Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.

Restrict NETCONF operations

A basic example that shows how to restrict access, so that specific NETCONF clients cannot query NETCONF in Vyatta NOS.

Note: For more advanced firewall configuration options, please refer to Ciena Vyatta Network OS Firewall Configuration Guide.

NETCONF operates over an SSH session that uses TCP port 830. You can use this to restrict usage through configuration of the firewall.

In this example, we restrict access so that NETCONF clients on subnet 10.100.100.0/24 cannot perform NETCONF queries.

  1. Configure a firewall rule to drop NETCONF packets on the subnet.
    set security firewall name block-netconf default-action accept
    set security firewall name block-netconf rule 100 action drop
    set security firewall name block-netconf rule 100 destination port 830
    set security firewall name block-netconf rule 100 protocol tcp
    set security firewall name block-netconf rule 100 source address 10.100.100.0/24
  2. Apply the firewall rule to the interface to which the NETCONF client is connected.
    set interfaces dataplane dp0p6 vif 100 firewall in block-netconf
  3. Enable the NETCONF service, and the SSH server on both port 22 (default SSH port) and on port 830 (SSH port used by the NETCONF protocol).
    set service netconf
    set service ssh port 22
    set service ssh port 830
    Note: By default, SSH will validate the host name if a name server is configured. If the name server is unreachable, this will result in a 30 second delay in th response. To avoid this, you can also configure set service ssh disable-host-validation.
This configuration means that NETCONF servers on the 10.100.100.0/24 subnet will not be able to perform a NETCONF query to Vyatta NOS on port 830.