[j-nsp] Protecting ssh access inside a VRF
John Luthcinson
luthcinson at gmail.com
Mon Oct 17 10:50:27 EDT 2016
Hi list
How do you protect router management (SSH) access inside VRFs? Has there
been any improvement? I see this question has been asked before but there
was no good solution. I think maintaining a per-router list of core IFLs is
a PITA.
I don't want to add a loopback for every VRF just for this purpose.
E.g. my mgmt net is 1.2.3.0/24 and it's configured in the lo0.0 RE filter.
Customer A has a default route in their VRF. They can use the 1.2.3.0/24
network and SSH into the router. Of course they need to know the username and
password, but hey, again, limiting the attack surface... An MPLS router can
be connected to many customer internal networks and I think it needs to be
very, very carefully protected.
https://puck.nether.net/pipermail/juniper-nsp/2013-July/027007.html
https://kb.juniper.net/InfoCenter/index?page=content&id=KB23547&actp=search
Cisco (IOS) has this knob: access-class ... vrf-also. If you omit it, access is
allowed only from the global table. I know this is not CoPP, but in addition to
CoPP it allows you to accomplish the goal.
Thanks and best regards
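As an added example (not part of the original post, and not taken from the linked KB article), here is the source-prefix-only lo0.0 filter from the scenario above beside a version that additionally requires the packet to have arrived on a core-facing IFL tagged with firewall interface group 10; this is the per-router core IFL list the poster would rather not maintain, but it is what turns a source-address check into an ingress-interface check. Filter names, the group number and the interface name xe-0/0/0 are assumed, and only the SSH terms of the RE filter are shown.

```junos
## Weak: source prefix only. Any VRF that can route 1.2.3.0/24 (e.g. via a
## default route) can deliver SSH with a 1.2.3.x source to the RE.
set firewall family inet filter PROTECT-RE-WEAK term ssh-mgmt from source-address 1.2.3.0/24
set firewall family inet filter PROTECT-RE-WEAK term ssh-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE-WEAK term ssh-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE-WEAK term ssh-mgmt then accept
set firewall family inet filter PROTECT-RE-WEAK term ssh-other from protocol tcp
set firewall family inet filter PROTECT-RE-WEAK term ssh-other from destination-port ssh
set firewall family inet filter PROTECT-RE-WEAK term ssh-other then discard

## Hardened: same prefix match AND the ingress IFL must carry interface
## group 10, which only core-facing IFLs are given.
set firewall family inet filter PROTECT-RE term ssh-mgmt from interface-group 10
set firewall family inet filter PROTECT-RE term ssh-mgmt from source-address 1.2.3.0/24
set firewall family inet filter PROTECT-RE term ssh-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-mgmt then accept
set firewall family inet filter PROTECT-RE term ssh-other from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-other from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-other then discard
## Tag each core-facing IFL (assumed name); customer VRF IFLs get no group,
## so SSH arriving on them falls through to the discard term.
set interfaces xe-0/0/0 unit 0 family inet filter group 10
## Apply to the RE. A VRF without its own lo0 unit is still subject to this
## filter for RE-bound traffic, which is why the group match is needed.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

The remaining terms of a production RE filter (routing protocols, SNMP, NTP, ICMP, etc.) are unchanged and still need to follow these terms.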