It’s been a while since I wrote up a new post, so I thought I would come back with a nice post about the changes in configuring DHCP Servers on the SRX’s. Since Junos 12.x a new DHCP process came out to help fix some long standing issues with the existing feature. In this post I will discuss the old configuration, some of the problems I would regularly encounter, and the configuration of the new DHCP process.

The SRX platform has had DHCP available since the platform originally was deployed. It is pretty simple to configure under System > Services > DHCP:

[edit system services]
    dhcp {
        pool 192.168.1.0/24 {
            address-range low 192.168.1.5 high 192.168.1.100;
            default-lease-time 3600;
            domain-name alostrealist.com;
            name-server {
                192.168.1.1;
            }
            router {
                192.168.1.1;
            }
        }
    }

[edit security zones security-zone trust]

interfaces { ge-0/0/1.0 { host-inbound-traffic { system-services { dhcp; } } } }

So this is pretty straightforward. In the case the SRX is passing out addresses for the 192.168.1.0/24 network, providing a name-server, domain name, and a default gateway.

This solution had its problems, and the big issue was related to setting up DHCP in routing instances. The SRX would drop the DHCP packets if the interface was bound to a routing an instance. In order to get around the limitation the interface would have to remain in the default routing instance, and a firewall filter would redirect DHCP packets from the routing instance into the default routing instance. This KB Article explains it in detail. In simple deployments this usually was not an issue, but for larger deployments with overlapping subnets this posed a huge problem without routing instance support.

The new DHCP daemon, JDHCP, was introduced in 12.1 for the SRX’s. This new daemon resolved the issue with DHCP in routing instances. Moreover the configuration was moved to the routing instance instead of globally.

[edit]
  routing-instances {
      JDHCP-VR {
          system {
              services {
                  dhcp-local-server {
                      group JDHCP-GROUP {
                          interface ge-0/0/1.0;
                      }
                  }
              }
          }
          access {
              address-assignment {
                  pool JDHCPVR-POOL {
                      family inet {
                          network 192.168.1.0/24;
                          range JDHCPVR-RANGE {
                              low 192.168.1.5;
                              high 192.168.1.100;
                          }
                          dhcp-attributes {
                              name-server {
                                  192.168.1.1;
                              }
                              router {
                                  192.168.1.1;
                              }
                          }
                      }
                  }
              }
          }
      }                                
  }

Now while setting up a DHCP Server in a cluster is still not officially supported I have found that JDHCP seems to be more stable on clustered SRX’s as well.

UPDATE: As of 12.1×47, DHCP on a SRX Cluster is now fully supported!

Tags: , , , ,

Clay is a recovering server guy that has learned how networks and security worked and used it to his advantage. He is always eager to learn a new technology or technique as there are never enough tools in the toolbox for solving problems in modern networking and server environment. Clay is always striving to make the "more perfect" network available to peers and users. He currently an active Juniper Ambassador, and has contributed to multiple Juniper Day One guides to solve both old and new problems that engineers face in their networks. Clay is a talented individual that enjoys the new challenges that are facing next generation networks, both large and small.

Clay has achieved two of the highest certifications from Juniper Networks: the JNCIE-SEC (Certification Number #69) for his proficiency in Juniper Networks security platforms, and the JNCIE-ENT (Certification Number #492) for his proficiency in Juniper Networks enterprise routing and switching platforms. He is also certified as a Pulse Secure Certified Instructor and Palo Alto Networks Certified Network Security Instructor. Outside of the of the certifications above, Clay also has experience with securing cloud-provider networks while ensuring the highest levels of performance to serve its users.

2 comments

  1. I hope that maybe you can help me out with a question. I had a single SRX210 configured with 2 routing-instances, both with JDHCP working. It was working great. Now I have 2 SRX210s in a cluster and updated to 12.1×47. I cannot get the JDHCP to work anymore. I put the 2 vlans that I had before into reth0 with vlan-tagging. You say that you have had DHCP working in a cluster before. Maybe you can see the issue that I am having? Here are the routing instance and the interfaces:

    ge-0/0/0 {
    gigether-options {
    redundant-parent reth0;
    }
    }
    ge-2/0/0 {
    gigether-options {
    redundant-parent reth0;
    }
    }

    reth0 {
    vlan-tagging;
    redundant-ether-options {
    redundancy-group 1;
    }
    unit 1 {
    vlan-id 1;
    family inet {
    address 10.10.1.1/24;
    }
    }
    unit 2 {
    vlan-id 2;
    family inet {
    address 10.10.2.1/24;
    }
    }
    }

    vlan {
    unit 1 {
    family inet {
    address 10.10.1.1/24;
    }
    }
    unit 2 {
    family inet {
    address 10.10.2.1/24;
    }
    }
    }

    vlan1_vr {
    instance-type virtual-router;
    system {
    services {
    dhcp-local-server {
    group VLAN1-JDHCP {
    interface reth0.1;
    interface vlan.1;
    }
    }
    }
    }
    access {
    address-assignment {
    pool VLAN1VR-POOL {
    family inet {
    network 10.10.1.0/24;
    range VLAN1VR-RANGE {
    low 10.10.1.11;
    high 10.10.1.254;
    }
    dhcp-attributes {
    router {
    10.10.1.1;
    }
    }
    }
    }
    }
    }
    interface reth0.1;
    interface vlan.1;
    routing-options {
    instance-import from_internet;
    }
    }

    Sorry the long post. Maybe I should use the srx as a dhcp server and just off-load that the a vm or even to my EX switches?

    Any advice you can provide is appreciated!

    Reply

    1. What does your security zone configuration look like? It may be something as simple as host-inbound-traffic isn’t set properly.

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.