As I mentioned in my last post, I switched back from the ASA5505 to the SRX100H2. The reason I am posting this is that, for some reason, my SRX100 couldn't receive a public IP address from my service provider. Somehow the newer way of configuring the SRX as a DHCP client works for my SRX to receive an IP from my ISP. At this point, I am not sure if this is a code-related issue.
You must be wondering why making the SRX the DHCP server has anything to do with receiving a dynamic public IP from an ISP. Well… The two DHCP configuration styles on the SRX cannot be mixed: the newer DHCP client configuration (the ISP-facing side) is not compatible with the older DHCP server configuration (if the SRX is the DHCP server for your LAN), and the older DHCP client configuration is not compatible with the newer DHCP server configuration.
Just like I mentioned, I am only able to receive a public IP from my ISP with the newer way of configuring the untrust interface as a DHCP client. Since my SRX is the DHCP server for my wired and wireless stations, I have to reconfigure my SRX's DHCP server to get my home network functional again.
If you are using the typical DHCP client and server on your SRX, and everything works then keep it that way, but if you want to test or implement the newer way, keep reading.
Let's start with the untrust interface. My untrust interface is fe-0/0/0, the interface connected to the Internet. The typical, old way of configuring a DHCP client on an SRX interface is shown in Example 1.
Example 1
set interfaces fe-0/0/0 unit 0 family inet dhcp update-server
Example 2 shows the compatible (old-style) DHCP server configuration. The propagate-settings statement is optional: it is used when no name-server is specified, so that the DHCP server hands out the name servers learned from the ISP on fe-0/0/0.0. Without a name server from either source, name resolution will not work for the LAN.
Example 2
[edit system services]
dhcp {
    pool 192.168.0.0/24 {
        address-range low 192.168.0.100 high 192.168.0.254;
        maximum-lease-time 57600;
        default-lease-time 28800;
        name-server {
            8.8.8.8;
        }
        router {
            192.168.0.1;
        }
        propagate-settings fe-0/0/0.0;
    }
    static-binding aa:bb:cc:dd:ee:ff {
        fixed-address {
            192.168.0.50;
        }
    }
}
[edit]
root#
Also, dhcp must be allowed as a host-inbound system service at the interface level of the security zone, as shown in Example 3.
Example 3
[edit]
root# show security zones security-zone trust interfaces vlan.0
host-inbound-traffic {
    system-services {
        dhcp;
    }
}
[edit]
root#
Since this DHCP client and server configuration are compatible with each other, the SRX will not bark at you. However, if you happen to be using the old/typical DHCP server and you configure your DHCP client interface the newer way, your SRX will complain that the configuration is not compatible, as shown in Example 4.
Example 4
[edit interfaces fe-0/0/0 unit 0]
+   family inet {
+       dhcp-client {
+           update-server;
+       }
+   }
[edit]
root# commit check
[edit interfaces fe-0/0/0 unit 0 family inet]
  'dhcp-client'
    Incompatible with the dhcp server configured under 'system services dhcp'
error: configuration check-out failed: (statements constraint check failed)
[edit]
root#
The same incompatibility is also flagged as a warning at the interface level, as shown in Example 5.
Example 5
root# show interfaces fe-0/0/0
unit 0 {
    family inet {
        ##
        ## Warning: Incompatible with the dhcp server configured under 'system services dhcp'
        ##
        dhcp-client {
            update-server;
        }
    }
}
[edit]
root#
Now, why would you want to use the newer way of configuring the DHCP on your SRX box?
Well… If you decide to configure IPv6 on your SRX, you will need to use the newer way of configuring DHCP. The newer way is also more modular and flexible.
Unfortunately, you cannot have both configurations on the same box. Either you stay with the old/typical way of configuring DHCP or you switch to the newer way. I chose the latter.
A quick rundown for the DHCP server: the old way is configured under [edit system services dhcp]; the newer way is configured in two different locations, [edit access address-assignment] and [edit system services dhcp-local-server]. Now that you have seen how to configure the old/typical DHCP on the SRX, as shown in Example 1 (DHCP client) and Example 2 (DHCP server), we are going to configure the DHCP server and client the newer way.
Configuring the DHCP client the newer way is almost identical to the old way. However, all of the old-way DHCP configuration must be removed first; if it is not, the system will again complain that it is not compatible with the newer configuration and you will not be able to commit.
Example 6
[edit]
root# delete system services dhcp
[edit]
root# delete interfaces fe-0/0/0.0 family inet dhcp
[edit]
root#
Once the old-way configuration is gone, we can proceed. The newer DHCP client configuration (Example 7) is very similar to the older one.
Example 7
set interfaces fe-0/0/0.0 family inet dhcp-client update-server
The DHCP server's address pool, its options, and any static host bindings are configured under [edit access address-assignment], as shown in Example 8.
Example 8
[edit]
root# show access
address-assignment {
    pool trust-POOL {
        family inet {
            network 192.168.0.0/24;
            range trust-IP-SCOPE {
                low 192.168.0.100;
                high 192.168.0.254;
            }
            dhcp-attributes {
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                }
                router {
                    192.168.0.1;
                }
            }
            host PLAYSTATION4 {
                hardware-address aa:bb:cc:dd:ee:ff;
                ip-address 192.168.0.10;
            }
        }
    }
}
[edit]
root#
Now the DHCP local-server group, which binds the server to the LAN interface, needs to be configured under [edit system services dhcp-local-server], as shown in Example 9.
Example 9
[edit]
root# show system services dhcp-local-server
group DHCP-GROUP {
    interface vlan.0;
}
[edit]
root#
The last piece is allowing the SRX to receive DHCP requests from the hosts. This is done at the interface level of the security zone, as shown in Example 10.
Example 10
[edit]
root# show security zones security-zone trust interfaces
vlan.0 {
    host-inbound-traffic {
        system-services {
            dhcp;
        }
    }
}
[edit]
root#
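As an added example (not part of the original post and not Juniper tooling), the following Python script lints a set-style Junos configuration for the two things this post runs into: legacy and newer DHCP stanzas mixed on one box, which commit check rejects as in Example 4, and a dhcp-local-server interface whose zone lacks the host-inbound-traffic dhcp permission from Example 10. The sample configurations inside it are constructed from Examples 2 and 7 to 10.

```python
"""Added example, not Juniper tooling. Lints a Junos 'set'-style config for the two
DHCP pitfalls in this post: legacy and newer DHCP stanzas mixed on one box (rejected
by 'commit check'), and a dhcp-local-server interface whose zone blocks inbound DHCP."""
import re

# Trailing (\s|$) keeps legacy 'dhcp' from matching 'dhcp-local-server'/'dhcp-client'.
LEGACY = [r"^set system services dhcp(\s|$)", r"family inet dhcp(\s|$)"]
NEWER = [r"^set system services dhcp-local-server\b",
         r"^set access address-assignment\b", r"family inet dhcp-client\b"]

def classify(lines):
    """Split set commands into (legacy, newer) DHCP statements."""
    legacy = [l for l in lines if any(re.search(p, l) for p in LEGACY)]
    newer = [l for l in lines if any(re.search(p, l) for p in NEWER)]
    return legacy, newer

def lint(config):
    """Return findings as strings; an empty list means the config is consistent."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    legacy, newer = classify(lines)
    findings = ["mixed DHCP styles: %d legacy, %d newer statement(s)"
                % (len(legacy), len(newer))] if legacy and newer else []
    served, zone_of, allowed = set(), {}, set()
    for l in lines:
        m = re.match(r"set system services dhcp-local-server group \S+ interface (\S+)", l)
        if m:
            served.add(m.group(1))
        m = re.match(r"set security zones security-zone (\S+) interfaces (\S+)(.*)", l)
        if m:  # zone membership plus optional per-interface inbound-dhcp permission
            zone_of[m.group(2)] = m.group(1)
            if re.search(r"host-inbound-traffic system-services (dhcp|all)\b", m.group(3)):
                allowed.add(m.group(2))
        m = re.match(r"set security zones security-zone (\S+) host-inbound-traffic "
                     r"system-services (dhcp|all)\b", l)
        if m:  # zone-wide permission covers every interface in that zone
            allowed.add(("zone", m.group(1)))
    for ifl in sorted(served):
        if ifl not in allowed and ("zone", zone_of.get(ifl)) not in allowed:
            findings.append("%s serves DHCP but its zone does not allow inbound dhcp" % ifl)
    return findings

# Constructed samples: Example 7's newer client over Example 2's legacy server,
# and the consistent newer configuration of Examples 7 to 10.
MIXED = """set interfaces fe-0/0/0 unit 0 family inet dhcp-client update-server
set system services dhcp pool 192.168.0.0/24 router 192.168.0.1"""
NEWER_OK = """set interfaces fe-0/0/0 unit 0 family inet dhcp-client update-server
set access address-assignment pool trust-POOL family inet network 192.168.0.0/24
set system services dhcp-local-server group DHCP-GROUP interface vlan.0
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp"""
```

Feed it the output of show configuration | display set from a box before committing; lint(MIXED) reports the mixed styles and lint(NEWER_OK) returns an empty list.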
That is pretty much it. For verification, you can use the commands shown below; these commands apply to the newer DHCP configuration.
show dhcp client binding
show dhcp client binding detail
show dhcp client statistics
show dhcp server binding
show dhcp server binding detail
show dhcp server statistics
For restarting the services and renewing the DHCP client interface:
request dhcp client renew interface fe-0/0/0
restart dhcp gracefully
restart dhcp-service gracefully
I hope you will find this post helpful.
Cheers!