[j-nsp] BCP for filtering management access, system-wide

chip chip.gwyn at gmail.com
Mon Jul 25 17:17:02 EDT 2016


Assuming an MX, application of the filter can be applied to the loopback
interface.  This will effectively provide a "system wide" filter.  Yes, you
would need to allow for control-plane protocols and such.  Doug Hank's MX
book has a very excellent layout of this methodology:

https://www.safaribooksonline.com/library/view/juniper-mx-series/9781449358143/ch04s01.html

It also goes into methods of using dynamic prefix filters that update
whenever a new interface (address) or bgp peer or whatever is added.

That all works pretty well on MX gear, EX is a bit of a different beast and
your filter space is much much smaller.

Hope that helps a bit,

--chip

On Mon, Jul 25, 2016 at 4:55 PM, Jason Lixfeld <jason-jnsp at lixfeld.ca>
wrote:

> Hi,
>
> I’m trying to write filters to prevent management access to my system
> (ssh, SNMP, etc), and I’m unsure about where to apply them.
>
> Let’s assume I have IPs configured on a bunch of interfaces, both physical
> and logical, and I don’t want the majority of them to be able to accept
> management attempts to my system.
>
> One way to prevent this is to apply a filter to each interface where
> there is an IP configured, but I can’t imagine that scales very well.
>
> Another way I was reading about is to apply a filter via
> forwarding-options:
>
> set forwarding-options family inet filter <filter_name>
>
> Is this an appropriate way to accomplish this, or should I be looking at a
> different method?
>
> If this is acceptable, my next question is bound to be how a system-wide
> filter like that would affect protocols that actually need to talk to the
> RE, like BFD, ISIS, BGP, etc., but maybe I can leave that for another
> thread :)
>
> Previously, I tried to apply filters to various lo0 units, thinking those
> were the only interface to the RE, but that didn’t seem to help for cases
> where the IPs were applied to interfaces other than lo0 units.  And I
> haven’t been able to find a way to apply a filter or client list
> specifically to the ssh service itself like you can with snmp, for example.
>
> Thanks in advance.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

-- 
Just my $.02, your mileage may vary,  batteries not included, etc....
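To make the loopback approach from the reply concrete, here is an added configuration sketch for an MX in the default routing instance (lo0.0). It is not from the list post, from the MX book, or from Juniper documentation; the filter, prefix-list and counter names and the 192.0.2.0/24 management prefix are placeholders. It restricts SSH and SNMP to a management prefix-list, keeps BGP and BFD reachable for the RE, uses apply-path so the BGP peer list tracks the configured neighbors, and logs and counts everything else so the `show firewall log` output shows what is being dropped. Because the filter sits on lo0, it covers RE-bound traffic arriving on any interface, which is the property the original question was after.

```junos
## Added example, not original list or vendor configuration.
## Placeholder values: PROTECT-RE, MGMT-HOSTS, BGP-PEERS, 192.0.2.0/24.

## Management stations allowed to reach ssh/snmp on the box.
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24

## Build the peer list from the configured BGP neighbors so it
## updates whenever a peer is added or removed (dynamic prefix filter).
set policy-options prefix-list BGP-PEERS apply-path "protocols bgp group <*> neighbor <*>"

## BGP: only from configured peers, TCP port 179.
set firewall family inet filter PROTECT-RE term bgp from source-prefix-list BGP-PEERS
set firewall family inet filter PROTECT-RE term bgp from protocol tcp
set firewall family inet filter PROTECT-RE term bgp from port bgp
set firewall family inet filter PROTECT-RE term bgp then accept

## BFD single-hop (3784) and multihop (4784) control packets.
set firewall family inet filter PROTECT-RE term bfd from protocol udp
set firewall family inet filter PROTECT-RE term bfd from destination-port [ 3784 4784 ]
set firewall family inet filter PROTECT-RE term bfd then accept

## ICMP for reachability checks and path MTU discovery.
set firewall family inet filter PROTECT-RE term icmp from protocol icmp
set firewall family inet filter PROTECT-RE term icmp then accept

## Return traffic for TCP sessions the router itself initiated.
set firewall family inet filter PROTECT-RE term tcp-established from protocol tcp
set firewall family inet filter PROTECT-RE term tcp-established from tcp-established
set firewall family inet filter PROTECT-RE term tcp-established then accept

## SSH only from the management prefix-list.
set firewall family inet filter PROTECT-RE term ssh-mgmt from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term ssh-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-mgmt then accept

## SNMP only from the management prefix-list.
set firewall family inet filter PROTECT-RE term snmp-mgmt from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term snmp-mgmt from protocol udp
set firewall family inet filter PROTECT-RE term snmp-mgmt from destination-port snmp
set firewall family inet filter PROTECT-RE term snmp-mgmt then accept

## Everything else destined to the RE: count, log, drop.
set firewall family inet filter PROTECT-RE term deny-rest then count DENIED-TO-RE
set firewall family inet filter PROTECT-RE term deny-rest then log
set firewall family inet filter PROTECT-RE term deny-rest then discard

## Apply on the loopback so it catches RE-bound traffic from every interface.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Two caveats worth knowing before committing something like this: IS-IS runs directly over layer 2 rather than IP, so a `family inet` loopback filter neither blocks nor needs to permit it (OSPF, by contrast, is IP protocol 89 and would need its own accept term), and the router's own outbound UDP traffic such as DNS and NTP has its replies arrive through this filter too, so those need explicit accept terms if the box relies on them. Use `commit confirmed` when first applying the filter so a mistake that locks out management reverts on its own.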