OK, here is an odd impact. I put the following commands into a router in our wide area network.
set system services ssh root-login deny
set system services ssh protocol-version v2
set policy-options prefix-list ALLOWED-HOSTS 10.0.0.0/8
set firewall family inet filter ALLOWED-SSH term SSH from source-prefix-list ALLOWED-HOSTS
set firewall family inet filter ALLOWED-SSH term SSH from port ssh
set firewall family inet filter ALLOWED-SSH term SSH then accept
set firewall family inet filter ALLOWED-SSH term BLOCK-SSH from port ssh
set firewall family inet filter ALLOWED-SSH term BLOCK-SSH then discard
set firewall family inet filter ALLOWED-SSH term ACCEPT-ALL then accept
set interfaces lo0 unit 0 family inet filter input ALLOWED-SSH
The idea was to prevent Guest network access from 192-address systems connecting to SSH. There are no routes, but just in case, it sounded like a good idea. The strange thing is that BOOTP relay stopped working for the voice network. See some of my config options below.
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set interfaces vlan unit 7 family inet address 10.7.20.1/24
set interfaces vlan unit 8 family inet address 192.168.10.1/24
set interfaces vlan unit 20 family inet address 10.20.0.1/16
set forwarding-options helpers bootp server 10.10.10.1
set forwarding-options helpers bootp interface vlan.10
set forwarding-options helpers bootp interface vlan.7
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members SITE1-LAN
set ethernet-switching-options voip interface ge-0/0/0.0 vlan VoIP
set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class expedited-forwarding
set vlans SITE1-LAN vlan-id 20
set vlans SITE1-LAN l3-interface vlan.20
set vlans VoIP vlan-id 7
set vlans VoIP l3-interface vlan.7
set vlans GUEST-LAN vlan-id 8
set vlans GUEST-LAN l3-interface vlan.8
If we statically map an IP phone, it can't even ping the 10.10.10.1 DHCP server. Oddly, it can ping the remote switch where that DHCP server is attached. The solution to getting DHCP for the phones to work was to run the following:
delete interfaces lo0 unit 0 family inet filter input ALLOWED-SSH
The phones came right up after that.
Any ideas?
Todd
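As an added illustration (not from the post or from Juniper), the following models how the ALLOWED-SSH filter above evaluates packets that reach the routing engine through lo0. It assumes Junos first-match term order with an implicit final discard, that `from port ssh` matches port 22 as either source or destination port, and that a lo0 input filter only sees traffic addressed to the router itself, not transit traffic; the sample packets and their addresses are constructed.

```python
import ipaddress

# Constructed model of the ALLOWED-SSH filter from the post. Assumptions:
# terms are evaluated in order, first match wins, an unmatched packet hits
# the implicit discard at the end of the filter, and "from port ssh" matches
# port 22 as EITHER source or destination port.
ALLOWED_HOSTS = [ipaddress.ip_network("10.0.0.0/8")]  # prefix-list ALLOWED-HOSTS
SSH_PORT = 22

def in_prefix_list(addr, prefixes):
    """True if addr falls inside any prefix of the prefix list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)

def has_port(pkt, port):
    """Mirror of a Junos 'from port' match: source OR destination port."""
    return port in (pkt.get("sport"), pkt.get("dport"))

# (term name, match function, action), in the order the post configures them.
TERMS = [
    ("SSH", lambda p: in_prefix_list(p["src"], ALLOWED_HOSTS) and has_port(p, SSH_PORT), "accept"),
    ("BLOCK-SSH", lambda p: has_port(p, SSH_PORT), "discard"),
    ("ACCEPT-ALL", lambda p: True, "accept"),
]

def evaluate(pkt):
    """Return (matching term, action) for one packet arriving on lo0."""
    for name, match, action in TERMS:
        if match(pkt):
            return name, action
    return None, "discard"  # implicit final discard of a Junos filter

# Constructed sample packets, all destined to one of the router's own addresses.
SAMPLES = {
    "ssh_from_lan": {"src": "10.20.0.50", "dst": "10.20.0.1", "proto": "tcp", "dport": 22},
    "ssh_from_guest": {"src": "192.168.10.50", "dst": "192.168.10.1", "proto": "tcp", "dport": 22},
    "dhcp_from_server": {"src": "10.10.10.1", "dst": "10.7.20.1", "proto": "udp", "sport": 67, "dport": 67},
    "ping_from_phone": {"src": "10.7.20.5", "dst": "10.7.20.1", "proto": "icmp"},
}

def run_samples():
    """Evaluate every sample packet; returns {name: (term, action)}."""
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:18} -> {result}")
```

In this model neither the DHCP server reply (UDP 67) nor ICMP matches an SSH term, so both fall through to ACCEPT-ALL; on the box itself, adding `then count` to each term and reading `show firewall filter ALLOWED-SSH` is the way to confirm what the real filter matched.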