[j-nsp] protect ssh and telnet
Krasimir Avramski
krasi at smartcom.bg
Sat Apr 16 12:21:48 EDT 2016
Hey Aaron,
file show /var/db/scripts/commit/ifl-addr.slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match configuration {
    var $toplevel = .;
    var $vrf = "one";  /* name of routing instance */
    var $direct = 0;   /* set this to 1 for building "direct" prefixes, default is "local" */

    /* Transient change: rebuilt on every commit, not stored in the candidate configuration */
    <transient-change> {
        <policy-options> {
            <prefix-list replace="replace"> {
                <name> "ifl-addr-v4";
                /* Each logical interface listed under the routing instance */
                for-each ($toplevel/routing-instances/instance[name = $vrf]/interface) {
                    var $ifd = substring-before(name, ".");
                    var $unit = substring-after(name, ".");
                    for-each ($toplevel/interfaces/interface[name = $ifd]/unit[name = $unit]/family/inet/address) {
                        /* jcs:parse-ip: [1] host address, [3] prefix length, [4] network address */
                        var $addr = jcs:parse-ip(name);
                        if ($direct) {
                            <prefix-list-item> {
                                <name> $addr[4] _ "/" _ $addr[3];
                            }
                        }
                        else {
                            <prefix-list-item> {
                                <name> $addr[1];
                            }
                        }
                    }
                }
            }
        }
    }
}
Best Regards,
Krasi
On 15 April 2016 at 23:12, Aaron <aaron1 at gvtc.com> wrote:
> Right, that’s what I saw recently when working through a case with JTAC…
>
> I need a solution that will…
>
> 1 – apply to ONLY my direct/local actual ip addresses on my ACX5048
>
> 2 – apply to ONLY routing-instance vrf “one”
>
> agould at eng-lab-acx5048-1# show policy-options prefix-list all-internet | display inheritance
> ##
> ## apply-path was expanded to:
> ## 10.101.14.124/30;
> ## 10.101.14.108/30;
> ## 1.2.3.64/28;
> ## 10.95.255.0/26;
> ## 10.101.12.245/32;
> ##
> apply-path "interfaces <*> unit <*> family inet address <*>";
>
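Added example, not part of the original post or of Juniper's code: a Python model of which prefix-list items the commit script above selects, next to an instance-blind expansion like the apply-path in the quoted message. The CONFIG data and all function names are constructed for illustration, and parse_ip models only the jcs:parse-ip fields the script uses.

```python
import ipaddress

# Constructed sample configuration (not taken from the thread).
# interfaces: IFD -> unit -> family inet addresses
# routing-instances: instance name -> logical interfaces (IFD.unit)
CONFIG = {
    "interfaces": {
        "ge-0/0/1": {"0": ["10.101.14.125/30"]},
        "ge-0/0/2": {"0": ["10.101.14.109/30"], "5": ["192.0.2.70/28"]},
        "lo0": {"0": ["10.101.12.245/32"], "1": ["10.95.255.1/26"]},
    },
    # xe-0/0/9.0 is referenced by the instance but has no address configured.
    "routing-instances": {"one": ["ge-0/0/1.0", "lo0.1", "xe-0/0/9.0"]},
}

def parse_ip(addr):
    """Model of jcs:parse-ip fields [1], [3], [4]: host, prefix length, network."""
    iface = ipaddress.ip_interface(addr)
    return str(iface.ip), str(iface.network.prefixlen), str(iface.network.network_address)

def ifl_addr_v4(config, vrf, direct=False):
    """Prefix-list items the script would emit for one routing instance."""
    items = []
    for ifl in config["routing-instances"].get(vrf, []):
        ifd, _, unit = ifl.partition(".")
        # A missing interface or unit selects nothing, like an empty node set.
        for addr in config["interfaces"].get(ifd, {}).get(unit, []):
            host, plen, net = parse_ip(addr)
            items.append(f"{net}/{plen}" if direct else host)
    return items

def apply_path_all(config):
    """Every configured inet address as a network prefix, regardless of instance."""
    return [str(ipaddress.ip_interface(a).network)
            for units in config["interfaces"].values()
            for addrs in units.values() for a in addrs]

if __name__ == "__main__":
    print("local     :", ifl_addr_v4(CONFIG, "one"))
    print("direct    :", ifl_addr_v4(CONFIG, "one", direct=True))
    print("apply-path:", apply_path_all(CONFIG))
```

In "local" mode only the router's own host addresses in instance "one" end up in the list, while the instance-blind expansion also pulls in whole subnets from interfaces outside the instance.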