> On Jan 4, 2019, at 8:10 AM, <adamv0...@netconsultings.com> wrote:
>
> Also in addition to the lengthy, complex and therefore often misconfigured
> RE filter a good practice is to have iACLs as a second layer of defence.
> By that I mean a policy applied on all edge interfaces allowing only
> selected protocols (e.g. ICMP & BGP) to talk to any of your edge addresses
> (reachable from a particular VRF) and deny anything else destined to these
> or your internal infrastructure addresses.
> Such filters would mitigate the attack vector mentioned above.
In Cisco land, for management, one puts a filter on the VTY range, and also includes the vrf-also keyword where required. Does JunOS have similar functionality, or would you need to put the filter on the fxp0/em0/whatever out-of-band management interface you're using, or the in-band management lo0 unit, depending on the user's desired management implementation?

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
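As an added example (not from either poster), here is how the edge iACL described in the quoted message could look as a Junos firewall filter: only BGP from known peers and policed ICMP may reach the edge addresses, anything else addressed to edge or internal infrastructure is dropped and counted, and transit traffic passes. The prefix-list contents (documentation ranges), the policer values, the filter name and the interface ge-0/0/0 are all assumptions of mine, and the filter sits in the global routing instance rather than a separate VRF.

```junos
/* Constructed documentation prefixes: edge interface addresses, internal infrastructure, external BGP peers. */
policy-options {
    prefix-list EDGE-ADDRESSES { 192.0.2.0/24; }
    prefix-list INFRA-ADDRESSES { 198.51.100.0/24; }
    prefix-list BGP-PEERS { 203.0.113.0/24; }
}
firewall {
    policer ICMP-POLICER {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; }
        then discard;
    }
    family inet {
        filter iACL-EDGE-IN {
            /* BGP between known peers and our edge addresses; either side may open the session, so match port 179 in either direction. */
            term allow-bgp {
                from {
                    source-prefix-list { BGP-PEERS; }
                    destination-prefix-list { EDGE-ADDRESSES; }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* ICMP to edge addresses is allowed but policed so it cannot be used to flood the RE. */
            term allow-icmp {
                from {
                    destination-prefix-list { EDGE-ADDRESSES; }
                    protocol icmp;
                }
                then { policer ICMP-POLICER; accept; }
            }
            /* Everything else aimed at edge or internal infrastructure addresses is dropped and counted. */
            term deny-to-infra {
                from {
                    destination-prefix-list { EDGE-ADDRESSES; INFRA-ADDRESSES; }
                }
                then { count iacl-infra-drops; discard; }
            }
            term allow-transit {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 { family inet { filter { input iACL-EDGE-IN; } } }
    }
}
```

The iacl-infra-drops counter can be watched with `show firewall filter iACL-EDGE-IN`, which is a cheap way to see whether the RE filter above it is actually being reached by unwanted traffic.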