I am trying to deny SSH access from routing-instance CPEs on a Juniper MX960 device. I want to know if there is a way to deny only SSH access attempts from any routing-instance.
Denying SSH Access from CPEs in All Routing Instances on Juniper MX960
juniper juniper-junos juniper-mx ssh
Best Answer
You have a couple of options:
Option 1
The filter can stay on the loopback interface; you can simply add firewall terms and specify `from interface`. So if xe-0/0/0.0 was one of the interfaces connected to a CPE in a routing-instance and 1.1.1.1 was the router's in-band management address, you could do something like this:
Option 2
Configure firewall filters on the physical interfaces in the routing-instances facing the CPEs. Firewall filters are evaluated first on physical interfaces (ae, xe-, etc.), then on the loopback.
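
The Option 1 approach written out as a Junos configuration, added here as an example and not taken from the original answer. The filter name PROTECT-RE, the term names, and the use of lo0 unit 0 are assumptions; xe-0/0/0.0 and 1.1.1.1 are the values the answer uses.

```junos
/* Added example. PROTECT-RE stands in for whatever filter is already
   applied to the loopback; filter and term names are hypothetical. */
firewall {
    family inet {
        filter PROTECT-RE {
            /* Drop only SSH that arrives on the CPE-facing interface and is
               addressed to the router's in-band management address. */
            term DENY-CPE-SSH {
                from {
                    interface xe-0/0/0.0;
                    destination-address {
                        1.1.1.1/32;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then discard;
            }
            /* Placeholder for the filter's existing terms. A filter with no
               matching term ends in an implicit discard, so the deny term
               has to sit ahead of whatever accepts management traffic. */
            term ALLOW-REST {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

Each additional CPE-facing interface is another `interface` line in the same `from` block, so SSH from other sources is still handled by the later terms.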