Hi, You may assign your core interfaces to specific interface-group, which would then be referenced from a filter. This at least allows you to have a uniform configuration.
Best Dragan On Mon, Oct 17, 2016 at 4:50 PM, John Luthcinson <luthcin...@gmail.com> wrote: > Hi list > > How do you protect router management (SSH) access inside VRFs? Has there > been any improvement? I see this question has been asked before but there > was no good solution. I think maintaining a per-router list of core IFLs is > a PITA. > > I don't want to add a loopback for every VRF just for this purpose. > > E.g. My mgmt net is 1.2.3.0/24 and it's configured in lo0.0 RE filter. > Customer A has a default route in their VRF. They can use 1.2.3.0/24 > network and ssh into the router. Of course they need to know username and > password, but hey again limiting the attack surface... An MPLS router can > be connected to many customer internal networks and I think it needs to be > very very carefully protected. > > https://puck.nether.net/pipermail/juniper-nsp/2013-July/027007.html > > https://kb.juniper.net/InfoCenter/index?page=content&; > id=KB23547&actp=search > > Cisco (IOS) has this knob access-class vrf-also. If you omit it, access is > allowed only from global table. I know this is not COPP, but in addition to > COPP it allows you to accomplish the goal. > > > Thanks and best regards > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp > _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
