My setup is as follows.
SRX210
Internet via ge-0/0/0 (DHCP client).
ge-0/0/1 is connected to a switch with ~50 computers behind it.
My configuration works fine with just a few computers connected to a test switch; however, once I introduce the actual production switch with lots of computers behind it, DHCP stops working completely.
There's also an SSL VPN MAG2600 in this setup, but removing it doesn't seem to make any difference.
Can you see something wrong with my configuration?
## Last changed: 2014-01-28 11:39:23 UTC version 11.4R7.5;
system {
# The root hash is shown as "" in this paste ("## SECRET-DATA" is Junos hiding the value);
# make sure the committed configuration does not actually carry an empty hash.
root-authentication {
encrypted-password ""; ## SECRET-DATA
}
# Both resolver entries are 1.1.1.1 here (marked #changed) - presumably sanitized for the
# post; otherwise the second entry is a plain duplicate.
name-server {
1.1.1.1;#changed
1.1.1.1;
}
services {
ssh {
protocol-version v2;
}
# telnet and xnm-clear-text are cleartext management services. They answer on every
# interface whose zone allows them, and the trust zone below permits all system-services.
# Remove them unless something still depends on them.
telnet;
xnm-clear-text;
web-management {
# vlan.0 carries family inet without an address (see interfaces), so http here is
# probably unreachable; https on vlan.100 is what serves the trust side.
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface [ vlan.0 vlan.100 ];
}
}
# Built-in DHCP server for the trust VLAN. router and name-server are set both at this
# level and inside the pool; the trace at the end of the post shows the Pool-scope values
# being served.
dhcp {
router {
192.168.1.1;
}
# 215 addresses (.40-.254) on a 1h lease, so ~50 clients should not exhaust the pool.
# .1 (gateway) and the address-book hosts .2/.3 sit below the range.
pool 192.168.1.0/24 {
address-range low 192.168.1.40 high 192.168.1.254;
default-lease-time 3600;
domain-name domain.info;
name-server {
1.1.1.1;#changed
1.1.1.1;
}
router {
192.168.1.1;
}
# Also hands clients the options the DHCP client on ge-0/0/0.0 learned upstream,
# merged with the explicit values above - verify which name-servers clients end up with.
propagate-settings ge-0/0/0.0;
}
}
}
# Local logging only: critical events, authorization at info, failed interactive commands.
# The DHCP trace quoted at the end of the post is not produced by these settings.
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
# Range membership: ge-0/0/1 and fe-0/0/3..fe-0/0/7 get unit 0 in vlan-trust here. fe-0/0/2
# is not in the range but is given the same membership in its own stanza below. The
# per-interface stanzas merge with this one: ge-0/0/1, fe-0/0/2 and fe-0/0/3 additionally
# set port-mode access, fe-0/0/4..fe-0/0/7 do not.
interface-range interface-trust {
member ge-0/0/1;
member fe-0/0/3;
member fe-0/0/4;
member fe-0/0/5;
member fe-0/0/6;
member fe-0/0/7;
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
# WAN side, address learned by the DHCP client. update-server presumably feeds what is
# learned here to the local DHCP server (pairs with propagate-settings ge-0/0/0.0 under
# system dhcp) - confirm that is intended.
ge-0/0/0 {
description Internet_Link;
unit 0 {
family inet {
dhcp {
update-server;
}
}
}
}
# Uplink to the production switch (~50 hosts); the DHCP trace shows the request arriving
# on ge-0/0/1.0.
ge-0/0/1 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan-trust;
}
}
}
}
# Access port in vlan-trust - yet fe-0/0/2.0 is also listed as an untrust-zone interface
# under security zones. One of the two is probably stale; verify and remove it.
fe-0/0/2 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
port-mode access;
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
vlan {
# vlan.0: family inet with no address, and not the l3-interface of any VLAN (vlans {}
# maps vlan-trust to vlan.100), yet it is still bound to web-management and the trust
# zone. Looks like a factory-default leftover; confirm nothing uses it and remove it.
unit 0 {
family inet;
}
# vlan.100: L3 gateway for vlan-trust; matches the DHCP router option 192.168.1.1.
unit 100 {
family inet {
address 192.168.1.1/24;
}
}
}
}
# Spanning tree with default settings on the switching ports; worth checking its state once
# the production switch is attached, since that is when DHCP stops working.
protocols {
stp;
}
security {
address-book {
# external-port and vpn-external both resolve to 192.168.1.3; only vpn-external is
# referenced by a policy below. external-port and vpn-internal (.2) are unreferenced in
# what is shown here, and the static NAT rule uses 192.168.1.3/32 directly.
ssl-vpn {
address external-port 192.168.1.3/32;
address vpn-external 192.168.1.3/32;
address vpn-internal 192.168.1.2/32;
attach {
zone trust;
}
}
}
# Screen profile applied to the untrust zone below.
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
# Interface source NAT for everything trust -> untrust. source-nat-rule already matches
# every source, so the second rule (internet-access) can never be reached; it is
# redundant rather than harmful.
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
rule internet-access {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
static {
# Inbound 1.1.1.2:443 -> 192.168.1.3:443. ge-0/0/0 is a DHCP client, so if 1.1.1.2
# stands for the WAN address this rule silently stops matching whenever the lease
# hands out a different one.
rule-set ssl-vpn {
from zone untrust;
rule allow-ssl {
match {
destination-address 1.1.1.2/32; #changed
destination-port 443;
}
then {
static-nat {
prefix {
192.168.1.3/32;
mapped-port 443;
}
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
# Intra-zone untrust permit-all: traffic arriving on one untrust interface may be
# forwarded out another (fe-0/0/2.0 is also in untrust below). Review whether this is
# needed at all.
from-zone untrust to-zone untrust {
policy untrust-allow-all {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
# Only port 443 is translated by the static NAT rule, so junos-http and junos-ping here
# permit more than the NAT can deliver; tightening to junos-https matches the NAT.
from-zone untrust to-zone trust {
policy allow-ssl {
match {
source-address any;
destination-address vpn-external;
application [ junos-http junos-https junos-ping ];
}
then {
permit;
}
}
}
}
zones {
# The trust zone accepts every host-inbound service and protocol on vlan.0/vlan.100,
# which includes the telnet and xnm-clear-text services enabled under system services.
# If this list is narrowed, dhcp must stay in it for the DHCP server to receive requests.
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
vlan.100;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
# dhcp is needed for the DHCP client on ge-0/0/0.0. https here exposes the web UI
# towards the Internet if web-management is ever bound to this interface (currently it
# is bound to vlan.0/vlan.100 only - verify). Inbound tftp from the WAN is rarely needed.
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
https;
}
}
}
# fe-0/0/2 is configured as an ethernet-switching access port in vlan-trust under
# interfaces, but fe-0/0/2.0 is placed here in untrust with all services and protocols
# open. The two look contradictory; confirm which is intended and drop the other.
fe-0/0/2.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
}
# Single VLAN (id 100) for all trust-side switching ports; its gateway is vlan.100,
# 192.168.1.1/24, which is also the DHCP router option.
vlans {
vlan-trust {
vlan-id 100;
l3-interface vlan.100;
}
}
Edit: DHCP log sample
Jan 29 08:19:59 <== DHCPREQUEST
Jan 29 08:19:59 requester 0.0.0.0 if ge-0/0/1.0 hw type 1 hw len 6 secs 0 hops 0 ciaddr 0.0.0.0 giaddr 0.0.0.0
Jan 29 08:19:59 Looking for a lease w/hardware address `b4:b5:2f:7b:5c:59'
Jan 29 08:19:59 ...and client identifier:
Jan 29 08:19:59 01 b4 b5 2f 7b 5c 59
Jan 29 08:19:59 ...and address 192.168.1.40
Jan 29 08:19:59 ...and subnet 192.168.1.0/24
Jan 29 08:19:59 Found matching lease entry for `b4:b5:2f:7b:5c:59'
Jan 29 08:19:59 Lease #1...
Jan 29 08:19:59 ...has the correct client identifier
Jan 29 08:19:59 ...has the correct address
Jan 29 08:19:59 ...has the correct subnet
Jan 29 08:19:59 found: 04, satisfies: 07, exact: 07
Jan 29 08:19:59 Exact match
Jan 29 08:19:59 Client is in INIT-REBOOT state
Jan 29 08:19:59 saving lease 0x585200 to file `/var/db/leases/01b4b52f7b5c59.jdl'
Jan 29 08:19:59 ==> DHCPACK
Jan 29 08:19:59 -- looking for pool with subnet 192.168.1.40, prefix length 32
Jan 29 08:19:59 -- [pfxlen 24] Found pool `192.168.1.0/24'
Jan 29 08:19:59 flushed options on binding
Jan 29 08:19:59 set next server address to 0.0.0.0
Jan 29 08:19:59 set client address to 192.168.1.40
Jan 29 08:19:59 Default lease time 1 hour obtained from `Pool' scope
Jan 29 08:19:59 Flag = 4 Expiry = 16099 days, 9 hours, 19 minutes, 59 seconds
Jan 29 08:19:59 Flag = 4 16099 days, 8 hours, 44 minutes, 46 seconds
Jan 29 08:19:59 Using default lease time of 1 hour
Jan 29 08:19:59 Maximum lease time infinite obtained from `Global' scope
Jan 29 08:19:59 adding option `subnet-mask' code 1 to binding
Jan 29 08:19:59 adding option `broadcast-address' code 28 to binding
Jan 29 08:19:59 client requested option `subnet-mask' code 1
Jan 29 08:19:59 client requested option `domain-name' code 15
Jan 29 08:19:59 client requested option `router' code 3
Jan 29 08:19:59 client requested option `name-server' code 6
Jan 29 08:19:59 client requested option `wins-server' code 44
Jan 29 08:19:59 client requested option `netbios-node-type' code 46
Jan 29 08:19:59 client requested option `netbios-scope' code 47
Jan 29 08:19:59 client requested option `router-discovery' code 31
Jan 29 08:19:59 client requested option `static-routes' code 33
Jan 29 08:19:59 client requested option code 121
Jan 29 08:19:59 client requested option code 249
Jan 29 08:19:59 client requested option code 252
Jan 29 08:19:59 client requested option `vendor-encap-options' code 43
Jan 29 08:19:59 found option `subnet-mask' code 1 in `Binding' scope 0x56e400
Jan 29 08:19:59 serving option `subnet-mask' code 1 to client
Jan 29 08:19:59 found option `router' code 3 in `Pool' scope 0x56f000
Jan 29 08:19:59 serving option `router' code 3 to client
Jan 29 08:19:59 found option `name-server' code 6 in `Pool' scope 0x56f000
Jan 29 08:19:59 serving option `name-server' code 6 to client
Jan 29 08:19:59 found option `domain-name' code 15 in `Pool' scope 0x56f000
Jan 29 08:19:59 serving option `domain-name' code 15 to client
Jan 29 08:19:59 skipping option code 31, not found in scope
Jan 29 08:19:59 skipping option code 33, not found in scope
Jan 29 08:19:59 skipping option code 43, not found in scope
Jan 29 08:19:59 skipping option code 44, not found in scope
Jan 29 08:19:59 skipping option code 46, not found in scope
Jan 29 08:19:59 skipping option code 47, not found in scope
Jan 29 08:19:59 skipping option code 121, not found in scope
Jan 29 08:19:59 skipping option code 249, not found in scope
Jan 29 08:19:59 skipping option code 252, not found in scope
Jan 29 08:19:59 saving lease 0x585200 to file `/var/db/leases/01b4b52f7b5c59.jdl'
Jan 29 08:19:59 Packing 56 bytes of options
Jan 29 08:19:59 packing option `dhcp-message-type' code 53 with 1 bytes of data
Jan 29 08:19:59 packing option `server-identifier' code 54 with 4 bytes of data
Jan 29 08:19:59 packing option `dhcp-lease-time' code 51 with 4 bytes of data
Jan 29 08:19:59 packing option `subnet-mask' code 1 with 4 bytes of data
Jan 29 08:19:59 packing option `router' code 3 with 4 bytes of data
Jan 29 08:19:59 packing option `name-server' code 6 with 8 bytes of data
Jan 29 08:19:59 packing option `domain-name' code 15 with 17 bytes of data
Jan 29 08:19:59 broadcasting the response
Jan 29 08:19:59 sendmsg() from 192.168.1.15 to port 68 at 255.255.255.255 via routing instance default sucess
Jan 29 08:19:59 sent packet from 192.168.1.15 to 255.255.255.255 port 68 out interface ge-0/0/1.0 routing instance default
Jan 29 08:19:59 ==> DHCPACK [done]