Denying SSH Access from CPEs in All Routing Instances on Juniper MX960

Tags: juniper, juniper-junos, juniper-mx, ssh

I am trying to deny SSH access from the CPEs in a routing instance on a Juniper MX960. I want to know whether there is a way to deny only SSH access attempts from any routing instance.

Best Answer

You have a couple of options:

Option 1

The filter can stay on the loopback interface; you can simply add firewall terms and specify `from interface`. So if xe-0/0/0.0 was one of the interfaces connected to a CPE in a routing instance and 1.1.1.1 was the router's in-band management address, you could do something like this:

jhead@MX1# show firewall
family inet {
    filter PROTECT {
        /* Drop SSH to the router's address when it arrives on the CPE-facing interface */
        term BLOCK-VRF-1-SSH {
            from {
                destination-address {
                    1.1.1.1/32;
                }
                port ssh;
                interface xe-0/0/0.0;
            }
            then {
                discard;
            }
        }
        /* A filter ends in an implicit discard, so keep an explicit accept for everything else sent to the router */
        term ACCEPT-REST {
            then accept;
        }
    }
}

Option 2

Configure firewall filters on the physical interfaces in the routing instances facing the CPEs. Firewall filters are evaluated first on physical interfaces (ae, xe, etc.), then on the loopback.
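Both options above, written out as one complete configuration. This is an added example, not the answerer's configuration or anything from Juniper's documentation; the routing instance CPE-VRF, the CPE-facing interface xe-0/0/0.0 with address 192.0.2.1/30, the loopback address 1.1.1.1 and the prefix list ROUTER-ADDRS are all assumed names. It goes slightly beyond the answer in two ways: the lo0 term matches no destination address, because a CPE can just as easily SSH to the PE-CE interface address as to the loopback, and the interface-side filter uses a prefix list of every router address so that transit traffic through the VRF is untouched. One caveat on Option 1: Junos applies the lo0.0 filter to traffic addressed to the router from a routing instance only when that instance has no lo0 unit of its own; if CPE-VRF has one, the filter belongs on that unit instead.

```junos
/* Added example, not from the original answer. Assumed names: routing
   instance CPE-VRF, CPE-facing interface xe-0/0/0.0, router addresses
   1.1.1.1 (lo0.0) and 192.0.2.1 (PE-CE link). */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* Option 1: protect the routing engine from the loopback */
                filter {
                    input PROTECT;
                }
                address 1.1.1.1/32;
            }
        }
    }
    xe-0/0/0 {
        unit 0 {
            family inet {
                /* Option 2: filter on the CPE-facing interface itself */
                filter {
                    input CPE-IN;
                }
                address 192.0.2.1/30;
            }
        }
    }
}
routing-instances {
    CPE-VRF {
        instance-type vrf;
        interface xe-0/0/0.0;
        route-distinguisher 65000:1;
        vrf-target target:65000:1;
    }
}
policy-options {
    /* Every address on this router a CPE could open an SSH session to */
    prefix-list ROUTER-ADDRS {
        1.1.1.1/32;
        192.0.2.1/32;
    }
}
firewall {
    family inet {
        /* Option 1: match on the ingress interface. No destination-address,
           so SSH to the PE-CE address is dropped as well as to the loopback. */
        filter PROTECT {
            term BLOCK-CPE-SSH {
                from {
                    interface {
                        xe-0/0/0.0;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count BLOCK-CPE-SSH;
                    discard;
                }
            }
            /* Without an explicit accept the implicit discard would drop
               every other packet addressed to the router, including your
               own management session. */
            term ACCEPT-REST {
                then accept;
            }
        }
        /* Option 2: drop SSH to the router on ingress. Transit traffic is
           unaffected because the term matches only router addresses. */
        filter CPE-IN {
            term BLOCK-SSH-TO-ROUTER {
                from {
                    destination-prefix-list {
                        ROUTER-ADDRS;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count BLOCK-SSH-TO-ROUTER;
                    discard;
                }
            }
            term ACCEPT-REST {
                then accept;
            }
        }
    }
}
```

Apply a loopback filter with `commit confirmed` so a mistake in the accept term cannot lock you out, then try an SSH connection from a CPE to both 192.0.2.1 and 1.1.1.1 and check `show firewall filter PROTECT` (or `show firewall filter CPE-IN`): the counter on the block term should increment while management sessions from outside the VRF keep working. Either filter alone is enough; the interface filter costs nothing extra per CPE but has to be repeated on each CPE-facing unit, whereas the lo0 filter is one place to audit.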