[j-nsp] Protecting ssh access inside a VRF
Dragan Jovicic
draganj84 at gmail.com
Mon Oct 17 13:56:09 EDT 2016
Hi,
You may assign your core interfaces to specific interface-group, which
would then be referenced from a filter. This at least allows you to have a
uniform configuration.
Best
Dragan
On Mon, Oct 17, 2016 at 4:50 PM, John Luthcinson <luthcinson at gmail.com>
wrote:
> Hi list
>
> How do you protect router management (SSH) access inside VRFs? Has there
> been any improvement? I see this question has been asked before but there
> was no good solution. I think maintaining a per-router list of core IFLs is
> a PITA.
>
> I don't want to add a loopback for every VRF just for this purpose.
>
> E.g. My mgmt net is 1.2.3.0/24 and it's configured in lo0.0 RE filter.
> Customer A has a default route in their VRF. They can use 1.2.3.0/24
> network and ssh into the router. Of course they need to know username and
> password, but hey again limiting the attack surface... An MPLS router can
> be connected to many customer internal networks and I think it needs to be
> very very carefully protected.
>
> https://puck.nether.net/pipermail/juniper-nsp/2013-July/027007.html
>
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB23547&actp=search
>
> Cisco (IOS) has this knob access-class vrf-also. If you omit it, access is
> allowed only from global table. I know this is not COPP, but in addition to
> COPP it allows you to accomplish the goal.
>
>
> Thanks and best regards
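The interface-group approach Dragan describes, written out as a Junos configuration fragment. This is an added example, not configuration posted by either participant: the interface names (ge-0/0/0, ge-0/0/1 as core links, ge-0/1/0 as a customer-facing VRF interface), the group number 10, the filter name protect-re and the management prefix 1.2.3.0/24 from the original question are all assumptions. Only the core links are tagged with the group, so an SSH packet arriving on an untagged customer interface is dropped even if its source address is inside the management prefix.

```junos
## Tag the core (backbone) interfaces with interface group 10.
## Customer-facing interfaces deliberately get no group.
set interfaces ge-0/0/0 description "core link to P1"
set interfaces ge-0/0/0 unit 0 family inet filter group 10
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/30
set interfaces ge-0/0/1 description "core link to P2"
set interfaces ge-0/0/1 unit 0 family inet filter group 10
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.5/30
set interfaces ge-0/1/0 description "customer A, in VRF CUST-A (no group)"
set interfaces ge-0/1/0 unit 0 family inet address 192.0.2.1/30
set routing-instances CUST-A instance-type vrf
set routing-instances CUST-A interface ge-0/1/0.0

## RE protection filter: SSH is accepted only when the packet both
## comes from the management prefix AND entered on a core interface.
set firewall family inet filter protect-re term ssh-from-core from interface-group 10
set firewall family inet filter protect-re term ssh-from-core from source-address 1.2.3.0/24
set firewall family inet filter protect-re term ssh-from-core from protocol tcp
set firewall family inet filter protect-re term ssh-from-core from destination-port ssh
set firewall family inet filter protect-re term ssh-from-core then accept

## Any other SSH attempt (e.g. from a customer interface spoofing or
## routing into 1.2.3.0/24 via a VRF default route) is logged and dropped.
set firewall family inet filter protect-re term ssh-deny from protocol tcp
set firewall family inet filter protect-re term ssh-deny from destination-port ssh
set firewall family inet filter protect-re term ssh-deny then log
set firewall family inet filter protect-re term ssh-deny then discard

## Placeholder so the fragment commits on its own; a real RE filter
## has terms for routing protocols, ICMP, SNMP etc. and ends in discard.
set firewall family inet filter protect-re term everything-else then accept

## Apply to the RE via lo0.0 input.
set interfaces lo0 unit 0 family inet filter input protect-re
```

Two caveats a practitioner will want. First, interface-group is matched on the ingress interface, so it only distinguishes locally attached customer ports from core ports: a packet that reaches this router's loopback over the MPLS core from a customer attached to a remote PE still arrives on a core interface and is judged by source address alone, which is why the source-address match stays in the term rather than being replaced by the group. Second, the group membership must be maintained on every core IFL, so it helps with the "uniform filter" half of the problem in the question, not the "per-router list of core IFLs" half.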