Configuring Protocols

Any host-inbound traffic that corresponds to a protocol listed under this option is allowed. For example, if you map a protocol to a port number other than the default anywhere in the configuration, you can specify the protocol in the host-inbound traffic option, and the new port number is used. Table 11 lists the supported protocols. A value of all indicates that traffic from all of the following protocols is allowed inbound on the specified interfaces (of the zone, or a single specified interface).

Table 11: Supported Inbound System Protocols

Supported System Services

all               igmp    pgm    sap
bfd               ldp     pim    vrrp
bgp               msdp    rip    nhrp
router-discovery  dvmrp   ospf   rsvp

Note: If DVMRP or PIM is enabled for an interface, IGMP and MLD host-inbound traffic is enabled automatically. Because ISIS uses OSI addressing and should not generate any IP traffic, there is no host-inbound traffic option for the ISIS protocol.

To use supported protocols for host-inbound traffic, use either J-Web or the CLI configuration editor.

J-Web Configuration

To configure the ABC zone to allow use of all the supported protocols for host-inbound traffic using the J-Web configuration editor:

  1. Select Configure>CLI Tools>Point and Click CLI.
  2. Next to Security, click Configure or Edit.
  3. Next to Zones, click Configure or Edit.
  4. Next to Security zone, click Add new entry.
  5. In the Name box, type ABC and click OK.

To configure an interface for the security zone you created, next to ABC (the security zone name), click Edit.

  1. Next to Interfaces, click Add new entry.
  2. In the Interface unit box, type ge-0/0/1.3 and click OK.
  3. Next to Host inbound traffic, click Configure or Edit.
  4. Next to System services, click Add new entry.
  5. From the Service name list, select ping and click OK.
  6. Next to System services, click Add new entry.
  7. From the Service name list, select ssh and click OK.
  8. Next to System services, click Add new entry.
  9. From the Service name list, select traceroute and click OK.
  10. Next to Protocols, click Add new entry.
  11. In the Protocol name box, type ospf and click OK.
  12. If you are finished configuring the device, commit the configuration.

CLI Configuration

In the following example, ping, ssh, traceroute, and ospf host-inbound traffic is enabled for interface ge-0/0/1.3:

user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ping
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ssh
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services traceroute
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic protocols ospf

If you are finished configuring the device, commit the configuration.

Another view of the previous configuration:

security zones security-zone ABC {
    interfaces {
        ge-0/0/1.3 {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                    traceroute;
                }
                protocols {
                    ospf;
                }
            }
        }
    }
}

For more information on host-inbound protocols configuration, see the JUNOS Software CLI Reference.
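
The following Python example is added here and is not part of the original JUNOS documentation. It parses set-format host-inbound-traffic statements, groups what each zone or interface admits, and flags the value all as well as any protocol name that is not in Table 11. The UNTRUST zone, interface ge-0/0/2.0, the function names, and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Protocol names copied from Table 11 on this page.
TABLE_11 = {"all", "igmp", "pgm", "sap", "bfd", "ldp", "pim", "vrrp", "bgp",
            "msdp", "rip", "nhrp", "router-discovery", "dvmrp", "ospf", "rsvp"}

# Matches zone-level and interface-level statements; a CLI prompt prefix is ignored.
SET_LINE = re.compile(
    r"set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifname>\S+))?"
    r" host-inbound-traffic (?P<kind>system-services|protocols) (?P<name>\S+)"
)

# Constructed sample input: the ABC lines follow this page, the UNTRUST lines are invented.
SAMPLE = """\
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ping
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic system-services ssh
user@host# set security zones security-zone ABC interfaces ge-0/0/1.3 host-inbound-traffic protocols ospf
set security zones security-zone UNTRUST host-inbound-traffic protocols all
set security zones security-zone UNTRUST interfaces ge-0/0/2.0 host-inbound-traffic protocols isis
"""

def parse_host_inbound(config_text):
    """Return {(zone, scope): {"system-services": set, "protocols": set}}."""
    allowed = defaultdict(lambda: {"system-services": set(), "protocols": set()})
    for line in config_text.splitlines():
        m = SET_LINE.search(line)
        if m:
            scope = m["ifname"] or "<zone-level>"
            allowed[(m["zone"], scope)][m["kind"]].add(m["name"])
    return dict(allowed)

def audit(allowed):
    """List (zone, scope, kind, name, reason) entries that deserve a second look."""
    findings = []
    for (zone, scope), kinds in sorted(allowed.items()):
        for kind, names in sorted(kinds.items()):
            if "all" in names:
                findings.append((zone, scope, kind, "all", "admits every listed entry"))
        for name in sorted(kinds["protocols"] - TABLE_11):
            findings.append((zone, scope, "protocols", name, "not in Table 11"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_host_inbound(SAMPLE)):
        print(*finding, sep=" | ")
```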
