
[Junos] How to limit SSH login for management to a range of IP address


Article ID: KB19171 | Last Updated: 31 Mar 2020 | Version: 2.0
Summary:

This article shows, with a sample configuration, how to allow only selected source IP addresses to reach a Junos device over SSH. The control is a stateless firewall filter applied as an input filter on the loopback interface (lo0), which Junos evaluates for all traffic destined to the Routing Engine regardless of the interface it arrives on.

 

Symptoms:

I need to restrict management access.

 

Solution:

The configuration statements required to limit the source IP addresses that can reach the device via SSH are shown below.

The example is for an EX switch that uses a routed VLAN interface (vlan.100) for management. (Note: Adjust the interface and destination address to match the management interface of your Junos device; on EX platforms running Enhanced Layer 2 Software the routed VLAN interface is named irb.100 rather than vlan.100.)

Allowed source IP addresses:

10.130.38.26

10.130.38.30

Blocked source IP addresses:

All other source addresses are denied SSH access to the management address 10.130.238.229.

EX_Juniper# show vlans
MGMT {
    vlan-id 100;
    l3-interface vlan.100;
}

set interfaces vlan unit 100 family inet address 10.130.238.229/24 (10.130.238.229 is configured for VLAN 100)

set firewall family inet filter RE_FILTER term SSH from source-address 10.130.38.26/32 (This host, 10.130.38.26, is allowed to do SSH)
set firewall family inet filter RE_FILTER term SSH from source-address 10.130.38.30/32 (This host, 10.130.38.30, is allowed to do SSH)
set firewall family inet filter RE_FILTER term SSH from destination-address 10.130.238.229/32 
set firewall family inet filter RE_FILTER term SSH from protocol tcp
set firewall family inet filter RE_FILTER term SSH from destination-port ssh
set firewall family inet filter RE_FILTER term SSH then count allow.ssh
set firewall family inet filter RE_FILTER term SSH then accept

set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-address 10.130.238.229/32 (10.130.238.229 is a Switch Management IP Address)
set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp
set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port ssh
set firewall family inet filter RE_FILTER term SSH_BLOCK then count discard.ssh
set firewall family inet filter RE_FILTER term SSH_BLOCK then discard
set firewall family inet filter RE_FILTER term default then accept

set interfaces lo0 unit 0 family inet filter input RE_FILTER

Terms are evaluated in order and the first match wins: SSH from the two allowed hosts to 10.130.238.229 matches term SSH and is accepted (counted in allow.ssh); SSH from any other source to that address matches term SSH_BLOCK and is silently discarded (counted in discard.ssh, which is the quickest way to see rejected attempts with "show firewall filter RE_FILTER"); everything else, including routing protocols, NTP, DNS and SNMP, falls through to the default term and is accepted, so the filter does not disturb the device's other services. Because the filter is an input filter on lo0 it applies only to traffic addressed to the Routing Engine, not to transit traffic. Two points to check before relying on it: both SSH terms match only destination-address 10.130.238.229, so SSH to any other address configured on the device still reaches the default accept term; and a typo in the source addresses locks the operator out, so commit the change with "commit confirmed" from a session sourced from an allowed host and confirm it only after a fresh SSH login succeeds.
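The following is an added example and not part of the original article: the same filter written with a prefix-list, so that a contiguous range of management stations is matched by one statement rather than one /32 per host, with the destination-address match removed so that SSH to every local address of the device is covered, and with a syslog action so that rejected attempts appear in the system log rather than only in a counter. The prefix-list name SSH_MGMT_ALLOWED and the range 10.130.38.16/28 (10.130.38.16 to 10.130.38.31, which includes both hosts from the article) are assumptions chosen for illustration.

```junos
# Added example, not from the original article. The prefix-list name and the
# /28 range are assumptions; replace them with your own management range.
set policy-options prefix-list SSH_MGMT_ALLOWED 10.130.38.16/28

# Term 1: SSH from the allowed range to any address owned by this device
set firewall family inet filter RE_FILTER term SSH from source-prefix-list SSH_MGMT_ALLOWED
set firewall family inet filter RE_FILTER term SSH from protocol tcp
set firewall family inet filter RE_FILTER term SSH from destination-port ssh
set firewall family inet filter RE_FILTER term SSH then count allow.ssh
set firewall family inet filter RE_FILTER term SSH then accept

# Term 2: SSH from anywhere else, to any local address, is counted,
# logged to syslog and dropped. No destination-address match here, so
# SSH to a non-management interface address cannot slip through.
set firewall family inet filter RE_FILTER term SSH_BLOCK from protocol tcp
set firewall family inet filter RE_FILTER term SSH_BLOCK from destination-port ssh
set firewall family inet filter RE_FILTER term SSH_BLOCK then count discard.ssh
set firewall family inet filter RE_FILTER term SSH_BLOCK then syslog
set firewall family inet filter RE_FILTER term SSH_BLOCK then discard

# Term 3: everything that is not SSH (routing protocols, NTP, DNS, SNMP, ...)
# is still permitted, so the filter only narrows SSH.
set firewall family inet filter RE_FILTER term default then accept

# Apply to lo0 so the filter is evaluated for all Routing Engine bound traffic
set interfaces lo0 unit 0 family inet filter input RE_FILTER
```

Load these statements from an SSH session whose source lies inside the prefix-list, then use "commit confirmed 5" rather than "commit": if the filter rejects your own session the change rolls back automatically after five minutes. Open a second SSH connection to verify access, then run "commit" to make the change permanent. "run show firewall filter RE_FILTER" shows the allow.ssh and discard.ssh counters, and rejected attempts from the syslog action are written to the system log as PFE_FW_SYSLOG_IP messages with the offending source address. To add a second, non-contiguous station later, add another line to the prefix-list; the filter terms do not need to change.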

 

Modification History:

2020-03-31: Article reviewed for accuracy; it is valid and accurate; added a note about ability to modify the configuration according to the management interface of each Junos device.
