SRX Services Gateway
Trusted Contributor
ttl_expired
Posts: 439
Registered: ‎11-11-2008
0

Host inbound service DHCP...why did they do this

Why is host inbound service system-services DHCP not available at the global zone level?  

 

This is frustrating in cases where you have dozens of interfaces in a zone which all need DHCP Relay through the SRX.  You have to specify all services under each interface over and over, because if you just specify dhcp under the interface and leave everything else global, the interface is more specific and only dhcp is allowed in.

 

Is there a clever way to set this up other than groups?

Recognized Expert
NateK
Posts: 233
Registered: ‎02-03-2009
0

Re: Host inbound service DHCP...why did they do this

IIRC the SRX does not have the concept of global zones unlike Netscreen/SSG.

 

https://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-...

 

for example

Contributor
twei214
Posts: 12
Registered: ‎06-07-2012
0

Re: Host inbound service DHCP...why did they do this

The OP is right, I also am perplexed by the decision to leave out DHCP at the zone level... it doesn't seem like a technical limitation at all, since if you do:

 

[edit security zones security-zone trust]
tyw214@SRX100B# set host-inbound-traffic system-services all

 

this will enable DHCP on ALL interfaces under that zone... 

 

However, if you want to only allow certain system services say ping, ssh, dhcp, and ntp on that zone, then you will have to do ping, ssh, and ntp at the zone level.

 

Then after that do:

 

[edit security zones security-zone trust]
tyw214@SRX100B# set interface fe-0/0/1.0 host-inbound-traffic system-services dhcp

 

for each interface to allow DHCP...
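The override behaviour described in this thread (an interface-level host-inbound-traffic list replaces the zone-level list instead of merging with it) is easy to get wrong across dozens of interfaces. The following audit script is an added example, not code from the thread or from Juniper: it parses constructed `show configuration | display set` lines and reports, per interface, which zone-granted services the interface has silently stopped accepting.

```python
import re
from collections import defaultdict

# Constructed sample in "display set" form (not taken from the thread):
# zone trust allows ping/ssh/ntp; fe-0/0/1.0 adds only dhcp at interface level,
# fe-0/0/2.0 repeats every service, fe-0/0/3.0 has no interface-level list.
SAMPLE_CONFIG = """
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ntp
set security zones security-zone trust interfaces fe-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces fe-0/0/2.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces fe-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces fe-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces fe-0/0/2.0 host-inbound-traffic system-services ntp
set security zones security-zone trust interfaces fe-0/0/3.0
"""

ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
IFACE_RE = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+)"
    r"(?: host-inbound-traffic system-services (\S+))?$")


def parse_set_config(config_text):
    """Collect zone-level services per zone and interface-level services per (zone, iface)."""
    zone_svcs, iface_svcs = defaultdict(set), {}
    for line in config_text.strip().splitlines():
        if m := ZONE_RE.match(line):
            zone_svcs[m.group(1)].add(m.group(2))
        elif m := IFACE_RE.match(line):
            zone, iface, svc = m.groups()
            svcs = iface_svcs.setdefault((zone, iface), set())  # register even without services
            if svc:
                svcs.add(svc)
    return zone_svcs, iface_svcs


def audit_host_inbound(config_text):
    """Return {(zone, iface): sorted zone services the interface no longer accepts}."""
    zone_svcs, iface_svcs = parse_set_config(config_text)
    lost = {}
    for (zone, iface), svcs in iface_svcs.items():
        if not svcs or "all" in svcs:   # inherits the zone list, or accepts everything
            lost[(zone, iface)] = []
        else:                           # interface list is authoritative; zone list is ignored
            lost[(zone, iface)] = sorted(zone_svcs[zone] - svcs)
    return lost


if __name__ == "__main__":
    for (zone, iface), missing in audit_host_inbound(SAMPLE_CONFIG).items():
        print(f"{zone}/{iface}: lost {missing or 'nothing'}")
```

Running it flags fe-0/0/1.0 as having lost ping, ssh and ntp, which is exactly the trap the OP describes.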

 

Contributor
ed_gpc
Posts: 194
Registered: ‎09-21-2010
0

Re: Host inbound service DHCP...why did they do this

Host-system-services all should not be applied if you just want DHCP, but you are right: you can enable it on the zone rather than having to do it under the interface sub-level of the zone.

Contributor
twei214
Posts: 12
Registered: ‎06-07-2012
0

Re: Host inbound service DHCP...why did they do this

[ Edited ]

Yeah, you definitely don't want to enable "ALL" on host-inbound if you just want DHCP.

 

I used it as a point to illustrate that DHCP is available at the zone level if you use all, so the question is why DHCP is not a valid option when you do:

 

set security zones security-zone WHATEVER host-inbound-traffic system-services dhcp

 

everything is there BUT DHCP which seems really trivial...

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.