SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX DHCP leases being issued to wrong vlan

    Posted 12-05-2020 08:44
    Can someone advise what I'm doing wrong with the setup of an SRX300 in relation to DHCP?

    I've got interface Ge-0/0/1 -> 0/0/4 and 0/0/6 -> 0/0/7 configured in the trust zone on the default trust vlan "3" with irb.0 10.0.20.1/24 configured with a DHCP scope (10.0.20.0/24) which is working fine. DHCP leases are issued and working properly.

    I've configured a second vlan 21 which utilises irb.21 (10.0.21.1/24), and interface Ge-0/0/5 is the only interface in Vlan21. A DHCP scope of 10.0.21.0/24 has been configured; however, when I connect a client to interface ge-0/0/5 I get a DHCP lease in the above 10.0.20.0/24 range instead of in the 10.0.21.0/24 range/subnet. When I configure a static IP in the 10.0.21.0/24 range manually on a client connected to Ge-0/0/5 I can ping the irb.21 interface.

    Could someone please provide some guidance as to why I am getting a vlan3/trust DHCP lease within vlan21?



    user@FW01# run show configuration | display set | match ge-0/0/5
    set interfaces interface-range ETH-SWITCH-VL21 member ge-0/0/5
    set interfaces ge-0/0/5 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members VL21
    
    [edit]
    user@FW01# run show vlans
    
    Routing instance        VLAN name             Tag          Interfaces
    default-switch          VL21                  21
                                                               ge-0/0/5.0
    default-switch          default               1
    
    default-switch          vlan-trust            3
                                                               ge-0/0/1.0
                                                               ge-0/0/2.0
                                                               ge-0/0/3.0
                                                               ge-0/0/4.0
                                                               ge-0/0/6.0
    
    [edit]
    user@FW01# run show dhcp server binding
    IP address        Session Id  Hardware address   Expires     State      Interface
    10.0.20.22        2           34:e6:d7:52:7a:##  86251       BOUND      irb.0
    
    [edit]
    user@FW01# run clear dhcp server binding all
    
    [edit]
    user@FW01# run show dhcp server binding
    IP address        Session Id  Hardware address   Expires     State      Interface
    10.0.20.22        3           34:e6:d7:52:7a:##  86393       BOUND      irb.21
    
    user@FW01# run show configuration
    ## Last commit: 2020-12-05 13:32:18 UTC by user
    version 18.4R3-S4.2;
    system {
        login {
            user user {
                uid 2000;
                class super-user;
                authentication {
                    encrypted-password ######; ## SECRET-DATA
                }
            }
        }
        root-authentication {
            encrypted-password ######; ## SECRET-DATA
        }
        services {
            ssh;
            netconf {
                ssh;
            }
            dhcp-local-server {
                group jdhcp-group {
                    interface irb.0;
                    interface irb.21;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
        host-name FW01;
        domain-name oe.local;
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate;
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0 {
                        host-inbound-traffic {
                            system-services {
                                https;
                                dhcp;
                                users;
                                ping;
                                traceroute;
                                ssh;
                            }
                        }
                    }
                    irb.21 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                users;
                                ping;
                                ssh;
                            }
                        }
                    }
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    pp0.0;
                }
            }
            security-zone Outside {
                description Internet;
                interfaces {
                    ge-0/0/0.0;
                }
            }
        }
    }
    interfaces {
        interface-range ETH-SWITCH-VL21 {
            member ge-0/0/5;
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members VL21;
                    }
                }
            }
        }
        ge-0/0/0 {
            unit 0 {
                encapsulation ppp-over-ether;
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members VL21;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family inet {
                    dhcp {
                        vendor-id Juniper-srx300;
                    }
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    address 10.0.20.1/24;
                }
            }
            unit 21 {
                family inet {
                    address 10.0.21.1/24;
                }
            }
        }
        pp0 {
            unit 0 {
                ppp-options {
                    chap {
                        default-chap-secret #########; ## SECRET-DATA
                        local-name ########;
                        passive;
                    }
                }
                pppoe-options {
                    underlying-interface ge-0/0/0.0;
                    idle-timeout 0;
                    auto-reconnect 2;
                    client;
                }
                family inet {
                    mtu 1492;
                    negotiate-address;
                }
            }
        }
    }
    access {
        address-assignment {
            pool VLAN-20 {
                family inet {
                    network 10.0.20.0/24;
                    range junosRange {
                        low 10.0.20.21;
                        high 10.0.20.100;
                    }
                    dhcp-attributes {
                        router {
                            10.0.20.1;
                        }
                        propagate-settings irb.0;
                    }
                }
            }
            pool VLAN-21 {
                family inet {
                    network 10.0.21.0/24;
                    range VLAN-21-DHCP {
                        low 10.0.21.21;
                        high 10.0.21.100;
                    }
                    dhcp-attributes {
                        router {
                            10.0.21.1;
                        }
                        propagate-settings irb.21;
                    }
                }
            }
        }
    }
    vlans {
        VL21 {
            vlan-id 21;
            l3-interface irb.21;
        }
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop pp0.0;
        }
    }


  • 2.  RE: SRX DHCP leases being issued to wrong vlan

    Posted 12-05-2020 11:49
    Quick compare of mine.. I have my 2 groups in my sys service dhcp-local-server:

    dhcp-local-server {
        group jdhcp-group {
            interface irb.0;
        }
        group jdhcp-phone {
            interface irb.3000;
        }
    }


  • 3.  RE: SRX DHCP leases being issued to wrong vlan
    Best Answer

    Posted 12-05-2020 11:59
    By comparison the OP has the following:

    dhcp-local-server {
        group jdhcp-group {
            interface irb.0;
            interface irb.21;
        }
    }


    I believe you need to break out your interfaces into different groups (I don't currently have access to the FW where I am using the built in DHCP option, but I can double check it on Monday). You're applying vlan20 settings to group jdhcp-group so any interface within this group is getting the vlan20 settings.

    In tgreaser's configuration he has two different groups each having a different interface assigned to it thus separating the DHCP configurations.




  • 4.  RE: SRX DHCP leases being issued to wrong vlan

    Posted 12-05-2020 22:35
    Thanks for the guidance. Changing the Vlan-21 DHCP server interface configuration to a different group seems to have fixed the issue.

    dhcp-local-server {
        group jdhcp-group {
            interface irb.0;
        }
        group DHCP-GRP-VL21 {
            interface irb.21;
        }
    }

    user@W01# run show dhcp server binding
    IP address        Session Id  Hardware address   Expires     State      Interface
    10.0.20.21        3           c8:f7:50:6b:##:##  85880       BOUND      irb.0
    10.0.21.22        4           c8:f7:50:6b:##:##  86011       BOUND      irb.21


    ------------------------------
    Dave N
    ------------------------------



  • 5.  RE: SRX DHCP leases being issued to wrong vlan

    Posted 12-06-2020 02:58
    Scopes are completely separate from groups. You do not have to put each interface in a separate group unless they have different requirements outside the scopes that you then configure per group (authentication or overrides for example).

    It's more likely the 2nd client was originally part of vlan 3 and the OP is seeing this behavior:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB32226

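    The symptom in the OP's second binding table (a 10.0.20.x address bound on irb.21) is easy to spot by eye with two clients, but not with a full table. The following is an added example, not from the thread or from Junos: a small Python check that parses the text of `show dhcp server binding`, looks up the subnet of the irb each lease is bound on (addresses taken from the OP's config), and reports any lease whose address does not belong to that irb's subnet. The binding rows are constructed to mirror the thread's output, with placeholder MAC addresses.

    ```python
    import ipaddress
    import re

    # Constructed sample data: irb addresses from the OP's config and a
    # binding table modelled on the second "show dhcp server binding" output.
    IRB_ADDRESSES = {
        "irb.0": "10.0.20.1/24",
        "irb.21": "10.0.21.1/24",
    }

    SAMPLE_BINDINGS = """\
    IP address        Session Id  Hardware address   Expires     State      Interface
    10.0.20.21        3           c8:f7:50:6b:00:01  85880       BOUND      irb.0
    10.0.20.22        3           34:e6:d7:52:7a:01  86393       BOUND      irb.21
    """

    # One data row of the binding table: IP, session id, MAC, expiry, state, interface.
    BINDING_RE = re.compile(
        r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<session>\d+)\s+(?P<mac>[0-9a-f:]{17})"
        r"\s+(?P<expires>\d+)\s+(?P<state>\S+)\s+(?P<ifl>\S+)$",
        re.IGNORECASE,
    )


    def parse_bindings(text):
        """Return one dict per data row of 'show dhcp server binding'; header lines are skipped."""
        rows = []
        for line in text.splitlines():
            m = BINDING_RE.match(line.strip())
            if m:
                rows.append(m.groupdict())
        return rows


    def mismatched_bindings(text, irb_addresses):
        """Return (ip, interface, expected_subnet) for leases outside their irb's subnet.

        A binding on an interface that has no known address is also reported,
        with expected_subnet set to 'None'.
        """
        subnets = {ifl: ipaddress.ip_interface(a).network for ifl, a in irb_addresses.items()}
        bad = []
        for row in parse_bindings(text):
            net = subnets.get(row["ifl"])
            if net is None or ipaddress.ip_address(row["ip"]) not in net:
                bad.append((row["ip"], row["ifl"], str(net)))
        return bad


    if __name__ == "__main__":
        for ip, ifl, net in mismatched_bindings(SAMPLE_BINDINGS, IRB_ADDRESSES):
            print(f"{ip} is bound on {ifl}, which serves {net}")
    ```

    On the sample table this flags only the 10.0.20.22 lease on irb.21, the same lease the OP saw carried over after `clear dhcp server binding all`.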

  • 6.  RE: SRX DHCP leases being issued to wrong vlan

    Posted 12-06-2020 03:02
    Thanks for the correction and the clarification smicker.