access acl for admins

lapluk · ‎08-01-2011

Hi,

can sombody can paste config how to secure mgmt access to ex switches?

just for server class or specific ip addresses.

thanks

Lukasz

ronf · ‎04-04-2011

There is an excellent guide to hardening JunOS devices here: http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/hard...

lapluk · ‎08-01-2011

but nothing about acls ..

AdamLin · ‎08-02-2010

Chapter 4 in that book, page 90, Protecting the Routing Engine.

There's a configuration example of firewall filter which is how to do an acl in junos.

Add a firewall input filter on your lo0 interface:

family inet {
    filter protect_re {
        term allow_ssh {
            from {
                source-address {
                    10.1.2.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term deny_ssh {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                discard;
            }
        }
        term default {
            then accept;
        }
    }
}

Instead of the address you could just use a prefix-list configured under policy-options.

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)

lapluk · ‎08-01-2011

thanks,

it works fine

what kind of other security stuff are you enabling on ex access switches?

lapluk · ‎08-01-2011

one more question:

i have 2 ex4200 switches in virtual-chassis and few l3 vlans, how should i secure mgmt access, currently i can login to all l3 vlans and would like to limit it only to mgmt i configured it according to guide but doesn’t work any suggestions?

AdamLin · ‎08-02-2010

For example you could add the destination-address of your management in the firewall filter.

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)

lapluk · ‎08-01-2011

filter mgmt {
        term allow {
            from {
                source-address {
                    10.X.X.0/24;
                    10.X.X.0/24;
                    10.X.X.X/32;

                }
                destination-address {
                    10.X.X.254/32;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term deny_ssh {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                discard;
            }
        }
        term default {
            then accept;
        }
    }

and it shuld be assing under int vlan mgmt or under all?

right now i can access it from subnet which i shouldnt

AdamLin · ‎08-02-2010

you should add it under interfaces lo0.0 as input filter.
If you don't have a lo0.0 configured, it doesn't matter, just do set interfaces lo0.0 family inet filter input filter mgmt

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)

lapluk · ‎08-01-2011

i don't have int lo but i will try

access acl for admins

Re: access acl for admins

Re: access acl for admins

Re: access acl for admins

Re: access acl for admins

Re: access acl for admins

Re: access acl for admins

Re: access acl for admins

Re: access acl for admins

Re: access acl for admins