Using a Juniper Networks NetScreen Firewall as a DHCP Server

You can determine whether a Juniper Networks NetScreen firewall running the ScreenOS operating system is functioning as a DHCP server from its command line interface by issuing the command get dhcp server:

ns5xp-> get dhcp server
trust: DHCP server is enabled

In the output above, I can see that the NetScreen firewall is serving as a DHCP server on the "trust" zone. You can see which interfaces and zones exist on the firewall by using the command get interface.

ns5xp-> get interface

A - Active, I - Inactive, U - Up, D - Down, R - Ready

Interfaces in vsys Root:
Name           IP Address         Zone        MAC            VLAN State VSD     
trust          192.168.0.1/24     Trust       0010.db0c.7dd4    -   U   -
untrust        192.168.1.2/26     Untrust     0010.db0c.7dd3    -   U   -
vlan1          0.0.0.0/0          VLAN        0010.db0c.7dde    1   D   -

You can also check the DHCP server status for a particular interface, such as the "trust" interface, by using a command such as the following one:

ns5xp-> get interface trust dhcp server
Mode:   ENABLED
State:  ON
DHCP send zero next server ip value.

There are options you can put at the end of that command to obtain additional information:

ns5xp-> get interface trust dhcp server ?
>                    redirect output
|                    match output
<return>
ip                   show all dhcp IP state
option               show all dhcp options

The ip option can be used to see what IP addresses are available from the DHCP server and which have been assigned.

ns5xp-> get interface trust dhcp server ip ?
>                    redirect output
|                    match output
<return>
allocate             show dhcp allocated IP
idle                 show dhcp idle IP

If the command get interface trust dhcp server ip is issued, the entire IP address range is listed, both available addresses and assigned ones, with the assigned addresses having a status of "COMMIT". Using get interface trust dhcp server ip allocate shows only those IP addresses that have been assigned by the DHCP server on the NetScreen firewall.

ns5xp-> get interface trust dhcp server ip allocate
       IP               State        MAC        Lease Time
 192.168.0.42           COMMIT  *008cfa71e9e4   4232 minutes

In the case above, I can see that a system with a media access control (MAC) address of 008cfa71e9e4 was assigned the IP address 192.168.0.42 and the remaining time on the lease for the IP address is about 70.5 minutes. If I issued the command again a few minutes later, I would see the lease time decremented, since the value shown is the time remaining on the lease.

I can use a MAC address lookup tool to obtain vendor information for the network interface card in the device with the MAC address of 00:8c:fa:71:e9:e4, since the first three octets or 24 bits of the MAC address identify the vendor of a network interface.
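
Before looking up the vendor, the lease table can be parsed and each MAC address checked for the locally administered bit, since such an address carries no vendor prefix. The Python below is an added example, not part of the original article; the second sample row is constructed, the 3-day lease is taken from the option output shown on this page, and the leading "*" before the MAC is skipped because the page does not say what it means.

```python
import re

# First row is the output shown above; the second row is constructed.
SAMPLE = """\
       IP               State        MAC        Lease Time
 192.168.0.42           COMMIT  *008cfa71e9e4   4232 minutes
 192.168.0.57           COMMIT  *02aabbccddee   17 minutes
"""

LEASE_MINUTES = 3 * 24 * 60  # assumption: the 3-day lease from the option output

ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<state>\S+)\s+"
    r"\*?(?P<mac>[0-9A-Fa-f]{12})\s+(?P<left>\d+)\s+minutes\s*$"
)

def parse_leases(text):
    """Return one dict per lease row; header and prompt lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        raw = m["mac"].lower()
        octets = [raw[i:i + 2] for i in range(0, 12, 2)]
        left = int(m["left"])
        leases.append({
            "ip": m["ip"],
            "state": m["state"],
            "mac": ":".join(octets),
            # The first three octets are the vendor prefix to look up.
            "oui": ":".join(octets[:3]),
            # Bit 0x02 of the first octet marks a locally administered
            # address, for which a vendor lookup tells you nothing.
            "local_admin": bool(int(octets[0], 16) & 0x02),
            "minutes_left": left,
            # Minutes since the lease was granted or last renewed.
            "minutes_since_grant": LEASE_MINUTES - left,
        })
    return leases

if __name__ == "__main__":
    for lease in parse_leases(SAMPLE):
        print(lease)
```
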

I can see the lease time used by the DHCP server, the DNS server addresses, gateway address, etc. that it will assign by using the command get interface trust dhcp server option.

ns5xp-> get interface trust dhcp server option
DHCP Server Options:
        Lease:          3 days 0 hours 0 minutes
        IP Range:       192.168.0.33 - 192.168.0.126
        Netmask:        255.255.255.0
        Gateway:        192.168.0.1
        Domain Name:
        DNS:            192.168.0.27    208.67.222.222  0.0.0.0
        WINS:           0.0.0.0         0.0.0.0
        SMTP:           0.0.0.0
        POP3:           0.0.0.0
        NEWS:           0.0.0.0
        NetInfo:        0.0.0.0         0.0.0.0
ns5xp->

I can use a set interface trust dhcp server command to disable the DHCP server on the NetScreen firewall or change options.

ns5xp-> set interface trust dhcp server ?
auto                 enable DHCP server in 'auto probing' mode
disable              disable DHCP server
enable               enable DHCP server
ip                   IP(s)
option               dhcp options
service              enable DHCP server

I can change the value for an option by using the set interface trust dhcp server option command.

ns5xp-> set interface trust dhcp server option ?
dns1                 dns
dns2                 dns
dns3                 dns
domainname           domain name
gateway              client gateway
lease                lease
netmask              netmask
news                 news
nis1                 net info server
nis2                 net info server
nistag               net info tag
pop3                 pop3
smtp                 smtp
wins1                wins
wins2                wins

If I wanted to change the IP address for the first DNS server assigned by DHCP, I could use the command:

ns5xp-> set interface trust dhcp server option dns1 192.168.0.15
ns5xp->

If I wanted the systems that had received the DHCP configuration information from the NetScreen firewall to use the new DNS server setting rather than the old one, I would need to issue a command at each system to renew its DHCP information. On a Microsoft Windows system, I could issue the command ipconfig /renew to have the system query the DHCP server immediately for new configuration information.
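
After a change like this, it is worth confirming which resolvers the firewall is actually handing out and how long clients may keep the old ones. The Python below is an added example, not part of the original article: it parses the option output shown earlier (captured before dns1 was changed) and compares it with an assumed approved list. APPROVED_DNS and the function names are hypothetical, and 0.0.0.0 is treated as an unset slot.

```python
import re

# The option output shown on this page, taken before dns1 was changed.
OPTION_OUTPUT = """\
DHCP Server Options:
        Lease:          3 days 0 hours 0 minutes
        IP Range:       192.168.0.33 - 192.168.0.126
        Netmask:        255.255.255.0
        Gateway:        192.168.0.1
        Domain Name:
        DNS:            192.168.0.27    208.67.222.222  0.0.0.0
        WINS:           0.0.0.0         0.0.0.0
"""

# Assumption: the resolvers clients should receive (new dns1, existing dns2).
APPROVED_DNS = {"192.168.0.15", "208.67.222.222"}

def parse_options(text):
    """Map each 'Name: value' line of the option output to its value."""
    opts = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name != "DHCP Server Options":
            opts[name] = value.strip()
    return opts

def unapproved_dns(opts, approved=APPROVED_DNS):
    """Resolvers being handed out that are not on the approved list."""
    servers = [s for s in opts.get("DNS", "").split() if s != "0.0.0.0"]
    return [s for s in servers if s not in approved]

def lease_minutes(opts):
    """Convert the 'N days N hours N minutes' lease string to minutes."""
    m = re.match(r"(\d+) days (\d+) hours (\d+) minutes", opts["Lease"])
    days, hours, minutes = map(int, m.groups())
    return (days * 24 + hours) * 60 + minutes

def renewal_minutes(opts):
    """RFC 2131 default T1: a client first tries to renew at half the lease,
    so without a manual renew it can keep old settings for about this long."""
    return lease_minutes(opts) // 2

if __name__ == "__main__":
    opts = parse_options(OPTION_OUTPUT)
    print("unapproved resolvers:", unapproved_dns(opts))
    print("minutes until default renewal:", renewal_minutes(opts))
```
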

 


Created: Sunday January 11, 2015