
EX2200 limit SSH access

‎01-11-2018 05:10 AM

Hi all,

I recently configured a few EX2200 switches. I want to limit the management access (SSH) to a few sources.

On my SRX I have an L3 WAN interface, with a few VLANs.

From a Juniper SRX point of view, I would limit the SSH access via something like:

set security zones security-zone management interfaces vlan.27 host-inbound-traffic system-services ssh

There is no such option on the EX2200 as there are no security zones... At this moment I have applied a filter to all individual L3 interfaces, but I am guessing this can be done more efficiently.

Any thoughts?

Piet


Re: EX2200 limit SSH access

‎01-13-2018 05:15 AM

On any Junos device besides the SRX we use firewall filters for this purpose. See chapter 5, page 59 and following, in the free Day One: Finishing Junos Deploys book.

https://forums.juniper.net/t5/Day-One-Books/Day-One-Finishing-Junos-Deployments/ba-p/272763

These are packet access control filters that get applied to the interface on the protected device to restrict access per protocol. Similar to a policy, but these have no session table or awareness, just a straight packet filter.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: EX2200 limit SSH access

‎01-13-2018 05:26 AM

As rightly pointed out by spuluka, here are a couple of firewall filter sample configurations:

[EX/QFX] How to provide SSH access to specific IP addresses and restrict SSH access to all other IP addresses:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB24764

[EX] How to limit SSH login for management to a range of IP addresses:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB19171

 

/Karan Dhanak


Re: EX2200 limit SSH access

‎01-16-2018 08:53 AM

Hi Steve/Karan,

Thank you for your reply.

I understand that I must use firewall filters and apply them to the interfaces. So basically there is no other option than to apply filter(s) to all interfaces?

The reason why I am asking this is because I have a loopback interface on which a firewall filter is applied, so that I can only reach/SSH to the switch (loopback interface) from my management network. However, SSH (and such) is still open to the box on my WAN/LAN interfaces.

That means I need to apply filters to those interfaces also, which seems a bit off when you compare it to, for example, an SRX where you allow it with something like:

"security zones security-zone MANAGEMENT interfaces vlan.20 host-inbound-traffic system-services ssh"

But from what I understand, there is no such option and the only possibility is with multiple firewall filters / filters for to-the-box traffic per interface.

Regards,

Piet

Solution (accepted by topic author PietJansen, 01-17-2018 01:01 AM)

Re: EX2200 limit SSH access

‎01-16-2018 09:51 AM

Hi Piet,

Usually, it's the loopback address that is the most routed & advertised IP address on the router/switch (towards its known peers), thus the filter is commonly applied to the router/switch loopback. If your uplinks/downlinks (such as accessLink/wanLink) are IP routable from a far remote end outside your network, then yes, you may want to apply filters on them, but again that depends from setup to setup; a firewall node should block such unauthorized access.

Security zone configuration is specific to the SRX/vSRX Series and unfortunately doesn't apply to our subject node, the EX2200.

/Karan Dhanak
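The firewall-filter approach Steve and Karan describe, written out as an added example. This is not configuration from the thread or from the Juniper KB articles linked above; the prefix-list name, filter name, term names and the management addresses (10.0.27.0/24 and 192.0.2.10/32) are assumptions chosen for illustration. The point it shows is that a filter applied as input on lo0 is evaluated for traffic addressed to the switch itself, whichever interface that traffic arrives on, so one lo0 filter is the Junos equivalent of the SRX zone host-inbound-traffic setting for to-the-box SSH; a per-L3-interface filter is not needed for that purpose.

```junos
## Added example, not from the thread or Juniper's KB.
## Addresses and names below are constructed for illustration.

## 1. Sources allowed to manage the switch.
set policy-options prefix-list MGMT-SOURCES 10.0.27.0/24
set policy-options prefix-list MGMT-SOURCES 192.0.2.10/32

## 2. Filter for traffic addressed to the switch itself (the Routing Engine).
##    There is deliberately no destination-address match: every address the
##    switch owns (lo0, each vlan/L3 interface) is covered by the same terms.
set firewall family inet filter PROTECT-RE term allow-ssh-mgmt from source-prefix-list MGMT-SOURCES
set firewall family inet filter PROTECT-RE term allow-ssh-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term allow-ssh-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term allow-ssh-mgmt then accept

## SSH from any other source: count it (for verification and detection), then drop it.
set firewall family inet filter PROTECT-RE term deny-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term deny-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term deny-ssh then count ssh-denied
set firewall family inet filter PROTECT-RE term deny-ssh then discard

## Everything else to the box (ICMP, DHCP, NTP, routing protocols, ...) keeps working.
## Only replace this with a discard once you have an explicit accept term for each
## service the switch relies on; a lo0 filter ending in discard blocks all of them.
set firewall family inet filter PROTECT-RE term allow-rest then accept

## 3. Apply once, inbound on the loopback interface.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## Operational checks after "commit confirmed 5" (auto-rollback if you lock yourself out):
##   show firewall filter PROTECT-RE      <- the ssh-denied counter should increase when
##                                           you try SSH from a non-management source
##   show interfaces lo0 terse            <- confirms the unit the filter is attached to
```

Two caveats a practitioner will want: the filter only covers family inet, so if the switch has IPv6 addresses an equivalent family inet6 filter on lo0 is needed, and the filter does nothing for transit traffic, which is what the per-interface filters Piet mentioned are for. If SSH from a disallowed source still succeeds after the commit, the ssh-denied counter in `show firewall filter PROTECT-RE` is the quickest way to tell whether the filter is being hit at all.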