[j-nsp] BCP for filtering management access, system-wide

Jason Lixfeld jason-jnsp at lixfeld.ca
Mon Jul 25 16:55:23 EDT 2016


Hi,

I’m trying to write filters to prevent management access to my system (ssh, SNMP, etc), and I’m unsure about where to apply them.

Let’s assume I have IPs configured on a bunch of interfaces, both physical and logical, and I don’t want the majority of them to be able to accept management attempts to my system.

One way to prevent this is is to apply a filter to each interface where there is an IP configured, but I can’t imagine that scales very well.

Another way I was reading about is to apply a filter via forwarding-options:

set forwarding-options family inet filter <filter_name>

Is this an appropriate way to accomplish this, or should I be looking at a different method?

If this is acceptable, my next question is bound to be how a system-wide filter like that would affects protocols that actually need to talk to the RE, like BFD, ISIS, BGP, etc., but maybe I can leave that for another thread :)

Previously, I tried to apply filters to various lo0 units, thinking those were the only interface to the RE, but that didn’t seem to help for cases where the IPs were applied to interfaces other than lo0 units.  And I haven’t been able to find a way to apply a filter or client list specifically to the ssh service itself like you can with snmp, for example.

Thanks in advance.


More information about the juniper-nsp mailing list