DHCP JDHCP – old DHCP

A lot of people seem to struggle with DHCP on Juniper devices. Juniper didn’t really help when they released the JDHCP process / config. This article tries to show how to configure DHCP for client, server and relay, in both the old legacy DHCP and JDHCP.

Client

Normal DHCP

WARNING

Let’s start off with a warning from Juniper:

Starting with Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, the legacy DHCPD (DHCP daemon) configuration on all SRX Series devices is being deprecated and only the new JDHCP CLI is supported. When you upgrade to Junos OS Release 15.1X49-D60 and later releases on a device that already has the DHCPD configuration, the following warning messages are displayed:

WARNING: The DHCP configuration command used will be deprecated in future Junos releases.

WARNING: Please see documentation for updated commands.

So the old way of configuring DHCP is deprecated. Try to change your configs for the future, because after an upgrade your configuration might be invalid.

So for reference, the “legacy way” of configuring DHCP:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }               
}

And also config required for security devices:

security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}

This is usually why the DHCP client isn’t working on SRX: people forget to open up the host-inbound-traffic.

Verification:

root> show interfaces ge-0/0/0 terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 192.168.1.24/24

JDHCP

JDHCP is the way to go for all Junos devices. If you are configuring something new or migrating something, please change the DHCP configuration to this more recent standard. Here is how you configure DHCP using the JDHCP standard:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp-client;
            }
        }
    }               
}

The host-inbound-traffic setting stays the same.

security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}

If the DHCP server gives you a default gateway, the Junos device will install it in the routing table:

root> show route
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Access-internal/12] 00:01:03
> to 192.168.1.1 via ge-0/0/0.0
192.168.1.0/24 *[Direct/0] 00:01:03
> via ge-0/0/0.0
192.168.1.24/32 *[Local/0] 00:01:03
Local via ge-0/0/0.0

Combination

It is not possible to combine the legacy configuration and JDHCP configuration. You will get an error when you try to configure it like that.

It’s probably best to change all configuration to the newer JDHCP configuration.

root# show interfaces
 ge-0/0/0 {
  unit 0 {
   family inet {
    dhcp-client;
   }
  }
 }
 ge-0/0/1 {
  unit 0 {
   family inet {
    ##
    ## Warning: Incompatible with the client configured under 'family inet dhcp-client'
    ##
    dhcp;
   }
  }
 }

[edit]
root# commit check
[edit interfaces ge-0/0/1 unit 0 family inet]
'dhcp'
Incompatible with the client configured under 'family inet dhcp-client'
error: configuration check-out failed: (statements constraint check failed)

So that was easy. Let’s try to configure a dhcp server and see the differences.

Server

Legacy

The legacy configuration is quite easy.

system {
    services {
        dhcp {
            domain-name acme.local;
            name-server {
                8.8.8.8;
            }
            pool 192.168.200.0/24 {
                address-range low 192.168.200.10 high 192.168.200.200;
                router {
                    192.168.200.1;
                }
            }
        }
    }
}

And of course the host-inbound-traffic (for SRX):

security {
    zones {
        security-zone trust {
            tcp-rst;
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
    }
}

You also need an interface:

interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.200.1/24;
            }
        }
    }
}

Verification:

root> show system services dhcp binding
IP address       Hardware address   Type     Lease expires at
192.168.200.10   00:0c:29:b1:fd:e7  dynamic  2018-10-27 23:18:23 UTC

Oh and when you have a legacy style server config, but have a JDHCP style client config, this will not commit. Junos will tell you that:

[edit interfaces ge-0/0/0 unit 0 family inet]
  'dhcp-client'
    Incompatible with the dhcp server configured under 'system services dhcp'
[edit interfaces ge-0/0/1 unit 0 family inet]
  'dhcp-client'
    Incompatible with the dhcp server configured under 'system services dhcp'
error: commit failed: (statements constraint check failed)

JDHCP

So, legacy config seemed pretty obvious. JDHCP is a bit less obvious in my opinion:

system {
    services {
        dhcp-local-server {
            group group1 {
                interface ge-0/0/2.0;
            }
        }
    }
}

access {
    address-assignment {
        pool p200 {
            family inet {
                network 192.168.200.0/24;
                range range1 {
                    low 192.168.200.20;
                    high 192.168.200.200;
                }
                dhcp-attributes {
                    name-server {
                        4.4.4.4;
                    }
                    router {
                        192.168.200.1;
                    }
                }
            }
        }
    }
}

And maybe obvious by now, you cannot combine it with legacy dhcp configuration.

DHCP-Relay

When you are not running a DHCP service on your switch/router/security device/…, you might be running it on a different server. When this server is not in the same subnets as the clients are, you are required to relay or forward the dhcp requests to this server.

How to configure this in Junos

Legacy

forwarding-options {
	helpers {
		bootp {
			server 192.168.200.1;
			interface {
				ge-0/0/1;
			}
		}
	}
}

And you need to configure the interface:

interfaces {
	ge-0/0/1 {
		unit 0 {
			family inet {
				address 192.168.250.1/24;
			}
		}
	}
}

You also need to configure a policy to allow the dhcp offers and acks:

security {
	policies {
		from-zone relay-server-zone to-zone dhcp-client-zone {
			policy dhcp-relay-allow {
				match {
					source-address any;
					destination-address any;
					application junos-dhcp-relay;
				}
				then {
					permit;
				}
			}
		}
	}
}

JDHCP

forwarding-options {
	dhcp-relay {
		server-group {
			dhcp-server {
				192.168.20.1;
			}
		}
		active-server-group dhcp-server;
		group dhcp-group {
			interface ge-0/0/1.0;
		}
	}
}

The rest stays the same, interface:

interfaces {
	ge-0/0/1 {
		unit 0 {
			family inet {
				address 192.168.250.1/24;
			}
		}
	}
}

And the security policy also stays necessary on security devices:

security {
	policies {
		from-zone relay-server-zone to-zone dhcp-client-zone {
			policy dhcp-relay-allow {
				match {
					source-address any;
					destination-address any;
					application junos-dhcp-relay;
				}
				then {
					permit;
				}
			}
		}
	}
}

Conclusion

I hope you can see the difference in the two configuration methods. Maybe it wasn’t clear, but combining legacy and JDHCP is not possible :). I’m guessing it has to do with the processes running in the background. In most cases the Junos OS will warn you that it’s not possible and not commit the config. But when trying relay and client, it actually committed but didn’t work :). Well anyway, just try to configure it all the same way. And that way should be JDHCP.
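Since the relay-plus-client combination can commit and then silently not work, a check outside of `commit check` is useful. The following is an added example, not code from the original article or from Juniper: a small Python linter that flattens a curly-brace Junos config into statement paths, reports legacy and JDHCP statements used together, and flags DHCP client interfaces on an SRX that lack dhcp under host-inbound-traffic. The function names and the sample config are constructed for illustration; only interface-level host-inbound-traffic is evaluated, not zone-level settings.

```python
import re

CLIENT = r"^interfaces (\S+) unit (\d+) family inet %s( |$)"
# role -> (legacy statement path, JDHCP statement path), taken from the configs above
ROLES = {
    "client": (CLIENT % "dhcp", CLIENT % "dhcp-client"),
    "server": (r"^system services dhcp( |$)", r"^system services dhcp-local-server( |$)"),
    "relay": (r"^forwarding-options helpers bootp( |$)", r"^forwarding-options dhcp-relay( |$)"),
}

# Constructed sample: JDHCP client plus legacy relay, and no 'dhcp' host-inbound service.
SAMPLE = """
interfaces { ge-0/0/0 { unit 0 { family inet { dhcp-client; } } } }
forwarding-options { helpers { bootp { server 192.168.200.1; interface { ge-0/0/1; } } } }
security { zones { security-zone untrust { interfaces { ge-0/0/0.0 {
    host-inbound-traffic { system-services { ping; } } } } } } }
"""

def flatten(text):
    """Turn curly-brace Junos config into 'a b c' statement paths."""
    stack, paths, words = [], [], ""
    for tok in re.findall(r"[{};]|[^{};]+", re.sub(r"##.*", "", text)):
        if tok == "{":                       # container statement: descend
            stack.append(words)
            paths.append(" ".join(stack))
        elif tok == ";":                     # leaf statement
            paths.append(" ".join(stack + [words]))
        elif tok == "}":
            del stack[-1:]                   # ascend; tolerant of stray braces
        else:
            words = " ".join(tok.split())    # normalise whitespace and newlines
    return paths

def lint(text):
    """Return a list of findings for one configuration."""
    paths = flatten(text)
    hit = lambda rx: any(re.search(rx, p) for p in paths)
    legacy, jdhcp = ([r for r, rx in ROLES.items() if hit(rx[i])] for i in (0, 1))
    issues = []
    if legacy and jdhcp:
        issues.append("mixed styles: legacy %s with JDHCP %s" % (legacy, jdhcp))
    elif legacy:
        issues.append("deprecated legacy DHCP in use: %s" % legacy)
    any_client = re.compile(CLIENT % "dhcp(-client)?")
    clients = {"%s.%s" % m.group(1, 2) for m in map(any_client.search, paths) if m}
    for ifl in (sorted(clients) if hit(r"^security zones") else []):  # SRX only
        if not hit(r"^security zones security-zone \S+ interfaces %s "
                   r"host-inbound-traffic system-services (dhcp|all)$" % re.escape(ifl)):
            issues.append("%s: host-inbound-traffic dhcp missing" % ifl)
    return issues
```

Run `lint()` on the output of `show configuration` before an upgrade or commit; an empty list means only JDHCP statements were found and every client interface has dhcp opened.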

Good luck and thanks for reading.

Sources

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/dhcp-client-cli.html
https://www.juniper.net/documentation/en_US/junos/topics/example/security-device-dhcp-client-configuring.html
https://www.juniper.net/documentation/en_US/junos/topics/example/dhcp-complete-configuration-statements.html
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/security-dhcp-relay-agent-minimum-configuration.html
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/dhcp-and-bootp-relay-agents-qfx-series3.html
https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/traceoptions-edit-system-processes-dhcp-service.html
