ScreenOS Firewalls (NOT SRX)

SSG + DHCP on VLAN issues

08.26.10   |  
08-26-2010 12:42 PM

Hello all, I'm having an issue with DHCP over subinterfaces and I'm hoping someone can point out the fix.

I have three vlans created

 

set interface ethernet0/2.1 ip 10.20.2.1/24
set interface ethernet0/2.1 route
set interface ethernet0/2.2 ip 10.15.2.1/24
set interface ethernet0/2.2 route
set interface ethernet0/2.3 ip 10.10.5.1/24
set interface ethernet0/2.3 route

These are the pools:

set ippool "Data" 10.20.2.30 10.3.2.150
set ippool "Voice" 10.15.2.30 10.2.2.150
set ippool "NetOnly" 10.10.2.30 10.5.5.75

Here are their tags...

set interface "ethernet0/2.1" tag 20 zone "Trust"
set interface "ethernet0/2.2" tag 25 zone "Trust"
set interface "ethernet0/2.3" tag 30 zone "Untrust"

No device gets a DHCP lease when I plug it in, no matter what I do. I'm aware that older versions of ScreenOS didn't support DHCP servers on subinterfaces. What is wrong with my config?

myssg-> get system | in soft
Software Version: 6.3.0r4.0, Type: Firewall+VPN

Config:

unset key protection enable
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
unset alg sip enable
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "myssg"
set admin password "nAzXXXXXXXXXXpnMBsFEBEDtQqIhTn"
set admin manager-ip 172.16.32.201
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2.1" tag 20 zone "Trust"
set interface "ethernet0/2.2" tag 25 zone "Trust"
set interface "ethernet0/2.3" tag 30 zone "Untrust"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip xxx.xxx.xxx./32
set interface ethernet0/0 nat
set interface ethernet0/2.1 ip 10.20.2.1/24
set interface ethernet0/2.1 route
set interface ethernet0/2.2 ip 10.15.2.1/24
set interface ethernet0/2.2 route
set interface ethernet0/2.3 ip 10.10.5.1/24
set interface ethernet0/2.3 route
set interface ethernet0/2.1 mtu 1500
set interface ethernet0/2.2 mtu 1500
set interface ethernet0/2.3 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/2.1 ip manageable
set interface ethernet0/2.2 ip manageable
set interface ethernet0/2.3 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage snmp
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface ethernet0/0 manage mtrace
unset interface ethernet0/2.1 manage telnet
unset interface ethernet0/2.1 manage ssl
unset interface ethernet0/2.2 manage telnet
unset interface ethernet0/2.2 manage snmp
unset interface ethernet0/2.2 manage ssl
set interface ethernet0/2.3 manage ping
set interface ethernet0/2.3 manage ssh
set interface ethernet0/2.3 manage snmp
set interface ethernet0/2.3 manage web
set interface bgroup0 manage mtrace
set interface ethernet0/1 dhcp client enable
set interface ethernet0/2.1 dhcp server service
set interface ethernet0/2.2 dhcp server service
set interface ethernet0/2.3 dhcp server service
set interface ethernet0/2.1 dhcp server auto
set interface ethernet0/2.2 dhcp server auto
set interface ethernet0/2.3 dhcp server auto
set interface ethernet0/2.1 dhcp server option lease 1440000
set interface ethernet0/2.2 dhcp server option lease 1440000
set interface ethernet0/2.3 dhcp server option lease 1440000
unset interface ethernet0/2.1 dhcp server config next-server-ip
unset interface ethernet0/2.2 dhcp server config next-server-ip
unset interface ethernet0/2.2 dhcp server config updatable
unset interface ethernet0/2.3 dhcp server config next-server-ip
unset interface ethernet0/2.3 dhcp server config updatable
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname difjuncan
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set ippool "Data" 10.20.2.30 10.3.2.150
set ippool "Voice" 10.15.2.30 10.2.2.150
set ippool "NetOnly" 10.10.2.30 10.5.5.75
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "016211200900XXXX"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway xxx.xxx.xxx.xxx
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit


Re: SSG + DHCP on VLAN issues

08.30.10   |  
08-30-2010 05:35 PM

You appear to be missing the DHCP options for each of your server segments. You'll need to configure these for each server segment on its subinterface:


set interface ethernet0/2.1 dhcp server option gateway 10.20.2.1
set interface ethernet0/2.1 dhcp server option netmask 255.255.255.0
set interface ethernet0/2.1 dhcp server option domainname company.com
set interface ethernet0/2.1 dhcp server option dns1 x.x.x.x
set interface ethernet0/2.1 dhcp server option dns2 x.x.x.x

Also, the DHCP address pools are not ippools. Remove those and set these instead:

set interface ethernet0/2.1 dhcp server ip 10.20.2.30 to 10.3.2.150

I think the rest is right as it is.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home