Channel: All Ethernet Switching posts

Issues with firewall filter on Juniper EX4550


Hi.

I want to limit incoming SSH connections to the switch on its public IP addresses. To do this I created a firewall family inet filter and applied it on the loopback interface (routing engine).

 

admin@4550-1# show firewall
family inet {
    filter RE-filter {
        term CLI-allow {
            from {
                source-prefix-list {
                    CLI-SNMP-access;
                }
                protocol tcp;
                destination-port [ telnet ssh ];
            }
            then {
                count SSHpermit;
                accept;
            }
        }
        term CLI-deny {
            from {
                protocol tcp;
                destination-port [ telnet ssh ];
            }
            then {
                count SSHdeny;
                discard;
            }
        }
        term final {
            then accept;
        }
    }
}
admin@4550-1# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input RE-filter;
        }
    }
}

I also configured public IP addresses on some physical interfaces and VLAN interfaces.

Then I found strange behavior of the firewall filter. The firewall doesn't filter incoming SSH connections for IP addresses that are located on a VLAN interface, but the filter works as expected for IP addresses on physical interfaces.

If I apply this filter on the VLAN interface, it doesn't filter SSH connections either.

Does anyone know what the problem is and how to fix it?

 

Thanks for your help.
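The post describes checking by hand which switch addresses still accept SSH after the filter is applied. The following is an added example, not part of the original post or of any Juniper tooling: a small probe that connects to the ports the RE-filter covers (ssh and telnet) from an address that is *not* in the CLI-SNMP-access prefix list and classifies each result. Because the filter uses `discard`, a correctly filtered port shows up as a connect timeout (no RST is sent), whereas `refused` means the packet reached a host with nothing listening and `open` means the filter did not cover that address. The addresses and their interface labels are constructed sample data (RFC 5737 documentation range), not from the post.

```python
"""Probe switch management addresses on the ports an RE filter covers and
report which ones still accept connections from an unauthorised source.

Added example; nothing here is Juniper code or taken from the forum post.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

# Ports named in the filter's destination-port [ telnet ssh ] match.
PORTS = {"ssh": 22, "telnet": 23}

# Connector signature: connect(address, port, timeout) -> None, raising on
# failure. Kept injectable so the classification logic can be exercised
# without a live switch.
Connector = Callable[[str, int, float], None]


@dataclass(frozen=True)
class ProbeResult:
    address: str
    location: str   # hypothetical label, e.g. "physical" or "vlan"
    service: str
    port: int
    state: str      # "open", "filtered", "refused" or "error"


def tcp_connect(address: str, port: int, timeout: float) -> None:
    """Real TCP connect; a 'discard' filter action surfaces as a timeout."""
    with socket.create_connection((address, port), timeout=timeout):
        return


def probe(address: str, location: str, service: str,
          timeout: float = 2.0, connect: Connector = tcp_connect) -> ProbeResult:
    port = PORTS[service]
    try:
        connect(address, port, timeout)
    except (socket.timeout, TimeoutError):
        state = "filtered"          # silently dropped: consistent with 'discard'
    except ConnectionRefusedError:
        state = "refused"           # reached the host, nothing listening (RST)
    except OSError:
        state = "error"             # unreachable, ICMP error, etc.
    else:
        state = "open"              # filter did not cover this address
    return ProbeResult(address, location, service, port, state)


def audit(addresses: Dict[str, str], services: Sequence[str] = ("ssh", "telnet"),
          timeout: float = 2.0, connect: Connector = tcp_connect) -> List[ProbeResult]:
    """Probe every address/service pair; addresses maps IP -> interface label."""
    return [probe(addr, loc, svc, timeout, connect)
            for addr, loc in addresses.items()
            for svc in services]


def unfiltered(results: List[ProbeResult]) -> List[ProbeResult]:
    """Results where the connection was accepted: from an address outside the
    permitted prefix list these are exactly the gaps in the filter."""
    return [r for r in results if r.state == "open"]


def report(results: List[ProbeResult]) -> List[str]:
    return [f"{r.address:<15} {r.location:<9} {r.service:<6} {r.state}" for r in results]


if __name__ == "__main__":
    # Constructed sample inventory (documentation addresses), not real devices.
    SWITCH_ADDRESSES = {
        "192.0.2.10": "physical",
        "192.0.2.20": "vlan",
    }
    # Run this from a source address NOT in the CLI-SNMP-access prefix list.
    results = audit(SWITCH_ADDRESSES)
    print("\n".join(report(results)))
    gaps = unfiltered(results)
    print(f"{len(gaps)} address/port pair(s) still reachable" if gaps
          else "all probed ports filtered or refused")
```

Run it from a host whose source address is outside the permitted prefix list; any line reporting `open` is an address on which the lo0 filter is not taking effect, which lets the physical-interface and VLAN-interface addresses be compared side by side instead of one SSH attempt at a time.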
