DHCP Server:

Define the DHCP service (lines starting with ! are notes, not CLI input):

```
! define the range (in this case between 128-159)
set system services dhcp pool 10.120.35.0/24 address-range low 10.120.35.128
set system services dhcp pool 10.120.35.0/24 address-range high 10.120.35.159
! list dns info
set system services dhcp pool 10.120.35.0/24 domain-name cmed.us
set system services dhcp pool 10.120.35.0/24 name-server 8.8.4.4
set system services dhcp pool 10.120.35.0/24 name-server 8.8.8.8
! def gateway and lease
set system services dhcp pool 10.120.35.0/24 router 10.120.35.1
set system services dhcp pool 10.120.35.0/24 default-lease-time 3600
```

Then allow DHCP into the zone (the keyword is system-services, not systems-services):

```
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
```

Then make sure that interface fe-0/0/0.0 has an address in the 10.120.35.0/24 range, otherwise the pool will never be selected for requests arriving on it.
DHCP Relays:

DHCP Relay (old):
If you have a central DHCP server and you need all DHCP requests forwarded to it, set up a DHCP helper (the legacy bootp helper):

```
set forwarding-options helpers bootp description "Global DHCP relay service"
set forwarding-options helpers bootp server 10.120.34.30
set forwarding-options helpers bootp maximum-hop-count 5
set forwarding-options helpers bootp interface fe-0/0/0.0
```

DHCP Relay (new):
Where to send it:

```
set forwarding-options dhcp-relay server-group forman01 10.36.35.30
set forwarding-options dhcp-relay group admin active-server-group forman01
set forwarding-options dhcp-relay group admin interface irb.43
```

You can add multiple interface lines (one per VLAN) so a bunch of VLANs all send to the same active-server-group, and a server-group can also list multiple servers.
DHCP Relay (multiple):
DHCP clients "1a" and "1b" should have their DHCP traffic go to "forman01", while DHCP client "2" should go to "forman02". A dhcp-relay group takes a single active-server-group (a second statement in the same group replaces the first), so each server needs its own group; the name of the second group below is a placeholder.

For clients "1":

```
set forwarding-options dhcp-relay server-group forman01 10.36.35.30
set forwarding-options dhcp-relay group admin active-server-group forman01
set forwarding-options dhcp-relay group admin interface irb.41
set forwarding-options dhcp-relay group admin interface irb.43
```

For client "2":

```
! "admin2" is a placeholder group name; pick your own
set forwarding-options dhcp-relay server-group forman02 10.36.34.30
set forwarding-options dhcp-relay group admin2 active-server-group forman02
set forwarding-options dhcp-relay group admin2 interface irb.40
```

DHCP Relay (multiple + multiple hops):
This example is kind of crazy. We've got THREE SRX firewalls, and we need to send the DHCP packets through all of them and back. This gets tricky because you need to set up the normal forwarding, and the policies, and then you also need to add some weirdness.
From firewall "FHM-01":

DHCP forwarding for clients "1":

```
set forwarding-options dhcp-relay server-group forman01 10.36.34.30
set forwarding-options dhcp-relay group admin active-server-group forman01
set forwarding-options dhcp-relay group admin interface vlan.41
```

DHCP forwarding for clients "2" (a separate group, since a group holds only one active-server-group; "admin2" is a placeholder name):

```
set forwarding-options dhcp-relay server-group forman02 10.36.35.30
set forwarding-options dhcp-relay group admin2 active-server-group forman02
set forwarding-options dhcp-relay group admin2 interface vlan.42
```

Allow DHCP messages on the 41 vlan interface (note that the command as recorded references vlan.43; the zone entry must name the logical interface the relay group is actually bound to):

```
set security zones security-zone mgmt4 interfaces vlan.43 host-inbound-traffic system-services dhcp
```

Policy from client to server:

```
set security policies from-zone alpha to-zone link policy one match source-address 10.1.1.0/24
set security policies from-zone alpha to-zone link policy one match destination-address 10.36.34.30/32
set security policies from-zone alpha to-zone link policy one match application [ junos-bootps junos-bootpc ]
set security policies from-zone alpha to-zone link policy one then permit
```

```
set security policies from-zone beta to-zone link policy two match source-address 10.2.2.0/24
set security policies from-zone beta to-zone link policy two match destination-address 10.36.35.30/32
set security policies from-zone beta to-zone link policy two match application [ junos-bootps junos-bootpc ]
set security policies from-zone beta to-zone link policy two then permit
```

Policy from server to client:

```
set security policies from-zone link to-zone alpha policy one match source-address 10.36.34.30/32
set security policies from-zone link to-zone alpha policy one match destination-address 10.1.1.0/24
set security policies from-zone link to-zone alpha policy one match application [ junos-bootps junos-bootpc ]
set security policies from-zone link to-zone alpha policy one then permit
```

```
set security policies from-zone link to-zone beta policy two match source-address 10.36.35.30/32
set security policies from-zone link to-zone beta policy two match destination-address 10.2.2.0/24
set security policies from-zone link to-zone beta policy two match application [ junos-bootps junos-bootpc ]
set security policies from-zone link to-zone beta policy two then permit
```

From firewall "FHM-02":

Set up the forwarding. This part is really weird... The FHM-02 firewall DOES NOT have an interface on vlan 41 or 42, but we add the forwarding statements anyway. It looks for packets with the VLAN tags in them and forwards them onward to the forman servers.

DHCP forwarding for clients "1":

```
set forwarding-options dhcp-relay server-group forman01 10.36.34.30
set forwarding-options dhcp-relay group admin active-server-group forman01
set forwarding-options dhcp-relay group admin interface vlan.41
```

DHCP forwarding for clients "2" (separate group; "admin2" is a placeholder name):

```
set forwarding-options dhcp-relay server-group forman02 10.36.35.30
set forwarding-options dhcp-relay group admin2 active-server-group forman02
set forwarding-options dhcp-relay group admin2 interface vlan.42
```

Policy from client to server:

```
set security policies from-zone alpha to-zone link policy one match source-address 10.1.1.0/24
set security policies from-zone alpha to-zone link policy one match destination-address 10.36.34.30/32
set security policies from-zone alpha to-zone link policy one match application [ junos-bootps junos-bootpc ]
set security policies from-zone alpha to-zone link policy one then permit
```

Policy from server to client:

```
set security policies from-zone link to-zone alpha policy one match source-address 10.36.34.30/32
set security policies from-zone link to-zone alpha policy one match destination-address 10.1.1.0/24
set security policies from-zone link to-zone alpha policy one match application [ junos-bootps junos-bootpc ]
set security policies from-zone link to-zone alpha policy one then permit
```

From firewall "MB2":

Set up the forwarding. Same weirdness as on FHM-02: this firewall does not have an interface on vlan 41 or 42 either, but we add the forwarding statements anyway so it picks up the relayed packets and forwards them onward to the forman servers.

DHCP forwarding for clients "1":

```
set forwarding-options dhcp-relay server-group forman01 10.36.34.30
set forwarding-options dhcp-relay group admin active-server-group forman01
set forwarding-options dhcp-relay group admin interface vlan.41
```

DHCP forwarding for clients "2" (separate group; "admin2" is a placeholder name):

```
set forwarding-options dhcp-relay server-group forman02 10.36.35.30
set forwarding-options dhcp-relay group admin2 active-server-group forman02
set forwarding-options dhcp-relay group admin2 interface vlan.42
```

Troubleshooting:

For DHCP relay:
```
user@host> show system services dhcp relay statistics
```

For DHCP services (see what the configuration does):

```
user@host> show system services dhcp global
```

View all the DHCP leases:

```
user@host> show system services dhcp binding
```
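As an added pre-commit check (not part of these notes), a small Python linter over Junos "set" lines that flags the slips the relay configs above are prone to: a group given two active-server-group statements (only the last survives), a relay interface whose zone does not admit inbound DHCP, and a client-to-server bootp policy with no server-to-client counterpart. The sample config is constructed from the FHM-01 snippets; feed it `show configuration | display set` output instead.

```python
import re
from collections import defaultdict

# Constructed sample (based on the FHM-01 snippets above): one relay group that
# is given two active-server-groups, a zone that admits DHCP only on vlan.43,
# and a client-to-server bootp policy with no server-to-client counterpart.
SAMPLE_CONFIG = """
set forwarding-options dhcp-relay server-group forman01 10.36.34.30
set forwarding-options dhcp-relay group admin active-server-group forman01
set forwarding-options dhcp-relay group admin interface vlan.41
set forwarding-options dhcp-relay server-group forman02 10.36.35.30
set forwarding-options dhcp-relay group admin active-server-group forman02
set forwarding-options dhcp-relay group admin interface vlan.42
set security zones security-zone mgmt4 interfaces vlan.43 host-inbound-traffic system-services dhcp
set security policies from-zone alpha to-zone link policy one match application [ junos-bootps junos-bootpc ]
set security policies from-zone alpha to-zone link policy one then permit
"""

RE_ACTIVE = re.compile(r"^set forwarding-options dhcp-relay group (\S+) active-server-group (\S+)$")
RE_IFACE = re.compile(r"^set forwarding-options dhcp-relay group (\S+) interface (\S+)$")
RE_ZONE = re.compile(r"^set security zones security-zone \S+ interfaces (\S+) host-inbound-traffic system-services dhcp$")
RE_BOOTP = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy \S+ match application .*junos-bootp")

def lint_dhcp_relay(config_text):
    """Return a list of findings (strings) for dhcp-relay config given as Junos 'set' lines."""
    groups = defaultdict(lambda: {"servers": [], "interfaces": []})
    dhcp_inbound = set()   # logical interfaces whose zone admits inbound DHCP
    bootp_pairs = set()    # (from-zone, to-zone) pairs that match the bootp applications
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := RE_ACTIVE.match(line):
            groups[m.group(1)]["servers"].append(m.group(2))
        elif m := RE_IFACE.match(line):
            groups[m.group(1)]["interfaces"].append(m.group(2))
        elif m := RE_ZONE.match(line):
            dhcp_inbound.add(m.group(1))
        elif m := RE_BOOTP.match(line):
            bootp_pairs.add((m.group(1), m.group(2)))
    findings = []
    for name, g in groups.items():
        if len(set(g["servers"])) > 1:   # only the last active-server-group statement wins
            findings.append(f"group {name}: active-server-group set {len(g['servers'])} times "
                            f"({', '.join(g['servers'])}); only the last one takes effect")
        for ifl in g["interfaces"]:
            if ifl not in dhcp_inbound:   # relay never sees DISCOVERs the zone drops
                findings.append(f"group {name}: {ifl} has no host-inbound-traffic system-services dhcp in its zone")
    for fz, tz in sorted(bootp_pairs):
        if (tz, fz) not in bootp_pairs:   # OFFER/ACK from the server needs the reverse policy
            findings.append(f"bootp policy {fz}->{tz} has no return policy {tz}->{fz}")
    return findings

if __name__ == "__main__":
    for finding in lint_dhcp_relay(SAMPLE_CONFIG):
        print("WARN", finding)
```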
DHCP Client:
You might need to put your firewall in a location where its interface is not static and instead gets its IP from DHCP.

Change the interface from static IP to DHCP:

```
set interfaces fe-0/0/1 unit 10 family inet dhcp
delete interfaces fe-0/0/1 unit 10 family inet address 198.18.0.254/24
```

Allow DHCP messages on the interface:

```
set security zones security-zone dmz interfaces fe-0/0/1.10 host-inbound-traffic system-services dhcp
```

Check what you are about to commit, then commit with a rollback timer (commit confirmed rolls the change back automatically unless a second commit lands within 5 minutes, so a failed DHCP lease on a remote box cannot lock you out):

```
show | display set | match "fe-0/0/1 unit 10"
show | display set | match "fe-0/0/1.10"
commit check
commit confirmed 5
```

Then confirm that the interface is up, and if not, force a renew:

```
run show interfaces terse
run request system services dhcp renew fe-0/0/1.10
run show interfaces terse
```

Once it's up and working, save and quit (this final commit is what confirms the commit confirmed above):

```
commit comment "dhcp on ext interface" and-quit
show configuration | no-more
```