Juniper SRX New DHCP Configuration for Home LAN

As I mentioned from my last post, I switched back from ASA5505 to SRX100H2. The reason I am posting this is for some reason, my SRX100 couldn’t receive a public IP address from my service provider. Somehow the newer way of configuring the SRX as a DHCP client works for my SRX to receive an IP from my ISP. At this point, I am not sure if this is a code related issue.

You must be thinking why in the world making the SRX the DHCP server is even related  to receiving public dynamic IP from an ISP. Well… The newer configuration of the SRX as a DHCP client (ISP perspective) is not compatible with the older way of DHCP server configuration — that is if your DHCP server for your LAN is the SRX– and the older way DHCP client configuration is not compatible with the newer way DHCP server configuration.

Just like I mentioned, I am only able to receive public IP from my ISP with the newer way of configuring the untrust interface as a DHCP client. Since my SRX is the DHCP server for my wired and wireless stations, I have to reconfigure my SRX’ DHCP server to get my home network functional again.

If you are using the typical DHCP client and server on your SRX, and everything works then keep it that way, but if you want to test or implement the newer way, keep reading.

Let’s start with the untrust interface. My untrust interface is fe-0/0/0 and this interface is the interface that is connected to the Internet. The typical and old way of configuring a DHCP client on the SRX interface is shown in Example 1

Example 1

set interfaces fe-0/0/0 unit 0 family inet dhcp update-server

Here is the compatible DHCP server shown in Example 2. Also, the command propagate-settings is optional. This is used if the name-server is not specified; therefore, the DHCP server will use the name server from the ISP. Otherwise, the name resolution will not work for the LAN.

Example 2

[edit system services]
   dhcp {
       pool 192.168.0.0/24 {
           address-range low 192.168.0.100 high 192.168.0.254;
           maximum-lease-time 57600;
           default-lease-time 28800;
           name-server {
             8.8.8.8;
           }
           router {
               192.168.0.1;
           }
           propagate-settings fe-0/0/0.0;
       }
       static-binding aa:bb:cc:dd:ee:ff {
           fixed-address {
              192.168.0.50;
           }
       }
   }
[edit]
root#

Also, the dhcp should be enabled under the security-zone on the interface level

Example 3

[edit]
root# show security zones security-zone trust interfaces vlan.0            
host-inbound-traffic {
   system-services {
       dhcp;
   }
}

[edit]
root#

Since both DHCP client and server are compatible with each other, the SRX will not bark at you. However, if you happened to be using the old/typical DHCP server, and you configure your DHCP client interface with the newer way, your SRX will complain that the configuration is not compatible as shown in Example 4

Example 4

[edit interfaces fe-0/0/0 unit 0]
+     family inet {
+         dhcp-client {
+             update-server;
+         }
+     }

[edit]
root# commit check
[edit interfaces fe-0/0/0 unit 0 family inet]
'dhcp-client'
   Incompatible with the dhcp server configured under 'system services dhcp'
error: configuration check-out failed: (statements constraint check failed)

[edit]
root#

Here is another error on the interface level

Example 5

root# show interfaces fe-0/0/0            
unit 0 {
   family inet {
       ##
       ## Warning: Incompatible with the dhcp server configured under 'system services dhcp'
       ##
       dhcp-client {
           update-server;
       }
   }
}

[edit]
root#

Now, why would you want to use the newer way of configuring the DHCP on your SRX box?
Well… If you decide to configure IPv6 on your SRX, then you would need to use the newer way of configuring DHCP. Also, the newer way is more modular and flexible

Unfortunately, you cannot have both configuration on the same box. Either you stay with the old/typical way of configuring DHCP or you switch to the newer way of configuring DHCP. I chose the latter.

Just a quick run down for the DHCP server, the old way is done under [edit system service dhcp]; and the newer way is done in two different locations [edit access address-assignment] and [edit system service dhcp-local-server]. Now, that you have seen how to configure the old/typical DHCP on the SRX as shown in Example 1 (DHCP client) and Example 2 (DHCP server),  we are going to configure the newer way of DHCP server and client.

To configure the newer way DHCP client, it is almost identical to the old way. However, all the old way DHCP config need to be remove first because if it is not the the system will complain again that it is not compatible with the newer config and you won’t be able to commit.

Example 6

[edit]
root# delete system services dhcp

[edit]
root# delete interfaces fe-0/0/0.0 family inet dhcp 

[edit]
root#

Once the old way configs are gone, then we can proceed. To configure the newer way DHCP client, it is very similar to the older way.

Example 7

 set interfaces fe-0/0/0.0 family inet dhcp-client update-server

To configure DHCP server, this is done under [edit access address-assignment]

Example 8

[edit]
root# show access
address-assignment {
   pool trust-POOL {
       family inet {
           network 192.168.0.0/24;
           range trust-IP-SCOPE {
               low 192.168.0.100;
               high 192.168.0.254;
           }
           dhcp-attributes {
               name-server {
                    8.8.8.8;
                    8.8.4.4;
               }
               router {
                   192.168.0.1;
               }
           }
           host PLAYSTATION4 {
               hardware-address aa:bb:cc:dd:ee:ff;
               ip-address 192.168.0.10;
            }
       }
   }
}                                      

[edit]
root#

Now the DHCP group needs to be configured

Example 9

[edit]
root# show system services dhcp-local-server 
group DHCP-GROUP {
 interface vlan.0;
}

[edit]
root#

The last piece is allowing the SRX to receive a DHCP request from the hosts. This is done in security-zone interface level as shown in Example 10

Example 10

[edit]
root# show security zones security-zone trust interfaces
vlan.0 {
   host-inbound-traffic {
       system-services {
           dhcp;
       }
   }
}

[edit]
root#

That is pretty much it. For verification, you can use the commands shown below. These commands are for the new way DHCP configs

show dhcp client binding
show dhcp client binding detail
show dhcp client statistics
show dhcp server binding
show dhcp server binding detail
show dhcp server statistics

For restating the services and renewing the DHCP client interface

request dhcp client renew interface fe-0/0/0    
restart dhcp gracefully
restart dhcp-service gracefully

 

 

I hope you will find this post helpful

Cheers!

Advertisements

About networkshinobi

This blog is about the things I learned about computers and networking to help me to remember them as I push further my studies. I created this blog to help myself to continue my education; and if you find this blog helpful for your studies, that is great. That is one of the reasons why I made this blog, to share my interest and knowledge. Also, all the entries/posts I made are based on my views, opinion and for educational purposes only. If you see some mistakes, feel free to drop some comments. I would appreciate all the helpful comments. Thanks
This entry was posted in Firewall, Juniper, Misc., Sec, Security and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s