Hello Mike,
if you're using that lo0.0 in a routing-instance or use more than one
loopback you could also run into these restrictions:
- If you configure Filter A on the default loopback interface and
Filter B on the VRF loopback interface, the VRF routing instance uses
Filter B.
- If you configure Filter A on the default loopback interface but do
not configure a filter on the VRF loopback interface, the VRF routing
instance does not use a filter.
- If you configure Filter A on the default loopback interface but do
not even configure a VRF loopback interface, the VRF routing instance
uses Filter A.
See
https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/vpns-configuring-logical-units-on-the-loopback-interface-for-routing-instances-in-layer-3-vpns.html
BR
Andreas
On Mon, 9 Dec 2019 15:46:38 +0000, Anderson, Charles R wrote:
What hardware and software version? There were some bugs/limitations
with certain combinations.
On Mon, Dec 09, 2019 at 07:42:02AM -0800, Mike wrote:
Hello,
I have a problem getting junos to filter out admin access to my router from unauthorized addresses.
I have some addresses bound to lo0.0 which I am advertising internally in my igp, and which are the 'official' addresses used for SNMP, SSH and BGP to the router.
I have firewall filters also that limit access to these protocols using prefix lists and such, and these filters are applied to lo0.0. The filters work and I can observe log messages for invalid accesses to the protocols from unauthorized ip addresses. HOWEVER, snmp/ssh/bgp access to other ip addresses bound on the router, such as ethernet interface addresses, is still being allowed. I thought, according to various junos docs, that applying a filter to lo0.0 filters out packets destined locally to the box regardless of actual interface. Could use some help.
Here is the filter for ssh/telnet/snmp:
term allowed-login {
    from {
        prefix-list {
            admin-hosts;
        }
        protocol tcp;
        destination-port [ ssh telnet ];
    }
    then accept;
}
term no-other-logins {
    from {
        protocol tcp;
        destination-port [ ssh telnet ];
    }
    then {
        count bad-admin-access;
        log;
        discard;
    }
}
term allowed-snmp {
    from {
        prefix-list {
            network-mgmt-stations;
        }
        protocol udp;
        destination-port snmp;
    }
    then accept;
}
term no-more-snmp {
    from {
        protocol udp;
        destination-port snmp;
    }
    then {
        count bad-snmp-access;
        log;
        syslog;
        discard;
    }
}
term allow-peers {
    from {
        source-prefix-list {
            bgp-peers;
        }
        protocol tcp;
        destination-port bgp;
    }
    then accept;
}
term no-other-peers {
    from {
        protocol tcp;
        destination-port bgp;
    }
    then {
        count bad-bgp-connect;
        discard;
    }
}
Here is the config for lo0.0:
family inet {
    filter {
        input-list [ limit-admin limit-bgp ALLOW ];
    }
    address blah1/32;
    address blah2/32;
    address blah3/32 {
        primary;
        preferred;
    }
}
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
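The three loopback-filter cases Andreas lists (Filter B on the VRF loopback, a VRF loopback with no filter, and a VRF with no loopback at all), as an added configuration example that is not part of any message in this thread. The filter names, the lo0 unit numbers, the routing-instance names, the 65000 AS number and the 192.0.2.0/24 addresses are constructed for illustration; the filter bodies themselves are not shown.

```junos
/* Constructed example: lo0.0 carries Filter A for the default instance. */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input filter-a;            /* Filter A: default instance */
                }
                address 192.0.2.1/32;
            }
        }
        unit 1 {
            family inet {
                filter {
                    input filter-b;            /* Filter B: overrides A in its VRF */
                }
                address 192.0.2.2/32;
            }
        }
        unit 2 {
            family inet {
                /* No filter here: the VRF that owns lo0.2 gets no filter at all,
                   so RE-bound traffic in that VRF is unprotected. */
                address 192.0.2.3/32;
            }
        }
    }
}
routing-instances {
    VRF-WITH-LO0 {
        instance-type vrf;
        interface lo0.1;                       /* case 1: Filter B applies */
        route-distinguisher 65000:1;
        vrf-target target:65000:1;
    }
    VRF-UNFILTERED-LO0 {
        instance-type vrf;
        interface lo0.2;                       /* case 2: no filter, A not inherited */
        route-distinguisher 65000:2;
        vrf-target target:65000:2;
    }
    VRF-NO-LO0 {
        instance-type vrf;
        /* case 3: no loopback unit in this VRF, so Filter A from lo0.0 applies */
        route-distinguisher 65000:3;
        vrf-target target:65000:3;
    }
}
```

Case 2 is the one to watch for: adding a loopback unit to a VRF silently removes the default-instance filter from that VRF's RE-bound traffic until a filter is applied to the new unit.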