[j-nsp] protect ssh and telnet

Krasimir Avramski krasi at smartcom.bg
Sat Apr 16 12:21:48 EDT 2016


Hey Aaron,


file show /var/db/scripts/commit/ifl-addr.slax


version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

match configuration {
    var $toplevel = .;
    var $vrf = "one"; /* name of routing instance */
    var $direct = 0; /* set this to 1 for building "direct" prefixes, default is "local" */

    <transient-change> {
        <policy-options> {
            <prefix-list replace="replace"> {
                <name> "ifl-addr-v4";
                /* walk every logical interface listed in the routing instance */
                for-each ($toplevel/routing-instances/instance[name = $vrf]/interface) {
                    var $ifd = substring-before(name, ".");
                    var $unit = substring-after(name, ".");
                    for-each ($toplevel/interfaces/interface[name = $ifd]/unit[name = $unit]/family/inet/address) {
                        /* jcs:parse-ip: [1] host address, [3] prefix length, [4] network address */
                        var $addr = jcs:parse-ip(name);
                        if ($direct) {
                            <prefix-list-item> {
                                <name> $addr[4] _ "/" _ $addr[3];
                            }
                        }
                        else {
                            <prefix-list-item> {
                                <name> $addr[1];
                            }
                        }
                    }
                }
            }
        }
    }
}

Best Regards,
Krasi


On 15 April 2016 at 23:12, Aaron <aaron1 at gvtc.com> wrote:

> Right, that’s what I saw recently when working through a case with JTAC…
>
>
>
> I need a solution that will…
>
> 1 – apply to ONLY my direct/local actual ip addresses on my ACX5048
>
> 2 – apply to ONLY routing-instance vrf “one”
>
> agould at eng-lab-acx5048-1# show policy-options prefix-list all-internet | display inheritance
> ##
> ## apply-path was expanded to:
> ##     10.101.14.124/30;
> ##     10.101.14.108/30;
> ##     1.2.3.64/28;
> ##     10.95.255.0/26;
> ##     10.101.12.245/32;
> ##
> apply-path "interfaces <*> unit <*> family inet address <*>";
>
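
An added example, not part of the original post: one way to enable the commit script above and use the prefix-list it generates to restrict SSH and telnet. The filter name protect-mgmt, the list mgmt-sources and the 192.0.2.0/24 source range are hypothetical; where the filter is attached depends on the platform and is not shown.

```junos
/* Enable the commit script. Transient changes are rejected unless allow-transients is set. */
system {
    scripts {
        commit {
            allow-transients;
            file ifl-addr.slax;
        }
    }
}
policy-options {
    /* Hypothetical list of permitted management sources (constructed value). */
    prefix-list mgmt-sources {
        192.0.2.0/24;
    }
}
firewall {
    family inet {
        /* ifl-addr-v4 is not defined statically; the script rebuilds it on every commit. */
        filter protect-mgmt {
            term mgmt-allowed {
                from {
                    source-prefix-list {
                        mgmt-sources;
                    }
                    destination-prefix-list {
                        ifl-addr-v4;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then accept;
            }
            term mgmt-denied {
                from {
                    destination-prefix-list {
                        ifl-addr-v4;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then discard;
            }
            term everything-else {
                then accept;
            }
        }
    }
}
```

Because the prefix-list is a transient change, it does not appear in the normal configuration output; "show policy-options | display commit-scripts" in configuration mode shows it after the script has run.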

