03-01-2020 10:44 AM - edited 03-01-2020 11:05 AM
I'm glad not to be the only person complaining about this. DHCP flexibility on a NGFW FTD device is all but completely useless compared to the older ASA. I don't mean to be so unkind toward Cisco, but the FTD requires a significant amount of priming and digging. I've lost weeks of time trying to work around these limitations, and finding myself in sheer regret, and costing Cisco at least a dozen unresolved TAC cases.
For DHCP limitations:
What Cisco has done is wreck the small/branch office offerings with a baffling exclusion of these options, not to mention many other very important functions that are badly needed to be carried over from ASA.
That said, you can hack it, but you have to apply specific options via the Lina_cli tool, and they're not perpetual. You must manually re-apply them each time you push changes to the device:
In expert mode:
sudo su
LinaConfigTool "dhcpd dns [dns_server_1] [dns_server_2] interface [interface]"
Example: LinaConfigTool "dhcpd dns 10.1.1.10 10.1.1.11 interface inside"
Again, while this solves the problem of providing different DNS servers per pool, you must re-apply them each time you deploy any changes to the device through FDM and probably FMC.
The reason is, the deployment code overwrites everything that doesn't match the committed changes, unfortunately. You can't be selective like you can with other tools.
"You can't fix what you can't see"
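Since the post above says the deployment wipes these options, here is an added example (not from the thread) of a small expert-mode script that re-applies a table of per-interface DHCP DNS options in one go after every push. It assumes LinaConfigTool is on the PATH and takes the "dhcpd dns ..." string exactly as quoted above; the interface names and addresses in the table are constructed sample values.

```shell
#!/bin/sh
# Added example: re-apply per-pool DHCP DNS options with LinaConfigTool.
# Run in FTD expert mode as root (sudo su) after each FDM/FMC deployment.
# Assumption: LinaConfigTool accepts "dhcpd dns <dns1> <dns2> interface <nameif>".
set -e

# One line per DHCP pool: <nameif> <dns1> <dns2>  (constructed sample table)
POOLS='inside 10.1.1.10 10.1.1.11
byod 1.1.1.1 8.8.8.8'

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  # Subshell so changing IFS does not leak into the caller's "read" loop.
  ( IFS=.; set -- $1; for o; do [ "$o" -le 255 ] || exit 1; done )
}

# Print the LinaConfigTool argument for one pool (nameif dns1 dns2).
# Returns 1 on bad input so nothing malformed is ever handed to the box.
dhcp_dns_cmd() {
  valid_ipv4 "$2" && valid_ipv4 "$3" || return 1
  printf 'dhcpd dns %s %s interface %s\n' "$2" "$3" "$1"
}

# Walk the table; with DRY_RUN=1 only print what would be executed.
apply_pools() {
  echo "$POOLS" | while read -r nameif dns1 dns2; do
    [ -n "$nameif" ] || continue
    if ! cmd=$(dhcp_dns_cmd "$nameif" "$dns1" "$dns2"); then
      echo "skip: bad entry '$nameif $dns1 $dns2'" >&2
      continue
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "LinaConfigTool \"$cmd\""
    else
      LinaConfigTool "$cmd"
    fi
  done
}

# Default is a preview; set DRY_RUN=0 to actually apply on the FTD.
apply_pools
```

Keep the table in the script under version control so the re-apply step is repeatable and reviewable rather than retyped from memory after each deployment.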
03-16-2020 03:34 AM
Thanks for the information,
But how about running multiple commands at a time, like enabling a specific interface:
Interface Gi1/1
no shutdown
How can we run this using LinaConfigTool?
Regards,
Ashraf
03-16-2020 06:37 AM
I believe you can do it this way:
LinaConfigTool "interface Ethernet1/7" "ip address 10.2.6.1 255.255.255.0" "no shut"
where the subsequent commands are simply separated by a space. That said, not every instance of this works. For example, "nameif", and "security-level", which seem to have been deprecated, and it could be that this example will also fail. There's no way to predict it, and obviously there's no readily handy documentation or "useful" Command Reference.
I learned this example from an FDM failure, where it could not "un-do" something it deployed successfully.
09-07-2021 09:43 AM
I wanted to post an update. 7.0.0 code for the FTD, and we still have a blacklisted/blocked dhcpd dns command. Why? This makes for quite a challenge for smaller sites where the FTD needs to supply DHCP, but we don't wish to use the same DNS per VLAN/interface.
(example):
dhcpd dns 1.1.1.1 8.8.8.8 interface byod
dhcpd dns 192.168.1.15 192.168.1.16 interface inside
02-15-2022 04:18 AM
I know this is an old post, but perhaps somebody has found a solution for this issue? I mean LinaConfigTool "dhcpd dns 1.1.1.1 8.8.8.8 interface [interface]" works well and would do for me, but it doesn't stay after a restart and I didn't find a way to save it to the startup-config.