ScreenOS Cookbook…..

March 11, 2015

screenOS cookbook






ScreenOS is one of the operating system that has been used in Juniper Network switch and routers operating system. If you buy a switch or a Juniper’s router , you would like to check ScreenOS installed in it. ScreenOS is used to administer the traffic flow of network design  that uses OSPF , BGP , VPN , NAT , DHCP and so on…Recently , I just borrowed a ScreenOS Cookbook from the National Library (PNM) . It’s quite a good book to read if you’re planning to be a Network Administrator that uses Juniper’s switches and routers product line. Administering ScreenOS is quite easy and challenging , just like you administer the CISCO IOS Software in CISCO’s product line that consist of switch and router. We can use ScreenOS to administer firewall configuration , wireless , route mode and static routing , transparent mode and so on….

DHCP Server Maintenance.

You can use ScreenOS’s get commands to view a feature’s functionality. In the get interface wireless2 dhcp server command , the DHCP server is enabled and on , and is not using the next server option which allows configuration information to be shared among multiple DHCP servers. Also , the DHCP client will update information to the server component.

The get interface <interface name> dhcp server ip allocate command shows the allocated IPs per interface , as well as the Media Access Control (MAC) address and time remaining in the lease. As each interface can have its own DHCP settings , different ranges may be configured on the device. To reset the DHCP leases , use the clear dhcp server <interface name> ip command. You can use this command to clear all leases or just a particular IP address:


FIREWALL-A->clear dhcp erver wireless ip all

FIREWALL-A->get db str


Use get commands:

FIREWALL-A->get interface wireless2 dhcp server

FIREWALL-A->get interface wireless1 dhcp server option.

When the clear dhcp server <interface name> ip all command is issued , the flash:dhcpserv1.txt file is modified. This file is used to store DHCP lease information so that leases can survice a system reboot. When the file is modified, each interface that is not cleared has the lease information for that interface rewritten so as to preserve the information.

The get interface <interface name> dhcp server option command shows all options configured on the DHCP server for that interface , including custom options. When custom options are configured , each option appears in the command output with the name Custom , and the code in parentheses immediately following.

Configure DHCP Relay

FIREWALL-A->set interface ethernet2 dhcp relay service

FIREWALL-A->set interface ethernet2 dhcp relay server-name

FIREWALL-A->set address untrust DHCP_SVR_10.3.1.1

FIREWALL-A->set policy from untrust to trust DHCP_SVR_10.3.1.1 any dhcp-relay permit log

Juniper Network’s firewall system products , which include the NS5000 Series and the ISG Series , do not have DHCP server functionality built-in. As these devices are typically used to protect large-scale environtments , they are frequently sandwiched in between pairs of routers. Furthermore , DHCP servers are often already available and installed elsewhere  in the network. Occasionally , however , hosts requiring DHCP services are directly connected to the firewall.

To accommodate DHCP services for hosts that connect to the firewall as their gateway , you can set up DHCP relay. To configure DHCP relay , simply enable the DHCP relay service on the interface , and configure the server address to forward the DHCP messages.

If you want to send these messages across a tunnel , use the set interface <interface name> dhcp relay vpn command. Additionally , a policy which permits dhcp-relay from the server to the client side-in this case , from untrust to trust-is required.

You can verify that DHCP relay is enabled on the interface by using the get interface command:

FIREWALL-A->get int eth2

For more concise output , use the get interface <interface name> dhcp relay command:

FIREWALL-A->get int eth2 dhcp relay


p/s:- ScreenOS uses CLI like in CISCO IOS Software…We can manage the network connection and network design using ScreenOS. We can also uses multicast traffic through a transparent mode device and create a virtual systems.(Later in the last chapter).. Some of this article are excerpt taken from ScreenOS Cookbook by Stefan Brunner , Vik Davar , David Delcourt , Ken Draper , Joe Kelly & Sunil Wadhwa from O’reilly.




Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: