[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

Gert Doering gert at greenie.muc.de
Thu Jul 12 03:00:59 EDT 2018


Hi,

On Wed, Jul 11, 2018 at 11:50:57PM +0100, adamv0025 at netconsultings.com wrote:
> 2) Would you like to have the ability to restrict management plane protocols
> only to certain internal interfaces outside of RE filter logic (explicitly
> defining source IPs per protocol or XR-like management-plane protection
> functionality)?

This would have saved me lots of work over the years...  so, yes.

We have fairly strong border ACLs that protect all "backbone links" and
loopback ranges, but customer connections are numbered out of different
address blocks - our PA that also hosts their firewalls/routers, their 
PA/PI - so protecting all those by border ACLs is not practical.  So,
being able to bind snmp/ssh/ntp/l2tp to "talk this on lo0, do not listen 
on anything else" would have saved me quite a bit of annoyance over time.

(I do understand that we could number our customer links differently, and
maybe we can find the time to change *that* one day...)

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
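The "talk this on lo0, do not listen on anything else" behaviour the thread is after, as an added Junos configuration example that is not from the thread or from anyone in it. Prefix-list names, addresses (RFC 5737 ranges) and the policer rate are constructed placeholders; the filter only permits SSH, SNMP and NTP replies from named internal prefixes, derives the BGP peer list from the configuration itself with apply-path, and counts and discards everything else bound for the RE:

```junos
/* Added example, not from the thread: an lo0 input filter that answers
   management protocols only from defined internal prefixes. All names
   and addresses below are constructed placeholders. */
policy-options {
    prefix-list mgmt-hosts {
        /* NOC and jump hosts (placeholder range) */
        192.0.2.0/24;
    }
    prefix-list ntp-servers {
        /* placeholder addresses */
        198.51.100.10/32;
        198.51.100.11/32;
    }
    /* Built from the BGP configuration itself, so it cannot go stale. */
    prefix-list bgp-neighbors {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}
firewall {
    family inet {
        filter protect-re {
            term ssh-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term snmp-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            /* The router is the NTP client; only replies from its servers. */
            term ntp-replies {
                from {
                    source-prefix-list {
                        ntp-servers;
                    }
                    protocol udp;
                    source-port ntp;
                }
                then accept;
            }
            term bgp-peers {
                from {
                    source-prefix-list {
                        bgp-neighbors;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term icmp-rate-limited {
                from {
                    protocol icmp;
                }
                then {
                    policer re-icmp-1m;
                    accept;
                }
            }
            /* Everything else bound for the RE is counted, logged and dropped;
               the counter is what tells you which term you forgot. */
            term default-discard {
                then {
                    count re-discards;
                    log;
                    discard;
                }
            }
        }
    }
    policer re-icmp-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

An input filter on lo0 is evaluated for RE-bound traffic arriving on every interface, not only on the loopback, so any IGP, LDP, VRRP, BFD, DNS, RADIUS/TACACS+ or other control-plane traffic the box actually uses needs its own accept term before default-discard; IPv6 needs a separate family inet6 filter. Apply it with commit confirmed and watch the re-discards counter before the final commit.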