
[SRX] How to configure JDHCP server in a logical system


Article ID: KB34617 | Last Updated: 22 Jun 2019 | Version: 1.0
Summary:

This article provides information on how to configure an SRX device as a DHCP server when the server-side interface is in a logical-system.

Starting with Junos 12.x, the DHCP process has been modified and the new process is JDHCP. Additionally, starting in Junos OS Release 18.4R1, logical systems support the DHCP client and relay feature.

Solution:

Setup:

SRX(ge-0/0/0 logical-system) ---------- client

Create a logical-system and define the server-side interface:

set logical-systems lsys1-r5 interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/24

Configure the JDHCP server:

set logical-systems lsys1-r5 system services dhcp-local-server group SVR interface ge-0/0/0.0
set logical-systems lsys1-r5 access address-assignment pool SVR-POOL family inet network 1.1.1.0/24
set logical-systems lsys1-r5 access address-assignment pool SVR-POOL family inet range SVR-RANGE low 1.1.1.21
set logical-systems lsys1-r5 access address-assignment pool SVR-POOL family inet range SVR-RANGE high 1.1.1.31
set logical-systems lsys1-r5 access address-assignment pool SVR-POOL family inet dhcp-attributes name-server 8.8.8.8
set logical-systems lsys1-r5 access address-assignment pool SVR-POOL family inet dhcp-attributes router 1.1.1.1

Configure the necessary security zones and policies:

set logical-systems lsys1-r5 security policies default-policy permit-all
set logical-systems lsys1-r5 security zones security-zone Server-zone interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set logical-systems lsys1-r5 security zones security-zone Server-zone interfaces ge-0/0/0.0 host-inbound-traffic protocols all

Verification:

root@3600-5> show dhcp server binding logical-system lsys1-r5

IP address        Session Id  Hardware address   Expires     State      Interface
1.1.1.21            1         78:fe:3d:2d:78:00  85198       BOUND      ge-0/0/0.0          

root@3600-5> show dhcp server binding logical-system lsys1-r5 detail
Client IP Address:  2.2.2.21
     Hardware Address:             ac:4b:c8:db:50:00
     State:                        BOUND(LOCAL_SERVER_STATE_BOUND)
     Lease Expires:                2019-06-17 13:40:54 PDT
     Lease Expires in:             85273 seconds
     Lease Start:                  2019-06-15 10:23:17 PDT
     Last Packet Received:         2019-06-15 13:40:54 PDT
     Incoming Client Interface:    ge-0/0/0.0
     Server Identifier:            1.1.1.1
     Bootp Relay Address:          2.2.2.2
     Session Id:                   1
     Client Pool Name:             SVR-POOL
 
root@3600-5> show dhcp server statistics logical-system lsys1-r5
Packets dropped:
    Total                      0

Messages received:
    BOOTREQUEST                5
    DHCPDECLINE                0
    DHCPDISCOVER               4
    DHCPINFORM                 0
    DHCPRELEASE                0
    DHCPREQUEST                1

Messages sent:
    BOOTREPLY                  5
    DHCPOFFER                  4
    DHCPACK                    1
    DHCPNAK                    0
    DHCPFORCERENEW             0
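The statistics above are easiest to read as the four stages of a DHCP exchange (DISCOVER, OFFER, REQUEST, ACK/NAK). The following is an added helper, not part of this article or of Junos, that parses that output and names the first stage whose counter stays at zero; the sample text is this article's output and the stage descriptions are general DHCP behaviour, not Junos-specific diagnostics.

```python
import re

# Constructed sample: the "show dhcp server statistics" output shown above.
SAMPLE_STATS = """Packets dropped:
    Total                      0

Messages received:
    BOOTREQUEST                5
    DHCPDECLINE                0
    DHCPDISCOVER               4
    DHCPINFORM                 0
    DHCPRELEASE                0
    DHCPREQUEST                1

Messages sent:
    BOOTREPLY                  5
    DHCPOFFER                  4
    DHCPACK                    1
    DHCPNAK                    0
    DHCPFORCERENEW             0
"""


def parse_dhcp_stats(text: str) -> dict:
    """Map every indented 'NAME   value' counter line to an integer."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s+(\S+)\s+(\d+)\s*$", text, re.M)}


def diagnose(stats: dict) -> str:
    """Name the first point where the DISCOVER/OFFER/REQUEST/ACK exchange stalls."""
    s = lambda key: stats.get(key, 0)
    if s("Total"):
        return "packets dropped by the server: look at the drop counters first"
    if s("DHCPDISCOVER") == 0:
        return "no DISCOVER received: check host-inbound-traffic and capture on the interface"
    if s("DHCPOFFER") == 0:
        return "DISCOVER received but no OFFER sent: check the pool network, range and interface"
    if s("DHCPREQUEST") == 0:
        return "OFFER sent but no REQUEST received: the client did not accept the offer"
    if s("DHCPNAK"):
        return "REQUEST answered with NAK: the requested address cannot be served from the pool"
    if s("DHCPACK") == 0:
        return "REQUEST received but no ACK sent"
    return "exchange completed: DISCOVER, OFFER, REQUEST and ACK were all counted"
```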


Troubleshooting checklist:

  • Is DHCP enabled as a host-inbound-traffic system-service on the server interface? At the zone hierarchy this can only be done with "any" or "all".
  • Is there another DHCP server on the network connected to the FE/GE ports? A second server can conflict with the SRX.
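The first checklist item, together with the pool definition above, can be verified offline from the `display set` form of the configuration. The script below is an added example, not Juniper code: it reads `set` lines for a logical system, confirms that each dhcp-local-server interface belongs to a zone that admits DHCP, and checks that the pool range and router attribute fall inside the pool network. The sample configuration is this article's own.

```python
import ipaddress

# Constructed sample: this article's logical-system lines, in the form that
# "show configuration logical-systems lsys1-r5 | display set" produces.
SAMPLE_CONFIG = """
set logical-systems lsys1-r5 system services dhcp-local-server group SVR interface ge-0/0/0.0
set logical-systems lsys1-r5 access address-assignment pool SVR-POOL family inet network 1.1.1.0/24
set logical-systems lsys1-r5 access address-assignment pool SVR-POOL family inet range SVR-RANGE low 1.1.1.21
set logical-systems lsys1-r5 access address-assignment pool SVR-POOL family inet range SVR-RANGE high 1.1.1.31
set logical-systems lsys1-r5 access address-assignment pool SVR-POOL family inet dhcp-attributes router 1.1.1.1
set logical-systems lsys1-r5 security zones security-zone Server-zone interfaces ge-0/0/0.0 host-inbound-traffic system-services all
"""

DHCP_OK = {"dhcp", "all", "any"}  # system-services values that let DHCP reach the server


def check_dhcp_server_config(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    server_ifls, zone_svcs, pools, findings = [], {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] != "set":
            continue
        if "dhcp-local-server" in t and "interface" in t:
            server_ifls.append(t[t.index("interface") + 1])
        elif "security-zone" in t and "system-services" in t:
            zone_svcs.setdefault(t[t.index("interfaces") + 1], set()).add(t[-1])
        elif "address-assignment" in t and "pool" in t:
            pool = pools.setdefault(t[t.index("pool") + 1], {})
            for key in ("network", "low", "high", "router"):
                if key in t:
                    pool[key] = t[t.index(key) + 1]
    # Checklist item 1: the serving interface must admit DHCP from its zone.
    for ifl in server_ifls:
        if not zone_svcs.get(ifl, set()) & DHCP_OK:
            findings.append(f"{ifl}: DHCP is not a permitted host-inbound system-service")
    # Pool sanity: range bounds and router must sit inside the pool network.
    for name, p in pools.items():
        if "network" not in p:
            findings.append(f"{name}: pool has no network statement")
            continue
        net = ipaddress.ip_network(p["network"])
        for key in ("low", "high", "router"):
            if key in p and ipaddress.ip_address(p[key]) not in net:
                findings.append(f"{name}: {key} {p[key]} lies outside {net}")
        if "low" in p and "high" in p and ipaddress.ip_address(p["low"]) > ipaddress.ip_address(p["high"]):
            findings.append(f"{name}: range low {p['low']} is above high {p['high']}")
    return findings
```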


In a scenario where it isn't working, the first step is to identify the point of failure with a packet capture on the DHCP interface.

monitor traffic interface <dhcp-if> size 1500 noresolve no-domain-names matching "udp port 67" detail


For example:

[edit]
root@3600-8# ...domain-names matching "udp port 67" detail                    
Address resolution is OFF.
Listening on ge-0/0/1, capture size 1500 bytes

13:31:52.580638  In IP (tos 0x0, ttl  64, id 60018, offset 0, flags [none], proto: UDP (17), length: 315) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ac:4b:c8:db:50:00, length 287, xid 0x492dd449, Flags [Broadcast]
          Client-Ethernet-Address ac:4b:c8:db:50:00
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            Parameter-Request Option 55, length 9: 
              Default-Gateway, Lease-Time, Subnet-Mask, Domain-Name
              Domain-Name-Server, TFTP, BF, Option 120
              Netbios-Name-Server
            Requested-IP Option 50, length 4: 2.2.2.21
            DHCP-Message Option 53, length 1: Request
            Lease-Time Option 51, length 4: 86400
            Hostname Option 12, length 17: "jtac-SRX3600-r009"
13:31:52.590194 Out IP (tos 0x0, ttl  64, id 21079, offset 0, flags [none], proto: UDP (17), length: 303) 2.2.2.2.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 275, hops 1, xid 0x492dd449, Flags [Broadcast]
          Your-IP 2.2.2.21
          Client-Ethernet-Address ac:4b:c8:db:50:00
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Lease-Time Option 51, length 4: 86400
            Subnet-Mask Option 1, length 4: 255.255.255.0
            Server-ID Option 54, length 4: 1.1.1.1
            Default-Gateway Option 3, length 4: 2.2.2.2
            Domain-Name-Server Option 6, length 4: 8.8.8.8
^C
3 packets received by filter
0 packets dropped by kernel


Furthermore, traceoptions help to isolate the problem further. The packet filters below can be tailored as needed.

[edit]
root@3600-8# show system services dhcp | display set
set system services dhcp traceoptions file dhcp-trace-lsys
set system services dhcp traceoptions level all
set system services dhcp traceoptions flag all

[edit]
root@3600-8# show security flow | display set 
set security flow traceoptions file flow-trace
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter pf1 logical-system lsys1-r5
set security flow traceoptions packet-filter pf1 source-port 68
set security flow traceoptions packet-filter pf1 destination-port 67
set security flow traceoptions packet-filter pf2 logical-system lsys1-r5
set security flow traceoptions packet-filter pf2 source-port 67
set security flow traceoptions packet-filter pf2 destination-port 68
