SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to install DHCP for VLAN in SRX300

    Posted 08-20-2019 18:23

    I have a diagram the same as below:

    [image: srx1.PNG (network diagram)]

    I want to configure DHCP for VLAN10 so clients can get IP information dynamically from the router (my DHCP is configured there).

    Here is the configuration Juniper recommends:

    ////

    set system services ssh
    set security policies from-zone Trust to-zone Untrust policy trust-untrust match source-address any
    set security policies from-zone Trust to-zone Untrust policy trust-untrust match destination-address any
    set security policies from-zone Trust to-zone Untrust policy trust-untrust match application any
    set security policies from-zone Trust to-zone Untrust policy trust-untrust then permit
    
    set security policies from-zone Untrust to-zone DMZ policy trust-untrust match source-address any
    set security policies from-zone Untrust to-zone DMZ policy trust-untrust match destination-address any
    set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-http
    set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-https
    set security policies from-zone Untrust to-zone DMZ policy trust-untrust then permit
    
    set security policies from-zone Trust to-zone DMZ policy trust-untrust match source-address any
    set security policies from-zone Trust to-zone DMZ policy trust-untrust match destination-address any
    set security policies from-zone Trust to-zone DMZ policy trust-untrust match application any
    set security policies from-zone Trust to-zone DMZ policy trust-untrust then permit
    
    set security zones security-zone MGMT host-inbound-traffic system-services all
    set security zones security-zone MGMT interfaces ge-0/0/0.0
    set security zones security-zone Untrust interfaces ge-0/0/1.0
    set security zones security-zone DMZ interfaces ge-0/0/2.0
    set security zones security-zone Trust interfaces ge-0/0/3.0
    
    set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-20
    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-10
    set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-10
    set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-10
    set interfaces irb unit 20 family inet address 10.0.0.254/24
    
    set protocols l2-learning global-mode transparent-bridge
    set vlans vlan-10 vlan-id 10
    set vlans vlan-20 vlan-id 20
    set vlans vlan-20 l3-interface irb.20

    ////

    What do I need to change? Thank you so much!



  • 2.  RE: How to install DHCP for VLAN in SRX300

    Posted 08-20-2019 18:45

    Hi sanvinh

     

    Do you need the firewall operating in transparent mode? I'm not sure if DHCP is supported when transparent mode is enabled:

     

    "On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, the DHCP server propagation is not supported in Layer 2 transparent mode."

     

    Ref: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-layer2-bridging-switching-overview.html

     

    In transparent mode the SRX interfaces facing the hosts are configured for family bridge, so they are not L3 interfaces. I think you need L3 interfaces (an L3 device) if you want them to work as a DHCP server.

     



  • 3.  RE: How to install DHCP for VLAN in SRX300

    Posted 08-20-2019 18:59
     

    NOTE 

    On all SRX Series devices, DHCPv4 is supported only in Layer 3 mode; the DHCP server and DHCP client are not supported in Layer 2 transparent mode.

     

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/security-dhcp-server-client-relay-agent-overivew.html



  • 4.  RE: How to install DHCP for VLAN in SRX300

    Posted 08-20-2019 19:43

    It's not necessary to set the SRX in transparent mode. I want hosts behind the SRX to operate as DHCP clients. The DHCP server is configured on the router. The SRX operates as a switch but has the full security functions of a firewall.



  • 5.  RE: How to install DHCP for VLAN in SRX300
    Best Answer

     
    Posted 08-21-2019 00:22

    If you want the router acting as the DHCP server and the SRX to act as a switch with security features, then you are looking to configure the SRX in transparent mode.

     

    Please share:

          > show ethernet-switching global-information

          > show interfaces terse

          > show interfaces extensive

           > show security policies

    I also found that application "any" is not supported in security policies, so you might want to change that:

     A security policy for transparent mode is similar to a policy configured for Layer 3 zones, with the following exceptions:

    • Application ANY is not supported.

    Ref: https://www.juniper.net/documentation/en_US/junos/topics/concept/security-policy-transport-mode-understanding.html

     

    Based on the same document it looks like the DHCP packets should be allowed:

     

    ==============================================================================

     By default, Layer 2 forwarding performs the following actions:

    • Allows Address Resolution Protocol (ARP) and Layer 2 non-IP multicast and broadcast traffic

    ==============================================================================

     

    Make sure you don't have the option "block-non-ip-all" configured, else DHCP traffic will be dropped.
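
The checks raised in this answer (no `application any` in transparent mode, no `block-non-ip-all`) are easy to automate over a `show configuration | display set` dump. The script below is an added example, not part of the thread or Juniper's tooling. It also checks the one thing the poster's layout makes easy to miss: a zone whose access port sits on the same VLAN as the router-facing port but that has no policy towards the router's zone, so its DHCP requests have nothing to permit them. The sample config is constructed from the snippet in the first post (with the address-match lines omitted and the MGMT zone line in valid syntax); `dhcp_server_zone="Untrust"` is an assumption about which zone faces the router.

```python
"""Lint a Junos SRX 'display set' config for the transparent-mode DHCP pitfalls
discussed in this thread.  Added example, not Juniper code."""
from collections import defaultdict

# Constructed sample modelled on the first post's snippet (address-match lines
# dropped, MGMT zone line written in valid syntax).
SAMPLE_CONFIG = """\
set security policies from-zone Trust to-zone Untrust policy trust-untrust match application any
set security policies from-zone Trust to-zone Untrust policy trust-untrust then permit
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-http
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-https
set security policies from-zone Untrust to-zone DMZ policy trust-untrust then permit
set security policies from-zone Trust to-zone DMZ policy trust-untrust match application any
set security policies from-zone Trust to-zone DMZ policy trust-untrust then permit
set security zones security-zone MGMT interfaces ge-0/0/0.0
set security zones security-zone Untrust interfaces ge-0/0/1.0
set security zones security-zone DMZ interfaces ge-0/0/2.0
set security zones security-zone Trust interfaces ge-0/0/3.0
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-20
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-10
set protocols l2-learning global-mode transparent-bridge
"""


def parse_set_lines(config_text):
    """One token list per 'set ...' line, with the leading 'set' dropped."""
    return [line.split()[1:] for line in (l.strip() for l in config_text.splitlines())
            if line.startswith("set ")]


def lint(config_text, dhcp_server_zone="Untrust"):
    """Return the facts the thread's checks depend on plus a list of issue strings.
    dhcp_server_zone is an assumption: the zone facing the router running DHCP."""
    tokens = parse_set_lines(config_text)
    transparent = ["protocols", "l2-learning", "global-mode", "transparent-bridge"] in tokens
    policy_pairs = set()            # (from-zone, to-zone) that have at least one policy
    any_app = []                    # (from-zone, to-zone, policy) using 'application any'
    zone_ifaces = defaultdict(set)  # zone -> {"ge-0/0/1.0", ...}
    vlan_ifaces = defaultdict(set)  # vlan -> {"ge-0/0/1.0", ...}
    block_non_ip_all = bypass_non_ip_unicast = False

    for t in tokens:
        if (len(t) >= 8 and t[:2] == ["security", "policies"] and t[2] == "from-zone"
                and t[4] == "to-zone" and t[6] == "policy"):
            policy_pairs.add((t[3], t[5]))
            if t[8:] == ["match", "application", "any"]:
                any_app.append((t[3], t[5], t[7]))
        elif (len(t) >= 6 and t[:3] == ["security", "zones", "security-zone"]
                and t[4] == "interfaces"):
            zone_ifaces[t[3]].add(t[5])
        elif (len(t) >= 9 and t[0] == "interfaces" and t[2] == "unit"
                and t[4:8] == ["family", "ethernet-switching", "vlan", "members"]):
            vlan_ifaces[t[8]].add(f"{t[1]}.{t[3]}")   # logical unit, as zones name it
        elif t == ["security", "flow", "ethernet-switching", "block-non-ip-all"]:
            block_non_ip_all = True
        elif t == ["security", "flow", "ethernet-switching", "bypass-non-ip-unicast"]:
            bypass_non_ip_unicast = True

    # Zones whose ports share a VLAN with the server zone's port(s) are DHCP clients of it.
    iface_vlan = {i: v for v, ifs in vlan_ifaces.items() for i in ifs}
    server_vlans = {iface_vlan[i] for i in zone_ifaces[dhcp_server_zone] if i in iface_vlan}
    client_zones = sorted(z for z, ifs in zone_ifaces.items() if z != dhcp_server_zone
                          and any(iface_vlan.get(i) in server_vlans for i in ifs))
    missing = [z for z in client_zones if (z, dhcp_server_zone) not in policy_pairs]

    issues = []
    if transparent:
        issues += [f"policy {f}->{t} '{n}' uses application any (not supported in transparent mode)"
                   for f, t, n in any_app]
        if not bypass_non_ip_unicast:
            issues.append("note: bypass-non-ip-unicast is not set (the option the poster ended up needing)")
    if block_non_ip_all:
        issues.append("block-non-ip-all is set; the thread warns this drops DHCP")
    issues += [f"zone {z} shares a VLAN with {dhcp_server_zone} but has no policy "
               f"{z}->{dhcp_server_zone}, so its DHCP requests are not permitted" for z in missing]
    return {"transparent_mode": transparent, "any_app_policies": any_app,
            "block_non_ip_all": block_non_ip_all, "bypass_non_ip_unicast": bypass_non_ip_unicast,
            "client_zones": client_zones, "missing_policy_to_server": missing, "issues": issues}


if __name__ == "__main__":
    for issue in lint(SAMPLE_CONFIG)["issues"]:
        print("-", issue)
```

Run against the first post's layout it reports the two `application any` policies, the absent `bypass-non-ip-unicast`, and that DMZ sits on vlan-10 with the Untrust port but has no DMZ-to-Untrust policy at all.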

     



  • 6.  RE: How to install DHCP for VLAN in SRX300

     
    Posted 08-21-2019 00:39

    Take a packet capture on the hosts (and on the router if possible) to see the DHCP conversation between them and the router and whether this reveals anything important. Traffic might be passing through the SRX, but the problem might lie in the DHCP negotiation itself.
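
To act on that advice you need to read the DISCOVER/OFFER/REQUEST/ACK exchange off the capture and see which client transactions never get a server reply. The decoder below is an added example, not code from the thread: it builds and parses the DHCPv4 message layout from RFC 2131 (fixed BOOTP header, magic cookie, option 53 message type) and pairs messages by transaction ID. The capture is constructed inline, with one host that completes the four-way exchange and one whose repeated DISCOVERs are never answered (the symptom in this thread); MAC and IP values are made up.

```python
"""Decode raw DHCPv4 payloads and pair client requests with server replies by xid.
Added example, not code from the thread.  Payloads are the UDP payload only."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_LEN = 236  # bytes of BOOTP header before the magic cookie (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK",
             6: "NAK", 7: "RELEASE", 8: "INFORM"}
CLIENT_TYPES = {1, 3, 4, 7, 8}   # sent with op=1 (BOOTREQUEST)


def build_dhcp(msg_type, xid, mac, yiaddr="0.0.0.0", server_id=None):
    """Build a minimal DHCPv4 message: broadcast flag set, option 53 and optional option 54."""
    op = 1 if msg_type in CLIENT_TYPES else 2
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0x8000,
                         b"\x00" * 4, socket.inet_aton(yiaddr), b"\x00" * 4, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, msg_type])
    if server_id:
        options += bytes([54, 4]) + socket.inet_aton(server_id)
    return header + MAGIC_COOKIE + options + b"\xff"


def parse_dhcp(data):
    """Parse a DHCPv4 payload into a dict; raises ValueError if the cookie is missing."""
    if len(data) < FIXED_LEN + 4 or data[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCPv4 payload")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", data[:12])
    ciaddr, yiaddr, siaddr, giaddr = (socket.inet_ntoa(data[i:i + 4]) for i in (12, 16, 20, 24))
    mac = ":".join(f"{b:02x}" for b in data[28:28 + hlen])
    options, i = {}, FIXED_LEN + 4
    while i < len(data) and data[i] != 255:          # 255 = end option
        if data[i] == 0:                             # 0 = pad
            i += 1
            continue
        if i + 1 >= len(data):
            break                                    # truncated option header
        length = data[i + 1]
        options[data[i]] = data[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get((options.get(53) or b"\x00")[0], "UNKNOWN")
    return {"op": op, "xid": xid, "mac": mac, "ciaddr": ciaddr, "yiaddr": yiaddr,
            "siaddr": siaddr, "giaddr": giaddr, "broadcast": bool(flags & 0x8000),
            "type": msg_type, "options": options}


def summarize(payloads):
    """Group message types by xid; return (by_xid, xids that never saw OFFER/ACK/NAK)."""
    by_xid = {}
    for payload in payloads:
        m = parse_dhcp(payload)
        by_xid.setdefault(m["xid"], []).append(m["type"])
    unanswered = sorted(x for x, types in by_xid.items()
                        if not {"OFFER", "ACK", "NAK"} & set(types))
    return by_xid, unanswered


# Constructed capture: host A completes DORA, host B's DISCOVERs are never answered.
SAMPLE_CAPTURE = [
    build_dhcp(1, 0x1111, "00:11:22:33:44:55"),
    build_dhcp(2, 0x1111, "00:11:22:33:44:55", yiaddr="10.0.0.50", server_id="10.0.0.254"),
    build_dhcp(3, 0x1111, "00:11:22:33:44:55"),
    build_dhcp(5, 0x1111, "00:11:22:33:44:55", yiaddr="10.0.0.50", server_id="10.0.0.254"),
    build_dhcp(1, 0x2222, "00:11:22:33:44:66"),
    build_dhcp(1, 0x2222, "00:11:22:33:44:66"),
]

if __name__ == "__main__":
    by_xid, unanswered = summarize(SAMPLE_CAPTURE)
    for xid, types in by_xid.items():
        print(f"xid 0x{xid:08x}: {' -> '.join(types)}")
    print("unanswered transactions:", [f"0x{x:08x}" for x in unanswered])
```

Feed it the UDP payloads from a real capture (for example, exported from tshark with `-T fields -e dhcp` or read with any pcap library) and compare the capture on the client side with the one on the router: a DISCOVER that is present on the host but absent on the router was lost in between, while a DISCOVER that reaches the router and draws no OFFER points at the DHCP server itself.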

     

     



  • 7.  RE: How to install DHCP for VLAN in SRX300

    Posted 08-21-2019 03:37

    Here is my full configuration:

    version 15.1X49-D45;
    system {
        host-name SRX300;
        time-zone GMT;
        root-authentication {
            encrypted-password "$5$gYBe3xAi$XtkAVzxrfvGduzBhlDHn.GMBq2K6KTtgQ7/po.PX700"; ## SECRET-DATA
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface ge-0/0/1.0;
                }
                https {
                    system-generated-certificate;
                    interface ge-0/0/1.0;
                }
                session {
                    idle-timeout 60;
                }
            }
            dhcp {
                propagate-settings ge-0/0/0;
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }                               
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        policies {
            from-zone Trust to-zone Untrust {
                policy Trust-Untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }                       
                }
            }
        }
        zones {
            security-zone ADMIN {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/5.0;
                }
            }
            security-zone Server {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
            security-zone Untrust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
            security-zone Trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
            security-zone DMZ {
                host-inbound-traffic {
                    system-services {
                        all;                
                    }
                }
                interfaces {
                    ge-0/0/2.0;
                }
            }
            security-zone ADMIN-2 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/3.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-10;
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-10;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-10;    
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-20;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
        irb {
            unit 20 {
                family inet {
                    address 20.0.0.1/24;
                }
            }
        }
    }
    protocols {
        l2-learning {
            global-mode transparent-bridge;
        }
    }
    vlans {
        vlan-10 {
            vlan-id 10;
        }
        vlan-20 {
            vlan-id 20;
            l3-interface irb.20;
        }
    }

    I want clients in the Trust and DMZ zones to be able to get IPs dynamically from the DHCP server on the router.

    What's incorrect?



  • 8.  RE: How to install DHCP for VLAN in SRX300

    Posted 08-21-2019 18:45

    @mrojas:

    How could I remove the option "block-non-ip-all"?

    I searched for it but found no correct guide.



  • 9.  RE: How to install DHCP for VLAN in SRX300

    Posted 08-21-2019 19:27
    Sanvinh,

    From your configuration, I don't see block-non-ip-all configured. So, no need to worry about it.


  • 10.  RE: How to install DHCP for VLAN in SRX300

    Posted 08-22-2019 01:24

    @noobmsater:

    Yeah. I set security flow ethernet-switching bypass-non-ip-unicast, but it still cannot get an IP dynamically.

    Any suggestion?



  • 11.  RE: How to install DHCP for VLAN in SRX300

    Posted 08-26-2019 02:38

    I set security flow ethernet-switching bypass-non-ip-unicast.

    Rarely, an interface didn't send DHCP info to the client facing it, but the others worked!

    Thanks to everyone for paying attention!