Ethernet Switching

access acl for admins

05-07-2012 03:06 AM

Hi,

can somebody paste a config showing how to secure mgmt access to EX switches?

just for a server class or specific IP addresses.

thanks

Lukasz

9 REPLIES

Re: access acl for admins

05-07-2012 03:29 AM
There is an excellent guide to hardening JunOS devices here: http://www.juniper.net/us/en/community/junos/training-certification/day-one/fundamentals-series/hard...
JNCIE-SEC #127
JNCIE-ENT #489

Re: access acl for admins

05-07-2012 04:00 AM

but nothing about ACLs...

Solution (accepted by topic author lapluk, 08-26-2015 01:27 AM)

Re: access acl for admins

05-07-2012 06:04 AM

Chapter 4 in that book, page 90, Protecting the Routing Engine.

There's a configuration example of a firewall filter, which is how to do an ACL in Junos.

Add a firewall input filter on your lo0 interface:

family inet {
    filter protect_re {
        term allow_ssh {
            from {
                source-address {
                    10.1.2.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        term deny_ssh {
            from {
                protocol tcp;
                destination-port ssh;
            }
            then {
                discard;
            }
        }
        term default {
            then accept;
        }
    }
}

Instead of the address you could just use a prefix-list configured under policy-options.

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)

Re: access acl for admins

05-07-2012 07:05 AM

thanks,

it works fine :)

what kind of other security stuff are you enabling on EX access switches?


Re: access acl for admins

05-08-2012 01:35 AM

one more question:

I have 2 EX4200 switches in a virtual chassis and a few L3 VLANs. How should I secure mgmt access? Currently I can log in to all L3 VLANs and would like to limit it only to mgmt. I configured it according to the guide but it doesn't work. Any suggestions?


Re: access acl for admins

05-08-2012 02:16 AM
For example, you could add the destination-address of your management in the firewall filter.
Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)

Re: access acl for admins

05-08-2012 03:03 AM

filter mgmt {
    term allow {
        from {
            source-address {
                10.X.X.0/24;
                10.X.X.0/24;
                10.X.X.X/32;
            }
            destination-address {
                10.X.X.254/32;
            }
            protocol tcp;
            destination-port ssh;
        }
        then accept;
    }
    term deny_ssh {
        from {
            protocol tcp;
            destination-port ssh;
        }
        then {
            discard;
        }
    }
    term default {
        then accept;
    }
}

and should it be assigned under int vlan mgmt or under all?

right now I can access it from a subnet which I shouldn't


Re: access acl for admins

05-08-2012 04:06 AM
you should add it under interfaces lo0.0 as an input filter.
If you don't have a lo0.0 configured, it doesn't matter, just do set interfaces lo0.0 family inet filter input mgmt
Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
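To make the first-match behaviour of these filters concrete (both Adam's protect_re filter from the accepted answer and the mgmt filter with a destination-address condition from the follow-up post), here is an added Python model that is not part of the thread and not Juniper code: it parses the Junos curly-brace syntax into ordered terms and evaluates sample packets the way the filter would once it is applied to lo0.0. The addresses in the mgmt copy (10.20.30.0/24, 10.20.30.254 and so on) are constructed stand-ins for the 10.X.X.X placeholders in the post, and the PORT_NAMES table covers only a handful of service names.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed input: Adam's protect_re filter as posted, and a copy of the
# asker's mgmt filter with the 10.X.X.X placeholders replaced by constructed
# sample addresses. Whitespace is irrelevant to the tokenizer below, so the
# blocks are written compactly.
PROTECT_RE = """
filter protect_re {
    term allow_ssh { from { source-address { 10.1.2.0/24; } protocol tcp; destination-port ssh; } then accept; }
    term deny_ssh  { from { protocol tcp; destination-port ssh; } then { discard; } }
    term default   { then accept; }
}
"""

MGMT = """
filter mgmt {
    term allow { from { source-address { 10.20.30.0/24; 10.20.31.0/24; 10.20.32.5/32; }
                        destination-address { 10.20.30.254/32; }
                        protocol tcp; destination-port ssh; } then accept; }
    term deny_ssh { from { protocol tcp; destination-port ssh; } then { discard; } }
    term default  { then accept; }
}
"""

# Small subset of the service names Junos accepts for destination-port.
PORT_NAMES = {"ssh": 22, "telnet": 23, "http": 80, "https": 443, "snmp": 161}


def parse_junos(text: str) -> Dict:
    """Parse Junos curly-brace syntax into nested dicts, preserving order.
    'key value;' -> {'key': 'value'}, 'key {...}' -> {'key': {...}}, and a
    bare 'value;' (a prefix inside source-address) -> {'value': True}."""
    tokens = text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split()
    pos = 0

    def block() -> Dict:
        nonlocal pos
        node: Dict = {}
        words = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                break
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok == ";":
                node[words[0]] = True if len(words) == 1 else " ".join(words[1:])
                words = []
            else:
                words.append(tok)
        return node

    return block()


def _in_any(addr: str, prefixes: Dict) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def term_matches(frm: Dict, pkt: Dict) -> bool:
    """All conditions in a 'from' block must hold (Junos ANDs them); the
    prefixes listed under one address condition are ORed."""
    if "source-address" in frm and not _in_any(pkt["src"], frm["source-address"]):
        return False
    if "destination-address" in frm and not _in_any(pkt["dst"], frm["destination-address"]):
        return False
    if "protocol" in frm and frm["protocol"] != pkt["proto"]:
        return False
    if "destination-port" in frm:
        want = frm["destination-port"]
        if (int(want) if want.isdigit() else PORT_NAMES[want]) != pkt["dport"]:
            return False
    return True


def evaluate(filter_cfg: Dict, pkt: Dict) -> Tuple[str, str]:
    """Walk the terms in configuration order; the first match decides.
    A packet matching no term hits the implicit discard that ends every
    Junos firewall filter, which is why the 'default' term exists."""
    for key, term in filter_cfg.items():
        if key.startswith("term ") and term_matches(term.get("from", {}), pkt):
            then = term["then"]
            action = then if isinstance(then, str) else next(iter(then))
            return key[len("term "):], action
    return "(implicit)", "discard"


def load_filter(text: str) -> Dict:
    """Return the body of the single 'filter NAME' block in text."""
    return next(iter(parse_junos(text).values()))


if __name__ == "__main__":
    cfg = load_filter(MGMT)
    for pkt in [
        {"src": "10.20.30.10", "dst": "10.20.30.254", "proto": "tcp", "dport": 22},  # admin -> mgmt IP
        {"src": "10.20.30.10", "dst": "10.20.40.1", "proto": "tcp", "dport": 22},    # admin -> other L3 VLAN IP
        {"src": "172.16.9.9", "dst": "10.20.30.254", "proto": "tcp", "dport": 22},   # non-admin -> mgmt IP
        {"src": "172.16.9.9", "dst": "10.20.30.254", "proto": "udp", "dport": 161},  # SNMP, not SSH
    ]:
        print(pkt["src"], "->", pkt["dst"], pkt["proto"], pkt["dport"], evaluate(cfg, pkt))
```

Running it shows why the lo0.0 placement matters and what these filters do not cover. A filter on lo0.0 is evaluated for all traffic addressed to the Routing Engine, whichever VLAN interface it arrives on, so with the destination-address term SSH from the admin subnet to a non-management VLAN address lands in deny_ssh and is discarded. The trailing default term still accepts everything that is not SSH (the SNMP packet in the sample), so Telnet, HTTP/J-Web or SNMP access needs terms of its own, or a discard-by-default design that explicitly permits what the switch must receive (routing protocols, NTP, DNS, the management protocols you actually use).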

Re: access acl for admins

05-08-2012 04:28 AM

i don't have int lo but i will try :)