SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Can DHCP Server and Relay be on the same SRX?

    Posted 07-29-2020 14:22

    Greetings,

    We're testing a new DHCP configuration and are trying to figure out if we can set up a DHCP relay for a specific subnet / irb / vlan and leave the rest of the DHCP configuration alone?

    Basically we have the SRX acting as a DHCP server for all subnets, but we'd like to break off one subnet and send its DHCP requests via relay to a DHCP server.

    Is this possible?

    Thank you.



  • 2.  RE: Can DHCP Server and Relay be on the same SRX?

     
    Posted 07-29-2020 14:44

    Hi A.Vanson,

     

    Greetings. This should work; you just need to configure an IRB interface to encapsulate those discovers and send them to the server you desire. As a recommendation, please eliminate the pool on the SRX acting as DHCP server for the VLAN on which you are trying to use the helper/relay function.

     

    This is the minimum configuration needed

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-dhcp-relay-agent-minimum-configuration.html

    If relay agent interfaces and server are in different Routing instances you can use this KB

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB28642&cat=JUNOSV_FIREFLY&actp=LIST

     

     

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

     

     

    Regards,

     

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB



  • 3.  RE: Can DHCP Server and Relay be on the same SRX?

    Posted 07-29-2020 15:49

    Thanks, @lildexx,

    I did look over that documentation, but it doesn't seem to tell me how to designate the specific subnet that I want to be relaying for?  Do you have any insights on this?  



  • 4.  RE: Can DHCP Server and Relay be on the same SRX?

     
    Posted 07-29-2020 17:15

     

    Hi A.Vanson

     

     

     

    Assuming that you already have the VLAN you want to be configured and the IRB associated with the VLAN, you will just need to add the relay configuration, the security policies, and the host inbound traffic to let the DHCP packets go back and forth.

     

    In this configuration we can see that we have two servers acting, one for Data-Vlan and another one for Voice-Vlan: 

     

    forwarding-options {
        dhcp-relay {
            server-group {
                DATA {
                    128.129.130.131;    # remote DHCP server
                    131.132.133.134;    # (optional) 2nd DHCP server
                }
                VOICE {
                    168.167.169.170;
                }
            }
            group DATA {
                active-server-group DATA;
                interface ge-0/0/0.0;    # interface working as the gateway on the Data VLAN
            }
            group VOICE {
                active-server-group VOICE;
                interface irb.10;    # interface working as a gateway on the Voice VLAN
            }
        }
    }

     

     

    If you have this command: set forwarding-options dhcp-relay active-server-group <name>, it will allow only a single group of servers to work. Most of the time this is used; you do not always have several DHCP servers.

    Remember that you cannot have a binding to two servers; the dhcp-relay agent will not let you do that unless you configure the following command: set forwarding-options dhcp-relay overrides delete-binding-on-renegotiation

     

     

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

     

    Regards,

     

     

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB



  • 5.  RE: Can DHCP Server and Relay be on the same SRX?

    Posted 07-29-2020 18:30

    Thank you, @lildexx,

    Well, I tried something like

    group all {
      interface irb.5
    }
    

    But then got an error, something like interface irb.5 already configured

    Is this related to the access address-assignment?  I deleted the pool for that irb from the address-assignment node, so I'm missing something.



  • 6.  RE: Can DHCP Server and Relay be on the same SRX?

    Posted 07-29-2020 22:07

    Hello Vanson,

     

    Can you tell me whether you are using JDHCP or DHCP server? The difference is JDHCP is the latest one and DHCP is deprecated in the latest Junos version. For more information, please check the following TSB - https://kb.juniper.net/InfoCenter/index?page=content&id=TSB16991&actp=METADATA

     

    If your configuration starts with "set access address-assignment" then it is JDHCP and if it starts with "set system services dhcp" then it is legacy DHCP.

     

    Note: Although a Juniper Networks device can act as a DHCP server, a DHCP client, or DHCP relay agent at the same time, you cannot configure more than one DHCP role on a single interface.

     

    It would be great if you can paste the exact error message so that we can take a look. Also, provide us with your existing DHCP configuration.



  • 7.  RE: Can DHCP Server and Relay be on the same SRX?

    Posted 07-30-2020 08:20

    Thanks for your assistance here.

     

    We're using JDHCP.

    The exact error is "Interface irb.5 already configured"

    The config for the dhcp relay was like this:

     

     

    dhcp-relay {
     server-group {
      dhcp-server {
       10.2.2.100;
      }
     }
     active-server-group dhcp-server;
     group dhcp {
      interface irb.5;
     }
    }

     

     

     

    IRB.5 is the L3 interface for a VLAN on the 192.168.5.0/24 subnet 

     

    Our current DHCP config is something like this, minus all the other pools we've set up for different VLANs / IRBs.  This pool shown is the one that we removed before committing the relay rules:

    access {
        address-assignment {
            pool Pool3 {
                family inet {
                    network 192.168.5.0/24;
                    range Pool3Pool {
                        low 192.168.5.100;
                        high 192.168.5.199;
                    }
                    dhcp-attributes {
                        name-server {
                            10.2.2.100;
                            10.2.2.101;
                        }
                        router {
                            192.168.5.1;
                        }
                    }
                }
            }
    ...

     



  • 8.  RE: Can DHCP Server and Relay be on the same SRX?
    Best Answer

    Posted 07-30-2020 09:59

    Hi Vanson,

     

    As I mentioned earlier, you can't configure more than one DHCP role on a single interface. i.e. Interface irb.5 can only act as either JDHCP server or JDHCP relay agent or JDHCP client.

     

    The reason for the error is that you have irb.5 configured both as JDHCP relay and JDHCP server. I believe you didn't get the IP address of irb.5 dynamically, so I excluded the JDHCP client. Please correct me if I'm wrong on the last part.

     

    So, under "set system services dhcp-local-server group" check whether you have irb.5 configured. If so, please delete that line and check whether the commit is happening. Please note that this line is important for JDHCP server to function and deleting this line will break your DHCP server.

     

    If none of the above applies to your case, please provide me with the output of the following commands:

    user@host>  show interfaces terse | match inet | no-more

    user@host>  show configuration system services | display set | no-more

    (If you have a routing instance, please run the commands below under the routing instance)

    user@host>  show configuration access address-assignment | display set | no-more

    user@host>  show configuration forwarding-options dhcp-relay | display set | no-more




  • 9.  RE: Can DHCP Server and Relay be on the same SRX?

    Posted 07-31-2020 16:23

    Thanks for your help, I think that's it, the dhcp-local-server node does have irb.5 configured there.  I will delete it, and keep moving forward.
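
Added example, not part of the thread and not Juniper code: a pre-commit check that reads `display set` output and reports any interface assigned more than one DHCP role, the condition behind the "Interface irb.5 already configured" error above. The sample configuration is constructed, the group name LAN is hypothetical, and matching both `family inet dhcp` and `family inet dhcp-client` as the client role is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of "show configuration | display set" output, modelled on
# the thread: irb.5 is still in a dhcp-local-server group when relay is added.
SAMPLE = """\
set system services dhcp-local-server group LAN interface irb.5
set system services dhcp-local-server group LAN interface irb.20
set forwarding-options dhcp-relay server-group dhcp-server 10.2.2.100
set forwarding-options dhcp-relay active-server-group dhcp-server
set forwarding-options dhcp-relay group dhcp interface irb.5
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
"""

# Optional routing-instance prefix, since DHCP may be configured per instance.
RI = r"(?:routing-instances \S+ )?"
PATTERNS = {
    "server": re.compile(rf"^set {RI}system services dhcp-local-server group \S+ interface (\S+)"),
    "relay": re.compile(rf"^set {RI}forwarding-options dhcp-relay group \S+ interface (\S+)"),
    # Assumption: either statement marks the unit as a DHCP client.
    "client": re.compile(r"^set interfaces (\S+) unit (\d+) family inet dhcp(?:-client)?\b"),
}

def dhcp_roles(set_config):
    """Map each logical interface (e.g. irb.5) to the set of DHCP roles it holds."""
    roles = defaultdict(set)
    for line in set_config.splitlines():
        line = line.strip()
        for role, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                # Client lines give name and unit separately; join them as name.unit.
                ifname = ".".join(match.groups()) if role == "client" else match.group(1)
                roles[ifname].add(role)
    return dict(roles)

def conflicts(set_config):
    """Return only the interfaces that hold more than one DHCP role."""
    return {i: sorted(r) for i, r in dhcp_roles(set_config).items() if len(r) > 1}

if __name__ == "__main__":
    for ifname, held in conflicts(SAMPLE).items():
        print(f"{ifname}: configured as {' and '.join(held)}; "
              "only one DHCP role is allowed per interface")
```
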