Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Problem with security zone host-inbound-traffic

    Posted 01-08-2009 13:50

    Hi All,

    I have a problem with the security zone host-inbound-traffic definition on a J2320 with JUNOS Software Release [9.1R1.8] (Export edition) Enhanced Services.

    I have the following security zone configuration:

    security-zone Internal {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            ge-0/0/0.199 {
                host-inbound-traffic {
                    system-services {
                        telnet;
                    }
                    protocols {
                        ospf;
                    }
                }
            }
        }
    }

    But I cannot ping the IP address on interface ge-0/0/0.199.

    When I add "ping" to system-services under interface host-inbound-traffic block, then it works...

    Any suggestions? Thanks in advance!


    Message Edited by Minotaur on 01-08-2009 01:50 PM


  • 2.  RE: Problem with security zone host-inbound-traffic

    Posted 01-09-2009 01:23

    Hello,

    This is as per design (and documentation):

    http://www.juniper.net/techpubs/software/junos-es/junos-es92/junos-es-swconfig-security/configuring-host-inbound-traffic.html

    "You can configure these parameters at the zone level, in which case they affect all interfaces of the zone, or at the interface level. (Interface configuration overrides that of the zone.)"

    If you are familiar with JUNOS policy configurations, it is the same principle: a policy configured under the neighbor stanza overrides that of the group, which overrides that of the protocol.

    HTH,

    /david 



  • 3.  RE: Problem with security zone host-inbound-traffic

    Posted 01-09-2009 01:42

    Hi,

    Yes, I've read the documentation. In my case host-inbound-traffic is configured at zone level.

    And it should affect all interfaces in the zone. But it does not. I still cannot ping the ge-0/0/0.199 interface.

    When I move host-inbound-traffic system-services ping to interface level, it works as expected.

    I cannot understand what I am doing wrong.



  • 4.  RE: Problem with security zone host-inbound-traffic
    Best Answer

    Posted 01-09-2009 02:04

    If you have no 'host-inbound-traffic' statement configured under the interface level then you are correct, the zone-level configuration should apply to all interfaces in the zone (but this was not the case in your initial configuration snippet).

    As long as you have the 'host-inbound-traffic' configured under the interface, the zone-level configuration is completely ignored for that interface. Many think that "override" means merge and the interface wins in case of "conflict" but that is not the case.

    Is this clearer? If you remove the 'host-inbound-traffic' statement from the interface, can you ping? If not, then I will try to reproduce the problem in my lab.

     

    Regards,

    /david 
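The override rule in the answer above is easy to get wrong when reviewing a zone configuration, because an interface-level host-inbound-traffic block silently discards every zone-level service for that interface (the failure mode the original poster hit). The following is an added example, not code from the thread or from Juniper: a small parser for the brace-style snippet posted in the question and a resolver that applies the documented rule (interface block replaces, never merges with, the zone block) so you can see what each interface will actually accept. The second interface, ge-0/0/0.100, is a constructed addition to show inheritance; the parser is a toy model of the config syntax, not the Junos implementation.

```python
import re
from typing import Dict, List, Set

# Tokens of a Junos brace-style configuration: braces, statement terminators
# and bare words (interface names such as ge-0/0/0.199 contain '/' and '.').
TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")


def parse_junos(text: str) -> dict:
    """Parse a curly-brace Junos snippet into nested dicts.

    A leaf statement such as 'ping;' becomes {'ping': None}; a block whose
    header has several words ('security-zone Internal { ... }') is keyed by
    the whole header joined with single spaces.
    """
    tokens = TOKEN.findall(text)
    pos = 0

    def block() -> dict:
        nonlocal pos
        node: dict = {}
        words: List[str] = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok == ";":
                node[" ".join(words)] = None
                words = []
            elif tok == "}":
                return node
            else:
                words.append(tok)
        return node

    return block()


def host_inbound(node: dict) -> Dict[str, Set[str]]:
    """Services and protocols permitted by a block's host-inbound-traffic stanza."""
    hit = node.get("host-inbound-traffic") or {}
    return {key: set(hit.get(key) or {}) for key in ("system-services", "protocols")}


def effective_host_inbound(config: dict, zone_name: str) -> Dict[str, Dict[str, Set[str]]]:
    """Per interface in the zone, what the device will accept.

    Rule from the thread: an interface with its own host-inbound-traffic block
    uses only that block (zone-level is ignored for it); an interface without
    one inherits the zone-level block.
    """
    zone = config[f"security-zone {zone_name}"]
    zone_level = host_inbound(zone)
    effective: Dict[str, Dict[str, Set[str]]] = {}
    for ifname, ifnode in (zone.get("interfaces") or {}).items():
        if "host-inbound-traffic" in (ifnode or {}):
            effective[ifname] = host_inbound(ifnode)  # override, no merge
        else:
            effective[ifname] = {k: set(v) for k, v in zone_level.items()}
    return effective


def allows_service(config: dict, zone_name: str, ifname: str, service: str) -> bool:
    """True if a system service (e.g. 'ping') is accepted on the interface."""
    return service in effective_host_inbound(config, zone_name)[ifname]["system-services"]


# The zone as posted in the question, plus a constructed second interface
# (ge-0/0/0.100) with no interface-level block, which inherits the zone's ping.
ORIGINAL_CONFIG = """
security-zone Internal {
    host-inbound-traffic {
        system-services {
            ping;
        }
    }
    interfaces {
        ge-0/0/0.199 {
            host-inbound-traffic {
                system-services {
                    telnet;
                }
                protocols {
                    ospf;
                }
            }
        }
        ge-0/0/0.100;
    }
}
"""

# The poster's working fix: ping added at the interface level as well.
CORRECTED_CONFIG = ORIGINAL_CONFIG.replace("telnet;", "ping;\n                    telnet;")

if __name__ == "__main__":
    for label, cfg in (("as posted", ORIGINAL_CONFIG), ("ping on interface", CORRECTED_CONFIG)):
        for ifname, hit in effective_host_inbound(parse_junos(cfg), "Internal").items():
            print(f"{label:18} {ifname:13} services={sorted(hit['system-services'])} "
                  f"protocols={sorted(hit['protocols'])}")
```

Running it shows ge-0/0/0.199 accepting only telnet (plus OSPF) in the posted configuration while ge-0/0/0.100 accepts ping, which is exactly the asymmetry the original poster observed; a check like allows_service is a cheap way to audit every interface of a zone before assuming the zone-level list applies.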
