The DHCP relay agent operates as the interface between DHCP clients and the server. The DHCP Relay Agent relays DHCP messages between DHCP clients and DHCP servers on different IP networks. For more information, read this topic.
Understanding DHCP Relay Agent Operation

A Juniper Networks device operating as a DHCP relay agent forwards incoming requests from BOOTP and DHCP clients to a specified BOOTP or DHCP server. Client requests can pass through virtual private network (VPN) tunnels.

You cannot configure a single device interface to operate as both a DHCP client and a DHCP relay.

Note: The DHCP requests received on an interface are associated with a DHCP pool that is in the same subnet as the primary IP address/subnet on an interface. If an interface is associated with multiple IP addresses/subnets, the device uses the lowest numerically assigned IP address as the primary IP address/subnet for the interface. To change the IP address/subnet that is listed as the primary address on an interface, use the

Interaction Among the DHCP Relay Agent, DHCP Client, and DHCP Servers

The pattern of interaction among the DHCP relay agent, DHCP client, and DHCP servers is the same regardless of whether the software installation is on a router or a switch. However, there are some differences in the details of usage.

On routers—In a typical carrier edge network configuration, the DHCP client is on the subscriber’s computer, and the DHCP relay agent is configured on the router between the DHCP client and one or more DHCP servers.

On switches—In a typical network configuration, the DHCP client is on an access device such as a personal computer and the DHCP relay agent is configured on the switch between the DHCP client and one or more DHCP servers.

The following steps describe, at a high level, how the DHCP client, DHCP relay agent, and DHCP server interact in a configuration that includes two DHCP servers.
On all Junos OS devices, when the DHCP relay is configured with
In such cases, the DHCP relay might fail to send the OFFER messages. This issue applies in Junos OS Releases 19.3R3, 19.4R2, 18.4R3, 19.4R1, 19.3R2, 18.4R3-S1, and 17.4R3.

Minimum DHCP Relay Agent Configuration

This example shows the minimum configuration you need to use the extended DHCP relay agent on the router or switch:

    [edit forwarding-options]
    dhcp-relay {
        server-group {
            test 203.0.113.21;
        }
        active-server-group test;
        group all {
            interface fe-0/0/2.0;
        }
    }

Note: The interface type in this topic is just an example. The
This example creates a server group and an active server group named

Configuring DHCP Relay Agent

The DHCP relay agent operates as the interface between DHCP clients and the server. The DHCP Relay Agent relays DHCP messages between DHCP clients and DHCP servers on different IP networks.

This example describes how to configure the DHCP relay agent on the SRX Series device. An SRX Series device acting as a DHCP relay agent is responsible for forwarding the requests and responses between the DHCP clients and the server, which are part of different routing instances.
Requirements

This example uses the following hardware and software components:

Overview

You can configure DHCP relay agent to provide additional security when exchanging DHCP messages between a DHCP server and DHCP clients that reside in different virtual routing instances. This type of configuration is for DHCP relay connection between a DHCP server and a DHCP client, when the DHCP server resides in a network that is isolated from the client network.

Topology

To exchange DHCP messages between different routing instances, you must enable both the server-facing interface and the client-facing interface of the DHCP relay agent to recognize and forward DHCP packets. Figure 1 shows DHCP performance as DHCP local server, DHCP client, and DHCP relay agent.

Figure 1: Understanding DHCP Services in a Routing Instance

The following list provides an overview of the tasks required to create the DHCP message exchange between the different routing instances:
Configuration
CLI Quick Configuration

The following procedures describe the configuration tasks for creating the DHCP message exchange between the DHCP server and clients in different routing instances.

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the

Quick configuration for Client-Facing Support:

    set routing-instances trust-vr instance-type virtual-router
    set routing-instances trust-vr interface ge-0/0/3.0
    set interfaces ge-0/0/3 unit 0 family inet address 10.1.1.2/24

Quick configuration for Server-Facing Support:

    set routing-instances untrust-vr instance-type virtual-router
    set routing-instances untrust-vr interface ge-0/0/4.0
    set routing-instances untrust-vr forwarding-options dhcp-relay forward-only-replies
    set interfaces ge-0/0/4 unit 0 family inet address 20.1.1.1/24

Quick configuration for DHCP Relay Support:

    set routing-instances untrust-vr forwarding-options dhcp-relay server-group dummy-config
    set routing-instances untrust-vr routing-options instance-import import_relay_route_to_server_vr
    set routing-instances untrust-vr routing-options static route 30.1.1.0/24 next-hop 20.1.1.2
    set routing-instances trust-vr forwarding-options dhcp-relay server-group server-1 30.1.1.2
    set routing-instances trust-vr forwarding-options dhcp-relay active-server-group server-1
    set routing-instances trust-vr forwarding-options dhcp-relay group relay-in-vr interface ge-0/0/3.0
    set routing-instances trust-vr routing-options instance-import export_dhcp_server_route
    set policy-options policy-statement export_dhcp_server_route term 1 from instance untrust-vr
    set policy-options policy-statement export_dhcp_server_route term 1 from route-filter 30.1.1.0/24 exact
    set policy-options policy-statement export_dhcp_server_route term 1 then accept
    set policy-options policy-statement export_dhcp_server_route term 2 then reject
    set policy-options policy-statement import_relay_route_to_server_vr term 1 from instance trust-vr
    set policy-options policy-statement import_relay_route_to_server_vr term 1 from route-filter 10.1.1.0/24 exact
    set policy-options policy-statement import_relay_route_to_server_vr term 1 then accept
    set policy-options policy-statement import_relay_route_to_server_vr term 2 then reject
    set routing-options static route 30.1.1.2/32 next-table untrust-vr.inet.0

Quick configuration for Security Zone to Allow the DHCP Protocol:

    set security policies default-policy permit-all
    set security zones security-zone untrust interfaces ge-0/0/4.0 host-inbound-traffic system-services all
    set security zones security-zone untrust interfaces ge-0/0/4.0 host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/3.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/3.0 host-inbound-traffic protocols all

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure support on the client-facing side of the DHCP relay agent:
Procedure

Step-by-Step Procedure

To configure support on the server-facing side of the DHCP relay agent:

Procedure

Step-by-Step Procedure

To configure the DHCP local server to support:

Procedure

Step-by-Step Procedure

To configure the security zone to allow the DHCP Protocol:
Results
From configuration mode, confirm your configuration by entering the

    [edit]
    user@host# show routing-instances
    trust-vr {
        instance-type virtual-router;
        interface ge-0/0/3.0;
    }

    [edit]
    user@host# show routing-instances
    untrust-vr {
        instance-type virtual-router;
        interface ge-0/0/4.0;
        forwarding-options {
            dhcp-relay {
                forward-only-replies;
            }
        }
    }

    [edit]
    user@host# show routing-instances
    trust-vr {
        routing-options {
            instance-import export_dhcp_server_route;
        }
        forwarding-options {
            dhcp-relay {
                server-group {
                    server-1 {
                        30.1.1.2;
                    }
                }
                active-server-group server-1;
                group relay-in-vr {
                    interface ge-0/0/3.0;
                }
            }
        }
    }
    untrust-vr {
        routing-options {
            static {
                route 30.1.1.0/24 next-hop 20.1.1.2;
            }
            instance-import import_relay_route_to_server_vr;
        }
        forwarding-options {
            dhcp-relay {
                server-group {
                    dummy-config;
                }
            }
        }
    }

    [edit]
    user@host# show policy-options
    policy-statement export_dhcp_server_route {
        term 1 {
            from {
                instance untrust-vr;
                route-filter 30.1.1.0/24 exact;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }
    policy-statement import_relay_route_to_server_vr {
        term 1 {
            from {
                instance trust-vr;
                route-filter 10.1.1.0/24 exact;
            }
            then accept;
        }
        term 2 {
            then reject;
        }
    }

    [edit]
    user@host# show routing-options
    static {
        route 30.1.1.2/32 next-table untrust-vr.inet.0;
    }

    [edit]
    user@host# show security policies
    default-policy {
        permit-all;
    }

    [edit]
    user@host# show security zones
    security-zone HOST {
        interfaces {
            all;
        }
    }
    security-zone untrust {
        interfaces {
            ge-0/0/4.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }
    security-zone trust {
        interfaces {
            ge-0/0/3.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }
        }
    }

If you are done configuring the device, enter

Verification
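The security-zone statements in this example open every host-inbound system service and protocol on both relay interfaces and set the default policy to permit-all. The following check is an added example, not Juniper's code: it flags those statements in a set-format configuration and rewrites `system-services all` to an allow-list. The function names and the choice of `dhcp` as the only allowed service are assumptions to validate on your platform.

```python
import re

# Constructed input: the security-zone quick configuration from this page.
PAGE_CONFIG = """\
set security policies default-policy permit-all
set security zones security-zone untrust interfaces ge-0/0/4.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/4.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/3.0 host-inbound-traffic protocols all
"""

HOST_INBOUND = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifname>\S+))? host-inbound-traffic"
    r" (?P<kind>system-services|protocols) (?P<value>\S+)$"
)
DEFAULT_POLICY = re.compile(r"^set security policies default-policy (?P<value>\S+)$")


def audit(config):
    """Return (line number, zone, scope, statement) for each over-broad statement."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split())          # normalise whitespace
        m = HOST_INBOUND.match(line)
        if m and m["value"] == "all":
            scope = m["ifname"] or "zone-wide"
            findings.append((lineno, m["zone"], scope, f"{m['kind']} all"))
            continue
        m = DEFAULT_POLICY.match(line)
        if m and m["value"] == "permit-all":
            findings.append((lineno, "-", "global", "default-policy permit-all"))
    return findings


def narrow_services(config, services=("dhcp",)):
    """Replace each 'system-services all' line with one line per allowed service.

    Assumption: the relay interfaces need only the listed services.
    Other statements, including 'protocols all', are left for manual review.
    """
    out = []
    for raw in config.splitlines():
        line = " ".join(raw.split())
        m = HOST_INBOUND.match(line)
        if m and m["kind"] == "system-services" and m["value"] == "all":
            prefix = line.rsplit(" ", 1)[0]   # everything before the trailing 'all'
            out.extend(f"{prefix} {svc}" for svc in services)
        else:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for finding in audit(PAGE_CONFIG):
        print(finding)
    print(narrow_services(PAGE_CONFIG))
```
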
Verifying the DHCP Relay Statistics Configuration

Purpose

Verify that the DHCP relay statistics have been configured.

Action

Verifying DHCP Client Bindings in the Routing Instance

Purpose

Verify that the DHCP client bindings in the routing instances have been configured.

Action
Configuring a DHCP Relay Agent on EX Series Switches

You can configure an EX Series switch to act as an extended DHCP relay agent. This means that a locally attached host can issue a DHCP request as a broadcast message and the switch configured for DHCP relay relays the message to a specified DHCP server. Configure a switch to be a DHCP relay agent if you have locally attached hosts and a remote DHCP server.

Before you begin:
To configure a switch to act as an extended DHCP relay agent server:
Configuring DHCP Smart Relay (Legacy DHCP Relay)

You can use DHCP smart relay to provide redundancy and resiliency to your DHCP relay configuration. Smart relay provides additional relay functionality and requires all of the configuration settings required by DHCP relay. To use DHCP smart relay, you also need an interface with multiple IP addresses assigned to it. You can achieve this by doing either of the following tasks:
Once you have created an interface with multiple IP addresses, complete the smart relay configuration by entering one of the following statements:
When smart relay is configured for an interface, the switch initially sends DHCP request (discover) messages out of that interface using the primary address of the interface as the gateway IP address (in the giaddr field) for the DHCP message. If no DHCP offer message is received from a server in reply, the switch allows the client to send as many as three more discover messages using the same gateway IP address. If no DHCP offer message is received after three retries, the switch resends the discover message using the alternate IP address as the gateway IP address. If you configure more than two IP addresses on the relay agent interface, the switch repeats this process until a DHCP offer message is received or all of the IP addresses have been used without success.

Disabling Automatic Binding of Stray DHCP Requests

DHCP requests that are received but have no entry in the database are known as stray requests. By default, DHCP relay, DHCP relay proxy, and DHCPv6 relay agent attempt to bind the requesting client by creating a database entry and forwarding the request to the DHCP server. If the server responds with an ACK, the client is bound and the ACK is forwarded to the client. If the server responds with a NAK, the database entry is deleted and the NAK is forwarded to the client. This behavior occurs regardless of whether authentication is configured.

You can override the default configuration at the global level, for a named group of interfaces, or for a specific interface within a named group. Overriding the default causes DHCP relay, DHCP relay proxy, and DHCPv6 relay agent to drop all stray requests instead of attempting to bind the clients.

Note: Automatic binding of stray requests is enabled by default.
The following two examples show a configuration that disables automatic binding of stray requests for a group of interfaces and a configuration that disables automatic binding on a specific interface. To disable automatic binding of stray requests on a group of interfaces:
To disable automatic binding of stray requests on a specific interface:
Using Layer 2 Unicast Transmission instead of Broadcast for DHCP Packets

You can configure the DHCP relay agent to override the setting of the broadcast bit in DHCP request packets. The DHCP relay agent then uses the Layer 2 unicast transmission method instead to send DHCP Offer reply packets and DHCP ACK reply packets from the DHCP server to DHCP clients during the discovery process.

To override the default setting of the broadcast bit in DHCP request packets:

Changing the Gateway IP Address (giaddr) Field to the giaddr of the DHCP Relay Agent

You can configure the DHCP relay agent to change the gateway IP address (giaddr) field in packets that it forwards between a DHCP client and a DHCP server.

To overwrite the giaddr of every DHCP packet with the giaddr of the DHCP relay agent before forwarding the packet to the DHCP server:

Configure DHCP Relay Agent to Replace Request and Release Packets with Gateway IP Address

You can configure the DHCP relay agent to replace request and release packets with the gateway IP address (giaddr) before forwarding the packet to the DHCP server.

To replace the source address with giaddr:

Overriding the Default DHCP Relay Configuration Settings

You can override the default DHCP relay configuration settings at the global level, for a named group of interfaces, or for a specific interface within a named group.
To override default DHCP relay agent configuration settings:
Disabling DHCP Relay Agent for Interfaces, for Groups, or Globally

You can disable DHCP relay on all interfaces or a group of interfaces.

To disable DHCP relay agent:

Example: Configuring DHCP Relay Agent Selective Traffic Processing Based on DHCP Option Strings

This example shows how to configure DHCP relay agent to use DHCP option strings to selectively identify, filter, and process client traffic.

Requirements

This example uses the following hardware and software components:
Before you configure DHCP relay agent selective processing support, be sure you:
Overview

In this example, you configure DHCP relay agent to use DHCP option strings in client packets to selectively identify, filter, and process client traffic. To configure selective processing, you perform the following procedures:

Configuration

To configure DHCP relay agent selective processing based on DHCP option information, perform these tasks:
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them in a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the command into the CLI at the

    set forwarding-options dhcp-relay relay-option option-number 60
    set forwarding-options dhcp-relay relay-option equals ascii video-gold forward-only
    set forwarding-options dhcp-relay relay-option equals ascii video-bronze local-server-group servergroup-15
    set forwarding-options dhcp-relay relay-option starts-with hexadecimal fffff local-server-group servergroup-east
    set forwarding-options dhcp-relay relay-option default-action drop

Configuring DHCP Relay Agent To Selectively Process Client Traffic Based on DHCP Option Strings

Step-by-Step Procedure

To configure DHCP relay selective processing:
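The matching that this relay-option configuration asks for can be modelled offline. The following is an added example, not Juniper's implementation: it parses the options field of a DHCP packet and applies the page's option 60 rules. It assumes that exact matches are tried before prefix matches, that the longest prefix wins, and that a packet without option 60 receives the default action; `build_packet` produces constructed test input.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
OPTIONS_OFFSET = 236                 # length of the fixed BOOTP header

# Rules transcribed from the quick configuration on this page.
EQUALS_ASCII = {
    "video-gold": ("forward-only", None),
    "video-bronze": ("local-server-group", "servergroup-15"),
}
STARTS_WITH_HEX = {"fffff": ("local-server-group", "servergroup-east")}
DEFAULT_ACTION = ("drop", None)


def parse_options(packet):
    """Return {code: value} from the options field; raise ValueError if malformed."""
    if len(packet) < OPTIONS_OFFSET + 4:
        raise ValueError("packet too short")
    if packet[OPTIONS_OFFSET:OPTIONS_OFFSET + 4] != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    opts, i = {}, OPTIONS_OFFSET + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:                # pad option, single byte
            i += 1
            continue
        if code == 255:              # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option length runs past end of packet")
        opts[code] = opts.get(code, b"") + value   # repeated options concatenate
        i += 2 + length
    return opts


def classify(packet):
    """Return (action, server_group) for a client packet under the page's rules."""
    value = parse_options(packet).get(60)
    if value is None:
        return DEFAULT_ACTION        # assumption: no option 60 means default action
    exact = EQUALS_ASCII.get(value.decode("ascii", errors="replace"))
    if exact:
        return exact
    # Compare on hex digits so an odd-length prefix such as "fffff" can match.
    hexval = value.hex()
    prefixes = [p for p in STARTS_WITH_HEX if hexval.startswith(p)]
    if prefixes:
        return STARTS_WITH_HEX[max(prefixes, key=len)]
    return DEFAULT_ACTION


def build_packet(options):
    """Constructed test input: zeroed BOOTP header plus (code, value) options."""
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return bytes(OPTIONS_OFFSET) + MAGIC_COOKIE + body + b"\xff"


if __name__ == "__main__":
    for vendor_class in (b"video-gold", b"video-bronze", b"\xff\xff\xf0abc", b"other"):
        print(vendor_class, classify(build_packet([(53, b"\x01"), (60, vendor_class)])))
```

Option 60 is set by the client, so these rules steer traffic by what a client claims to be; they do not authenticate it.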
Results

From configuration mode, confirm the results of your configuration by issuing the

    [edit forwarding-options]
    user@host# show
    dhcp-relay {
        relay-option {
            option-number 60;
            equals {
                ascii video-gold {
                    forward-only;
                }
            }
            equals {
                ascii video-bronze {
                    local-server-group servergroup-15;
                }
            }
            default-action {
                drop;
            }
            starts-with {
                hexadecimal fffff {
                    local-server-group servergroup-east;
                }
            }
        }
    }

If you are done configuring the device, enter

Verification

To verify the status of DHCP relay agent selective traffic processing, perform this task:

Verifying the Status of DHCP Relay Agent Selective Traffic Processing
Purpose

Verify the DHCP relay agent selective traffic processing status.

Action

Display statistics for DHCP relay agent.

    user@host> show dhcp relay statistics
    Packets dropped:
        Total                      30
        Bad hardware address       1
        Bad opcode                 1
        Bad options                3
        Invalid server address     5
        No available addresses     1
        No interface match         2
        No routing instance match  9
        No valid local address     4
        Packet too short           2
        Read error                 1
        Send error                 1
        Option 60                  1
        Option 82                  2

    Messages received:
        BOOTREQUEST                116
        DHCPDECLINE                0
        DHCPDISCOVER               11
        DHCPINFORM                 0
        DHCPRELEASE                0
        DHCPREQUEST                105

    Messages sent:
        BOOTREPLY                  0
        DHCPOFFER                  2
        DHCPACK                    1
        DHCPNAK                    0
        DHCPFORCERENEW             0

    Packets forwarded:
        Total                      4
        BOOTREQUEST                2
        BOOTREPLY                  2

Meaning

The

Verifying and Managing DHCP Relay Configuration

Purpose

View or clear address bindings or statistics for DHCP relay agent clients.

Action
To clear or view information about client bindings and statistics in a routing instance, run the following commands:
Note: On all SRX Series devices, DHCP relay is unable to update the binding status based on DHCP_RENEW and DHCP_RELEASE messages.

Extended DHCP Relay Agent Overview

You can configure extended DHCP relay options on the router or on the switch and enable the router (or switch) to function as a DHCP relay agent. A DHCP relay agent forwards DHCP request and reply packets between a DHCP client and a DHCP server.

DHCP relay supports the attachment of dynamic profiles and also interacts with the local AAA Service Framework to use back-end authentication servers, such as RADIUS, to provide subscriber authentication or DHCP client authentication. You can attach dynamic profiles and configure authentication support on a global basis or for a specific group of interfaces.

Note: The PTX Series Packet Transport Routers do not support authentication for DHCP relay agents.

On the routers, you can use DHCP relay in carrier edge applications such as video/IPTV to obtain configuration parameters, including an IP address, for your subscribers.

On the switches, you can use DHCP relay to obtain configuration parameters including an IP address for DHCP clients.

Note: The extended DHCP relay agent options configured with the
For information about the DHCP/BOOTP relay agent, see Configuring Routers, Switches, and Interfaces as DHCP and BOOTP Relay Agents.

You can also configure the extended DHCP relay agent to support IPv6 clients. See DHCPv6 Relay Agent Overview for information about the DHCPv6 relay agent feature.

To configure the extended DHCP relay agent on the router (or switch), include the
You can also include the
DHCP Liveness Detection

Liveness detection for DHCP subscriber or DHCP client IP sessions utilizes an active liveness detection protocol to institute liveness detection checks for relevant clients. Clients are expected to respond to liveness detection requests within a specified amount of time. If the responses are not received within that time for a given number of consecutive attempts, then the liveness detection check fails and a failure action is implemented.

Note: DHCP liveness detection either globally or per DHCP group.

What is the address that sends the same message to all hosts on the local subnet?

The Ethernet broadcast address is distinguished by having all of its bits set to 1. As such, its MAC address is the hexadecimal value of FF:FF:FF:FF:FF:FF. This address is used to transmit data to all of the hosts on the local subnet.

Which protocols do AAA servers usually support to communicate with enterprise resources (choose two)?

TACACS+ and RADIUS are the predominant security server protocols used for AAA with network access servers, routers, and firewalls. These protocols are used to communicate access control information between the security server and the network equipment.

What command would you use to limit Telnet SSH access to a router?

Interface ACL – this ACL is the one that controls the traffic on a telnet and a SSH protocol. In this case the ACL rule applies only to the traffic that is supposed to reach the WAE. The command ip-access group interface is applied for this interface ACL.

When reviewing the status of an interface if you see a port status setting of secure up?

When reviewing the status of an interface, if you see a Port Status setting of Secure-up, what can you assume? The port has not been shut down.