term term1 then discard
    root@EX# set filter filter1 term term2 then accept

    The second term allows all other types of traffic. (This will deny SSH and Telnet access to your VLAN IPs and allow all other types of traffic.)

    Step 2: Apply the firewall filter to the loopback interface

    [edit]
    root@EX# set interfaces lo0 unit 0 family inet filter input filter1
    root@EX# commit

     



  • 5.  RE: EX 4200 OoB Management

    Posted 11-19-2010 06:13

    I thought that when using OoB management, services like SSH, web management etc. are only listening on the me/vme interface and there is no need to filter; it seems I was wrong. Thank you!



  • 6.  RE: EX 4200 OoB Management

    Posted 11-25-2010 18:34

    Keep in mind it's not really OOB management. Any route you install for the OOB port gets installed into the global routing table along with everything else. You can unintentionally black-hole traffic this way.



  • 7.  RE: EX 4200 OoB Management

    Posted 01-13-2011 02:46

    Will this configuration deny SSH connections to SSH servers behind the switch, for example to servers connected to this switch?



  • 8.  RE: EX 4200 OoB Management

    Posted 01-13-2011 13:32

    No, it applies only to traffic with destination IP = switch IP.



  • 9.  RE: EX 4200 OoB Management

    Posted 01-19-2011 16:41

    We only do in-band management due to the shared routing table, so I don't know if the loopback filter also affects the vme port. If it does, then the firewall filter needs to be updated to allow ssh/telnet to the vme0 address before that discard.

    [edit firewall family inet]
    set filter filter1 term vme_access from destination-address 192.168.2.72/32
    set filter filter1 term vme_access from protocol tcp
    set filter filter1 term vme_access from destination-port ssh
    set filter filter1 term vme_access from destination-port telnet
    set filter filter1 term vme_access then accept
    set filter filter1 term block_non-vme from protocol tcp
    set filter filter1 term block_non-vme from destination-port ssh
    set filter filter1 term block_non-vme from destination-port telnet
    set filter filter1 term block_non-vme then discard
    set filter filter1 term Default_allow then accept

     

    Personally, I do the above using prefix-lists for ease of deployment.

    1) Get vme's address

    set policy-options prefix-list PL-VME apply-path "interfaces vme unit <*> family inet address <*>"

    2) Get all addresses assigned to the device; will pick up vme also.

    set policy-options prefix-list PL-MY_ADDRESSES apply-path "interfaces <*> unit <*> family inet address <*>"

    3) Use in the filter.

    [edit firewall family inet]
    # allow access to the vme address first
    set filter filter1 term vme_access from destination-prefix-list PL-VME
    set filter filter1 term vme_access from protocol tcp
    set filter filter1 term vme_access from destination-port ssh
    set filter filter1 term vme_access from destination-port telnet
    set filter filter1 term vme_access then accept
    # now block access to any of my addresses if it wasn't already allowed above
    set filter filter1 term block_non-vme from destination-prefix-list PL-MY_ADDRESSES
    set filter filter1 term block_non-vme from protocol tcp
    set filter filter1 term block_non-vme from destination-port ssh
    set filter filter1 term block_non-vme from destination-port telnet
    set filter filter1 term block_non-vme then discard
    # last, allow everything else
    set filter filter1 term Default_allow then accept

    The benefit of doing it this way is that you can pick up that entire configuration and apply it to any other device without having to make any modifications on subsequent devices to achieve the same result. If you want to verify what it is doing, use the "| display inheritance" option:

    show policy-options prefix-list PL-VME | display inheritance
    show policy-options prefix-list PL-MY_ADDRESSES | display inheritance
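Pulling the accepted answer and the prefix-list refinement above together, here is a complete set-format version of the lo0.0 filter as an added example; it is not code from this thread or from Juniper. It goes one step beyond the thread: the management ports are accepted only when a packet is both addressed to the vme address and sourced from a management-station prefix, and blocked attempts are counted and logged. The management prefix 192.168.2.0/24 (the vme subnet used in the thread), the filter name PROTECT-RE, the term names and the counter name mgmt-denied are assumptions; lines beginning with # are commentary, not CLI input. Because the thread leaves open whether traffic arriving on vme is seen by the lo0 filter at all, the vme address is accepted explicitly in the first term, which is correct either way.

```junos
# Added example, not from the thread. Assumed: management stations live in
# 192.168.2.0/24 (the vme subnet used in the thread); the names PROTECT-RE,
# mgmt_via_vme, mgmt_elsewhere, everything_else and mgmt-denied are arbitrary.

# Prefix lists built from the configuration itself, so nothing is edited per device.
# Note: apply-path keeps the configured prefix length, so these expand to subnets
# (192.168.2.72/24 becomes 192.168.2.0/24). That is harmless on lo0.0, which only
# sees traffic addressed to the switch itself.
set policy-options prefix-list PL-VME apply-path "interfaces vme unit <*> family inet address <*>"
set policy-options prefix-list PL-MY_ADDRESSES apply-path "interfaces <*> unit <*> family inet address <*>"
set policy-options prefix-list PL-MGMT-STATIONS 192.168.2.0/24

# Term 1: management protocols, to the vme address, from management stations only.
# Telnet, HTTP and HTTPS are listed so the filter also covers them if those
# services are enabled later.
set firewall family inet filter PROTECT-RE term mgmt_via_vme from source-prefix-list PL-MGMT-STATIONS
set firewall family inet filter PROTECT-RE term mgmt_via_vme from destination-prefix-list PL-VME
set firewall family inet filter PROTECT-RE term mgmt_via_vme from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt_via_vme from destination-port [ ssh telnet http https ]
set firewall family inet filter PROTECT-RE term mgmt_via_vme then accept

# Term 2: the same protocols to any other address of the switch, or from any
# other source, are dropped, counted and logged.
set firewall family inet filter PROTECT-RE term mgmt_elsewhere from destination-prefix-list PL-MY_ADDRESSES
set firewall family inet filter PROTECT-RE term mgmt_elsewhere from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt_elsewhere from destination-port [ ssh telnet http https ]
set firewall family inet filter PROTECT-RE term mgmt_elsewhere then count mgmt-denied
set firewall family inet filter PROTECT-RE term mgmt_elsewhere then log
set firewall family inet filter PROTECT-RE term mgmt_elsewhere then discard

# Term 3: everything else (routing protocols, ICMP, NTP, ...) still reaches the RE.
# A filter ends with an implicit discard, so without this term the lo0 filter
# would also drop OSPF, DHCP relay and anything else not accepted above.
set firewall family inet filter PROTECT-RE term everything_else then accept

set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# Commit from the console or from a session over the vme address, and let the
# commit roll back automatically unless confirmed, in case the filter locks you out.
commit confirmed 5
```

After the commit, `show firewall filter PROTECT-RE` shows the mgmt-denied counter, `show firewall log` the logged discards, and (in configuration mode) `show policy-options prefix-list PL-VME | display inheritance` the addresses the apply-path expanded to. From a host, confirm that SSH to 192.168.2.72 still connects while SSH to 192.168.1.60 now times out rather than being refused (discard drops silently; use reject if you want an ICMP unreachable instead), then issue a plain `commit` to make the change permanent.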