
SRX Getting Started - Configure Global DHCP Relay Service


Article ID: KB15755 KB Last Updated: 13 Apr 2015 Version: 9.0
Summary:

This article describes how to configure, verify, and troubleshoot global DHCP relay service.

For other topics, go to the SRX Getting Started main page.

Symptoms:

Configure global DHCP relay service on SRX devices.

Cause:

Solution:

This section contains the following:

An SRX Series device can act as a DHCP client, DHCP server, and DHCP relay agent at the same time, but you cannot configure more than one DHCP role on a single interface.
For information about configuring the device as a DHCP server, see KB15754 - SRX Getting Started - Configure DHCP Server.
For information about configuring the device as a DHCP client, see KB15753 - SRX Getting Started - Configure DHCP Client.

Note: This article contains an example for configuring DHCP Relay Agent with a single server. For an example of configuring DHCP Relay Agent with multiple clients and servers, refer to DHCP Relay Agent Configuration with Multiple Clients and Servers.

Overview

The following lists the traffic flow when a DHCP DISCOVER message is sent:

  1. A DHCP client, such as a PC, broadcasts a DHCP DISCOVER message.
  2. The SRX Series device converts this packet from broadcast to unicast.
  3. The DHCP server sends the DHCP OFFER message back to the router as unicast.
  4. The SRX Series device converts the DHCP OFFER message back to broadcast, which is sent out on the interface of the original device.

 

J-Web Configuration

Note: This example does not use every option available for DHCP relay configuration. For information about additional DHCP relay configuration options in J-Web, see Configuring BOOTP or DHCP Relay with Quick Configuration, and Configuring DHCP with a Configuration Editor.

To configure an SRX Series device as a relay agent to forward incoming BOOTP or DHCP requests from BOOTP or DHCP clients to a BOOTP server:
  1. Select Configure > Services > DHCP > Boot DHCP Relay.
  2. To enable the DHCP relay agent to relay incoming BOOTP or DHCP requests to a BOOTP server, select DHCP Relay Agent.
  3. In the Maximum Hop Count box, type the maximum number of hops allowed per packet. For example, 4.
  4. In the Description of Servers box, type a description for the relay service. For example, "Global DHCP relay service."
  5. In the Servers/Routing Instance area, type the IP address of the server to which requests are forwarded, for example 192.18.24.38, and click Add.
  6. In the Interfaces area, enter the interface that will receive the BOOTP requests, for example ge-0/0/0.0, and click Add.
  7. Click Apply.
  8. If you are finished configuring the device, click Commit to commit the configuration.
  9. Make sure that you have a security policy that allows the session from the DHCP server to the DHCP client, in addition to the policy from trust to untrust.

 

CLI Configuration

To configure an SRX Series device as a relay agent to forward incoming requests from BOOTP or DHCP clients to a BOOTP or DHCP server:

  1. Provide a description for the relay service. In this example, "Global DHCP relay service" is the descriptive text.
    user@host# set forwarding-options helpers bootp description "Global DHCP relay service"
  2. Specify the IP address of the server to which requests are forwarded. In this example, the IP address is 192.18.24.38.
    user@host# set forwarding-options helpers bootp server 192.18.24.38
  3. Specify the maximum number of hops allowed per packet. In this example, the hop count is 4.
    user@host# set forwarding-options helpers bootp maximum-hop-count 4
  4. Specify the interface on which BOOTP requests will be received.
    user@host# set forwarding-options helpers bootp interface fe-0/0/7.0
  5. Specify DHCP as an allowed inbound service for each interface that is associated with DHCP. In the following example, DHCP is configured as an inbound service for fe-0/0/7 and fe-0/0/8.
    user@host# set security zones security-zone trust interfaces fe-0/0/7 host-inbound-traffic system-services dhcp
    user@host# set security zones security-zone untrust interfaces fe-0/0/8 host-inbound-traffic system-services dhcp
  6. Make sure that you have a security policy that allows the session from the DHCP server to the DHCP client, in addition to the policy from trust to untrust.
    user@host# set security zones security-zone untrust address-book address DHCP-server 192.18.24.38
    user@host# set security policies from-zone trust to-zone untrust policy DHCP-request match source-address any
    user@host# set security policies from-zone trust to-zone untrust policy DHCP-request match destination-address DHCP-server
    user@host# set security policies from-zone trust to-zone untrust policy DHCP-request match application any
    user@host# set security policies from-zone trust to-zone untrust policy DHCP-request then permit
    user@host# set security policies from-zone untrust to-zone trust policy DHCP-reply match source-address DHCP-server
    user@host# set security policies from-zone untrust to-zone trust policy DHCP-reply match destination-address any
    user@host# set security policies from-zone untrust to-zone trust policy DHCP-reply match application any
    user@host# set security policies from-zone untrust to-zone trust policy DHCP-reply then permit
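
The following is an added example, not Juniper code and not part of the original article: a Python model of what a relay agent does to a client request in the Overview flow (broadcast in, unicast to the server out), using the server address and maximum hop count configured above. The interface address 192.168.1.1, the function names, and the sample packet are assumptions made for illustration, and the hop-count comparison follows RFC 1542 rather than any documented Junos behavior.

```python
import socket
import struct

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed 236-byte BOOTP header
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
BOOTREQUEST = 1
ZERO_ADDR = b"\x00" * 4

# Server and hop count come from the article's example. RELAY_IF_ADDR is an
# assumed address for the client-facing interface (the article gives none).
DHCP_SERVER = "192.18.24.38"
MAX_HOP_COUNT = 4
RELAY_IF_ADDR = "192.168.1.1"


def build_discover(xid, mac, hops=0, giaddr=ZERO_ADDR):
    """Constructed sample input: a broadcast DHCPDISCOVER as a client sends it."""
    header = struct.pack(BOOTP_FMT, BOOTREQUEST, 1, 6, hops, xid, 0, 0x8000,
                         ZERO_ADDR, ZERO_ADDR, ZERO_ADDR, giaddr,
                         mac, b"", b"")
    # Magic cookie, option 53 (message type) = 1 (DISCOVER), end option.
    return header + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"


def relay_request(packet):
    """Return (server_ip, rewritten_packet), or None when the request is dropped."""
    if len(packet) < BOOTP_LEN:
        return None  # truncated header
    fields = list(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN]))
    op, hops, giaddr = fields[0], fields[3], fields[10]
    if op != BOOTREQUEST:
        return None  # only client requests are relayed toward the server
    # RFC 1542: discard requests whose hops field exceeds the threshold.
    # Assumption: maximum-hop-count is compared the same way on the device.
    if hops > MAX_HOP_COUNT:
        return None
    if giaddr == ZERO_ADDR:
        # First relay on the path: record the receiving interface address so
        # the server can pick the right pool and address its reply.
        fields[10] = socket.inet_aton(RELAY_IF_ADDR)
    fields[3] = hops + 1
    return DHCP_SERVER, struct.pack(BOOTP_FMT, *fields) + packet[BOOTP_LEN:]


if __name__ == "__main__":
    discover = build_discover(0x1234ABCD, bytes.fromhex("020000000001"))
    server, relayed = relay_request(discover)
    print(server, "hops =", relayed[3], "giaddr =", socket.inet_ntoa(relayed[24:28]))
```

A request that already carries a non-zero giaddr keeps it, so the first relay's address survives further hops; only the hops field changes.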

 

Technical Documentation

Administration Guide for Security Devices - See 'Configuring a DHCP Relay Agent' and 'Example: Configuring the Device as a BOOTP or DHCP Relay Agent'

 

Verification

To verify the DHCP relay configuration, use the following operational mode command:

user@host> show system services dhcp relay-statistics

For sample output for this command, see Displaying DHCP Relay Statistics.

For information about verifying DHCP configuration, see Verifying a DHCP Configuration.

 
