Switching

Hi everybody,

Probably someone had this need before, i've searched, and came to no conclusion, feel free to provide me the correct link, in case this is old stuff 🙂

I need to protect several EX3200 with Junos 10.1 from worldwide access to SSH, without creating hardcoded IP lists of all VLan IPs on the switches.

I've tried the lo0 approach, just like i've done in the routers, but seems that this is not supported in EX.

Is there any other alternative, without hardcode IPs or SSH to internal IP?

Thanks in advance

Carlos Santos

Hi Carlos,

I used the Loopback approach and I find it works well.  Here is the config.  This permits SSH and SSL access from our Mgt VLANs.

system {

    services {
        ssh {
            protocol-version v2;

 interfaces {

    lo0 {           
        unit 0 {
            family inet {
                filter {
                    input manager-ip;

firewall {
    family inet {

       filter manager-ip {
            term permit-ssh-ssl {
                from {
                    source-address {
                        192.168.2.0/24;
                        192.168.3.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term deny-ssh-ssl {
                from {
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then {
                    discard;
                }
            }
            term else-accept {
                then accept;
            }
        }
    }
}

Hi Firewall72,

This worked, something went wrong with my previous testing.

Thank you for your time.

Carlos Santos