[j-nsp] Disable telnet/ssh access from virtual routers

Aaron Dewell aaron.dewell at gmail.com
Wed Jul 15 12:15:14 EDT 2015


Apply a filter on lo0.0 which denies traffic from anything but your management IPs.  Or, put a filter on the VR interface denying all traffic destined to that IP itself.  

On Jul 15, 2015, at 10:11 AM, Victor Sudakov <vas at mpeks.tomsk.su> wrote:
> Colleagues,
> 
> I have customers' networks connected to routing-instances of type
> "virtual-router." These routing-instances are supposed to be isolated
> and use their own address space.
> 
> However, a customer can telnet/ssh from their network to the
> virtual-router's IP address effectively telnetting to the main device. 
> 
> Is there an elegant way to prevent this from happening, i.e. to permit
> telnet/ssh access from hosts in the inet.0 table but deny from hosts
> from the CUSTOMERXX.inet.0 table?
> 
> Thanks in advance for any input.
> 
> -- 
> Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
> sip:sudakov at sibptus.tomsk.ru
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



More information about the juniper-nsp mailing list