Topic: Juniper SRX: DHCP Relay with multiple client and server sets (Read 7745 times)

ATC (Guest)

    Tried setting up a DHCP relay service on an SRX 3400 cluster as per this documentation:
    http://www.juniper.net/techpubs/en_US/junos9.3/topics/example/dhcp-subscriber-access-dhcp-relay-multiple-client-configuration.html

    dhcp-relay {
        traceoptions {
            file dhcp.log size 10k files 2 world-readable;
            flag all;
        }
        overrides {
            layer2-unicast-replies;
        }
        server-group {
            Intern {
                10.80.2.41;
                10.80.2.42;
            }
            Sikret {
                10.80.4.41;
                10.80.4.42;
            }
            Elev {
                10.80.6.41;
                10.80.6.42;
            }
        }
        group Intern {
            active-server-group Intern;
            interface reth1.32;
        }
        group IKT {
            active-server-group Intern;
            interface reth1.9;
        }
        group Sikret {
            active-server-group Sikret;
            interface reth1.56;
        }
        group Elev {
            active-server-group Elev;
            interface reth1.16;
        }
    }

    DHCP refused to work on the clients; tracing the activity on the SRX revealed messages like these:
    Jun 22 08:04:48 07:12:42.1018227:CID-01:FPC-05:PIC-00:THREAD_ID-15:RT:  packet dropped, packet dropped: for self but not interested.

    We then confirmed our growing suspicion that the service was not even running:

    {primary:node0}
    root@raradh-fw-02> show system services dhcp relay-statistics
    node0:
    --------------------------------------------------------------------------
    warning: dhcp subsystem not running - not needed by configuration.

    {primary:node0}
    root@raradh-fw-02> restart dhcp
    warning: dhcp subsystem not running - not needed by configuration.


ATC (Guest)

    Use "helper bootp" instead, like so:

    forwarding-options {
        helpers {
            bootp {
                interface {
                    reth1.9 {
                        description "IKT klient";
                        server 10.80.2.41;
                        server 10.80.2.42;
                    }
                    reth1.32 {
                        description "INTERN klient";
                        server 10.80.2.41;
                        server 10.80.2.42;
                    }
                    reth1.56 {
                        description "SIKRET klient";
                        server 10.80.4.41;
                        server 10.80.4.42;
                    }
                    reth1.16 {
                        description "ELEV klient";
                        server 10.80.6.41;
                        server 10.80.6.42;
                    }
                }
            }
        }
    }

    Also, remember to enable the system-service "bootp" on the relevant zones, like so:

    security {
        zones {
            security-zone vlan9_ikt_klienter {
                interfaces {
                    reth1.9 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                bootp;
                            }
                        }
                    }
                }
            }
        }
    }
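One way to catch the mismatch this reply warns about before clients go without leases, added here as example code (not from the thread): a small parser for Junos curly-brace configuration plus a check that every interface carrying a bootp helper sits in a zone that admits bootp. The sample configuration is constructed from the stanzas above; the zone name vlan32_intern and the rule that an interface-level host-inbound-traffic list overrides the zone-level list are assumptions.

```python
import re

# Constructed sample (not a real device config): the bootp helper stanza from the reply
# above plus two zones; only reth1.9 admits bootp. Zone vlan32_intern is an assumption.
SAMPLE_CONFIG = """
forwarding-options { helpers { bootp { interface {
    reth1.9 { server 10.80.2.41; }   reth1.32 { server 10.80.2.41; }
    reth1.56 { server 10.80.4.41; }  reth1.16 { server 10.80.6.41; }
} } } }
security { zones {
    security-zone vlan9_ikt_klienter { interfaces { reth1.9 {
        host-inbound-traffic { system-services { ping; bootp; } } } } }
    security-zone vlan32_intern { host-inbound-traffic { system-services { ping; } }
        interfaces { reth1.32; } } } }
"""

def parse_junos(text):  # block headers -> nested dict, terminating statements -> None
    node, stack, buf = {}, [], []
    for tok in re.findall(r"\{|\}|;|[^{};]+", text):  # "{", "}", ";" or a run of words
        if tok == "{":
            stack.append(node)
            node = node.setdefault(" ".join(buf), {})
            buf = []
        elif tok == ";":
            node[" ".join(buf)] = None
            buf = []
        elif tok == "}":
            node = stack.pop()
        else:
            buf.extend(tok.split())
    if stack or buf:
        raise ValueError("unbalanced braces or truncated configuration")
    return node  # back at the root once every brace has been closed

def services_for(zone, body):  # assumed: an interface-level list overrides the zone-level one
    scope = body if body and "host-inbound-traffic" in body else zone
    return (scope.get("host-inbound-traffic") or {}).get("system-services") or {}

def relay_interfaces_missing_bootp(text):
    """Helper interfaces whose zone does not admit bootp, so client requests never reach the relay."""
    cfg = parse_junos(text)
    helpers_cfg = ((cfg.get("forwarding-options") or {}).get("helpers") or {}).get("bootp") or {}
    helpers = set(helpers_cfg.get("interface") or {})
    zones = (cfg.get("security") or {}).get("zones") or {}
    admitted = {ifname
                for key, zone in zones.items() if key.startswith("security-zone ")
                for ifname, body in (zone.get("interfaces") or {}).items()
                if services_for(zone, body).keys() & {"bootp", "all"}}
    return sorted(helpers - admitted)
```

Run against the sample it reports reth1.16, reth1.32 and reth1.56: the first two have no zone entry at all, and reth1.32 inherits a zone-level list that only admits ping.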