Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Restrict NETCONF operations

A basic example that shows how to restrict access, so that specific NETCONF clients cannot query NETCONF in Vyatta NOS.

Note: For more advanced firewall configuration options, please refer to Ciena Vyatta Network OS Firewall Configuration Guide.

NETCONF operates over an SSH session that uses TCP port 830. You can use this to restrict usage through configuration of the firewall.

In this example, we restrict access so that NETCONF clients on subnet 10.100.100.0/24 cannot perform NETCONF queries.

  1. Configure a firewall rule to drop NETCONF packets on the subnet.
    set security firewall name block-netconf default-action accept
    set security firewall name block-netconf rule 100 action drop
    set security firewall name block-netconf rule 100 destination port 830
    set security firewall name block-netconf rule 100 protocol tcp
    set security firewall name block-netconf rule 100 source address 10.100.100.0/24
  2. Apply the firewall rule to the interface to which the NETCONF client is connected.
    set interfaces dataplane dp0p6 vif 100 firewall in block-netconf
  3. Enable the NETCONF service, and the SSH server on both port 22 (default SSH port) and on port 830 (SSH port used by the NETCONF protocol).
    set service netconf
    set service ssh port 22
    set service ssh port 830
    Note: By default, SSH will validate the host name — so long as you have configured a name server (DNS) with the set system name-server command. If the name server is unreachable then there will be a 30 second delay in the response. To avoid this, you can also configure set service ssh disable-host-validation.
This configuration means that NETCONF servers on the 10.100.100.0/24 subnet will not be able to perform a NETCONF query to Vyatta NOS on port 830.