I use something like this so the same firewall filter is applied on all lo0.* interfaces of all VRFs and logical-systems:
set groups RE-FILTER logical-systems <*> interfaces lo0 unit <*> family inet filter input ROUTING-ENGINE
set groups RE-FILTER logical-systems <*> interfaces lo0 unit <*> family inet6 filter input ROUTING-ENGINE6
set groups RE-FILTER interfaces lo0 unit <*> family inet filter input ROUTING-ENGINE
set groups RE-FILTER interfaces lo0 unit <*> family inet6 filter input ROUTING-ENGINE6
set apply-groups RE-FILTER

On Mon, Dec 09, 2019 at 05:10:01PM +0100, Andreas wrote:
> Hello Mike,
>
> if you're using that lo0.0 in a routing-instance or use more than one
> loopback you could also run into these restrictions:
>
> - If you configure Filter A on the default loopback interface and
>   Filter B on the VRF loopback interface, the VRF routing instance uses
>   Filter B.
>
> - If you configure Filter A on the default loopback interface but do
>   not configure a filter on the VRF loopback interface, the VRF routing
>   instance does not use a filter.
>
> - If you configure Filter A on the default loopback interface but do
>   not even configure a VRF loopback interface, the VRF routing instance
>   uses Filter A.
>
> See
>
> https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/vpns-configuring-logical-units-on-the-loopback-interface-for-routing-instances-in-layer-3-vpns.html
>
>
> BR
> Andreas
>
> On Mon, 9 Dec 2019 15:46:38 +0000, Anderson, Charles R wrote:
> > What hardware and software version? There were some bugs/limitations
> > with certain combinations.
> >
> > On Mon, Dec 09, 2019 at 07:42:02AM -0800, Mike wrote:
> >> Hello,
> >>
> >> I have a problem getting Junos to filter out admin access to my
> >> router from unauthorized addresses.
> >>
> >> I have some addresses bound to lo0.0 which I am advertising
> >> internally in my IGP, and which are the 'official' addresses used
> >> for SNMP, SSH and BGP to the router.
> >>
> >> I have firewall filters also that limit access to these protocols
> >> using prefix lists and such, and these filters are applied to lo0.0.
> >> The filters work and I can observe log messages for invalid accesses
> >> to the protocols from unauthorized IP addresses. HOWEVER, snmp/ssh/bgp
> >> access to other IP addresses bound on the router, such as ethernet
> >> interface addresses, are still being allowed. I thought, according to
> >> various Junos docs, that applying a filter to lo0.0 filters out
> >> packets destined locally to the box regardless of actual interface.
> >> Could use some help.

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
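The three loopback-filter rules Andreas quotes, and the reason the wildcard RE-FILTER group at the top of the thread closes the gap, can be checked offline against a Junos "set"-style configuration. The following audit script is an added example written for this page; it is not code from any of the posters or from Juniper. It assumes a simplified apply-groups model (a group statement on "interfaces lo0 unit <*>" is inherited by every lo0 unit that already exists, and never overrides an explicitly configured filter, which matches Junos inheritance precedence but ignores logical-systems and any other group wildcards), and the sample configuration, VRF names, addresses and filter names in it are constructed for illustration.

```python
"""Audit which input filter each VRF's loopback actually gets on a Junos box.

Added example for this thread, not from the original posts. It models the three
loopback-filter rules quoted from Juniper's documentation plus a simplified
apply-groups expansion (wildcard <*> on the lo0 unit). Everything else about
Junos configuration semantics is outside this model.
"""
from dataclasses import dataclass, field

# Constructed sample configuration (assumption): one default loopback filter
# and three VRFs, each in a different loopback situation.
SAMPLE_CONFIG = """
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces lo0 unit 0 family inet filter input ROUTING-ENGINE
set interfaces lo0 unit 1 family inet address 192.0.2.2/32
set interfaces lo0 unit 2 family inet address 192.0.2.3/32
set interfaces lo0 unit 2 family inet filter input VRF-B-FILTER
set routing-instances VRF-A instance-type vrf
set routing-instances VRF-A interface lo0.1
set routing-instances VRF-B instance-type vrf
set routing-instances VRF-B interface lo0.2
set routing-instances VRF-C instance-type vrf
set routing-instances VRF-C interface ge-0/0/1.0
"""

# The wildcard group from the top of the thread, reduced to the inet case.
GROUP_FIX = """
set groups RE-FILTER interfaces lo0 unit <*> family inet filter input ROUTING-ENGINE
set apply-groups RE-FILTER
"""


@dataclass
class LoopbackConfig:
    units: set = field(default_factory=set)       # lo0 units that exist
    filters: dict = field(default_factory=dict)   # (unit, family) -> input filter
    vrfs: set = field(default_factory=set)        # routing-instance names
    vrf_lo0: dict = field(default_factory=dict)   # routing-instance -> lo0 unit
    groups: dict = field(default_factory=dict)    # group name -> list of statements
    apply_groups: list = field(default_factory=list)


def _record_unit(cfg, tok):
    """tok is everything after 'interfaces lo0 unit': the unit, then the statement."""
    unit = int(tok[0])
    cfg.units.add(unit)
    if len(tok) >= 6 and tok[1] == "family" and tok[3:5] == ["filter", "input"]:
        cfg.filters[(unit, tok[2])] = tok[5]      # explicit filter on this unit


def _expand_groups(cfg):
    """Simplified apply-groups: a statement on 'interfaces lo0 unit <*>' is
    inherited by every existing lo0 unit, but an explicit filter always wins."""
    for name in cfg.apply_groups:
        for stmt in cfg.groups.get(name, []):
            if stmt[:3] != ["interfaces", "lo0", "unit"] or len(stmt) < 9:
                continue
            if stmt[4] != "family" or stmt[6:8] != ["filter", "input"]:
                continue
            unit_sel, family, fname = stmt[3], stmt[5], stmt[8]
            targets = cfg.units if unit_sel == "<*>" else {int(unit_sel)}
            for unit in targets:
                cfg.filters.setdefault((unit, family), fname)


def parse_set_config(text):
    cfg = LoopbackConfig()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "set":
            continue
        tok = tok[1:]
        if tok[0] == "groups" and len(tok) > 2:
            cfg.groups.setdefault(tok[1], []).append(tok[2:])
        elif tok[0] == "apply-groups":
            cfg.apply_groups.extend(tok[1:])
        elif tok[:3] == ["interfaces", "lo0", "unit"] and len(tok) > 3:
            _record_unit(cfg, tok[3:])
        elif tok[0] == "routing-instances" and len(tok) > 2:
            cfg.vrfs.add(tok[1])
            if tok[2] == "interface" and len(tok) > 3 and tok[3].startswith("lo0."):
                cfg.vrf_lo0[tok[1]] = int(tok[3].split(".")[1])
    _expand_groups(cfg)
    return cfg


def effective_filter(cfg, ri, family="inet"):
    """The three rules from the thread: VRF loopback with filter -> that filter;
    VRF loopback without filter -> nothing; no VRF loopback -> the default lo0.0 filter."""
    default = cfg.filters.get((0, family))        # "Filter A" on the default loopback
    unit = cfg.vrf_lo0.get(ri)
    if unit is None:
        return default
    return cfg.filters.get((unit, family))        # may be None: the unprotected case


def audit(text, family="inet"):
    cfg = parse_set_config(text)
    return {ri: effective_filter(cfg, ri, family) for ri in sorted(cfg.vrfs)}


def unfiltered_instances(text, family="inet"):
    return [ri for ri, f in audit(text, family).items() if f is None]


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_CONFIG), ("with RE-FILTER", SAMPLE_CONFIG + GROUP_FIX)):
        print(label, audit(text), "unfiltered:", unfiltered_instances(text))
```

Run as-is it reports VRF-A as unfiltered in the sample configuration (it owns lo0.1, which carries addresses but no filter, the second rule) and shows that adding the wildcard group gives lo0.1 the ROUTING-ENGINE filter while leaving VRF-B's explicitly configured filter untouched. Feeding it a real "show configuration | display set" dump is the quick way to find loopback units that silently dropped out of the RE filter.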

