I have a question about how the SRX processes DHCP relay packets. I have a remote site with a Cisco switch trunked to an SRX which is connected to my DHCP server via a tunnel. The host DHCP requests are handled by the helper IPs on the Cisco. When I took over this network, the hosts were not able to get an IP via DHCP. After looking at the SRX config I noticed the irb interface was not included in the relay group. I added it and now the hosts are able to receive an IP from the server. My question is why does the interface on the SRX need to be in the relay group if the Cisco is handling the DHCP requests? Is it because it's seeing the unicast traffic on port 67 on the irb and knows that it is DHCP relay traffic and it won't process it unless the interface is in the relay group?
Thanks for any information on this.
Are the PCs in the same broadcast domain (same subnet) as the SRX? Maybe the SRX is receiving the DHCP Discover messages directly, and including the irb in the DHCP Relay Group triggered the DHCP relay functionality in the firewall, so it is actually performing this functionality instead of the switch. Gather:
show dhcp relay binding
show dhcp relay statistics
Yes, the user vlan is trunked to the SRX. There is a user VLAN interface on the Cisco with the helper addresses configured, but DHCP wasn't working on the hosts until I also added the user vlan irb interface to the relay active server group on the SRX; only the physical interface had been added. I didn't do that until I looked at the dhcp relay stats and saw the dropped packets along with a statement saying the interface wasn't configured. I am thinking that if the SRX sees a discover message on an interface that is configured as a relay, it will take over as the relay (i.e. strip the old giaddr and replace it with its own) and try to relay the packet itself? Since it wasn't configured in the relay group, the packets were dropped?
If the SRX has DHCP relay configuration and the IRB interface of the user vlan is included under this configuration, then the SRX will act as a DHCP relay. This is because the DHCP Discover messages are broadcast and the SRX will receive them via the user vlan on the IRB interface linked to this vlan; at this point the SRX will act as DHCP relay and will convert these broadcast DHCP Discover messages to unicast and send them to the DHCP server on a different subnet.
So even though there are helper IPs configured on the switch vlan interface, the broadcast will still be received on the SRX?
A broadcast by definition will reach all the hosts on the broadcast domain; this will include the switch and the SRX. If both are configured for relaying the DHCP Discover messages to the server, they will do it accordingly. The difference between the SRX and the switch sending the packets to the server is that the packets from the switch could be dropped on the SRX if there is not a security policy allowing these unicast packets. On the other hand, the unicast messages sent from the SRX are generated from the firewall itself, hence they don't require a security policy permitting this traffic.
Hope this helps you.
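As an added illustration of the relay behaviour the replies describe (this is example code written for this page, not from the thread, Juniper or Cisco), the following Python models the BOOTP relay step: one client DHCPDISCOVER broadcast is seen by both the Cisco SVI and the SRX irb, each configured relay stamps its own giaddr and unicasts to the server, and an interface that is not in the relay group drops the request. Interface names, addresses and packet contents are constructed.

```python
"""Added example, not from the thread: a minimal BOOTP/DHCP relay agent step.
A client DHCPDISCOVER is a broadcast on the user VLAN, so every relay on that
broadcast domain (Cisco SVI with helper address, SRX irb) sees the same frame.
Each relay acts only on configured interfaces, fills giaddr with its own address
when giaddr is zero (RFC 1542, 4.1.1), bumps hops and unicasts to the server.
Names, addresses and packet contents below are constructed."""
import struct
from ipaddress import IPv4Address

BOOTP_HDR = "!BBBBIHH4s4s4s4s"  # op,htype,hlen,hops,xid,secs,flags,ciaddr,yiaddr,siaddr,giaddr
HDR_LEN = struct.calcsize(BOOTP_HDR)  # 28 bytes; chaddr, sname, file, options follow
BOOTREQUEST, ZERO4 = 1, b"\x00" * 4


def build_discover(xid, mac):
    """Constructed client DHCPDISCOVER: BOOTREQUEST, broadcast flag set, giaddr 0."""
    hdr = struct.pack(BOOTP_HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000, ZERO4, ZERO4, ZERO4, ZERO4)
    return hdr + mac.ljust(16, b"\x00")  # chaddr padded to 16 bytes; sname/file/options omitted

class RelayAgent:
    def __init__(self, server, relay_ifaces):
        self.server = IPv4Address(server)
        self.relay_ifaces = {i: IPv4Address(a) for i, a in relay_ifaces.items()}  # ingress if -> own address
        self.stats = {"relayed": 0, "dropped_unconfigured_if": 0, "dropped_hops": 0}

    def relay(self, ingress_if, payload):
        """Return the unicast the server would receive, or None if the request is dropped."""
        if ingress_if not in self.relay_ifaces:  # the thread's symptom before irb was in the group
            self.stats["dropped_unconfigured_if"] += 1
            return None
        f = list(struct.unpack_from(BOOTP_HDR, payload))
        if f[0] != BOOTREQUEST:  # only client-to-server messages are relayed this way
            return None
        if f[3] > 16:  # RFC 1542: silently discard requests whose hops exceeds 16
            self.stats["dropped_hops"] += 1
            return None
        f[3] += 1
        if f[10] == ZERO4:  # a giaddr already set by an upstream relay is left untouched
            f[10] = self.relay_ifaces[ingress_if].packed
        self.stats["relayed"] += 1
        return {"src": str(self.relay_ifaces[ingress_if]), "dst": str(self.server), "dport": 67,
                "giaddr": str(IPv4Address(f[10])), "payload": struct.pack(BOOTP_HDR, *f) + payload[HDR_LEN:]}

def simulate(srx_has_irb):
    """One broadcast DISCOVER seen by both relays; returns (server-bound unicasts, SRX stats)."""
    cisco = RelayAgent("10.0.0.5", {"vlan20": "10.20.0.2"})
    srx = RelayAgent("10.0.0.5", {"irb.20": "10.20.0.1"} if srx_has_irb else {})
    discover = build_discover(0x3903F326, bytes.fromhex("02000000aa01"))
    sent = [r for r in (cisco.relay("vlan20", discover), srx.relay("irb.20", discover)) if r]
    return sent, srx.stats
```

With the irb in the group the server receives two relayed copies with different giaddr values, one from each relay; without it the SRX counter shows the drop the poster saw in the relay statistics.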