dhcp






DHCP Server: 

Define the DHCP service (the "!" lines are notes, not config):
! define the range handed out (in this case .128 through .159)
set system services dhcp pool 10.120.35.0/24 address-range low  10.120.35.128
set system services dhcp pool 10.120.35.0/24 address-range high 10.120.35.159
! DNS information given to clients
set system services dhcp pool 10.120.35.0/24 domain-name cmed.us
set system services dhcp pool 10.120.35.0/24 name-server 8.8.4.4
set system services dhcp pool 10.120.35.0/24 name-server 8.8.8.8
! default gateway and lease time (seconds)
set system services dhcp pool 10.120.35.0/24 router 10.120.35.1
set system services dhcp pool 10.120.35.0/24 default-lease-time 3600

Then allow DHCP as host-inbound traffic in the zone that holds the interface (note the keyword is system-services, not systems-services):
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp

Then make sure that interface fe-0/0/0.0 has an address in 10.120.35.0/24; the pool is selected by matching the interface's subnet, so a pool with no matching interface hands out nothing.

DHCP Relays

DHCP Relay (old): 

If you have a central dhcp server and you need all dhcp requests forwarded to it, then set up a dhcp (bootp) helper:
set forwarding-options helpers bootp description "Global DHCP relay service"
set forwarding-options helpers bootp server 10.120.34.30
set forwarding-options helpers bootp maximum-hop-count 5
set forwarding-options helpers bootp interface fe-0/0/0.0


DHCP Relay (new)

DHCP clients need their requests relayed to the dhcp server "forman01".

Where to send it (the server-group):
set forwarding-options dhcp-relay server-group forman01 10.36.35.30
How to collect it (the interface the relay listens on, and which server-group it uses):
set forwarding-options dhcp-relay group admin active-server-group forman01
set forwarding-options dhcp-relay group admin interface irb.43

You can add multiple "interface" lines (one per VLAN interface) to have a bunch of vlans all relay to the same "active-server-group", and you can also define multiple server-groups.

DHCP Relay (multiple)

DHCP clients "1a" and "1b" should have their dhcp traffic go to "forman01", while DHCP client "2" should go to "forman02".


For clients "1"
set forwarding-options dhcp-relay server-group forman01 10.36.35.30
set forwarding-options dhcp-relay group admin active-server-group forman01
set forwarding-options dhcp-relay group admin interface irb.41
set forwarding-options dhcp-relay group admin interface irb.43
For clients "2" (a separate group: a dhcp-relay group can point at only one active-server-group, so reusing "admin" here would silently overwrite forman01 with forman02)
set forwarding-options dhcp-relay server-group forman02 10.36.34.30
set forwarding-options dhcp-relay group admin2 active-server-group forman02
set forwarding-options dhcp-relay group admin2 interface irb.40



DHCP Relay (multiple + multiple Hops)

This example is kind of crazy.  We've got THREE srx firewalls, and we need to send the dhcp packets through all of them and back.  This gets tricky because you need to set up the normal forwarding, and the policies, and then you also need to add some weirdness.  


From firewall "FHM-01"

Note that when you're forwarding the packets to another firewall, the receiving firewall will listen for traffic on "vlan.x".  But if the messages all stay on the same firewall, then the firewall listens for traffic on a specific vlan interface "irb.x".  


DHCP forwarding for Clients "1"
set forwarding-options dhcp-relay server-group forman01 10.36.34.30
set forwarding-options dhcp-relay group admin active-server-group forman01
set forwarding-options dhcp-relay group admin interface vlan.41

DHCP forwarding for Clients "2" (its own group, since a group has only one active-server-group)
set forwarding-options dhcp-relay server-group forman02 10.36.35.30
set forwarding-options dhcp-relay group admin2 active-server-group forman02
set forwarding-options dhcp-relay group admin2 interface vlan.42

Allow dhcp messages on the vlan 41 interface (the same statement is needed for vlan.42 if clients "2" relay through this firewall; without it the relay never sees the requests):
set security zones security-zone mgmt4 interfaces vlan.41 host-inbound-traffic system-services dhcp

Policy from client to server: 
set security policies from-zone alpha to-zone link policy one match source-address 10.1.1.0/24
set security policies from-zone alpha to-zone link policy one match destination-address 10.36.34.30/32
set security policies from-zone alpha to-zone link policy one match application [ junos-bootps junos-bootpc ]
set security policies from-zone alpha to-zone link policy one then permit

set security policies from-zone beta to-zone link policy two match source-address 10.2.2.0/24
set security policies from-zone beta to-zone link policy two match destination-address 10.36.35.30/32
set security policies from-zone beta to-zone link policy two match application [ junos-bootps junos-bootpc ]
set security policies from-zone beta to-zone link policy two then permit

Policy from server to client: 
set security policies from-zone link to-zone alpha policy one match source-address 10.36.34.30/32
set security policies from-zone link to-zone alpha policy one match destination-address 10.1.1.0/24
set security policies from-zone link to-zone alpha policy one match application [ junos-bootps junos-bootpc ]
set security policies from-zone link to-zone alpha policy one then permit

set security policies from-zone link to-zone beta policy two match source-address 10.36.35.30/32
set security policies from-zone link to-zone beta policy two match destination-address 10.2.2.0/24
set security policies from-zone link to-zone beta policy two match application [ junos-bootps junos-bootpc ]
set security policies from-zone link to-zone beta policy two then permit



From firewall "FHM-02"

Setup the forwarding: 
This part is really weird...  The FHM-02 firewall DOES NOT have an interface on vlan 41 or 42, but we add the forwarding statements anyway.  It looks for packets with the vlan tags in them, and then forwards them onward to the forman servers.  

DHCP forwarding for Clients "1"
set forwarding-options dhcp-relay server-group forman01 10.36.34.30
set forwarding-options dhcp-relay group admin active-server-group forman01
set forwarding-options dhcp-relay group admin interface vlan.41

DHCP forwarding for Clients "2" (its own group, since a group has only one active-server-group)
set forwarding-options dhcp-relay server-group forman02 10.36.35.30
set forwarding-options dhcp-relay group admin2 active-server-group forman02
set forwarding-options dhcp-relay group admin2 interface vlan.42


Policy from client to server: 
set security policies from-zone alpha to-zone link policy one match source-address 10.1.1.0/24
set security policies from-zone alpha to-zone link policy one match destination-address 10.36.34.30/32
set security policies from-zone alpha to-zone link policy one match application [ junos-bootps junos-bootpc ]
set security policies from-zone alpha to-zone link policy one then permit

Policy from server to client: 
set security policies from-zone link to-zone alpha policy one match source-address 10.36.34.30/32
set security policies from-zone link to-zone alpha policy one match destination-address 10.1.1.0/24
set security policies from-zone link to-zone alpha policy one match application [ junos-bootps junos-bootpc ]
set security policies from-zone link to-zone alpha policy one then permit

From firewall "MB2"

Setup the forwarding: 
This part is really weird...  The MB2 firewall DOES NOT have an interface on vlan 41 or 42 either, but we add the forwarding statements anyway.  It looks for packets with those vlan tags in them, and then forwards them onward to the forman servers.  

DHCP forwarding for Clients "1"
set forwarding-options dhcp-relay server-group forman01 10.36.34.30
set forwarding-options dhcp-relay group admin active-server-group forman01
set forwarding-options dhcp-relay group admin interface vlan.41

DHCP forwarding for Clients "2" (its own group, since a group has only one active-server-group)
set forwarding-options dhcp-relay server-group forman02 10.36.35.30
set forwarding-options dhcp-relay group admin2 active-server-group forman02
set forwarding-options dhcp-relay group admin2 interface vlan.42
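The relay sections above share two easy mistakes: giving one dhcp-relay group a second active-server-group (the later "set" replaces the earlier one), and listing a relay interface whose zone never allows host-inbound dhcp. The lint below is an added example, not code from this page or from Junos; it only recognises the set-statement shapes used on this page, and the sample config is constructed to reproduce both mistakes.

```python
import re
from collections import defaultdict

# Statement shapes recognised (only the forms used on this page); anything else is ignored.
SERVER_GROUP = re.compile(r"^set forwarding-options dhcp-relay server-group (\S+) (\S+)$")
ACTIVE = re.compile(r"^set forwarding-options dhcp-relay group (\S+) active-server-group (\S+)$")
RELAY_IF = re.compile(r"^set forwarding-options dhcp-relay group (\S+) interface (\S+)$")
INBOUND = re.compile(r"^set security zones security-zone \S+ interfaces (\S+) "
                     r"host-inbound-traffic system-services dhcp$")

def lint_relay(config_text):
    """Return human-readable findings for a set-style dhcp-relay config."""
    server_groups, active, relay_ifs, allowed = {}, defaultdict(list), {}, set()
    for line in config_text.splitlines():
        line = " ".join(line.split())          # collapse stray double spaces
        if m := SERVER_GROUP.match(line):
            server_groups[m[1]] = m[2]
        elif m := ACTIVE.match(line):
            active[m[1]].append(m[2])          # keep every value to spot overwrites
        elif m := RELAY_IF.match(line):
            relay_ifs[m[2]] = m[1]
        elif m := INBOUND.match(line):
            allowed.add(m[1])
    findings = []
    for group, servers in active.items():
        if len(servers) > 1:                   # last "set" wins, earlier ones vanish
            findings.append(f"group {group}: active-server-group set {len(servers)} times, "
                            f"only {servers[-1]} takes effect")
        findings += [f"group {group}: server-group {s} is never defined"
                     for s in servers if s not in server_groups]
    for ifname, group in relay_ifs.items():
        if ifname not in allowed:              # relay never sees the DISCOVER
            findings.append(f"interface {ifname} (group {group}): no zone allows "
                            "host-inbound-traffic system-services dhcp")
    return findings

# Constructed sample modelled on the page's "multiple" example: both client
# groups reuse the name "admin", and only irb.41 is opened for DHCP.
SAMPLE = """
set forwarding-options dhcp-relay server-group forman01 10.36.35.30
set forwarding-options dhcp-relay group admin active-server-group forman01
set forwarding-options dhcp-relay group admin interface irb.41
set forwarding-options dhcp-relay server-group forman02 10.36.34.30
set forwarding-options dhcp-relay group admin active-server-group forman02
set forwarding-options dhcp-relay group admin interface irb.40
set security zones  security-zone mgmt4 interfaces irb.41 host-inbound-traffic system-services dhcp
"""

if __name__ == "__main__":
    for finding in lint_relay(SAMPLE):
        print(finding)
```

Feed it the output of "show configuration | display set" to check a live box the same way.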



Troubleshooting: 

For dhcp relay (the counters tell you why packets were dropped):
user@host> show system services dhcp relay-statistics
  Received Packets:                 4
  Forwarded Packets                 4
  Dropped Packets                   4
    Due to missing interface in relay database: 4
    Due to missing matching routing instance: 0
    Due to an error during packet read: 0
    Due to an error during packet send: 0
    Due to invalid server address: 0
    Due to missing valid local address: 0
    Due to missing route to server/client: 0
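To watch those counters from a script, here is an added parser for the relay-statistics output (example code, not from the page or from Junos); the sample text is constructed to match the layout shown above.

```python
import re

# Constructed sample, laid out like the troubleshooting output on the page.
SAMPLE_STATS = """\
  Received Packets:                 4
  Forwarded Packets                 4
  Dropped Packets                   4
    Due to missing interface in relay database: 4
    Due to missing matching routing instance: 0
    Due to an error during packet read: 0
    Due to an error during packet send: 0
    Due to invalid server address: 0
    Due to missing valid local address: 0
    Due to missing route to server/client: 0
"""

TOTALS = ("Received Packets", "Forwarded Packets", "Dropped Packets")
LINE = re.compile(r"^\s*(.+?):?\s+(\d+)\s*$")   # "label[:]   number"

def parse_relay_stats(text):
    """Map each counter label (without the 'Due to ' prefix) to its integer value."""
    stats = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            label = m[1].removeprefix("Due to ").rstrip(":").strip()
            stats[label] = int(m[2])
    return stats

def drop_reasons(stats):
    """Non-zero drop reasons, highest count first; empty when nothing was dropped."""
    if stats.get("Dropped Packets", 0) == 0:
        return []
    reasons = {k: v for k, v in stats.items() if k not in TOTALS and v > 0}
    return sorted(reasons.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for reason, count in drop_reasons(parse_relay_stats(SAMPLE_STATS)):
        print(f"{count} dropped: {reason}")
```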

For dhcp services (see what the configuration does):
user@host> show system services dhcp global
Global settings:
    BOOTP lease length         infinite
  DHCP lease times:
    Default lease time         1 day
    Minimum lease time         1 minute
    Maximum lease time         infinite

  DHCP options:
    Name: domain-name, Value: englab.juniper.net
    Name: name-server, Value: [ 192.168.5.68, 172.17.28.101, 172.17.28.100 ]

View all the dhcp leases:
user@host> show system services dhcp binding
IP Address   Hardware Address   Type          Lease expires at
30.1.1.20  00:12:1e:a9:7b:81  dynamic       2007-05-11 11:14:43 PDT


DHCP Client:

You might need to put your firewall in a location where its interface is not static and instead it gets its IP from DHCP.  

Change the interface from static IP to dhcp:
set interfaces fe-0/0/1 unit 10 family inet dhcp
delete interfaces fe-0/0/1 unit 10 family inet address 198.18.0.254/24

Allow DHCP messages on the interface: 
set security zones security-zone dmz interfaces fe-0/0/1.10 host-inbound-traffic system-services dhcp

Check the change, then commit with an automatic rollback (commit confirmed reverts after 5 minutes unless you commit again, so a bad change can't lock you out): 
show | display set | match "fe-0/0/1 unit 10"
show | display set | match "fe-0/0/1.10"
commit check

commit confirmed 5 

Then confirm that the interface is up and has an address, and if not force a renewal: 
run show interfaces terse 
run request system services dhcp renew fe-0/0/1.10
run show interfaces terse 

Once it's up and working, confirm the pending commit (which cancels the rollback timer), quit, and review the result:
commit comment "dhcp on ext interface" and-quit
show configuration | no-more

