Switching
  • 1.  EX Management Firewall Filter

    Posted 12-06-2010 10:39

    Hi,

    I've tried a few different approaches to get our filter working, but I'm running into a wall.  Our loopback approach on the SRX works without issues, but I was told it's not recommended to use the loopback on the EX since there were a few limitations.  Anyone have an example for the EX?  We're running 10.0x and simply trying to lock down SSH/HTTPS access.  Here is what I currently have.  Thank you.

    filter v156 {
        term 1 {
            from {
                source-prefix-list {
                    mgt-vlans;
                }
                destination-prefix-list {
                    mgt-ips;
                }
                protocol tcp;
                destination-port [ ssh https ];
            }
            then {
                log;
                accept;
            }
        }
        term 2 {        
            from {
                source-address {
                    10.0.0.0/8;
                }
                destination-prefix-list {
                    mgt-ips;
                }
                protocol tcp;
                destination-port [ ssh https ];
            }
            then {
                log;
                discard;
            }
        }
        term 3 {
            then accept;
        }
    }


    policy-options {
        prefix-list mgt-vlans {
            10.100.1.0/24;
            10.108.1.0/24;
            10.108.152.0/24;
            10.109.48.0/24;
        }
        prefix-list mgt-ips {
            10.108.156.1/32;
            10.108.156.2/32;
        }
    }


    unit 0 {
        family inet;
    }

    unit 156 {
        family inet {
            filter {
                input v156;
            }
            address 10.108.156.2/24 {
                vrrp-group 0 {
                    virtual-address 10.108.156.1;
                    priority 110;
                    accept-data;
                }
            }
        }
    }



  • 2.  RE: EX Management Firewall Filter
    Best Answer

    Posted 12-06-2010 11:40

    Hi,

    I tried the loopback approach again and now it's working.  Basically, it's Screenie's config from the Config Library http://forums.juniper.net/t5/Configuration-Library/Configuration-Example-permited-IP-on-SRX/m-p/58392#M26.

    Here's the config that tested OK.

    firewall {
        filter manager-ip {
            term permit-ssh-ssl {
                from {
                    source-address {
                        10.108.1.0/24;
                        10.108.152.0/24;
                        10.100.1.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term deny-ssh-ssl {
                from {
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then {
                    discard;
                }
            }
            term else-accept {
                then accept;
            }
        }
    }

        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input manager-ip;
                    }
                }
            }
        }
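To see why the lo0 filter in the accepted answer behaves differently from the VLAN-interface filter in the first post, the following added example (not part of the thread, and not Juniper code) models the two posted filters as data and evaluates them the way Junos evaluates a firewall filter: terms are tried in order, the first matching term decides, and a packet that matches no term is discarded by the implicit discard at the end of every filter. The sample flows are constructed; the `else-accept` check at the end shows what happens to non-SSH/HTTPS traffic to the routing engine (NTP in this sample) if that final accept term is left out.

```python
# Added example, not code from the thread. Models Junos firewall-filter
# semantics: first matching term wins, implicit discard if no term matches.
import ipaddress

PORTS = {"ssh": 22, "https": 443}  # service names used in the posted configs


def in_prefixes(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def term_matches(term, flow):
    """A term matches when every condition in its 'from' clause holds.
    A term with no 'from' clause matches every packet."""
    cond = term.get("from", {})
    if "source" in cond and not in_prefixes(flow["src"], cond["source"]):
        return False
    if "destination" in cond and not in_prefixes(flow["dst"], cond["destination"]):
        return False
    if "protocol" in cond and cond["protocol"] != flow["proto"]:
        return False
    if "dport" in cond and flow["dport"] not in {PORTS[p] for p in cond["dport"]}:
        return False
    return True


def evaluate(filter_terms, flow):
    """Return (action, term_name); '<implicit>' marks the implicit discard."""
    for name, term in filter_terms:
        if term_matches(term, flow):
            return term["then"], name
    return "discard", "<implicit>"


# Prefix lists from the first post.
MGT_VLANS = ["10.100.1.0/24", "10.108.1.0/24", "10.108.152.0/24", "10.109.48.0/24"]
MGT_IPS = ["10.108.156.1/32", "10.108.156.2/32"]

# Filter v156 from the first post (applied on the VLAN interface).
V156 = [
    ("1", {"from": {"source": MGT_VLANS, "destination": MGT_IPS,
                    "protocol": "tcp", "dport": ["ssh", "https"]},
           "then": "accept"}),
    ("2", {"from": {"source": ["10.0.0.0/8"], "destination": MGT_IPS,
                    "protocol": "tcp", "dport": ["ssh", "https"]},
           "then": "discard"}),
    ("3", {"then": "accept"}),
]

# Filter manager-ip from the accepted answer (applied on lo0).
MANAGER_IP = [
    ("permit-ssh-ssl", {"from": {"source": ["10.108.1.0/24", "10.108.152.0/24",
                                            "10.100.1.0/24"],
                                 "protocol": "tcp", "dport": ["ssh", "https"]},
                        "then": "accept"}),
    ("deny-ssh-ssl", {"from": {"protocol": "tcp", "dport": ["ssh", "https"]},
                      "then": "discard"}),
    ("else-accept", {"then": "accept"}),
]


def flow(src, dst, dport, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


# Constructed sample flows toward the management address.
SAMPLE_FLOWS = [
    flow("10.108.1.20", "10.108.156.1", 22),         # management VLAN -> SSH
    flow("10.50.7.9", "10.108.156.1", 443),          # other 10/8 host -> HTTPS
    flow("192.168.1.5", "10.108.156.1", 22),         # host outside 10/8 -> SSH
    flow("10.50.7.9", "10.108.156.1", 123, "udp"),   # NTP, must keep working
]


def run(filter_terms, flows):
    return [evaluate(filter_terms, f) for f in flows]


if __name__ == "__main__":
    for label, terms in (("v156", V156), ("manager-ip", MANAGER_IP)):
        print(label)
        for f, (action, term) in zip(SAMPLE_FLOWS, run(terms, SAMPLE_FLOWS)):
            print(f"  {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}: {action} (term {term})")
    # Same lo0 filter without the final else-accept term: NTP hits the implicit discard.
    print("without else-accept:", evaluate(MANAGER_IP[:2], SAMPLE_FLOWS[3]))
```

Running it shows the difference: under `v156` the SSH attempt from 192.168.1.5 falls through to term 3 and is accepted, because term 2 only discards sources inside 10.0.0.0/8, whereas `manager-ip` discards every SSH/HTTPS packet that did not match the permit term regardless of source. The last line shows the implicit discard: on lo0 the final `else-accept` term is what keeps routing protocols, NTP, DNS and similar control-plane traffic alive.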