
[SRX] Configuring JDHCP relay in a logical system

[KB34624]


Summary:

This article provides information about configuring SRX devices as JDHCP relays.

 

Symptoms:

Starting with SRX 12.x, the DHCP process has been modified to the new JDHCP process. Additionally, starting from Junos OS Release 18.4R1, logical systems support the DHCP relay feature. For more information about DHCP in logical systems, refer to DHCP for Logical Systems.

A DHCP relay agent forwards DHCP requests and responses between the DHCP client and the DHCP server.

For configuring a JDHCP server in a logical system, refer to KB34617 - [SRX] How to configure JDHCP server in a logical system.

 

Solution:

Setup

 
DHCP Server (1.1.1.1) ---- (1.1.1.2) ge-0/0/0 SRX-Relay ge-0/0/1 (2.2.2.2) ----- Client
 

To configure JDHCP relay on the SRX device:

set logical-systems lsys1-r8 forwarding-options dhcp-relay server-group dhcp-grp 1.1.1.1
set logical-systems lsys1-r8 forwarding-options dhcp-relay server-group dhcp-grp 2.2.2.2
set logical-systems lsys1-r8 forwarding-options dhcp-relay group dhcp-grp active-server-group dhcp-grp
set logical-systems lsys1-r8 forwarding-options dhcp-relay group dhcp-grp interface ge-0/0/1.0
 

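To configure the interfaces and security (this example uses a permit-all default policy and allows all host-inbound system services and protocols on the zone):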

set logical-systems lsys1-r8 interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24
set logical-systems lsys1-r8 interfaces ge-0/0/1 unit 0 family inet address 2.2.2.2/24


set logical-systems lsys1-r8 security policies default-policy permit-all
set logical-systems lsys1-r8 security zones security-zone Relay-zone host-inbound-traffic system-services all
set logical-systems lsys1-r8 security zones security-zone Relay-zone host-inbound-traffic protocols all
set logical-systems lsys1-r8 security zones security-zone Relay-zone interfaces ge-0/0/0.0
set logical-systems lsys1-r8 security zones security-zone Relay-zone interfaces ge-0/0/1.0
 

Verification

[edit]
root@3600-8# run show dhcp relay statistics logical-system lsys1-r8 
Packets dropped:
    Total                        28
    dhcp-service total           28


Messages received:
    BOOTREQUEST                  4
    DHCPDECLINE                  0
    DHCPDISCOVER                 1
    DHCPINFORM                   0
    DHCPRELEASE                  0
    DHCPREQUEST                  3


Messages sent:
    BOOTREPLY                    3
    DHCPOFFER                    1
    DHCPACK                      1
    DHCPNAK                      1
    DHCPFORCERENEW               0


[edit]
root@3600-8# run show dhcp relay binding logical-system lsys1-r8 

IP address        Session Id  Hardware address   Expires     State      Interface
2.2.2.21          2           ac:4b:c8:db:50:00  84513       BOUND      ge-0/0/1.0
 

Troubleshooting Checklist

  • Is JDHCP enabled as a host-inbound-traffic system-service? This cannot be done at the zone hierarchy except with "any" or "all."

  • Is there another JDHCP server on the network that connects to the FE/GE ports? This can cause a conflict.

  • Is the relay-interface configured to listen to the JDHCP broadcast on the correct interface?

  • Is there a route for the JDHCP server and is the server reachable on the correct interface?

  • Are there security policies configured to permit JDHCP traffic from a client to the server as well as from the server to the client?

 

In a scenario where the configured JDHCP relay is not working, the first step is to identify the point of failure with a packet capture on the dhcp-relay interface.

monitor traffic interface <dhcp-if> size 1500 noresolve no-domain-names matching "udp port 67" detail

For example:

[edit]
root@3600-8# ...domain-names matching "udp port 67" detail                    
Address resolution is OFF.
Listening on ge-0/0/1, capture size 1500 bytes


13:31:52.580638  In IP (tos 0x0, ttl  64, id 60018, offset 0, flags [none], proto: UDP (17), length: 315) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ac:4b:c8:db:50:00, length 287, xid 0x492dd449, Flags [Broadcast]
          Client-Ethernet-Address ac:4b:c8:db:50:00
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            Parameter-Request Option 55, length 9: 
              Default-Gateway, Lease-Time, Subnet-Mask, Domain-Name
              Domain-Name-Server, TFTP, BF, Option 120
              Netbios-Name-Server
            Requested-IP Option 50, length 4: 2.2.2.21
            DHCP-Message Option 53, length 1: Request
            Lease-Time Option 51, length 4: 86400
            Hostname Option 12, length 17: "jtac-SRX3600-r009"
13:31:52.590194 Out IP (tos 0x0, ttl  64, id 21079, offset 0, flags [none], proto: UDP (17), length: 303) 2.2.2.2.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 275, hops 1, xid 0x492dd449, Flags [Broadcast]
          Your-IP 2.2.2.21
          Client-Ethernet-Address ac:4b:c8:db:50:00
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Lease-Time Option 51, length 4: 86400
            Subnet-Mask Option 1, length 4: 255.255.255.0
            Server-ID Option 54, length 4: 1.1.1.1
            Default-Gateway Option 3, length 4: 2.2.2.2
            Domain-Name-Server Option 6, length 4: 8.8.8.8
^C
3 packets received by filter
0 packets dropped by kernel
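
When a capture is long, pairing requests and replies by xid shows quickly which client transactions never got an answer on the dhcp-relay interface. The following is an added example, not part of the original article or Juniper tooling: it parses saved text in the output format shown above, and the function names and the second sample transaction are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Packet header line in the "monitor traffic ... detail" format shown above.
HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+(?P<dir>In|Out)\s+IP .*?"
                    r"BOOTP/DHCP, (?P<op>Request|Reply).*?xid (?P<xid>0x[0-9a-fA-F]+)")
# Option 53 carries the DHCP message type (Discover, Offer, Request, ACK, ...).
MSGTYPE = re.compile(r"DHCP-Message Option 53, length 1: (?P<type>\w+)")

def parse_capture(text):
    """Return {xid: [(direction, bootp_op, dhcp_type), ...]} in capture order."""
    transactions = defaultdict(list)
    current = None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = [header["dir"], header["op"], None]
            transactions[header["xid"]].append(current)
        elif current is not None:
            option = MSGTYPE.search(line)
            if option:
                current[2] = option["type"]
    return {xid: [tuple(p) for p in pkts] for xid, pkts in transactions.items()}

def unanswered(transactions):
    """xids whose client request came In but for which no reply went Out."""
    stalled = []
    for xid, pkts in transactions.items():
        requested = any(d == "In" and op == "Request" for d, op, _ in pkts)
        replied = any(d == "Out" and op == "Reply" for d, op, _ in pkts)
        if requested and not replied:
            stalled.append(xid)
    return stalled

# Constructed sample: the first transaction is abridged from the capture above;
# the second (xid 0x1a2b3c4d, MAC 00:00:5e:00:53:01) is made up and gets no reply.
SAMPLE = """\
13:31:52.580638  In IP (tos 0x0, ...) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ac:4b:c8:db:50:00, length 287, xid 0x492dd449, Flags [Broadcast]
            DHCP-Message Option 53, length 1: Request
13:31:52.590194 Out IP (...) 2.2.2.2.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 275, hops 1, xid 0x492dd449, Flags [Broadcast]
            DHCP-Message Option 53, length 1: ACK
13:32:10.000000  In IP (...) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:00:5e:00:53:01, length 287, xid 0x1a2b3c4d, Flags [Broadcast]
            DHCP-Message Option 53, length 1: Discover
"""

if __name__ == "__main__":
    for xid, pkts in parse_capture(SAMPLE).items():
        print(xid, pkts)
    print("no reply sent to client for:", unanswered(parse_capture(SAMPLE)))
```

An xid reported by `unanswered()` on the client-facing interface means the request reached the relay but nothing came back toward the client, so the next capture belongs on the server-facing interface (ge-0/0/0 in this setup).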
 

Additionally, traceoptions can help isolate the problem further, and the packet filters can be customized as required.

[edit]
root@3600-8# show system services dhcp| display set 
set system services dhcp traceoptions file dhcp-trace-lsys
set system services dhcp traceoptions level all
set system services dhcp traceoptions flag all


[edit]
root@3600-8# show security flow | display set 
set security flow traceoptions file flow-trace
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter pf1 logical-system lsys1-r8 
set security flow traceoptions packet-filter pf1 source-port 68
set security flow traceoptions packet-filter pf1 destination-port 67
set security flow traceoptions packet-filter pf2 logical-system lsys1-r8
set security flow traceoptions packet-filter pf2 source-port 67
set security flow traceoptions packet-filter pf2 destination-port 68

 
