Thanks Chris, but apparently the Juniper ACX5048 is an exception to the lo0 rule… see link
http://kb.juniper.net/InfoCenter/index?page=content <http://kb.juniper.net/InfoCenter/index?page=content&id=KB28893&actp=search&viewlocale=en_US&searchid=1305252358192> &id=KB28893&actp=search&viewlocale=en_US&searchid=1305252358192 I’ve been able to accomplish protecting telnet/ssh on my ACX5048 like this… set routing-instances one forwarding-options family inet filter input protect-5048 set firewall family inet filter protect-5048 term 1 from destination-address 1.1.1.1/32 set firewall family inet filter protect-5048 term 1 from protocol tcp set firewall family inet filter protect-5048 term 1 from destination-port telnet set firewall family inet filter protect-5048 term 1 from destination-port ssh set firewall family inet filter protect-5048 term 1 then count protect-5048-counter set firewall family inet filter protect-5048 term 1 then discard set firewall family inet filter protect-5048 term 2 then accept 1.1.1.0/24 is a subnet on an interface in vrf “one” on my acx5048… The only thing is that I will need to make it a policy with my colleagues that if/when we churn public address space or add new interfaces on our acx5048’s, part of the process will be to add a line to our firewall acl… set firewall family inet filter protect-5048 term 1 from destination-address 1.1.2.1/32 set firewall family inet filter protect-5048 term 1 from destination-address 1.1.3.1/32 etc QUESTION – does anyone know how to make this firewall acl or include a confition or policy somehow to apply the firewall policy to ONLY LOCAL ROUTES (/32’s) ? that would be nice , so that I would never have to add/subtract specific ip addresses in this firewall policy. Aaron From: Chris Jones [mailto:ipv6fre...@gmail.com] Sent: Wednesday, April 13, 2016 10:05 AM To: Aaron <aar...@gvtc.com> Cc: juniper-nsp@puck.nether.net Subject: Re: [j-nsp] protect ssh and telnet To answer OPs actual question: What you're looking for is an RE filter, applied to lo0. A great resource explaining them and some best practices, etc. check out Doug Hank's Day One book: http://www.juniper.net/us/en/training/jnbooks/day-one/fundamentals-series/securing-routing-engine/ On Tue, Mar 29, 2016 at 10:26 PM, Aaron <aar...@gvtc.com <mailto:aar...@gvtc.com> > wrote: I'm new to Juniper. and I'm looking to protect ssh/telnet on all interfaces on my juniper ACX5048's. In Cisco you can protect the virtual interface (vty) with a acl (access-class) so that any remote login attempts (ssh or telnet) or protected. How do I protect ssh and telnet globally in Junos ? I only want to allow ssh and telnet from certain trusted management subnets. Aaron _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net <mailto:juniper-nsp@puck.nether.net> https://puck.nether.net/mailman/listinfo/juniper-nsp -- Chris Jones JNCIE-ENT #272 CCIE# 25655 (R&S) _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp