Hi list,

How do you protect router management (SSH) access inside VRFs? Has there been any improvement? I see this question has been asked before, but there was no good solution. I think maintaining a per-router list of core IFLs is a PITA.

I don't want to add a loopback for every VRF just for this purpose. E.g. my mgmt net is 1.2.3.0/24 and it's configured in the lo0.0 RE filter. Customer A has a default route in their VRF. They can use the 1.2.3.0/24 network and SSH into the router. Of course they need to know the username and password, but hey, again, limiting the attack surface... An MPLS router can be connected to many customer internal networks, and I think it needs to be very, very carefully protected.

https://puck.nether.net/pipermail/juniper-nsp/2013-July/027007.html
https://kb.juniper.net/InfoCenter/index?page=content&id=KB23547&actp=search

Cisco (IOS) has this knob: access-class ... vrf-also. If you omit it, access is allowed only from the global table. I know this is not CoPP, but in addition to CoPP it allows you to accomplish the goal.

Thanks and best regards

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
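For readers unfamiliar with the IOS knob the poster refers to, here is an added configuration example (not from the original post or from Juniper/Cisco documentation) showing a VTY access-class that permits SSH only from the 1.2.3.0/24 management network. The ACL name MGMT-SSH and the VTY range are assumptions; the management prefix is the one used in the post. Because `vrf-also` is deliberately omitted from the `access-class` line, sessions arriving through a VRF are rejected even when their source address falls within the permitted range, which is the behaviour the post describes.

```text
! Constructed example: restrict SSH to the management prefix from the post.
ip access-list standard MGMT-SSH
 permit 1.2.3.0 0.0.0.255
 deny   any log
!
line vty 0 4
 transport input ssh
 ! No "vrf-also" keyword: only sessions arriving via the global routing
 ! table are checked against MGMT-SSH; VRF-sourced sessions are dropped.
 access-class MGMT-SSH in
!
! Contrast (the permissive form the post warns about): adding the keyword
! also accepts sessions that enter through any VRF, provided the source
! address matches the ACL.
!   access-class MGMT-SSH in vrf-also
```

When auditing a device, grep the running configuration for `access-class` lines and treat any that carry `vrf-also` as requiring an explicit justification, since those are the VTY lines reachable from customer VRFs. The `deny any log` entry gives a syslog record of rejected attempts, which is useful for detecting scanning from inside a VRF.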