Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  access acl for admins

    Posted 05-07-2012 03:07

    Hi,

    Can somebody paste a config showing how to secure mgmt access to EX switches?

    Just for a server class or specific IP addresses.

    Thanks

    Lukasz



  • 2.  RE: access acl for admins

    Posted 05-07-2012 03:29


  • 3.  RE: access acl for admins

    Posted 05-07-2012 04:00

    But nothing about ACLs...



  • 4.  RE: access acl for admins
    Best Answer

     
    Posted 05-07-2012 06:05

    Chapter 4 in that book, page 90, Protecting the Routing Engine.

    There's a configuration example of a firewall filter, which is how you do an ACL in Junos.

    Add a firewall input filter on your lo0 interface:

    firewall {
        family inet {
            filter protect_re {
                /* SSH from the admin subnet is accepted */
                term allow_ssh {
                    from {
                        source-address {
                            10.1.2.0/24;
                        }
                        protocol tcp;
                        destination-port ssh;
                    }
                    then accept;
                }
                /* SSH from anywhere else is dropped */
                term deny_ssh {
                    from {
                        protocol tcp;
                        destination-port ssh;
                    }
                    then {
                        discard;
                    }
                }
                /* everything else (routing protocols, SNMP, ...) still reaches the RE */
                term default {
                    then accept;
                }
            }
        }
    }

    Instead of the address you could just use a prefix-list configured under policy-options.



  • 5.  RE: access acl for admins

    Posted 05-07-2012 07:05

    Thanks,

    It works fine :)

    What other kind of security stuff are you enabling on EX access switches?



  • 6.  RE: access acl for admins

    Posted 05-08-2012 01:36

    One more question:

    I have 2 EX4200 switches in a Virtual Chassis and a few L3 VLANs. How should I secure mgmt access? Currently I can log in to all L3 VLANs and would like to limit it only to mgmt. I configured it according to the guide but it doesn't work. Any suggestions?



  • 7.  RE: access acl for admins

     
    Posted 05-08-2012 02:16
    For example you could add the destination-address of your management in the firewall filter.


  • 8.  RE: access acl for admins

    Posted 05-08-2012 03:04

    firewall {
        family inet {
            filter mgmt {
                /* SSH from the listed sources to the mgmt address is accepted */
                term allow {
                    from {
                        source-address {
                            10.X.X.0/24;
                            10.X.X.0/24;
                            10.X.X.X/32;
                        }
                        destination-address {
                            10.X.X.254/32;
                        }
                        protocol tcp;
                        destination-port ssh;
                    }
                    then accept;
                }
                /* any other SSH to the RE is dropped */
                term deny_ssh {
                    from {
                        protocol tcp;
                        destination-port ssh;
                    }
                    then {
                        discard;
                    }
                }
                /* everything else is still accepted */
                term default {
                    then accept;
                }
            }
        }
    }

    And should it be assigned under int vlan mgmt or under all?

    Right now I can access it from a subnet which I shouldn't.



  • 9.  RE: access acl for admins

     
    Posted 05-08-2012 04:07
    you should add it under interfaces lo0.0 as input filter.
    If you don't have a lo0.0 configured, it doesn't matter, just do set interfaces lo0.0 family inet filter input filter mgmt
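Putting the two answers together, here is a complete added example (editor's example, not config posted by anyone in this thread) of the management filter applied on lo0.0, using a prefix-list under policy-options as suggested in the best answer. The prefix-list name admin-hosts, the term and counter names, and the 192.0.2.0/24 and 198.51.100.10/32 sources are placeholders from the documentation address ranges, not addresses from this thread; substitute your own jump hosts.

```junos
policy-options {
    /* constructed example: the hosts/subnets admins SSH from */
    prefix-list admin-hosts {
        192.0.2.0/24;
        198.51.100.10/32;
    }
}
firewall {
    family inet {
        filter protect_re {
            /* SSH from the admin prefix-list is allowed, whichever L3 VLAN it arrives on */
            term allow-admin-ssh {
                from {
                    source-prefix-list {
                        admin-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* any other SSH attempt is counted, logged to syslog and dropped */
            term deny-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count denied-ssh;
                    syslog;
                    discard;
                }
            }
            /* keep the final accept: the switch's own control traffic must still reach the RE */
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    /* lo0.0 needs no address for this; the input filter is evaluated for all traffic to the RE */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect_re;
                }
            }
        }
    }
}
```

Because a filter on lo0.0 is applied to every packet destined to the Routing Engine regardless of which L3 VLAN (RVI) it enters on, it covers all of the VLAN addresses at once, which is what the question in posts 6 and 8 was after; a filter attached to a single vlan interface only sees traffic entering that VLAN. Commit it with `commit confirmed 5` so that a typo in the prefix-list that locks you out is rolled back automatically after five minutes, then `commit` again once you have confirmed an SSH session from an allowed host still works. `show firewall filter protect_re` shows the denied-ssh counter, which should increment when a host outside the list tries to connect. Keep in mind that the final `default` term accepts everything, so this filter only constrains SSH; if you change that term to discard, you must first add explicit accept terms for everything the switch itself relies on (your routing protocols, VRRP, DHCP relay, NTP, DNS, SNMP, ICMP), otherwise the box goes dark on the next commit.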


  • 10.  RE: access acl for admins

    Posted 05-08-2012 04:29

    I don't have int lo but I will try :)