SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  DHCP - need to be on fe-0/0/2 thru fe-0/0/7 how?

    Posted 06-15-2015 20:42

    SRX-100. 

    WAN is fe-0/0/0 DHCP to a cable modem, and this works fine.

    LAN is DHCP scope, on fe-0/0/1 and works fine.

     

    I want fe-0/0/2 thru 07 to also be part of the DHCP scope in the LAN side.

    Tried several options but not able to make it work.

     

    set system services web-management http interface fe-0/0/1.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface fe-0/0/1.0
    set system services web-management session idle-timeout 60
    set system services dhcp pool 192.168.202.0/24 address-range low 192.168.202.50
    set system services dhcp pool 192.168.202.0/24 address-range high 192.168.202.250
    set system services dhcp pool 192.168.202.0/24 router 192.168.202.1
    set system services dhcp propagate-settings fe-0/0/0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set system ntp server us.ntp.pool.org
    set interfaces fe-0/0/0 unit 0 family inet dhcp
    set interfaces fe-0/0/1 unit 0 family inet address 192.168.202.1/24
    set interfaces st0 unit 0 family inet address 192.168.202.251/24
    set routing-options static route 10.10.9.0/24 next-hop st0.0



  • 2.  RE: DHCP - need to be on fe-0/0/2 thru fe-0/0/7 how?
    Best Answer

     
    Posted 06-15-2015 21:39

    Hi,

    If you want to do that, you need to put all the interfaces from fe-0/0/1 through fe-0/0/7 into a VLAN and create an RVI to make it routable.

    Something like this will help you:

     

    Create a VLAN:

    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0

    You need to rename the fe-0/0/1 interface to a VLAN RVI:

    rename interfaces fe-0/0/1 to vlan

    You need to change the fe-0/0/1 ---> fe-0/0/7 interfaces to be members of vlan-trust:

    delete interfaces fe-0/0/1 (do this for all interfaces up to 7)

    set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust

     

    Add the vlan.0 interface to your security zone:

    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ssh
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services https
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dns

    set system services web-management http interface vlan.0
    set system services web-management https interface vlan.0

     

     

    Hope this helps a bit



  • 3.  RE: DHCP - need to be on fe-0/0/2 thru fe-0/0/7 how?

    Posted 06-23-2015 18:30

    MarcTBs

    Thought I had resolved the DHCP problem, and yes, your instructions worked; now ge-0/0/1 thru 0/0/15 have DHCP for the local LAN.

    A side issue is that I have now broken the connection to the WAN; I cannot ping 4.2.2.2.

     

    Please take a look, I am sure I missed something here.

     

    Thanks Tom

     

     ge-0/0/0 is WAN

     

    set version 10.2R3.10
    set system root-authentication encrypted-password "CLEANED"
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services web-management http interface vlan.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system services dhcp router 192.168.1.1
    set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
    set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
    set system services dhcp propagate-settings ge-0/0/0.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 unit 0
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/10 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/11 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/12 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/13 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/14 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces vlan unit 0 family inet address 192.168.1.1/24
    set protocols stp
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ssh
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dhcp
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services http
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services https
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ping
    set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services dns
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0

     

     

     

     



  • 4.  RE: DHCP - need to be on fe-0/0/2 thru fe-0/0/7 how?

     
    Posted 06-23-2015 21:23

    Hi,

     

     

    First, I would suggest upgrading to a more recent Junos version; you are running 10.2, which is really old.

    I see this in your config:

    set interfaces ge-0/0/0 unit 0

    You have no config on the ge-0/0/0 interface. Is your WAN interface a static interface, or do you need to use dhcp-client to get an IP from your Internet provider?

    Static config:

    set interfaces ge-0/0/0 unit 0 family inet address x.x.x.x/x

    Dynamic config:

    set interfaces ge-0/0/0 unit 0 family inet dhcp

    Static route:

    set routing-options static route 0.0.0.0/0 next-hop <gateway.ip.address>

     

    Then you should be ready
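
An added example, not part of the thread and not Juniper tooling: a small Python check for the problems visible in the configuration posted in reply 3. It flags a zone-bound interface with no address family and no default-route source (the WAN breakage diagnosed above), plus management services that are unencrypted or opened to a whole zone. The function name, check labels and sample lines are constructed for illustration.

```python
import re

# Constructed sample, condensed from the shape of the configuration in reply 3.
SAMPLE = """\
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces vlan.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
"""

IFACE = re.compile(r"set interfaces (\S+) unit (\d+)(?: family (\S+)(?: (\S+))?)?")
ZONE_IF = re.compile(r"set security zones security-zone (\S+) interfaces (\S+)")
ZONE_ALL = re.compile(r"set security zones security-zone (\S+) host-inbound-traffic system-services all$")
CLEARTEXT = re.compile(r"set system services (telnet|xnm-clear-text|web-management http)\b")


def audit(config):
    """Return sorted (check, subject) findings for a set-style Junos config."""
    addressed, zone_ifaces, findings = set(), {}, set()
    dhcp_client = default_route = False
    for line in map(str.strip, config.splitlines()):
        if m := IFACE.match(line):
            name, unit, family, arg = m.groups()
            if family:  # any family (inet, ethernet-switching) counts as configured
                addressed.add(f"{name}.{unit}")
            dhcp_client |= (family == "inet" and arg == "dhcp")
        elif m := ZONE_IF.match(line):
            zone_ifaces[m.group(2)] = m.group(1)
        elif m := ZONE_ALL.match(line):
            findings.add(("zone-allows-all-host-inbound", m.group(1)))
        elif m := CLEARTEXT.match(line):
            findings.add(("cleartext-management", m.group(1)))
        elif line.startswith("set routing-options static route 0.0.0.0/0 "):
            default_route = True
    # A zone interface with a bare "unit 0" has no address and cannot pass traffic.
    for ifl, zone in zone_ifaces.items():
        if ifl not in addressed:
            findings.add(("zone-interface-without-family", f"{ifl} ({zone})"))
    # Heuristic: a default route comes from a static route or a DHCP client lease.
    if not (dhcp_client or default_route):
        findings.add(("no-default-route-source", "routing-options"))
    return sorted(findings)
```

Running `audit(SAMPLE)` reports the bare `ge-0/0/0.0` in the untrust zone and the missing default-route source; adding `family inet dhcp` to that interface clears both, while the management-plane findings remain until those services are removed or restricted.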

     

     



  • 5.  RE: DHCP - need to be on fe-0/0/2 thru fe-0/0/7 how?

    Posted 06-24-2015 20:18

    MarcTB

     

    That is now working, it is DHCP from internet provider.

    I was almost there with the WAN dhcp setting.

     

    Much appreciated.

     

    Tom



  • 6.  RE: DHCP - need to be on fe-0/0/2 thru fe-0/0/7 how?

     
    Posted 06-24-2015 21:55

    Hi,

     

    You are welcome! Glad we could help.