Ethernet Switching
Contributor
lapluk
Posts: 69
Registered: ‎08-01-2011
Accepted Solution

access acl for admins

Hi,


Can somebody paste a config showing how to secure mgmt access to EX switches?


Just for the server class or specific IP addresses.


Thanks


Lukasz

Recognized Expert
ronf
Posts: 238
Registered: ‎04-04-2011

Re: access acl for admins

There is an excellent guide to hardening JunOS devices here: http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/hard...
JNCIE-SEC #127
Contributor
lapluk
Posts: 69
Registered: ‎08-01-2011

Re: access acl for admins

But nothing about ACLs...

Super Contributor
AdamLin
Posts: 167
Registered: ‎08-02-2010

Re: access acl for admins


Chapter 4 in that book, page 90, Protecting the Routing Engine.

There's a configuration example of a firewall filter, which is how you do an ACL in Junos.


Add a firewall input filter on your lo0 interface:


family inet {
    filter protect_re {
        /* SSH from the admin subnet only: terms are evaluated top down, first match wins */
        term allow_ssh {
            from {
                source-address {
                    10.1.2.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        /* SSH from anywhere else is silently dropped */
        term deny_ssh {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                discard;
            }
        }
        /* everything else (routing protocols, SNMP, NTP, ...) is still allowed */
        term default {
            then accept;
        }
    }
}

Instead of the address you could just use a prefix-list configured under policy-options.

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
Contributor
lapluk
Posts: 69
Registered: ‎08-01-2011

Re: access acl for admins

Thanks,


It works fine :)


What other security stuff are you enabling on EX access switches?

Contributor
lapluk
Posts: 69
Registered: ‎08-01-2011

Re: access acl for admins

One more question:

I have 2 EX4200 switches in a virtual chassis and a few L3 VLANs. How should I secure mgmt access? Currently I can log in via all L3 VLANs and would like to limit it to mgmt only. I configured it according to the guide but it doesn't work. Any suggestions?

Super Contributor
AdamLin
Posts: 167
Registered: ‎08-02-2010

Re: access acl for admins

For example, you could add the destination-address of your management interface in the firewall filter.
Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
Contributor
lapluk
Posts: 69
Registered: ‎08-01-2011

Re: access acl for admins

filter mgmt {
    /* SSH only from the listed admin sources, and only to the mgmt address */
    term allow {
        from {
            source-address {
                10.X.X.0/24;
                10.X.X.0/24;
                10.X.X.X/32;
            }
            destination-address {
                10.X.X.254/32;
            }
            protocol tcp;
            destination-port ssh;
        }
        then accept;
    }
    /* any other SSH attempt is dropped */
    term deny_ssh {
        from {
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
    /* all remaining traffic to the switch is allowed */
    term default {
        then accept;
    }
}


And should it be assigned under interface vlan mgmt, or under all of them?


Right now I can access it from a subnet that I shouldn't be able to.

Super Contributor
AdamLin
Posts: 167
Registered: ‎08-02-2010

Re: access acl for admins

You should add it under interfaces lo0.0 as an input filter.
If you don't have lo0.0 configured, it doesn't matter; just do set interfaces lo0.0 family inet filter input mgmt
Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
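Putting the two answers together (prefix-list under policy-options, filter applied as input on lo0.0), here is the complete set-format version as an added example; it is not from any post in this thread or from the hardening guide. The prefix-list name mgmt-hosts, the filter name protect_re, the counter name ssh-denied and the addresses 10.1.2.0/24 and 10.1.3.10/32 are assumed placeholders; the lo0.0 filter covers traffic to the Routing Engine arriving on any L3 VLAN interface of the virtual chassis, so it does not need to be repeated per VLAN.

```junos
## Added example (not the thread's own config). Names and addresses are assumed.
## Admin sources kept in one prefix-list so the filter never has to change.
set policy-options prefix-list mgmt-hosts 10.1.2.0/24
set policy-options prefix-list mgmt-hosts 10.1.3.10/32

## Term 1: SSH from the admin prefix-list is accepted
set firewall family inet filter protect_re term allow_ssh from source-prefix-list mgmt-hosts
set firewall family inet filter protect_re term allow_ssh from protocol tcp
set firewall family inet filter protect_re term allow_ssh from destination-port ssh
set firewall family inet filter protect_re term allow_ssh then accept

## Term 2: any other SSH is counted, logged and discarded (count/log are visible
## with "show firewall" / "show firewall log", useful when a source is blocked by mistake)
set firewall family inet filter protect_re term deny_ssh from protocol tcp
set firewall family inet filter protect_re term deny_ssh from destination-port ssh
set firewall family inet filter protect_re term deny_ssh then count ssh-denied
set firewall family inet filter protect_re term deny_ssh then log
set firewall family inet filter protect_re term deny_ssh then discard

## Term 3: leave everything else alone, same as the thread's "default" term
set firewall family inet filter protect_re term default then accept

## Apply once, as an input filter on lo0.0; this is evaluated for all traffic
## destined to the switch itself, whichever L3 VLAN it enters on
set interfaces lo0 unit 0 family inet filter input protect_re
```

Commit this from a session that is already in the allowed prefix-list, or use commit confirmed, so a typo in the addresses cannot lock you out; afterwards show firewall filter protect_re should show the ssh-denied counter rising for connections from non-admin subnets.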
Contributor
lapluk
Posts: 69
Registered: ‎08-01-2011

Re: access acl for admins

I don't have int lo, but I will try :)

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.