Forums.ATC.no

Technical => General technical => Topic started by: ATC on 22 June 2010, 15:17 pm

Title: Juniper SRX: DHCP Relay with multiple client and server sets
Posted by: ATC on 22 June 2010, 15:17 pm
Tried setting up a DHCP relay service on an SRX 3400 cluster as per this documentation:
http://www.juniper.net/techpubs/en_US/junos9.3/topics/example/dhcp-subscriber-access-dhcp-relay-multiple-client-configuration.html

dhcp-relay {
    traceoptions {
        file dhcp.log size 10k files 2 world-readable;
        flag all;
    }
    overrides {
        layer2-unicast-replies;
    }
    server-group {
        Intern {
            10.80.2.41;
            10.80.2.42;
        }
        Sikret {
            10.80.4.41;
            10.80.4.42;
        }
        Elev {
            10.80.6.41;
            10.80.6.42;
        }
    }
    group Intern {
        active-server-group Intern;
        interface reth1.32;
    }
    group IKT {
        active-server-group Intern;
        interface reth1.9;
    }
    group Sikret {
        active-server-group Sikret;
        interface reth1.56;
    }
    group Elev {
        active-server-group Elev;
        interface reth1.16;
    }
}

DHCP refused to work on the clients; tracing the activity on the SRX revealed messages like these:
Jun 22 08:04:48 07:12:42.1018227:CID-01:FPC-05:PIC-00:THREAD_ID-15:RT:  packet dropped, packet dropped: for self but not interested.

We then confirmed our growing suspicion that the service was not even running:

{primary:node0}
root@raradh-fw-02> show system services dhcp relay-statistics
node0:
--------------------------------------------------------------------------
warning: dhcp subsystem not running - not needed by configuration.

{primary:node0}
root@raradh-fw-02> restart dhcp
warning: dhcp subsystem not running - not needed by configuration.
Title: [Solved] Juniper SRX: DHCP Relay with multiple client and server sets
Posted by: ATC on 22 June 2010, 15:17 pm
Use "helper bootp" instead, like so:

forwarding-options {
    helpers {
        bootp {
            interface {
                reth1.9 {
                    description "IKT klient";
                    server 10.80.2.41;
                    server 10.80.2.42;
                }
                reth1.32 {
                    description "INTERN klient";
                    server 10.80.2.41;
                    server 10.80.2.42;
                }
                reth1.56 {
                    description "SIKRET klient";
                    server 10.80.4.41;
                    server 10.80.4.42;
                }
                reth1.16 {
                    description "ELEV klient";
                    server 10.80.6.41;
                    server 10.80.6.42;
                }
            }
        }
    }
}

Also, remember to enable the system-service "bootp" on the relevant zones, like so:

security {
    zones {
        security-zone vlan9_ikt_klienter {
            interfaces {
                reth1.9 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            bootp;
                        }
                    }
                }
            }
        }
    }
}
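The zone step above is the one that is easy to forget, so here is a small added audit (not part of the original post, and not Juniper tooling) that parses a brace-style Junos config and reports every interface under forwarding-options helpers bootp whose security zone does not admit bootp, either per interface or zone-wide. The sample config embedded in the script is constructed for the example, with interface and zone names modelled on the post.

```python
# Added audit for the fix above (not the OP's code): each interface under
# forwarding-options helpers bootp must sit in a security zone admitting bootp.
import re

SAMPLE_CONFIG = """
forwarding-options { helpers { bootp { interface {
    reth1.9  { description "IKT klient";    server 10.80.2.41; server 10.80.2.42; }
    reth1.56 { description "SIKRET klient"; server 10.80.4.41; }
    reth1.16 { description "ELEV klient";   server 10.80.6.41; }
} } } }
security { zones {
    security-zone vlan9_ikt_klienter { interfaces { reth1.9 { host-inbound-traffic { system-services { ping; bootp; } } } } }
    security-zone vlan56_sikret { interfaces { reth1.56 { host-inbound-traffic { system-services { ping; } } } } }
} }
"""

def parse_junos(text):
    """Brace-style Junos config -> nested dicts; leaf statements map to None."""
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text):
        if tok in ("{", ";"):            # block opener or leaf statement, keyed by preceding words
            stack[-1][" ".join(words)] = block = {} if tok == "{" else None
            words = []
            if block is not None:
                stack.append(block)
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return stack[0]

def _services(block):
    """system-services names under host-inbound-traffic of a zone or interface block."""
    return set(((block or {}).get("host-inbound-traffic") or {}).get("system-services") or {})

def audit(text):
    """(interface, problem) pairs for helper interfaces that cannot receive BOOTP."""
    cfg = parse_junos(text)
    helpers = cfg.get("forwarding-options", {}).get("helpers", {}).get("bootp", {}).get("interface") or {}
    zone_of, findings = {}, []
    for key, zone in (cfg.get("security", {}).get("zones") or {}).items():
        if key.startswith("security-zone "):
            for ifname, ifblock in ((zone or {}).get("interfaces") or {}).items():
                zone_of[ifname] = (key.split(" ", 1)[1], _services(zone) | _services(ifblock))
    for ifname in sorted(helpers):
        if ifname not in zone_of:
            findings.append((ifname, "not in any security zone"))
        elif not {"bootp", "all"} & zone_of[ifname][1]:
            findings.append((ifname, f"zone {zone_of[ifname][0]} does not allow bootp"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` against the output of `show configuration | display set`-free brace output (e.g. `show configuration forwarding-options` and `show configuration security zones` pasted together) to get the list of interfaces whose DHCP requests the SRX will silently drop.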