You may assign your core interfaces to a specific interface-group, which
would then be referenced from a filter. This at least allows you to have a
On Mon, Oct 17, 2016 at 4:50 PM, John Luthcinson <luthcin...@gmail.com>
> Hi list
> How do you protect router management (SSH) access inside VRFs? Has there
> been any improvement? I see this question has been asked before but there
> was no good solution. I think maintaining a per-router list of core IFLs is
> a PITA.
> I don't want to add a loopback for every VRF just for this purpose.
> E.g. My mgmt net is 220.127.116.11/24 and it's configured in lo0.0 RE filter.
> Customer A has a default route in their VRF. They can use 18.104.22.168/24
> network and ssh into the router. Of course they need to know username and
> password, but hey again limiting the attack surface... An MPLS router can
> be connected to many customer internal networks and I think it needs to be
> very very carefully protected.
> Cisco (IOS) has this knob access-class vrf-also. If you omit it, access is
> allowed only from global table. I know this is not COPP, but in addition to
> COPP it allows you to accomplish the goal.
> Thanks and best regards
> juniper-nsp mailing list email@example.com
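The interface-group approach from the reply, as an added configuration sketch that is not part of the original thread. The interface name ge-0/0/0, group number 1, filter name PROTECT-RE, term names and the 192.0.2.0/24 management prefix are placeholders, and it assumes SSH arriving through a VRF without its own loopback unit is evaluated by the lo0.0 input filter.

```junos
/* Placeholder core-facing interface: tag it with interface group 1.
   Repeat for every core IFL; VRF-facing IFLs are left untagged. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    group 1;
                }
            }
        }
    }
}
firewall {
    family inet {
        /* Placeholder name for the filter already applied as lo0.0 input */
        filter PROTECT-RE {
            /* SSH is accepted only if it entered on a group 1 (core)
               interface AND comes from the management prefix */
            term ssh-from-core {
                from {
                    interface-group 1;
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Any other SSH, including packets from customer VRF
               interfaces that use the management prefix as source */
            term ssh-other {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-denied;
                    discard;
                }
            }
            /* Remaining terms of the existing RE filter follow here */
        }
    }
}
```

The ssh-denied counter can be read with `show firewall filter PROTECT-RE` to see whether SSH attempts are arriving from untagged interfaces.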