SRX

  • 1.  SRX static Binding using IRB

    Posted 12-19-2016 10:13

    I have the following DHCP server setup on my IRB, which I use as my layer 3 interface. I am trying to understand how to configure a static binding with this configuration.

     

    `set system services dhcp static-binding` is not available as an option.

     

     

     }
        /* Management services. ssh v2 and HTTPS are the intended paths; `telnet`
           (cleartext) is enabled as well. telnet is not in the Internet zone's
           host-inbound-traffic list and filter protect-host has no accept term
           for it, so it only becomes reachable if that lo0 filter is relaxed —
           it can simply be deleted. */
        services {
            ssh {
                protocol-version v2;
                connection-limit 3;
            }
            /* Cleartext login service; see note above. */
            telnet;
            dhcp-local-server {
                group DHCP-Group {
                    /* DHCP server bound to the layer-3 irb.0. The pool, and any
                       static hardware-address -> ip-address host binding, live
                       under `access address-assignment`. */
                    interface irb.0;
                }
            }
            web-management {
                https {
                    /* Self-signed certificate. HTTPS is also offered on the
                       WAN-facing ge-0/0/0.0, where filter protect-host limits it
                       to the managed-ips prefix-list. */
                    system-generated-certificate;
                    interface [ ge-0/0/0.0 irb.0 ];
                }
                session {
                    idle-timeout 60;
                }
            }
        }
        /* Local logging only — no remote syslog `host` is configured in this
           stanza, and retention is three 100k archive files per log. */
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            /* Main log at notice level; authorization (login/auth) events at info. */
            file messages {
                any notice;
                authorization info;
            }
            /* Every CLI command issued on the box, in its own file. */
            file interactive-commands {
                interactive-commands any;
            }
        }
        /* Keep five saved configurations and five rollback points on flash. */
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        /* Automatic license retrieval from Juniper over HTTPS. */
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        /* Single NTP source, unauthenticated (no authentication-key is set).
           Inbound NTP to the device is limited by filter protect-host to the
           ntp-servers / router-ipv4 prefix-lists. */
        ntp {
            boot-server 64.203.255.71;
            server 64.203.255.71 prefer;
        }
    }                                       
    /* Top-level services stanza; only RPM (real-time performance monitoring)
       is enabled here, with no probes shown. */
    services {
        rpm;
    }
    security {
        /* Screen (IDS) profile. It is defined, but no security-zone in the
           visible configuration applies it with `screen untrust-screen;`, so
           these checks are not active on the Internet zone as shown. */
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            /* Outbound PAT: the whole LAN is hidden behind the WAN interface address. */
            source {
                rule-set nsw_srcnat {
                    from zone Internal;
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 192.168.0.0/24;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            /* Inbound port-forward: TCP/18004 from the Internet is sent to the
               camera system at 192.168.0.200. What gets through is then bounded
               by policy Permit-Cameras (application Camera-System only). */
            destination {
                pool Camera-System {
                    address 192.168.0.200/32;
                }
                rule-set Internet-to-Internal {
                    from zone Internet;
                    rule Camera-System {
                        match {
                            /* NOTE(review): 0.0.0.0/32 as the destination match
                               looks unusual next to the 0.0.0.0/0 "any" used in
                               the source rule; confirm it matches the
                               DHCP-assigned WAN address as intended. */
                            destination-address 0.0.0.0/32;
                            destination-port {
                                18004;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    Camera-System;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            /* LAN -> Internet: everything permitted. */
            from-zone Internal to-zone Internet {
                policy All_Internal_Internet {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            /* Internet -> LAN: only the forwarded camera port, to the private
               address-book entry Camera-System, is permitted. Everything else is
               rejected and counted; there is no `log` action, so rejected
               sessions are counted but never logged. */
            from-zone Internet to-zone Internal {
                policy Permit-Cameras {
                    match {
                        source-address any;
                        destination-address Camera-System;
                        application Camera-System;
                    }
                    then {
                        permit;
                    }
                }
                policy default-reject {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        reject;
                        count;
                    }
                }
            }
            /* Intra-zone LAN traffic: everything permitted. */
            from-zone Internal to-zone Internal {
                policy Permit-Any {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Internal {
                address-book {
                    address Camera-System 192.168.0.200/32;
                }
                interfaces {
                    irb.0 {
                        /* Every system service and protocol is accepted from the
                           LAN (telnet included); filter protect-host on lo0 is
                           then the only thing limiting what reaches the device. */
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                interfaces {
                    ge-0/0/0.0 {
                        /* WAN-facing host services. dhcp is needed for the
                           dhcp-client on ge-0/0/0. The list is broader than what
                           filter protect-host finally accepts (http and tftp have
                           no accept term there; ssh/https are limited to
                           managed-ips), so the filter is the effective control —
                           keep the two in sync. */
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                http;
                                https;
                                ssh;
                                tftp;
                                ntp;
                                traceroute;
                                dns;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        /* WAN uplink; the address is learned via DHCP, so the public address
           is not fixed. */
        ge-0/0/0 {
            description "Hargray Cable Modem";
            unit 0 {
                family inet {
                    dhcp-client;
                }
            }
        }
        /* ge-0/0/1 .. ge-0/0/5: layer-2 access ports, all in vlan1, routed via irb.0. */
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/2 {
            description "Netgear Switch";
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/4 {
            description "Apple AP";
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/5 {
            description "Dish Hopper DVR";
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        /* Layer-3 gateway for vlan1; also the interface the DHCP server listens on. */
        irb {
            unit 0 {
                family inet {
                    address 192.168.0.1/24;
                }
            }
        }
        /* Loopback carries filter protect-host as the control point for traffic
           addressed to the device itself. */
        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input protect-host;
                    }
                    address 127.0.0.1/32;
                }
            }
        }
    }
    /* Layer-2 switching mode — presumably required by the family
       ethernet-switching ports ge-0/0/1..5; confirm for the platform in use. */
    protocols {
        l2-learning {
            global-mode switching;
        }
    }
    policy-options {
        /* The device's own IPv4 addresses, derived from the interface config. */
        prefix-list router-ipv4 {
            apply-path "interfaces <*> unit <*> family inet address <*>";
        }
        /* Configured NTP servers (currently the single 64.203.255.71). */
        prefix-list ntp-servers {
            apply-path "system ntp server <*>";
        }
        /* Resolved from `system name-server`, which is not in the visible
           configuration; if none is set this list is empty and term accept-dns
           in filter protect-host matches nothing. */
        prefix-list dns-servers {
            apply-path "system name-server <*>";
        }
        /* Sources allowed to reach ssh/https on the device (see filter
           protect-host). The 192.168.0.0/24 entry admits every LAN host. */
        prefix-list managed-ips {
            64.53.59.14/32;
            64.203.245.151/32;
            192.168.0.0/24;
            204.116.21.6/32;
            216.16.216.166/32;
        }
    }
    firewall {
        /* Control-plane protection filter, applied as `input` on lo0. Terms are
           evaluated in order; anything not accepted below reaches term reject. */
        filter protect-host {
            /* Management: TCP ssh/https only from managed-ips (which includes
               the whole LAN, 192.168.0.0/24). */
            term accept-managed {
                from {
                    prefix-list {
                        managed-ips;
                    }
                    protocol tcp;
                    port [ ssh https ];
                }
                then {
                    count accept-managed;
                    accept;
                }
            }
            /* DHCP from any source — needed for both the dhcp-client on ge-0/0/0
               and the dhcp-local-server on irb.0. */
            term accept-dhcp {
                from {
                    protocol udp;
                    port dhcp;
                }
                then {
                    count accept-dhcp;
                    accept;
                }
            }
            /* NTP only involving the configured NTP servers or the device's own
               addresses (`prefix-list`, unlike the source-prefix-list used in
               accept-dns, matches either address). */
            term accept-ntp {
                from {
                    prefix-list {
                        ntp-servers;
                        router-ipv4;
                    }
                    protocol udp;
                    port ntp;
                }
                then {
                    count accept-ntp;
                    accept;
                }
            }
            /* DNS replies: UDP/53 only from the configured name-servers; TCP/53
               is not accepted. dns-servers depends on `system name-server`,
               which is not in the visible configuration. */
            term accept-dns {
                from {
                    source-prefix-list {
                        dns-servers;
                    }
                    protocol udp;
                    port 53;
                }
                then {
                    count accept-dns;
                    accept;
                }
            }
            /* All ICMP from anywhere, with no policer — consider rate-limiting. */
            term accept-ping {
                from {
                    protocol icmp;
                }
                then {
                    count accept-ping;
                    accept;
                }
            }
            /* Catch-all. `reject` answers with an ICMP unreachable; `discard`
               would drop silently. */
            term reject {
                then {
                    count default-reject;
                    reject;
                }
            }
        }
    }
    access {
        /* DHCP pool served by dhcp-local-server group DHCP-Group on irb.0. */
        address-assignment {
            pool DHCP_Pool {
                family inet {
                    network 192.168.0.0/24;
                    /* Dynamic range .10-.254. A fixed hardware-address ->
                       ip-address binding is added to this pool as
                       `host <name> { hardware-address ...; ip-address ...; }`.
                       NOTE(review): the working example in this thread keeps the
                       bound address outside the dynamic range; whether an address
                       inside the range is honoured is not established here — verify. */
                    range DHCP_Range {
                        low 192.168.0.10;
                        high 192.168.0.254;
                    }
                    dhcp-attributes {
                        name-server {
                            8.8.8.8;
                        }
                        router {
                            192.168.0.1;
                        }
                    }
                }
            }
        }
    }
    applications {
        /* Port-forwarded camera service; referenced by policy Permit-Cameras and
           matched by the destination NAT rule of the same name. */
        application Camera-System {
            term t1 protocol tcp destination-port 18004;
        }
        /* Defined but not referenced by any policy in the visible configuration. */
        application MS1 {
            term t1 protocol tcp destination-port 80;
        }
    }
    vlans {
        /* Single untagged LAN VLAN; all access ports map here and route via irb.0. */
        vlan1 {
            vlan-id none;
            l3-interface irb.0;
        }
    }



  • 2.  RE: SRX static Binding using IRB

    Posted 12-19-2016 12:02
    Tried this... still no joy. Cleared the ARP table; the host still pulled the wrong IP. Cleared the DHCP server binding for irb; it still came back and pulled the wrong IP.

    @FW1> show configuration | display set | match MS1
    set access address-assignment pool DHCP_Pool family inet host MS1 hardware-address b8:27:eb:ed:b0:37
    set access address-assignment pool DHCP_Pool family inet host MS1 ip-address 192.168.0.205

    @FW1> show arp
    MAC Address        Address        Name                       Interface           Flags
    00:01:5c:71:c6:46  64.20.130.1    64.20.130.1.dyn-e-pool3.p  ge-0/0/0.0          none
    b8:27:eb:5d:e7:c6  192.168.0.9    192.168.0.9                irb.0 [ge-0/0/5.0]  none
    00:16:a2:01:24:e6  192.168.0.10   192.168.0.10               irb.0 [ge-0/0/5.0]  none
    00:1f:5b:00:82:5b  192.168.0.11   192.168.0.11               irb.0 [ge-0/0/5.0]  none
    4c:82:cf:01:67:8a  192.168.0.12   192.168.0.12               irb.0 [ge-0/0/5.0]  none
    00:0d:c5:4d:51:b9  192.168.0.13   192.168.0.13               irb.0 [ge-0/0/5.0]  none
    18:b4:30:06:13:8f  192.168.0.14   192.168.0.14               irb.0 [ge-0/0/5.0]  none
    b8:27:eb:ed:b0:37  192.168.0.19   192.168.0.19               irb.0 [ge-0/0/5.0]  none
    00:23:63:27:b9:9b  192.168.0.200  192.168.0.200              irb.0 [ge-0/0/5.0]  none


  • 3.  RE: SRX static Binding using IRB
    Best Answer

    Posted 12-19-2016 12:34

    You configure this under `access address-assignment`. Example config:

     

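    jh@fw# show access address-assignment pool int-guest
    family inet {
        network 192.168.0.0/24;
        /* Dynamic lease range; the static host below is deliberately outside it. */
        range scope {
            low 192.168.0.30;
            high 192.168.0.99;
        }
        dhcp-attributes {
            grace-period 86400;
            name-server {
                /* terminating `;` restored — it was lost in the paste */
                8.8.8.8;
            }
            router {
                192.168.0.1;
            }
        }
        /* Static binding: this hardware address always receives this ip-address. */
        host static-host {
            hardware-address 11:11:11:11:11:11;
            ip-address 192.168.0.123;
        }
    }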



  • 4.  RE: SRX static Binding using IRB

    Posted 12-19-2016 14:14

    Worked, thank you very much!