To enable basic login without routing on the dedicated management interface fxp0:
//enable ssh
set system services ssh
//configure IP address on fxp0
set interfaces fxp0 unit 0 family inet address <IP_address>
fxp0 is pingable by default.
To enable basic login without routing on a non-management interface such as xe-11/0/0:
//configure IP address on xe-11/0/0
set interfaces xe-11/0/0 unit 0 family inet address <IP_address>
//place the interface in a security zone and allow inbound SSH on it
set security zones security-zone MGMT interfaces xe-11/0/0.0 host-inbound-traffic system-services ssh
Non-management interfaces are not pingable by default. To enable ping:
set security zones security-zone MGMT interfaces xe-11/0/0.0 host-inbound-traffic system-services ping
Example of how to configure remote access on a tagged interface with an applied filter/access list that allows only SSH and ICMP:
set interfaces reth2 unit 102 vlan-id 102
set interfaces reth2 unit 102 family inet filter input MGMT_IN
set interfaces reth2 unit 102 family inet address 192.168.1.9/30
//both host-inbound-traffic lines are necessary in addition to the filter
set security zones security-zone MGMT interfaces reth2.102 host-inbound-traffic system-services ping
set security zones security-zone MGMT interfaces reth2.102 host-inbound-traffic system-services ssh
set firewall family inet filter MGMT_IN term terminal_access from protocol tcp
set firewall family inet filter MGMT_IN term terminal_access from port ssh
set firewall family inet filter MGMT_IN term terminal_access then accept
//ICMP must go under a separate "term": match conditions within a term are ANDed, so ICMP (which has no port) would never match a term that also requires port ssh and would fall through to the filter's implicit discard
set firewall family inet filter MGMT_IN term ping from protocol icmp
set firewall family inet filter MGMT_IN term ping then accept
Enable MGMT Access on Loopback
inbound traffic --> [reth] -- [PFE (data plane)] -- lo0.# -- [RE (control plane)]
Applying an ACL to the loopback interface controls access from the data plane (PFE) to the control plane (RE) on the SRX, regardless of the ingress interface.
The filter below allows SSH/HTTPS access to the control plane from 192.168.0.0/16, then logs and rejects SSH from any other subnet, then allows all other traffic between the PFE and the Routing Engine. This last term is important: a Junos filter ends with an implicit discard, so without it every other control-plane flow would be dropped.
set interfaces lo0 unit 0 family inet filter input Lo0_IN
set firewall family inet filter Lo0_IN term terminal_access from source-address 192.168.0.0/16
set firewall family inet filter Lo0_IN term terminal_access from protocol tcp
set firewall family inet filter Lo0_IN term terminal_access from port ssh
set firewall family inet filter Lo0_IN term terminal_access from port https
set firewall family inet filter Lo0_IN term terminal_access then accept
set firewall family inet filter Lo0_IN term terminal_access_denied from protocol tcp
set firewall family inet filter Lo0_IN term terminal_access_denied from port ssh
set firewall family inet filter Lo0_IN term terminal_access_denied then log
set firewall family inet filter Lo0_IN term terminal_access_denied then reject
set firewall family inet filter Lo0_IN term default-term then accept
After implementing the ACL on loopback, the ACL on the physical interface is no longer required.
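As an added illustration, not part of the original post and not Junos code, the following Python script models the filter-evaluation rules that both configurations above depend on: first-match term ordering, ANDed match conditions within a term, and the implicit discard at the end of every filter. The MGMT_IN and Lo0_IN definitions mirror the page's filters; the MGMT_IN_single_term variant (ICMP folded into the SSH term) and the sample packets are constructed for the demonstration.

```python
import ipaddress

# Constructed model (not Junos code) of how a Junos firewall filter is evaluated:
# terms are tried in order; inside a term, conditions of different kinds
# (source-address, protocol, port) are ANDed while the values listed for one
# kind are ORed; the first matching term's action wins; a packet that matches
# no term hits the filter's implicit discard.

# The two filters from the page, plus a hypothetical "MGMT_IN_single_term"
# that puts the ICMP match into the same term as the SSH match.
FILTERS = {
    "MGMT_IN": [
        {"name": "terminal_access", "from": {"protocol": ["tcp"], "port": [22]}, "then": "accept"},
        {"name": "ping", "from": {"protocol": ["icmp"]}, "then": "accept"},
    ],
    "MGMT_IN_single_term": [
        {"name": "terminal_access", "from": {"protocol": ["tcp", "icmp"], "port": [22]}, "then": "accept"},
    ],
    "Lo0_IN": [
        {"name": "terminal_access",
         "from": {"source-address": ["192.168.0.0/16"], "protocol": ["tcp"], "port": [22, 443]},
         "then": "accept"},
        {"name": "terminal_access_denied", "from": {"protocol": ["tcp"], "port": [22]}, "then": "reject"},
        {"name": "default-term", "from": {}, "then": "accept"},
    ],
}


def _term_matches(conditions, packet):
    """Return True when every condition kind in the term matches the packet."""
    for kind, values in conditions.items():
        if kind == "source-address":
            src = ipaddress.ip_address(packet["src"])
            if not any(src in ipaddress.ip_network(prefix) for prefix in values):
                return False
        elif kind == "protocol":
            if packet["protocol"] not in values:
                return False
        elif kind == "port":
            # Junos "port" matches either the source or the destination port.
            # ICMP carries no ports, so a port condition can never match it.
            ports = {packet.get("sport"), packet.get("dport")} - {None}
            if not ports & set(values):
                return False
        else:
            raise ValueError(f"unsupported match condition: {kind}")
    return True


def evaluate_terms(terms, packet):
    """First-match evaluation; returns (term name, action)."""
    for term in terms:
        if _term_matches(term["from"], packet):
            return term["name"], term["then"]
    return None, "discard"  # implicit discard at the end of every filter


def evaluate(filter_name, packet):
    return evaluate_terms(FILTERS[filter_name], packet)


def evaluate_without_default_term(filter_name, packet):
    """Show what a filter would do if its final accept-all term were omitted."""
    terms = [t for t in FILTERS[filter_name] if t["name"] != "default-term"]
    return evaluate_terms(terms, packet)


# Constructed sample traffic toward the SRX control plane.
SAMPLES = {
    "ssh from trusted": {"src": "192.168.10.5", "protocol": "tcp", "sport": 51000, "dport": 22},
    "https from trusted": {"src": "192.168.10.5", "protocol": "tcp", "sport": 51001, "dport": 443},
    "ssh from untrusted": {"src": "10.1.1.1", "protocol": "tcp", "sport": 51002, "dport": 22},
    "bgp from peer": {"src": "10.1.1.1", "protocol": "tcp", "sport": 51003, "dport": 179},
    "ping": {"src": "10.1.1.1", "protocol": "icmp"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        for flt in ("MGMT_IN", "MGMT_IN_single_term", "Lo0_IN"):
            print(f"{flt:22} {name:20} -> {evaluate(flt, pkt)}")
```

Running the script prints which term each sample packet hits under each filter: the single-term variant drops the ping that the separate ping term accepts, and evaluate_without_default_term shows BGP from a peer falling into the implicit discard once the final accept-all term of Lo0_IN is removed.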
By privilege15