
[SRX] How to configure VRRP as a DHCP server


Article ID: KB29130 | Last Updated: 26 Jan 2015 | Version: 2.0
Summary:

This article explains how two VRRP routers, each allocating IP addresses from a separate range within the same network, can be configured as DHCP servers, and why each needs a unique server identifier.

Symptoms:

Because the same virtual IP is configured as the router on both servers, any client sees the two servers as one. The client accepts an IP address from only one server, but both servers end up binding an address from their own pool to the same client MAC address.

Setup:
                                   <-------------->SERVER1-SRX
                                                        |
CLIENT-SRX<--------------->SWITCH                      VRRP
                                                        |
                                   <-------------->SERVER2-SRX


SERVER1-SRX:

set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.4
set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.65
set system services dhcp pool 192.168.2.0/24 maximum-lease-time 604800
set system services dhcp pool 192.168.2.0/24 name-server 62.244.176.176
set system services dhcp pool 192.168.2.0/24 name-server 62.244.177.177
set system services dhcp pool 192.168.2.0/24 router 192.168.2.1
set interfaces fe-0/0/2 unit 0 family inet address 192.168.2.2/24 vrrp-group 1 virtual-address 192.168.2.1
set interfaces fe-0/0/2 unit 0 family inet address 192.168.2.2/24 vrrp-group 1 priority 150
set interfaces fe-0/0/2 unit 0 family inet address 192.168.2.2/24 vrrp-group 1 accept-data
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces fe-0/0/2.0

SERVER2-SRX:

set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.66
set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.127
set system services dhcp pool 192.168.2.0/24 maximum-lease-time 604800
set system services dhcp pool 192.168.2.0/24 name-server 62.244.176.176
set system services dhcp pool 192.168.2.0/24 name-server 62.244.177.177
set system services dhcp pool 192.168.2.0/24 router 192.168.2.1
set interfaces fe-0/0/2 unit 0 family inet address 192.168.2.3/24 vrrp-group 1 virtual-address 192.168.2.1
set interfaces fe-0/0/2 unit 0 family inet address 192.168.2.3/24 vrrp-group 1 priority 100
set interfaces fe-0/0/2 unit 0 family inet address 192.168.2.3/24 vrrp-group 1 accept-data
set security zones security-zone dhcp host-inbound-traffic system-services all
set security zones security-zone dhcp host-inbound-traffic protocols all
set security zones security-zone dhcp interfaces fe-0/0/2.0

CLIENT-SRX:

set interfaces fe-0/0/0 unit 0 family inet dhcp
set security zones security-zone dhcp host-inbound-traffic system-services all
set security zones security-zone dhcp host-inbound-traffic protocols all
set security zones security-zone dhcp interfaces fe-0/0/0.0

Checking the IP address on CLIENT-SRX shows that it came from the SERVER1-SRX range:

root@CLIENT-SRX# run show interfaces terse fe-0/0/0
Interface Admin Link Proto Local Remote
fe-0/0/0 up up
fe-0/0/0.0 up up inet 192.168.2.4/24

But the binding is seen on both servers for the same MAC address:

root@SERVER1-SRX# run show system services dhcp binding
IP address Hardware address Type Lease expires at
192.168.2.4 28:c0:da:e1:4a:40 dynamic 2014-05-19 14:01:32 UTC

root@SERVER2-SRX# run show system services dhcp binding
IP address Hardware address Type Lease expires at
192.168.2.66 28:c0:da:e1:4a:40 dynamic 2014-05-19 08:52:05 UTC
Cause:

Solution:

To avoid this problem, configure a unique server identifier on each DHCP server. RFC 2131 (p. 15) gives the same guidance:

"The client broadcasts a DHCPREQUEST message that MUST include the 'server identifier' option to indicate which server it has selected".

Use the following commands to configure a unique DHCP server identifier on both servers:

root@SERVER1-SRX# set system services dhcp pool 192.168.2.0/24 server-identifier 192.168.2.2

root@SERVER2-SRX# set system services dhcp pool 192.168.2.0/24 server-identifier 192.168.2.3

Checking the IP address on CLIENT-SRX now shows an address from the SERVER2-SRX range, and the binding appears only on that server:

root@CLIENT-SRX# run show interfaces terse fe-0/0/0
Interface Admin Link Proto Local Remote
fe-0/0/0 up up
fe-0/0/0.0 up up inet 192.168.2.66/24

root@SERVER1-SRX# run show system services dhcp binding

root@SERVER2-SRX# run show system services dhcp binding
IP address Hardware address Type Lease expires at
192.168.2.66 28:c0:da:e1:4a:40 dynamic 2014-05-19 09:07:15 UTC
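The following Python model of the DORA exchange is an added example, not part of the Juniper article. It reuses the article's hosts, ranges and client MAC, constructs plain dicts in place of real DHCP packets, and assumes that without an explicit server-identifier both servers stamp their offers with the shared virtual address 192.168.2.1; it reproduces the double binding above and shows how option 54 lets the non-selected server discard its offer.

```python
# Added model of the DHCP DORA exchange behind one VRRP address (not from the
# Juniper article). Message dicts are a constructed stand-in for DHCP packets.
from dataclasses import dataclass, field

CLIENT_MAC = "28:c0:da:e1:4a:40"   # client MAC shown in the article's bindings
VIRTUAL_IP = "192.168.2.1"         # shared VRRP virtual address (router option)


@dataclass
class DhcpServer:
    name: str
    server_id: str      # value this server places in option 54 (server identifier)
    pool: list          # addresses it may lease (one-address slice of its range)
    offered: dict = field(default_factory=dict)   # mac -> tentatively offered ip
    bindings: dict = field(default_factory=dict)  # mac -> committed lease

    def on_discover(self, mac):
        ip = self.pool[0]
        self.offered[mac] = ip
        return {"type": "OFFER", "yiaddr": ip, "server_id": self.server_id}

    def on_request(self, mac, req):
        # RFC 2131: the broadcast REQUEST names the selected server in option 54;
        # a server with a different identifier must treat it as a decline.
        if req["server_id"] != self.server_id:
            self.offered.pop(mac, None)
            return None
        ip = self.offered.pop(mac)
        self.pool.remove(ip)
        self.bindings[mac] = ip
        return {"type": "ACK", "yiaddr": ip}


def dora(shared_identifier, choose):
    """Run one DORA exchange; return (leased ip, bindings per server).

    shared_identifier=True models the symptom: both servers use the same
    identifier (assumed here to be the virtual IP). choose selects the offer
    the client takes (0 = SERVER1-SRX, 1 = SERVER2-SRX)."""
    servers = [
        DhcpServer("SERVER1-SRX", VIRTUAL_IP if shared_identifier else "192.168.2.2", ["192.168.2.4"]),
        DhcpServer("SERVER2-SRX", VIRTUAL_IP if shared_identifier else "192.168.2.3", ["192.168.2.66"]),
    ]
    # DISCOVER and REQUEST are broadcast, so every server processes both.
    offers = [s.on_discover(CLIENT_MAC) for s in servers]
    chosen = offers[choose]
    request = {"type": "REQUEST", "requested_ip": chosen["yiaddr"],
               "server_id": chosen["server_id"]}
    for s in servers:
        s.on_request(CLIENT_MAC, request)
    return chosen["yiaddr"], {s.name: dict(s.bindings) for s in servers}
```

With `dora(True, 0)` both servers commit a lease for the one MAC, exactly as in the `show system services dhcp binding` output above; with `dora(False, 1)` only SERVER2-SRX does.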

A similar configuration is needed for users running JDHCP on Junos OS 12.x on their SRX. For the scenario above, the configuration for the two servers becomes:

SERVER1-SRX:

set system services dhcp-local-server group dhcp-1 interface fe-0/0/2.0
set interfaces fe-0/0/2 unit 0 family inet address 192.168.2.2/24 vrrp-group 1 virtual-address 192.168.2.1
set interfaces fe-0/0/2 unit 0 family inet address 192.168.2.2/24 vrrp-group 1 priority 150
set interfaces fe-0/0/2 unit 0 family inet address 192.168.2.2/24 vrrp-group 1 accept-data
set access address-assignment pool pool1 family inet network 192.168.2.0/24
set access address-assignment pool pool1 family inet range range-4-65 low 192.168.2.4
set access address-assignment pool pool1 family inet range range-4-65 high 192.168.2.65
set access address-assignment pool pool1 family inet dhcp-attributes router 192.168.2.1
set access address-assignment pool pool1 family inet dhcp-attributes server-identifier 192.168.2.2
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces fe-0/0/2.0

SERVER2-SRX:

set system services dhcp-local-server group dhcp-1 interface fe-0/0/2.0
set interfaces fe-0/0/2 unit 0 family inet address 192.168.2.3/24 vrrp-group 1 virtual-address 192.168.2.1
set interfaces fe-0/0/2 unit 0 family inet address 192.168.2.3/24 vrrp-group 1 priority 100
set interfaces fe-0/0/2 unit 0 family inet address 192.168.2.3/24 vrrp-group 1 accept-data
set access address-assignment pool pool1 family inet network 192.168.2.0/24
set access address-assignment pool pool1 family inet range range-66-127 low 192.168.2.66
set access address-assignment pool pool1 family inet range range-66-127 high 192.168.2.127
set access address-assignment pool pool1 family inet dhcp-attributes router 192.168.2.1
set access address-assignment pool pool1 family inet dhcp-attributes server-identifier 192.168.2.3
set security zones security-zone dhcp host-inbound-traffic system-services all
set security zones security-zone dhcp host-inbound-traffic protocols all
set security zones security-zone dhcp interfaces fe-0/0/2.0