Routing

How to filter ssh access if device is default gateway in a routing instance

‎03-10-2016 02:27 AM

Hello all,

I need to filter ssh access from servers that I have in different routing instances (VRFs) when the device is the default gateway for them.

Is there any option to set the filter in the global configuration and apply it to all VRFs, or do I need to apply it in each VRF?


Thanks a lot

Fran


Re: How to filter ssh access if device is default gateway in a routing instance

‎03-10-2016 02:32 AM

Hi Fran,

Are you looking to filter ssh access to the device from the servers, or are you trying to filter ssh access from a routing instance through the device to another routing instance?

Shailesh

Re: How to filter ssh access if device is default gateway in a routing instance

‎03-10-2016 02:43 AM

Hello,

It is the first one you said:

I have multiple routing instances that connect to servers. The problem is that from the servers I can ssh to the default gateway (the Juniper device) in the same routing instance, and I want to filter this access and only permit ssh to one or two prefixes.


Re: How to filter ssh access if device is default gateway in a routing instance

‎03-10-2016 06:56 AM

Hi,

The recommended way to limit access to Juniper devices is to apply a firewall filter to the loopback interface. Having said this, as you have multiple VRFs you need to define a single loopback interface unit for each individual VRF (in case you do not have one already). Note that in order to apply a firewall filter to a loopback interface unit, the loopback interface unit does not necessarily need to have an IP address.

The easiest way to get this filter onto all VRFs is using apply-groups. Here is an example:

 

set policy-options prefix-list ssh-hosts 172.16.1.100/32
set policy-options prefix-list ssh-hosts 172.16.1.101/32
set firewall family inet filter ssh-filter term ssh-access from source-prefix-list ssh-hosts 
set firewall family inet filter ssh-filter term ssh-access from protocol tcp 
set firewall family inet filter ssh-filter term ssh-access from port ssh 
set firewall family inet filter ssh-filter term ssh-access then accept
set firewall family inet filter ssh-filter term default then discard
set groups ssh-access-to-vrfs interfaces lo0 unit <*> family inet filter input ssh-filter
set apply-group ssh-access-to-vrfs

set interfaces lo0 unit 1
set routing-instances VR1 interface lo0.1

The only configuration steps you need to repeat for each VRF are the last two lines (defining an individual loopback interface unit and applying it to the VRF).


Cheers,

Carsten 


Re: How to filter ssh access if device is default gateway in a routing instance

‎03-10-2016 07:26 AM

OK, thanks so much, one question:

In a VRF configuration I already have an interface that is the default gateway of the VRF, so I don't need to configure a loopback for each VRF. See the configuration:


instance-type virtual-router;
interface irb.2442;
interface irb.2444; <<<<<<<<<<<<<<
protocols {
ospf {
export training_ospf2fw;
area 0.0.0.0 {
interface irb.2444;
interface irb.2442;


core01> show configuration interfaces irb.2444
family inet {
address 10.236.26.1/24; <<<< this is a default gateway ( core01 )


From a remote server of this routing-instance:

Server#ssh Y9CB9N@10.252.26.1
password:
--- JUNOS 14.1R3.5 built 2014-11-13 10:59:26 UTC
{master:member0-re0}
core01>

I want to filter this ssh access when, in the routing instance, the default gateway is the device itself (core01). So, with your previous configuration, I don't need to configure a loopback for each routing instance, because I already have an IRB interface (with the default gateway).

Thanks a lot.

Fran

Accepted Solution (accepted by topic author fserrano@es.ibm.com, ‎03-11-2016 12:59 AM)

Re: How to filter ssh access if device is default gateway in a routing instance

‎03-10-2016 10:50 PM

Potentially you can bind the firewall filter to irb.2444 as an input filter as well, but then unrestricted access via irb.2442 (or any other interface within the routing instance) is still possible. If you use a transit interface (irb or ge/xe-*) to block the traffic, you need to apply the filter to every individual interface. That makes things more complex, especially if you want to filter or classify transit traffic in addition.

Therefore, best practice is to apply a filter to the loopback interface unit, because all traffic destined for the routing engine (ssh, ospf, bgp, etc.) will logically pass the firewall filter of the loopback interface, independent of which interface the traffic entered the router on.

BTW, in my previous config example you need to add a rule to accept OSPF packets as well. :-)


Cheers,

Carsten
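An added example, not from the thread, that puts Carsten's two replies together: the per-VRF loopback-unit filter from his first reply plus the OSPF accept term he points out in the accepted answer, with a counter on rejected ssh so the block is visible, and a commit-confirmed step so a mistake in the filter cannot lock you out. The prefix-list addresses, the instance names VR1/VR2 and the ICMP term are assumptions; the lines starting with # are annotations, not Junos syntax, and must be dropped before pasting.

```junos
# Hosts allowed to ssh to the router from inside any VRF (assumed addresses).
set policy-options prefix-list ssh-hosts 172.16.1.100/32
set policy-options prefix-list ssh-hosts 172.16.1.101/32

# Filter for every loopback unit. Terms are evaluated top to bottom and the
# first match wins, so everything the routing engine must receive needs an
# accept term before the final discard. destination-port (not port) so that
# only connections TO the router's sshd match, not traffic from source port 22.
set firewall family inet filter protect-re term ssh-allowed from source-prefix-list ssh-hosts
set firewall family inet filter protect-re term ssh-allowed from protocol tcp
set firewall family inet filter protect-re term ssh-allowed from destination-port ssh
set firewall family inet filter protect-re term ssh-allowed then accept

# ssh from anyone else: count it, then drop it.
set firewall family inet filter protect-re term ssh-denied from protocol tcp
set firewall family inet filter protect-re term ssh-denied from destination-port ssh
set firewall family inet filter protect-re term ssh-denied then count ssh-denied
set firewall family inet filter protect-re term ssh-denied then discard

# OSPF runs in the VRFs (the accepted answer notes this term is required).
set firewall family inet filter protect-re term ospf from protocol ospf
set firewall family inet filter protect-re term ospf then accept

# Assumed: keep ping/traceroute to the gateway working for troubleshooting.
set firewall family inet filter protect-re term icmp from protocol icmp
set firewall family inet filter protect-re term icmp then accept

# Everything else destined for the routing engine is counted, logged, dropped.
set firewall family inet filter protect-re term default then count re-discards
set firewall family inet filter protect-re term default then log
set firewall family inet filter protect-re term default then discard

# Push the filter to every lo0 unit, present and future, via an apply-group.
# Caveat: unit <*> also matches lo0.0 in the default instance, so management
# traffic of the master instance must be covered by the accept terms above.
set groups protect-re-all-vrfs interfaces lo0 unit <*> family inet filter input protect-re
set apply-groups protect-re-all-vrfs

# One loopback unit per routing instance; no address is needed on the unit.
# Repeat this pair for each VRF (instance names assumed).
set interfaces lo0 unit 1 description "VR1 control-plane filter"
set routing-instances VR1 interface lo0.1
set interfaces lo0 unit 2 description "VR2 control-plane filter"
set routing-instances VR2 interface lo0.2

# Commit with a rollback timer: if ssh from an allowed host no longer works,
# the configuration reverts by itself after 5 minutes.
commit confirmed 5
# ... test ssh from an allowed and from a disallowed server, then confirm:
commit

# Verification from configuration mode: the filter is bound to each lo0 unit,
# OSPF neighbours are still up, and the ssh-denied counter grows when a
# non-listed server tries to connect.
run show interfaces filters lo0
run show ospf neighbor instance VR1
run show firewall filter protect-re
```

If the VRFs also run BGP, VRRP or other control-plane protocols to the gateway, each needs its own accept term above the default discard; the log action on the default term shows what is being dropped (run show firewall log) so missing terms can be found before the commit-confirmed timer expires.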


Re: How to filter ssh access if device is default gateway in a routing instance

‎03-11-2016 12:58 AM

Hello camtable,

Thanks for resolving my question; I now understand it all. Thanks for your time and your work.

Have a nice day.


Fran