Vyatta documentation

Restrict NETCONF operations

A basic example that shows how to restrict access so that specific NETCONF clients cannot query NETCONF on Vyatta NOS.

Note: For more advanced firewall configuration options, please refer to Ciena Vyatta Network OS Firewall Configuration Guide.

NETCONF operates over an SSH session on TCP port 830. Because the port is fixed, you can restrict NETCONF usage with a firewall rule that matches it.

In this example, we restrict access so that NETCONF clients on subnet 10.100.100.0/24 cannot perform NETCONF queries.

  1. Configure a firewall rule to drop NETCONF packets on the subnet.
    set security firewall name block-netconf default-action accept
    set security firewall name block-netconf rule 100 action drop
    set security firewall name block-netconf rule 100 destination port 830
    set security firewall name block-netconf rule 100 protocol tcp
    set security firewall name block-netconf rule 100 source address 10.100.100.0/24
  2. Apply the firewall rule to the interface to which the NETCONF client is connected.
    set interfaces dataplane dp0p6 vif 100 firewall in block-netconf
  3. Enable the NETCONF service and the SSH server on both port 22 (the default SSH port) and port 830 (the SSH port used by the NETCONF protocol).
    set service netconf
    set service ssh port 22
    set service ssh port 830
    Note: By default, SSH validates the host name, provided that you have configured a name server (DNS) with the set system name-server command. If the name server is unreachable, there will be a 30-second delay in the response. To avoid this, you can also configure set service ssh disable-host-validation.
This configuration means that NETCONF clients on the 10.100.100.0/24 subnet will not be able to perform a NETCONF query to Vyatta NOS on port 830.
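As an added illustration (not Vyatta's own code or documentation), the following Python script parses the five set security firewall lines from the steps above and reports the verdict the block-netconf ruleset gives a packet. The evaluation semantics are assumed (rules in ascending number order, every configured matcher must hit, first match wins, default-action otherwise), and the script does not model where the ruleset is attached, so a verdict only applies to traffic entering the interface it is bound to (dp0p6 vif 100 above).

```python
import ipaddress
import re

# Constructed copy of the firewall lines from the steps above.
CONFIG = """
set security firewall name block-netconf default-action accept
set security firewall name block-netconf rule 100 action drop
set security firewall name block-netconf rule 100 destination port 830
set security firewall name block-netconf rule 100 protocol tcp
set security firewall name block-netconf rule 100 source address 10.100.100.0/24
"""

_STMT = re.compile(r"set security firewall name (\S+) (.+)$")

def parse_firewall(text):
    """Build {name: {"default": action, "rules": {number: matchers}}}."""
    fw = {}
    for line in text.strip().splitlines():
        m = _STMT.match(line.strip())
        if not m:
            continue  # not a firewall statement; ignore
        # "drop" is assumed as the unset default-action; the example sets it explicitly
        entry = fw.setdefault(m[1], {"default": "drop", "rules": {}})
        words = m[2].split()
        if words[0] == "default-action":
            entry["default"] = words[1]
            continue
        rule = entry["rules"].setdefault(int(words[1]), {})  # words: rule N ...
        if words[2] == "action":
            rule["action"] = words[3]
        elif words[2] == "protocol":
            rule["protocol"] = words[3]
        elif words[2:4] == ["destination", "port"]:
            rule["dport"] = int(words[4])
        elif words[2:4] == ["source", "address"]:
            rule["src"] = ipaddress.ip_network(words[4], strict=False)
    return fw

def evaluate(fw, name, src, proto, dport):
    """Verdict for one packet. Assumed semantics: rules in ascending number
    order, every configured matcher must hit, first match wins, else default."""
    entry = fw[name]
    for number in sorted(entry["rules"]):
        rule = entry["rules"][number]
        if (rule.get("protocol", proto) != proto
                or rule.get("dport", dport) != dport
                or ("src" in rule and ipaddress.ip_address(src) not in rule["src"])):
            continue  # a configured matcher missed; try the next rule
        return rule["action"]
    return entry["default"]
```

Running it against the example policy shows its scope: tcp/830 from 10.100.100.0/24 is dropped, while tcp/22 from the same subnet and tcp/830 from any other subnet are accepted by the default action, and traffic arriving on interfaces without the ruleset is not filtered by it at all.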