[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

adamv0025 at netconsultings.com adamv0025 at netconsultings.com
Wed Jul 11 18:50:57 EDT 2018


> Of Drew Weaver
> Sent: Wednesday, July 11, 2018 7:17 PM
> 
> Hello,
> 
> Is there a list of best practices or 'things to think about' when
> constructing a firewall filter for a loopback on an MX series router
> running version 15 of Junos?
> 
> I'm slowly piecing it together by just 'seeing what is broken next' and I
> have found some issue specific examples on Juniper.net thus far that tend
> to help with some of the issues but if anyone has ever seen a decent
> comprehensive guide that would be tremendously useful.
> 
> If anyone has seen anything like this let me know, if not no worries will
> just keep fixing the things one by one =)
>
Regarding the management plane,
one important thing to be aware of with virtually all the routers out there
is that, in contrast to routing protocols, if you enable a management protocol
(for some strange reason) by default that protocol listens on all IP
addresses on the box.

And there doesn't seem to be a way in Junos to restrict management-plane
protocols only to certain interfaces, no matter what the RE filter says.
In XR it's as easy as specifying a list of OOB or in-band interfaces against
a list of management protocols.

Yes, in the RE filter you can associate an interface with, say, your SSH term, but any
mistake in any of the preceding terms and all the management protocols wait
for an incoming session wide open.

Poll questions:
1) Are you folks using interfaces or interface groups in your RE filters to
further secure management plane access? (seems that team cymru doesn't)
2) Would you like to have the ability to restrict management plane protocols
only to certain internal interfaces outside of RE filter logic (explicitly
defining source IPs per protocol or XR-like management-plane protection
functionality)?

Thank you

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
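One lo0 filter shape that illustrates the term-order point made above, added here as an example and not taken from the thread or from Juniper documentation; the prefix lists, counter names and the ae0.100 in-band management interface are assumptions, and a real filter also needs terms for ICMP, the routing protocols in use, NTP, DNS and so on.

```junos
/* Added example, not from the thread. Prefix lists and ae0.100 are assumed. */
policy-options {
    prefix-list MGMT-HOSTS {
        192.0.2.0/28;                  /* constructed: NOC jump hosts */
    }
    prefix-list BGP-PEERS {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* Terms are evaluated top down; a broad accept placed above
               ssh-from-mgmt (e.g. "from protocol tcp; then accept") would
               admit SSH from anywhere before the restrictive term is reached. */
            term bgp {
                from {
                    source-prefix-list { BGP-PEERS; }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term ssh-from-mgmt {
                from {
                    source-prefix-list { MGMT-HOSTS; }
                    interface ae0.100;     /* assumed in-band mgmt VLAN */
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Explicitly catch the management ports so attempts are counted
               and logged instead of silently hitting the implicit discard. */
            term mgmt-deny {
                from {
                    protocol tcp;
                    destination-port [ ssh telnet http https 830 ];
                }
                then { count mgmt-denied; log; discard; }
            }
            term default-deny {
                then { count re-default-deny; discard; }
            }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input PROTECT-RE; } } } }
}
```

Checking `show firewall filter PROTECT-RE` after applying it shows whether management traffic is landing in mgmt-denied or in an earlier accept term, which is the quickest way to spot an over-broad preceding term.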
