Configure an Interface as a DHCP Server
The prerequisites for this task are:
- Configure a Layer 3 Ethernet or Layer 3 VLAN interface.
- Assign the interface to a virtual router and a zone.
- Determine a valid pool of IP addresses from your network plan that you can designate to be assigned by your DHCP server to clients.
- Collect the DHCP options, values, and Vendor Class Identifiers you plan to configure.
Capacities are as follows:
- For firewall models other than PA-5200 Series and PA-7000 Series firewalls, see the Product Selection tool.
- On PA-5220 firewalls, you can configure a maximum of 500 DHCP servers and a maximum of 2,048 DHCP relay agents minus the number of DHCP servers configured. For example, if you configure 500 DHCP servers, you can configure 1,548 DHCP relay agents.
- On PA-5250, PA-5260, and PA-7000 Series firewalls, you can configure a maximum of 500 DHCP servers, and a maximum of 4,096 DHCP relay agents minus the number of DHCP servers configured. For example, if you configure 500 DHCP servers, you can configure 3,596 DHCP relay agents.
Perform the following task to configure an interface on the firewall to act as a DHCP server.
- Select an interface to be a DHCP Server.
  - Select Network > DHCP > DHCP Server and Add an Interface name or select one.
  - For Mode, select enabled or auto mode. Auto mode enables the server and disables it if another DHCP server is detected on the network. The disabled setting disables the server.
  - (Optional) Select Ping IP when allocating new IP if you want the server to ping the IP address before it assigns that address to its client.
    If the ping receives a response, that means a different device already has that address, so it is not available. The server assigns the next address from the pool instead. This behavior is similar to Optimistic Duplicate Address Detection (DAD) for IPv6, RFC 4429.
    After you set options and return to the DHCP server tab, the Probe IP column for the interface indicates if Ping IP when allocating new IP was selected.
- Configure the predefined DHCP Options that the server sends to its clients.
  - In the Options section, select a Lease type:
    - Unlimited causes the server to dynamically choose IP addresses from the IP Pools and assign them permanently to clients.
    - Timeout determines how long the lease will last. Enter the number of Days and Hours, and optionally the number of Minutes.
  - Inheritance Source—Leave None or select a source DHCP client interface or PPPoE client interface to propagate various server settings into the DHCP server. If you specify an Inheritance Source, select one or more options below that you want inherited from this source.
    Specifying an inheritance source allows the firewall to quickly add DHCP options from the upstream server received by the DHCP client. It also keeps the client options updated if the source changes an option. For example, if the source replaces its NTP server (which had been identified as the Primary NTP server), the client will automatically inherit the new address as its Primary NTP server.
    When inheriting DHCP option(s) that contain multiple IP addresses, the firewall uses only the first IP address contained in the option to conserve cache memory. If you require multiple IP addresses for a single option, configure the DHCP options directly on that firewall rather than configure inheritance.
  - Check inheritance source status—If you selected an Inheritance Source, clicking this link opens the Dynamic IP Interface Status window, which displays the options that were inherited from the DHCP client.
  - Gateway—IP address of the network gateway (an interface on the firewall) that is used to reach any device not on the same LAN as this DHCP server.
  - Subnet Mask—Network mask used with the addresses in the IP Pools.
  For the following fields, click the down arrow and select None, or inherited, or enter a remote server’s IP address that your DHCP server will send to clients for accessing that service. If you select inherited, the DHCP server inherits the values from the source DHCP client specified as the Inheritance Source.
  - Primary DNS, Secondary DNS—IP address of the preferred and alternate Domain Name System (DNS) servers.
  - Primary WINS, Secondary WINS—IP address of the preferred and alternate Windows Internet Naming Service (WINS) servers.
  - Primary NIS, Secondary NIS—IP address of the preferred and alternate Network Information Service (NIS) servers.
  - Primary NTP, Secondary NTP—IP address of the available Network Time Protocol servers.
  - POP3 Server—IP address of Post Office Protocol (POP3) server.
  - SMTP Server—IP address of a Simple Mail Transfer Protocol (SMTP) server.
  - DNS Suffix—Suffix for the client to use locally when an unqualified hostname is entered that it cannot resolve.
- (Optional) Configure a vendor-specific or custom DHCP option that the DHCP server sends to its clients.
  - In the Custom DHCP Options section, Add a descriptive Name to identify the DHCP option.
  - Enter the Option Code you want to configure the server to offer (range is 1-254). (See RFC 2132 for option codes.)
  - If the Option Code is 43, the Vendor Class Identifier field appears. Enter a VCI, which is a string or hexadecimal value (with 0x prefix) used as a match against a value that comes from the client Request containing option 60. The server looks up the incoming VCI in its table, finds it, and returns Option 43 and the corresponding option value.
  - Inherit from DHCP server inheritance source—Select it only if you specified an Inheritance Source for the DHCP Server predefined options and you want the vendor-specific and custom options also to be inherited from this source.
  - Check inheritance source status—If you selected an Inheritance Source, clicking this link opens Dynamic IP Interface Status, which displays the options that were inherited from the DHCP client.
  - If you did not select Inherit from DHCP server inheritance source, select an Option Type: IP Address, ASCII, or Hexadecimal. Hexadecimal values must start with the 0x prefix.
  - Enter the Option Value you want the DHCP server to offer for that Option Code. You can enter multiple values on separate lines.
  - Click OK.
- (Optional) Add another vendor-specific or custom DHCP option.
  - Repeat the prior step to enter another custom DHCP Option.
    - You can enter multiple option values for an Option Code with the same Option Name, but all values for an Option Code must be the same type (IP Address, ASCII, or Hexadecimal). If one type is inherited or entered and a different type is entered for the same Option Code and the same Option Name, the second type will overwrite the first type.
      When entering multiple values for an option, enter the values in the order of preference, or else move the Custom DHCP Options to achieve the preferred order in the list. Select an option and click Move Up or Move Down.
    - You can enter an Option Code more than once by using a different Option Name. In this case, the Option Type for the Option Code can differ among the multiple option names.
  - Click OK.
- Identify the stateful pool of IP addresses from which the DHCP server chooses an address and assigns it to a DHCP client.
  If you are not the network administrator for your network, ask the network administrator for a valid pool of IP addresses from the network plan that can be designated to be assigned by your DHCP server.
  - In the IP Pools field, Add the range of IP addresses from which this server assigns an address to a client. Enter an IP subnet and subnet mask (for example, 192.168.1.0/24) or a range of IP addresses (for example, 192.168.1.10-192.168.1.20).
    - An IP Pool or a Reserved Address is mandatory for dynamic IP address assignment.
    - An IP Pool is optional for static IP address assignment as long as the static IP addresses that you assign fall into the subnet that the firewall interface services.
  - (Optional) Repeat this step to specify another IP address pool.
- (Optional) Specify an IP address from the IP pools that will not be assigned dynamically. If you also specify a MAC Address, the Reserved Address is assigned to that device when the device requests an IP address through DHCP.
  See the DHCP Addressing section for an explanation of allocation of a Reserved Address.
  - In the Reserved Address field, click Add.
  - Enter an IP address from the IP Pools (format x.x.x.x) that you do not want to be assigned dynamically by the DHCP server.
  - (Optional) Specify the MAC Address (format xx:xx:xx:xx:xx:xx) of the device to which you want to permanently assign the IP address you just specified.
  - (Optional) Repeat the prior two steps to reserve another address.
- Commit your changes.
  Click OK and Commit.
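
A pre-commit sanity check for the values planned in the steps above, added here as an example; it is not Palo Alto Networks code and nothing the firewall runs. It applies the rules this page states (the two IP pool formats, reserved addresses taken from the IP pools, the MAC address format, option codes 1-254, 0x-prefixed hexadecimal values, one type per option code and name); the plan dictionary layout, `parse_pool`, `check_plan` and every sample value are assumptions made for illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")  # xx:xx:xx:xx:xx:xx
HEX_RE = re.compile(r"^0x[0-9A-Fa-f]+$")                      # page: 0x prefix required

def parse_pool(text):
    """Return (first, last) address of '192.168.1.0/24' or 'a.b.c.d-e.f.g.h'."""
    if "-" in text:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"{text}: range start is above range end")
        return lo, hi
    net = ipaddress.IPv4Network(text, strict=True)  # rejects host bits, e.g. .5/24
    return net[0], net[-1]

def check_plan(plan):  # returns a list of problem strings, empty when the plan is clean
    problems, pools, types = [], [], {}
    for text in plan["ip_pools"]:
        try:
            pools.append(parse_pool(text))
        except ValueError as exc:
            problems.append(f"bad IP pool: {exc}")
    for ip_text, mac in plan["reserved"]:
        ip = ipaddress.IPv4Address(ip_text)
        if not any(lo <= ip <= hi for lo, hi in pools):
            problems.append(f"reserved {ip} is outside every IP pool")
        if mac and not MAC_RE.match(mac):
            problems.append(f"reserved {ip}: bad MAC {mac!r}")
    for opt in plan["custom_options"]:
        name, code, kind = opt["name"], opt["code"], opt["type"]
        if not 1 <= code <= 254:
            problems.append(f"{name}: option code {code} is outside 1-254")
        if types.setdefault((code, name), kind) != kind:
            problems.append(f"{name}: code {code} has two types; the later one overwrites")
        if kind == "Hexadecimal":
            problems += [f"{name}: {v!r} is not 0x-prefixed hex"
                         for v in opt["values"] if not HEX_RE.match(v)]
    return problems

# Constructed sample plan; names, addresses and option values are made up.
SAMPLE_PLAN = {
    "ip_pools": ["192.168.1.0/24", "192.168.2.10-192.168.2.20"],
    "reserved": [("192.168.1.50", "00:1b:17:00:01:0a"), ("192.168.3.5", None)],
    "custom_options": [
        {"name": "ap-ctrl", "code": 43, "type": "Hexadecimal", "values": ["0xf1040a000001"]},
        {"name": "ap-ctrl", "code": 43, "type": "ASCII", "values": ["10.0.0.1"]},
        {"name": "bad", "code": 255, "type": "Hexadecimal", "values": ["f104"]},
    ]}
print(*check_plan(SAMPLE_PLAN), sep="\n")
```

An empty list means the plan passed these checks only; the firewall's own validation at commit time remains authoritative.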