topic Re: Is it possible to enable DHCP-Server on Management Interface? in General Topics

Is it possible to enable DHCP-Server on Management Interface?

KaiGrunewald — Mon, 18 Mar 2013 10:24:03 GMT

Hi, I would like to know, if there is a way to enable DHCP-Server on management interface? We are using another interface for management so we could enable DHCP-Server on the dedicated management interface. In case of need we can establish a physical connection between the management interface and a laptop.

Re: Is it possible to enable DHCP-Server on Management Interface?

reaper — Mon, 18 Mar 2013 11:05:40 GMT

A DHCP server, and other services, can only be enabled on the dataplane interfaces so the dedicated mgmt port cannot be used to run services.

regards

Tom

Re: Is it possible to enable DHCP-Server on Management Interface?

mikand — Mon, 18 Mar 2013 17:36:46 GMT

Wouldnt this be a valid workaround (sort of)?

1) Create a management profile and attach this to a dataplane interface.

2) Create a dhcp server configuration and attach this to the same dataplane interface.

3) Connect client to this specific dataplane interface.

Of course you will lose the gui in case dataplane malfunctions but you can still use the dedicated mgmt interface if this occurs (that is connect two interfaces to your mgmt-vlan).

Re: Is it possible to enable DHCP-Server on Management Interface?

scantwell — Fri, 29 Mar 2013 19:34:53 GMT

I have been pondering on this question since you wrote it. Why do you need DHCP on the management interface. What is wrong with a crossover cable with a static IP on the laptop, if you need to talk to the mgmt interface. As the other person commented, DHCP services are limited to the dataplane ports, not the mgmt plane, so you cannot set one up.

Re: Is it possible to enable DHCP-Server on Management Interface?

mikand — Fri, 29 Mar 2013 21:39:33 GMT

I guess DHCP is handy if you have more than one admin client, on the other hand using fixed ip's makes it slightly harder for an attacker (with dhcp you can just plugin any device, with fixed ip you need to know which network is being used).

Re: Is it possible to enable DHCP-Server on Management Interface?

KaiGrunewald — Tue, 02 Apr 2013 13:51:49 GMT

Hi, of course there are many ways and workarounds to handle this. The reason for my question is to make it easier for our admins to connect to the device in case of loosing any other connection. (I haven't tried so far, but I think it is possible to deny the access through policy rules??) So, if I could use DHCP on management interface I could easily plug in my notebook and get a new connection without rembering IP-settings on this interface. It is more or less playing around, we will use it without DHCP on management interface.

Re: Is it possible to enable DHCP-Server on Management Interface?

mikand — Tue, 02 Apr 2013 14:50:29 GMT

In that case I would setup static ip on the mgmt interface and connect that to your mgmt network and at the same time create a management profile which only allows ssh/https/ping and connect that to a dedicated dataplane interface (like the last one or so) along with setup a dhcp server profile which you attach to the same dedicated dataplane interface.

Dont forget to put this in its own VSYS if possible (along with its own VROUTER).

This way your technician(s) can use either the dedicated mgmt-network OR connect directly to the PA device on the last dataplane interface (or which one you choose) by DHCP.

Another method is to simply use static ip on the mgmt dataplane interface (along with VSYS and VROUTER) - this way your technician(s) knows that last interface always uses 10.0.0.1/24 (or whatever) and is for mgmt being directly attached when you have physical access to the box.

The point of VSYS/VROUTER is to isolate it as much as possible from the other dataplane interfaces.