I have been trying to secure the management of our EX switches. The setup is that in general we have an inband VLAN that we use for management access. This management VLAN/subnet is protected by our firewall, where we control access to it.
On edge switches this is in general not a problem, since they only have one IP-enabled interface, but on some switches that also act as routers we have more interfaces with IP addresses. So, I want to lock it down so that only traffic from the management network can have SSH access to the switches.
The examples I have seen with firewall filters are always based on knowing the source address of the computer trying to connect. But I want to make this a bit more flexible and say that only SSH connections coming in from this interface are allowed. Is this possible?
It doesn't support "Interface Filter Match Conditions".
Match conditions are below for EX Series.
Match conditions—Specify the values or fields that the packet must contain. You can define various match conditions, including the IP source address field, IP destination address field, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port field, IP protocol field, Internet Control Message Protocol (ICMP) packet type, TCP flags, and interfaces.
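Since the filter cannot match on the ingress interface, the usual defender's approach is a source-address filter on the loopback, which protects the control plane regardless of how many IP-enabled interfaces the switch has. The configuration below is an added example written for this thread, not from the original poster or from Juniper; the filter name, term names and the 10.10.10.0/24 management prefix are constructed placeholders.

```junos
/* Constructed example: 10.10.10.0/24 stands in for the management subnet */
policy-options {
    prefix-list MGMT-NETS {
        10.10.10.0/24;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* SSH is accepted only when sourced from the management prefix */
            term ALLOW-MGMT-SSH {
                from {
                    source-prefix-list {
                        MGMT-NETS;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Any other SSH attempt to the switch is counted and dropped */
            term DENY-OTHER-SSH {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-rejected;
                    discard;
                }
            }
            /* Everything else (routing protocols, ICMP, ...) is left untouched */
            term ALLOW-REST {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

Applying the filter to lo0 covers traffic destined to any of the switch's own addresses, so the routed interfaces on the combined switch/router are protected without a per-interface filter. After committing, `show firewall filter PROTECT-RE` shows the ssh-rejected counter, which is a quick check that rejected attempts are actually hitting the deny term.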