The NetScreen-5/5XP/25/50/100/204/208 support DHCP relay agent, which receives DHCP information from a DHCP server and relays that information to hosts on the trusted network.

Example:

PC ---NS-5XP_A(DHCP relay)------INTERNET------NS-5XP_B---DHCP server

• PC: DHCP enabled
• NS-5XP_A(DHCP relay)

Trust IP address: 20.1.1.1/24
Untrust IP address: 1.1.1.1/24
Untrust Gateway: 1.1.1.2

• NS-5XP_B

Trust IP address: 30.1.1.1/24
Untrust IP address: 1.1.1.2/24
Untrust Gateway: 1.1.1.1

• DHCP server: 30.1.1.2/24

IP range: 20.1.1.10 ~ 20.1.1.254
subnet mask: 255.255.255.0
Router(default gateway): 20.1.1.1
DNS: 164.124.101.2
Domain: YourDomain.com

Step 1) Make sure that Site-to-Site VPN works fine.

Step 2) Enable DHCP relay and configure DHCP relay options on NS-5XP_A

On the CLI:

set dhcp relay service (enable DHCP relay)
set dhcp relay server-name "30.1.1.2"

ns5xp-> get dhcp relay
DHCP relay agent is enabled
DHCP Server is: "30.1.1.2"
VPN encryption is disabled

On the WebUI:

Configure > DHCP tab > DHCP Relay Agent > Put DHCP server IP address (30.1.1.2)

Step 3) Enable DHCP relay debug

On the CLI:

debug dhcp relay 1

Step 4) Verify the contents of debug buffer

On the CLI:

ns5xp-> get dbuf stream
##2002-03-06 19:30:45 system-debugging: DHCP: read unrecognized option 251
##2002-03-06 19:30:45 system-debugging: (length 1)
##2002-03-06 19:30:45 system-debugging: DHCP: received discover msg from MAC 0004
e22ed291: request IP 0.0.0.0
##2002-03-06 19:30:45 system-debugging: Unbale to relay DHCP message: Set trust
interface to route mode

NOTE: To make DHCP relay through VPN, please use  "Use Trust Interface as Source IP for VPN" option.

Step 5) To enable "Use Trust Interface as Source IP for VPN" option

On the CLI:

set dhcp relay vpn

ns5xp-> get dhcp relay
DHCP relay agent is enabled
DHCP Server is: "30.1.1.2"
VPN encryption is enabled

On the WebUI:

Configure > DHCP tab > DHCP Relay Agent > check "Use Trust Interface as Source IP for VPN"

Step 6) After that, verify the contents of debug buffer

ns5xp-> get db str
##2002-03-06 20:05:58 system-debugging: DHCP: read unrecognized option 251
##2002-03-06 20:05:58 system-debugging: (length 1)
##2002-03-06 20:05:58 system-debugging: DHCP: received discover msg from MAC 0004e22ed291: request IP 0.0.0.0
##2002-03-06 20:05:58 system-debugging: Send request to 30.1.1.2 by DHCP relay (VPN enable)
##2002-03-06 20:05:58 system-debugging: Receive response for DHCP relay
##2002-03-06 20:05:58 system-debugging: Relay response to DHCP client: 20.1.1.10 (0004e22ed291)

Step 7) Unset DHCP relay debug

On the CLI:

debug dhcp relay 0

NOTE: Currently "undebug dhcp relay 1" is NOT working, use "debug dhcp relay 0" to disable DHCP relay debug.

Step 8) Check IP configuration on PC

On the command prompt, type ipconfig /all

Ethernet adapter SMC:

Connection-specific DNS Suffix  . : YourDomain.com
Description . . . . . . . . . . . : SMC EZ CardBus-
Physical Address. . . . . . . . . : 00-04-E2-2E-D2-
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 20.1.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 20.1.1.1
DHCP Server . . . . . . . . . . . : 30.1.1.2
DNS Servers . . . . . . . . . . . : 164.124.101.2

• KB7120 - How do I set up a DHCP relay through a VPN?


• KB3390 - Can a NetScreen firewall be used as a DHCP server in a DHCP relay environment?


• KB19962 - ScreenOS DHCP Server not responding to DHCP request sent by a DHCP Relay Agent