To configure SSH (Secure Shell) on a Juniper switch with an access-list to filter specific IP addresses, follow the steps below. Please note that the specific commands and configuration may vary depending on the Juniper switch model and software version. Adapt the instructions accordingly.

Part 1: SSH Configuration with Access-List

Step 1: Access the Juniper Switch

Connect to the Juniper switch using a console cable or through SSH/Telnet. Telnet sends credentials in the clear, so prefer the console or an existing SSH session.

Step 2: Enter Configuration Mode

Enter the configuration mode by typing the following command:

configure

Step 3: Configure SSH

Enable SSH and set the desired SSH parameters, such as the protocol version, the root-login policy and the host-key algorithm. rate-limit caps the number of new connection attempts per minute. The SSH host key that secures the connection is generated by Junos when the service is first enabled.

set system services ssh
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh rate-limit 10
set system services ssh hostkey-algorithm <algorithm>

Replace <algorithm> with a Junos host-key algorithm name, for example ssh-rsa or ssh-ed25519.

Step 4: Configure Access-List

Create an access-list (in Junos terms, a firewall filter) that allows SSH connections only from specific IP addresses. Replace <access-list-name> with a meaningful name and <IP-address> with the desired IP address. Term 1 accepts SSH from the allowed address, term 2 rejects SSH from everyone else, and term 3 accepts all remaining traffic. The last term matters because the filter is applied to the loopback interface in Step 5, where a filter ending in a bare reject would also drop routing-protocol, NTP and DNS traffic destined to the switch.

set firewall family inet filter <access-list-name> term 1 from source-address <IP-address>
set firewall family inet filter <access-list-name> term 1 from destination-port ssh
set firewall family inet filter <access-list-name> term 1 then accept
set firewall family inet filter <access-list-name> term 2 from destination-port ssh
set firewall family inet filter <access-list-name> term 2 then reject
set firewall family inet filter <access-list-name> term 3 then accept

Example:

set firewall family inet filter SSH-ACL term 1 from source-address 192.168.1.10
set firewall family inet filter SSH-ACL term 1 from destination-port ssh
set firewall family inet filter SSH-ACL term 1 then accept
set firewall family inet filter SSH-ACL term 2 from destination-port ssh
set firewall family inet filter SSH-ACL term 2 then reject
set firewall family inet filter SSH-ACL term 3 then accept

Step 5: Apply Access-List to SSH Configuration

Apply the access-list so that it filters SSH access to the switch. There is no filter option under system services ssh; in Junos, traffic addressed to the switch itself (the Routing Engine), including SSH, is filtered by attaching the filter as an input filter on the loopback interface lo0.

set interfaces lo0 unit 0 family inet filter input <access-list-name>

Example:

set interfaces lo0 unit 0 family inet filter input SSH-ACL

Step 6: Commit Configuration Changes

Commit the configuration changes to make them effective. When the filter is loaded over an SSH session, commit confirmed <minutes> is the safer form: the change is rolled back automatically unless a second commit confirms it, which protects against a filter that locks out the very session applying it.

commit

Example: applying the filter on an interface

The same filter can instead be attached as an input filter on a specific interface, in which case it only filters traffic arriving on that interface. Replace <interface-name> with the actual interface name and <access-list-name> with the name of the filter.

set interfaces <interface-name> unit 0 family inet filter input <access-list-name>

Complete example script:

configure
set system services ssh
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh rate-limit 10
set system services ssh hostkey-algorithm ssh-rsa
set firewall family inet filter SSH-ACL term 1 from source-address 192.168.1.10
set firewall family inet filter SSH-ACL term 1 from destination-port ssh
set firewall family inet filter SSH-ACL term 1 then accept
set firewall family inet filter SSH-ACL term 2 from destination-port ssh
set firewall family inet filter SSH-ACL term 2 then reject
set firewall family inet filter SSH-ACL term 3 then accept
set interfaces lo0 unit 0 family inet filter input SSH-ACL
commit
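As an added example (not from the page), the Python helper below generates the Part 1 filter and its lo0 binding for a list of allowed management hosts, and refuses to produce it when the operator's own address is missing from the list, which is the usual way an lo0 filter locks its author out. The filter name, term names and sample addresses are assumptions; the output can be pasted into the CLI with load set terminal.

```python
import ipaddress

# Constructed sample input for this example (not from the page): the
# management hosts that may open SSH sessions to the switch.
ALLOWED_SOURCES = ["192.168.1.10", "10.0.0.0/24"]


def would_lock_out(allowed_sources, operator_ip):
    """True if the operator's own address is not covered by the allow list,
    i.e. the filter would cut off the session that is loading it."""
    nets = [ipaddress.ip_network(s, strict=True) for s in allowed_sources]
    return not any(ipaddress.ip_address(operator_ip) in n for n in nets)


def build_ssh_filter(name, allowed_sources, operator_ip, rollback_minutes=5):
    """Return the Junos 'set' commands for an lo0 input filter that lets only
    the listed sources reach the SSH port and leaves every other packet to
    the Routing Engine untouched. Filter and term names are assumptions."""
    if would_lock_out(allowed_sources, operator_ip):
        raise ValueError(f"{operator_ip} is not allow-listed; refusing to build "
                         "a filter that locks out the current session")
    nets = [ipaddress.ip_network(s, strict=True) for s in allowed_sources]
    if any(n.version != 4 for n in nets):
        raise ValueError("family inet filter: IPv4 prefixes only")
    f = f"set firewall family inet filter {name}"
    cmds = [f"{f} term allow-ssh from source-address {n.with_prefixlen}" for n in nets]
    cmds += [
        f"{f} term allow-ssh from protocol tcp",
        f"{f} term allow-ssh from destination-port ssh",
        f"{f} term allow-ssh then accept",
        # Everyone else is refused SSH; syslog records the source for detection.
        f"{f} term deny-ssh from protocol tcp",
        f"{f} term deny-ssh from destination-port ssh",
        f"{f} term deny-ssh then syslog",
        f"{f} term deny-ssh then reject",
        # Explicit final accept: without it an lo0 filter would also drop
        # routing protocols, NTP, DNS and any other traffic to the switch.
        f"{f} term allow-rest then accept",
        f"set interfaces lo0 unit 0 family inet filter input {name}",
        # commit confirmed rolls the change back unless a plain 'commit'
        # follows within the timer, the safety net for filter mistakes.
        f"commit confirmed {rollback_minutes}",
    ]
    return cmds


if __name__ == "__main__":
    print("\n".join(build_ssh_filter("SSH-ACL", ALLOWED_SOURCES, "192.168.1.10")))
```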

Part 2: SSH Configuration on VLAN and IRB

For VLAN: SSH in Junos is a system-wide service; it is not enabled per VLAN. What makes the switch reachable over SSH from a VLAN is a Layer 3 (IRB) interface with an IP address bound to that VLAN, so the additional steps are:

Step 1: Enter VLAN Configuration Mode

configure
edit vlans <vlan-name>

Step 2: Enable SSH on VLAN

Bind the VLAN to an IRB unit and give that unit an address. Replace <unit-number> and <IP-address/prefix-length>; the top command returns to the top of the configuration hierarchy.

set l3-interface irb.<unit-number>
top
set interfaces irb unit <unit-number> family inet address <IP-address/prefix-length>
commit

Complete example script (the address is an example value):

configure
set vlans VLAN10 l3-interface irb.10
set interfaces irb unit 10 family inet address 192.168.10.1/24
commit

Run ssh filter on VLAN:

SSH sessions from the VLAN terminate on that VLAN's IRB address, so the filter is applied as an input filter on the IRB unit. A VLAN-level filter (set vlans <vlan-name> forwarding-options filter input <filter-name> on ELS switches) filters traffic switched within the VLAN and is not where the family inet filter from Part 1 is attached.

set interfaces irb unit <unit-number> family inet filter input <access-list-name>

Example:

configure
set interfaces irb unit 10 family inet filter input SSH-ACL
commit

For IRB: Because the SSH service runs system-wide, it is reachable on any IRB unit that has an IP address. To enable SSH on an IRB interface, give the unit an address:

Step 1: Enter IRB Interface Configuration Mode

configure
edit interfaces irb unit <unit-number>

Step 2: Enable SSH on IRB Interface

set family inet address <IP-address/prefix-length>
commit

Complete example script (the address is an example value):

configure
set interfaces irb unit 10 family inet address 192.168.10.1/24
commit

Run ssh filter on IRB:

set interfaces irb unit <unit-number> family inet filter input <access-list-name>

Example:

configure
set interfaces irb unit 10 family inet filter input SSH-ACL
commit