Is it possible to enable DHCP-Server on Management Interface?


L1 Bithead

Hi, I would like to know if there is a way to enable DHCP-Server on the management interface. We are using another interface for management, so we could enable DHCP-Server on the dedicated management interface. In case of need we can establish a physical connection between the management interface and a laptop.


Cyber Elite

Hi

A DHCP server, and other services, can only be enabled on the dataplane interfaces so the dedicated mgmt port cannot be used to run services.

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Wouldn't this be a valid workaround (sort of)?

1) Create a management profile and attach this to a dataplane interface.

2) Create a DHCP server configuration and attach this to the same dataplane interface.

3) Connect the client to this specific dataplane interface.

Of course you will lose the GUI in case the dataplane malfunctions, but you can still use the dedicated mgmt interface if this occurs (that is, connect two interfaces to your mgmt-vlan).

L4 Transporter

I have been pondering this question since you wrote it. Why do you need DHCP on the management interface? What is wrong with a crossover cable with a static IP on the laptop, if you need to talk to the mgmt interface? As the other person commented, DHCP services are limited to the dataplane ports, not the mgmt plane, so you cannot set one up.

I guess DHCP is handy if you have more than one admin client; on the other hand, using fixed IPs makes it slightly harder for an attacker (with DHCP you can just plug in any device, with a fixed IP you need to know which network is being used).

L1 Bithead

Hi, of course there are many ways and workarounds to handle this. The reason for my question is to make it easier for our admins to connect to the device in case of losing any other connection. (I haven't tried so far, but I think it is possible to deny the access through policy rules?) So, if I could use DHCP on the management interface I could easily plug in my notebook and get a new connection without remembering the IP settings on this interface. It is more or less playing around; we will use it without DHCP on the management interface.

In that case I would set up a static IP on the mgmt interface and connect that to your mgmt network, and at the same time create a management profile which only allows ssh/https/ping and connect that to a dedicated dataplane interface (like the last one or so), along with setting up a DHCP server profile which you attach to the same dedicated dataplane interface.

Don't forget to put this in its own VSYS if possible (along with its own VROUTER).

This way your technician(s) can use either the dedicated mgmt-network OR connect directly to the PA device on the last dataplane interface (or whichever one you choose) by DHCP.

Another method is to simply use a static IP on the mgmt dataplane interface (along with VSYS and VROUTER) - this way your technician(s) know that the last interface always uses 10.0.0.1/24 (or whatever) and is for mgmt being directly attached when you have physical access to the box.

The point of VSYS/VROUTER is to isolate it as much as possible from the other dataplane interfaces.
