[j-nsp] Protecting ssh access inside a VRF

John Luthcinson luthcinson at gmail.com
Mon Oct 17 10:50:27 EDT 2016


Hi list

How do you protect router management (SSH) access inside VRFs? Has there
been any improvement? I see this question has been asked before but there
was no good solution. I think maintaining a per-router list of core IFLs is
a PITA.

I don't want to add a loopback for every VRF just for this purpose.

E.g. my mgmt net is 1.2.3.0/24 and it's configured in the lo0.0 RE filter.
Customer A has a default route in their VRF. They can use the 1.2.3.0/24
network and ssh into the router. Of course they need to know the username and
password, but hey, again, limiting the attack surface... An MPLS router can
be connected to many customer internal networks and I think it needs to be
very very carefully protected.

https://puck.nether.net/pipermail/juniper-nsp/2013-July/027007.html

https://kb.juniper.net/InfoCenter/index?page=content&id=KB23547&actp=search

Cisco (IOS) has this knob access-class vrf-also. If you omit it, access is
allowed only from global table. I know this is not COPP, but in addition to
COPP it allows you to accomplish the goal.


Thanks and best regards
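The situation described above, as an added Junos configuration example that is not from this thread or from Juniper: a lo0.0 RE filter whose SSH term only checks the source prefix (left inactive) next to the same term additionally tied to the core-facing IFLs, which is the per-router interface list the post refers to. The filter name, interface names, the instance name CUST-A and the RD/RT values are assumptions.

```junos
policy-options {
    prefix-list mgmt-net { 1.2.3.0/24; }   /* mgmt net from the post */
}
firewall {
    family inet {
        filter protect-re {                /* assumed filter name */
            /* Weak: source prefix only. A customer whose VRF-side addressing
               also uses 1.2.3.0/24 and who has a default route to lo0 passes
               this term. Kept inactive here for comparison. */
            inactive: term ssh-by-source-only {
                from {
                    source-prefix-list { mgmt-net; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Tighter: same source check, but only for packets that entered on
               core-facing IFLs, so nothing arriving on a customer VRF interface
               can match. The interface list is per-router (assumed names). */
            term ssh-from-core-only {
                from {
                    interface [ ae0.0 xe-0/0/0.0 ];
                    source-prefix-list { mgmt-net; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term deny-other-ssh {
                from { protocol tcp; destination-port ssh; }
                then { count ssh-rejected; log; discard; }
            }
            term allow-rest { then accept; }  /* other RE traffic, out of scope here */
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input protect-re; } address 10.0.0.1/32; } } }
}
routing-instances {
    CUST-A {                               /* assumed customer VRF */
        instance-type vrf;
        interface ge-0/0/1.0;
        route-distinguisher 65000:100;
        vrf-target target:65000:100;
        routing-options {
            static { route 0.0.0.0/0 next-table inet.0; }  /* the customer default route */
        }
    }
}
```

The `count` and `log` actions on the deny term give a per-router view of SSH attempts that reached the RE filter from somewhere other than the core IFLs.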

