DHCP for Logical Systems
Understanding DHCP Support for Logical Systems
Starting in Junos OS Release 18.4R1, a logical system supports the DHCP client feature to learn IP addresses for interfaces assigned to the logical systems. Additionally, starting in Junos OS Release 18.4R1, logical systems support the DHCP relay feature. A DHCP relay agent forwards DHCP requests and responses between the DHCP client and the DHCP server.
A DHCP server allocates IP addresses and provides IP configuration settings such as the DNS server and default gateway to client hosts on a subnet served by an interface of a logical system. DHCP allows network administrators to centrally manage a pool of IP addresses among hosts and automate the assignment of IP addresses in a network within a logical system. An IP address is leased to a host for a limited time period, allowing the DHCP server to share a limited number of IP addresses among a group of hosts that do not require permanent IP addresses.
An interface of an SRX Series Firewall operating as a DHCP client receives the TCP or IP settings and the IP address from an external DHCP server.
An SRX Series Firewall operating as a DHCP relay agent for logical systems forwards incoming requests from the DHCP clients to a specified DHCP server. The client requests pass through interfaces on the logical systems.
Minimum DHCPv6 Relay Agent Configuration for Logical Systems
The following example describes the minimum configuration required to configure an SRX Series Firewall as a DHCPv6 relay agent for the logical system.
Before you begin, determine the following:
The DHCPv6 relay group and the DHCP active server-group for logical system.
To configure the DHCP relay agent in a routing instance for the logical system, configure the dhcp-relay statement at the [edit logical-systems LSYS1 routing-instances R1] hierarchy level.
Example: Configuring the DHCPv6 Client for Logical Systems
This example shows how to configure an SRX Series Firewall as a DHCPv6 client for the logical systems.
Requirements
This example uses the following hardware and software components:
An SRX Series Firewall
Junos OS Release 18.4R1
Before you begin:
Read Understanding DHCP Support for Logical Systems to understand how and where this procedure fits in the overall support for DHCP.
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, the primary administrator configures an SRX Series Firewall as a DHCPv6 client for a logical system.
The DHCPv6 client for a logical system includes the following features:
Identity association for non-temporary addresses (IA_NA)
Identity association for prefix delegation (IA_PD)
Autoconfig or stateful mode
DHCP unique identifier (DUID)
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set logical-systems LSYS1 security zones security-zone trust host-inbound-traffic system-services all
set logical-systems LSYS1 security zones security-zone trust host-inbound-traffic protocols all
set logical-systems LSYS1 security zones security-zone trust interfaces ge-0/0/0.0
set logical-systems LSYS1 routing-instances r1 instance-type virtual-router
set logical-systems LSYS1 routing-instances r1 interface ge-0/0/0.0
set logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-type autoconfig
set logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-type stateful
set logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-na
set logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-pd
set logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll
set logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client req-option dns-server
set protocols router-advertisement interface ge-0/0/0.0
Configuring DHCPv6 Client in a Logical System
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
Configure the security zones to permit traffic for a logical system.
[edit logical-systems LSYS1 security zones]
user@host# set security-zone trust host-inbound-traffic system-services all
user@host# set security-zone trust host-inbound-traffic protocols all
user@host# set security-zone trust interfaces ge-0/0/0.0
Create a routing instance and assign the routing instance type for a logical system.
[edit logical-systems LSYS1]
user@host# set routing-instances r1 instance-type virtual-router
Specify the interface name for the routing instance.
[edit logical-systems LSYS1]
user@host# set routing-instances r1 interface ge-0/0/0.0
Configure the DHCPv6 client type. The client type can be autoconfig or stateful for the logical system.
To enable the DHCPv6 auto configuration mode, configure the client type as autoconfig.
[edit logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type autoconfig
For stateful address assignment, configure the client type as stateful.
[edit logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type stateful
Specify the identity association type.
To configure identity association for nontemporary address (IA_NA) assignment, specify the client-ia-type as ia-na.
[edit logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-na
To configure identity association for prefix delegation (IA_PD), specify the client-ia-type as ia-pd.
[edit logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-pd
Configure the DHCPv6 client identifier by specifying the DHCP unique identifier (DUID) type for the logical system. The following DUID type is supported:
Link layer address (duid-ll)
[edit logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-identifier duid-type duid-ll
Specify the DHCPv6 client requested option as dns-server for the logical system.
[edit logical-systems LSYS1 interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set req-option dns-server
Configure the router advertisement.
[edit]
user@host# set protocols router-advertisement interface ge-0/0/0.0
Results
From configuration mode, confirm your configuration by entering the show logical-systems LSYS1 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show logical-systems LSYS1
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet6 {
                dhcpv6-client {
                    client-type stateful;
                    client-ia-type ia-na;
                    client-ia-type ia-pd;
                    client-identifier duid-type duid-ll;
                    req-option dns-server;
                }
            }
        }
    }
}
routing-instances {
    r1 {
        instance-type virtual-router;
        interface ge-0/0/0.0;
    }
}
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
From configuration mode, confirm your configuration by entering the show protocols command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show protocols
router-advertisement {
    interface ge-0/0/0.0;
}
If you are done configuring the device, enter commit from configuration mode.
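The trust zone in this example accepts every system service and protocol on its interfaces (host-inbound-traffic set to all). The following check is an added example, not part of the original Juniper documentation: it scans set-style configuration for such entries per logical system and lists the interfaces they expose. The LSYS2 line, the choice of dhcpv6 as the single permitted service, and the names CONFIG, ZONE and audit are assumptions made for illustration.

```python
import re

# Constructed input: the zone lines from the quick configuration above, plus a
# hypothetical LSYS2 that names one service (dhcpv6, an assumed choice).
CONFIG = """\
set logical-systems LSYS1 security zones security-zone trust host-inbound-traffic system-services all
set logical-systems LSYS1 security zones security-zone trust host-inbound-traffic protocols all
set logical-systems LSYS1 security zones security-zone trust interfaces ge-0/0/0.0
set logical-systems LSYS2 security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcpv6
"""

# Matches zone-level and interface-level host-inbound-traffic statements,
# inside a logical system or at the root of the configuration.
ZONE = re.compile(
    r"^set (?:logical-systems (?P<lsys>\S+) )?security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifl>\S+))?"
    r"(?: host-inbound-traffic (?P<kind>system-services|protocols) (?P<value>\S+))?$"
)


def audit(config):
    """Return (logical system, zone, kind, exposed interfaces) per 'all' entry."""
    members, hits = {}, []
    for line in config.splitlines():
        m = ZONE.match(line.strip())
        if not m:
            continue
        key = (m["lsys"] or "root", m["zone"])
        ifaces = members.setdefault(key, set())
        if m["ifl"]:
            ifaces.add(m["ifl"])
        if m["value"] == "all":
            # Interface-level entries expose one interface; zone-level
            # entries expose every interface that belongs to the zone.
            hits.append((key, m["kind"], m["ifl"]))
    # Resolve zone membership last: interface lines may follow the 'all' lines.
    return [
        (lsys, zone, kind, [ifl] if ifl else sorted(members[(lsys, zone)]))
        for (lsys, zone), kind, ifl in hits
    ]
```
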
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying the DHCPv6 Client for Logical Systems
- Verifying the DHCPv6 Client Binding for Logical Systems
- Verifying the DHCPv6 Client Statistics for Logical Systems
Verifying the DHCPv6 Client for Logical Systems
Purpose
Verify that the DHCPv6 client information is configured.
Action
From the operational mode, enter the show dhcpv6 client binding logical-systems LSYS1 command.
user@host> show dhcpv6 client binding logical-systems LSYS1
IP/prefix       Expires  State  ClientType  Interface   Client DUID
2000::17/128    67762    BOUND  STATEFUL    ge-0/0/6.0  LL0x3-10:0e:7e:49:25:86
2000:100::/64   67762    BOUND  STATEFUL    ge-0/0/6.0  LL0x3-10:0e:7e:49:25:86
Meaning
The output displays the address binding information for the logical system.
Verifying the DHCPv6 Client Binding for Logical Systems
Purpose
Verify that the DHCPv6 client binding information is configured.
Action
From the operational mode, enter the show dhcpv6 client binding detail logical-systems LSYS1 command.
user@host> show dhcpv6 client binding detail logical-systems LSYS1
Client Interface/Id: ge-0/0/6.0
    Hardware Address:        10:0e:7e:49:25:86
    State:                   BOUND(DHCPV6_CLIENT_STATE_BOUND)
    ClientType:              STATEFUL
    Lease Expires:           2018-11-09 07:11:47 UTC
    Lease Expires in:        67760 seconds
    Lease Start:             2018-11-08 07:11:47 UTC
    Bind Type:               IA_NA IA_PD
    Preferred prefix length  0
    Sub prefix length        0
    Client DUID:             LL0x3-10:0e:7e:49:25:86
    Rapid Commit:            Off
    Server Identifier:       fe80::46f4:77ff:fed6:670a
    Client IP Address:       2000::17/128
    Client IP Prefix:        2000:100::/64
DHCP options:
    Name: server-identifier, Value: VENDOR0x00000583-0x34343a34
Meaning
The output displays the detailed client binding information for the logical system.
Verifying the DHCPv6 Client Statistics for Logical Systems
Purpose
Verify that the DHCPv6 client statistics information is configured.
Action
From the operational mode, enter the show dhcpv6 client statistics logical-systems LSYS1 command.
user@host> show dhcpv6 client statistics logical-systems LSYS1
Dhcpv6 Packets dropped:
    Total                      3
    Bad Send                   3
Messages received:
    DHCPV6_ADVERTISE           1
    DHCPV6_REPLY               1
    DHCPV6_RECONFIGURE         0
Messages sent:
    DHCPV6_DECLINE             0
    DHCPV6_SOLICIT             1
    DHCPV6_INFORMATION_REQUEST 0
    DHCPV6_RELEASE             0
    DHCPV6_REQUEST             1
    DHCPV6_CONFIRM             0
    DHCPV6_RENEW               0
    DHCPV6_REBIND              0
Meaning
The output displays the information about the number of packets discarded, the number of messages received and the number of messages sent by the DHCP client for the logical system.
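The counters in this output can be checked mechanically. The following parser is an added example, not part of the original Juniper documentation: it reads the statistics text from the step above and reports drops, a missing Request/Reply pair, server-initiated Reconfigure messages, and more Advertise messages received than Solicit messages sent (a sign that more than one DHCPv6 server answered). The names PAGE_OUTPUT, parse_stats and review are hypothetical.

```python
# Output copied from the verification step above (line layout reconstructed).
PAGE_OUTPUT = """\
Dhcpv6 Packets dropped:
    Total                      3
    Bad Send                   3
Messages received:
    DHCPV6_ADVERTISE           1
    DHCPV6_REPLY               1
    DHCPV6_RECONFIGURE         0
Messages sent:
    DHCPV6_DECLINE             0
    DHCPV6_SOLICIT             1
    DHCPV6_INFORMATION_REQUEST 0
    DHCPV6_RELEASE             0
    DHCPV6_REQUEST             1
    DHCPV6_CONFIRM             0
    DHCPV6_RENEW               0
    DHCPV6_REBIND              0
"""


def parse_stats(text):
    """Return {section: {counter: int}} from the CLI statistics output."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            # A line ending in a colon starts a new counter section.
            section = stats.setdefault(line[:-1], {})
        elif section is not None:
            name, _, count = line.rpartition(" ")
            if count.isdigit():
                section[name.strip()] = int(count)
    return stats


def review(stats):
    """Return a list of findings that deserve a second look."""
    rx = stats.get("Messages received", {})
    tx = stats.get("Messages sent", {})
    dropped = stats.get("Dhcpv6 Packets dropped", {})
    findings = []
    if dropped.get("Total", 0):
        findings.append(f"dropped: {dropped}")
    if rx.get("DHCPV6_ADVERTISE", 0) > tx.get("DHCPV6_SOLICIT", 0):
        findings.append("more Advertise than Solicit: several servers answered")
    if rx.get("DHCPV6_RECONFIGURE", 0):
        findings.append("server-initiated Reconfigure received")
    if not (tx.get("DHCPV6_REQUEST", 0) and rx.get("DHCPV6_REPLY", 0)):
        findings.append("no Request/Reply pair: lease not confirmed")
    return findings
```
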
Example: Configuring the DHCPv6 Server Options for Logical Systems
This example shows how to configure DHCPv6 server options on SRX Series Firewalls for the logical system.
Requirements
This example uses the following hardware and software components:
An SRX Series Firewall
Junos OS Release 18.4R1
Before you begin, determine the following:
The IPv6 address pool range and the IPv6 prefix for logical systems.
Overview
In this example, you set a default client limit of 200 for all DHCPv6 groups. You then create a group called my-group that contains at least one interface. In this case, the interface is ge-0/0/2.0. You set a range of interfaces using the upto command and set a custom client limit of 200 for group my-group that overrides the default limit. Finally, you configure interface ge-0/0/2.0 with IPv6 address 2001:db8::1/64 and set router advertisement for interface ge-0/0/2.0.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set logical-systems LSYS1 system services dhcp-local-server dhcpv6 group my-group overrides interface-client-limit 200
set logical-systems LSYS1 system services dhcp-local-server dhcpv6 group my-group interface ge-0/0/2.0
set logical-systems LSYS1 interfaces ge-0/0/2 unit 0 family inet6 address 2001:db8::1/64
set logical-systems LSYS1 access address-assignment pool my-pool family inet6 prefix 2001:db8::1/64
set logical-systems LSYS1 access address-assignment pool my-pool family inet6 range r1 low 2001:db8::1/64
set logical-systems LSYS1 access address-assignment pool my-pool family inet6 range r1 high 2001:db8::1/64
set logical-systems LSYS1 access address-assignment pool my-pool family inet6 dhcp-attributes maximum-lease-time 200
set logical-systems LSYS1 access address-assignment pool my-pool family inet6 dhcp-attributes option 21 string sip1.net
set logical-systems LSYS1 protocols router-advertisement interface ge-0/0/2.0 prefix 2001:db8::1/64
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure the DHCPv6 server options for logical systems:
Configure a DHCP local server.
[edit logical-systems LSYS1]
user@host# set system services dhcp-local-server dhcpv6
Set a default limit for all DHCPv6 groups.
[edit logical-systems LSYS1 system services dhcp-local-server dhcpv6]
user@host# set group my-group overrides interface-client-limit 200
Specify a group name and interface.
[edit logical-systems LSYS1 system services dhcp-local-server dhcpv6]
user@host# set group my-group interface ge-0/0/2.0
Configure an interface with an IPv6 address.
[edit logical-systems LSYS1 interfaces]
user@host# set ge-0/0/2 unit 0 family inet6 address 2001:db8::1/64
Configure an address-pool and specify the IPv6 family.
[edit logical-systems LSYS1 access]
user@host# set address-assignment pool my-pool family inet6 prefix 2001:db8::1/64
Configure the IPv6 prefix, the range name, and the IPv6 range for the DHCPv6 clients.
[edit logical-systems LSYS1 access]
user@host# set address-assignment pool my-pool family inet6 range r1 low 2001:db8::1/64
user@host# set address-assignment pool my-pool family inet6 range r1 high 2001:db8::1/64
Configure the DHCPv6 attribute for the maximum lease time.
[edit logical-systems LSYS1 access]
user@host# set address-assignment pool my-pool family inet6 dhcp-attributes maximum-lease-time 200
Configure the user-defined option.
[edit logical-systems LSYS1 access]
user@host# set address-assignment pool my-pool family inet6 dhcp-attributes option 21 string sip1.net
Configure the router advertisement for the interface.
[edit logical-systems LSYS1 protocols]
user@host# set router-advertisement interface ge-0/0/2.0 prefix 2001:db8::1/64
Results
From configuration mode, confirm your configuration by entering the show logical-systems LSYS1 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show logical-systems LSYS1
interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet6 {
                address 2001:db8::1/64;
            }
        }
    }
}
protocols {
    router-advertisement {
        interface ge-0/0/2.0 {
            prefix 2001:db8::1/64;
        }
    }
}
system {
    services {
        dhcp-local-server {
            dhcpv6 {
                group my-group {
                    overrides {
                        interface-client-limit 200;
                    }
                    interface ge-0/0/2.0;
                }
            }
        }
    }
}
access {
    address-assignment {
        pool my-pool {
            family inet6 {
                prefix 2001:db8::1/64;
                range r1 {
                    low 2001:db8::1/64;
                    high 2001:db8::1/64;
                }
                dhcp-attributes {
                    maximum-lease-time 200;
                    option 21 string sip1.net;
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the DHCPv6 Local Server Configuration
Purpose
Display the address bindings in the client table on the extended DHCPv6 local server.
Action
From operational mode, enter the show dhcpv6 server binding summary command to display the address bindings in the client table on the DHCPv6 local server.
user@host> show dhcpv6 server binding summary
5 clients, (0 init, 5 bound, 0 selecting, 0 requesting, 0 renewing, 0 releasing)
Meaning
The output displays the information about the DHCPv6 local server address binding summary.