Switching

  • 1.  DHCP bootp helper not forwarding on EX2200

    Posted 02-14-2017 03:42

    Hi,

     

    We have an EX2200 which we are configuring to be compatible with a PXE boot system. We've got it working on our Brocade switches but Juniper is proving more difficult.

     

    • "show helper statistics" shows 0 packets 
    • the DHCP server is 3 hops away, but can be pinged from vlan.323
    • traceoption logs show absolutely nothing
    • IPs have been partially redacted 
    • have tested with and without both the "relay-agent-option" and "broadcast" bootp settings.
    • the server on v316 is definitely sending out a DHCP request. 

    Can anyone shed some light on this? I'm totally stumped. 

     

     

    # show interfaces ge-0/0/27 
    unit 0 {
        family ethernet-switching {
            port-mode access;
            vlan {
                members v316;
            }
        }
    }
    
    # show vlans v316 
    vlan-id 316;
    interface {
        ge-0/0/27.0;
    }
    l3-interface vlan.323;
    
    > show configuration interfaces vlan unit 323     
    family inet {
        address 11.111.162.169/29;
    }
    
    # show forwarding-options 
    helpers {
        traceoptions {
            file helper;
            level all;
            flag bootp;
        }
        bootp {
            relay-agent-option;
            server 11.111.162.15;
            maximum-hop-count 10;
            interface {
                vlan.323 {
                    server 11.111.162.15;
                    maximum-hop-count 10;
                }
            }
        }
    }
    
    > show helper statistics 
    BOOTP:
      Received packets: 0
      Forwarded packets: 0
      Dropped packets: 0
        Due to no interface in DHCP Relay database: 0
        Due to no matching routing instance: 0
        Due to an error during packet read: 0
        Due to an error during packet send: 0
        Due to invalid server address: 0
        Due to no valid local address: 0
        Due to no route to server/client: 0
    
    > show log helper 
    
    {master:0}
    
    > ping 11.111.162.15 source 11.111.162.169 
    PING 11.111.162.15 (11.111.162.15): 56 data bytes
    64 bytes from 11.111.162.15: icmp_seq=0 ttl=62 time=8.123 ms
    64 bytes from 11.111.162.15: icmp_seq=1 ttl=62 time=3.237 ms
    
    

     

     



  • 2.  RE: DHCP bootp helper not forwarding on EX2200

     
    Posted 02-14-2017 14:07

    It does seem like it should work with this config, though the RVI numbering threw me for a second. What firmware are you running?



  • 3.  RE: DHCP bootp helper not forwarding on EX2200

    Posted 02-14-2017 14:49

    Thanks for the reply. We're running version 12.3R9.4.

    > show version 
    fpc0:
    --------------------------------------------------------------------------
    Hostname: ASW01
    Model: ex2200-48p-4g
    JUNOS Base OS boot [12.3R9.4]
    JUNOS Base OS Software Suite [12.3R9.4]
    JUNOS Kernel Software Suite [12.3R9.4]
    JUNOS Crypto Software Suite [12.3R9.4]
    JUNOS Online Documentation [12.3R9.4]
    JUNOS Enterprise Software Suite [12.3R9.4]
    JUNOS Packet Forwarding Engine Enterprise Software Suite [12.3R9.4]
    JUNOS Routing Software Suite [12.3R9.4]
    JUNOS Web Management [12.3R9.4]
    JUNOS FIPS mode utilities [12.3R9.4]

    One thing I thought might be causing issues was spanning tree protocol, so I disabled it globally.

     

    > show spanning-tree statistics vlan vlan-id 316 
    Spanning-tree is not enabled at global level for vlan 316.

    Although this doesn't seem to have done much. The switch is still showing no DHCP packets under the show helper stats command.

     

    The RVI numbering is quite confusing - no thanks to j-web for that!



  • 4.  RE: DHCP bootp helper not forwarding on EX2200

    Posted 02-14-2017 15:09

    I'm not sure if it's pertinent, but I noticed that the switch isn't getting ARP data for this vlan.

     

    > show arp interface vlan.323
    
    {master:0}
    
    > show interfaces vlan.323
      Logical interface vlan.323 (Index 85) (SNMP ifIndex 619)
        Flags: Up SNMP-Traps 0x4000 Encapsulation: ENET2
        Input packets : 0
        Output packets: 50659
        Protocol inet, MTU: 1500
          Addresses, Flags: Is-Preferred Is-Primary
            Destination: 11.111.162.168/29, Local: 11.111.162.169, Broadcast: 11.111.162.175
    
    {master:0}
    

     EDIT: Rather than using the bootp helper, we also tried using the DHCP relay stanza. That didn't work either. We tested this on a different port, vlan and pxe device.

     

    # show forwarding-options dhcp-relay 
    overrides {
        delete-binding-on-renegotiation;
    }
    server-group {
        pxe {
            11.111.162.15;
        }
    }
    active-server-group pxe;
    group all {
        active-server-group pxe;
        interface vlan.418;
    }
    
    > show dhcp relay statistics 
    Packets dropped:
        Total                      0
    
    Messages received:
        BOOTREQUEST                0
        DHCPDECLINE                0
        DHCPDISCOVER               0
        DHCPINFORM                 0
        DHCPRELEASE                0
        DHCPREQUEST                0
    
    Messages sent:
        BOOTREPLY                  0
        DHCPOFFER                  0
        DHCPACK                    0
        DHCPNAK                    0
        DHCPFORCERENEW             0
    
    

     

     



  • 5.  RE: DHCP bootp helper not forwarding on EX2200

     
    Posted 02-14-2017 15:58

    On an ex2200 running both 12.3R9 and 12.3R12 I see packets with your config. You might want to try posting the whole config as well as output of show interfaces terse, show vlans, and show route.

     

    test@test> show helper statistics
    BOOTP:
      Received packets: 5
      Forwarded packets: 0
      Dropped packets: 5
        Due to no interface in DHCP Relay database: 0
        Due to no matching routing instance: 0
        Due to an error during packet read: 0
        Due to an error during packet send: 5
        Due to invalid server address: 0
        Due to no valid local address: 0
        Due to no route to server/client: 0

     



  • 6.  RE: DHCP bootp helper not forwarding on EX2200

    Posted 02-14-2017 16:39

    Thanks. Here's the full config, albeit slightly sanitised. This is the version based on vlan418, rather than the initial config we posted.

     

    # show 
    ## Last changed: 2017-02-15 11:27:29 EST
    version 12.3R9.4;
    system {
        host-name ASW-01;
        time-zone Australia/Sydney;
        location country-code AU;
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        services {
            ssh {
                protocol-version v2;
            }
            netconf {                       
                ssh;
            }
            web-management {
                http;
            }
        }
        syslog {
            user * {
                any emergency;
            }
            host 111.52.116.24 {
                any warning;
                authorization any;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        ntp {
            server 218.100.43.70;
            server 216.218.254.202;
        }
    }
    chassis {
        alarm {
            management-ethernet {
                link-down ignore;
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            description "Core: to SY3-BDR1";
            unit 0 {
                family inet {
                    address 11.111.161.2/30;
                }
            }
        }
        ge-0/0/1 {
            ether-options {
                no-flow-control;
            }                               
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v300;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v304;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v300;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v300;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v301;
                    }
                }                           
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v306;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v300;
                    }
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v300;
                    }
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v300;
                    }
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {                  
                        members v300;
                    }
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v300;
                    }
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v300;
                    }
                }
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v300;
                    }
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v303;
                    }
                }
            }
        }
        ge-0/0/15 {
            unit 0 {                        
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v300;
                    }
                }
            }
        }
        ge-0/0/16 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                }
            }
        }
        ge-0/0/17 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v305;
                    }
                }
            }
        }
        ge-0/0/18 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v418;
                    }
                }
            }
        }
        ge-0/0/19 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v307;
                    }
                }
            }
        }
        ge-0/0/20 {
            unit 0 {                        
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v309;
                    }
                }
            }
        }
        ge-0/0/21 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v310;
                    }
                }
            }
        }
        ge-0/0/22 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v311;
                    }
                }
            }
        }
        ge-0/0/23 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v302;
                    }
                }
            }
        }
        ge-0/0/24 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members v312;
                    }
                }
            }                               
        }
        ge-0/0/25 {
            ether-options {
                speed {
                    auto-negotiation;
                }
            }
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/26 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/27 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan10;
                    }
                }
            }
        }
        ge-0/0/28 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/29 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/30 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/31 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/32 {                         
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/33 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/34 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/35 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/36 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/37 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/38 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/39 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/40 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/41 {
            unit 0 {
                family ethernet-switching;  
            }
        }
        ge-0/0/42 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/43 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/0/44 {
            unit 0 {
                family inet {
                    address 11.111.161.230/30;
                }
            }
        }
        ge-0/0/45 {
            disable;
            unit 0 {
                family inet {
                    address 10.10.5.209/30;
                }
            }
        }
        ge-0/0/46 {
            unit 0 {
                family inet {
                    address 10.10.10.2/30;
                }
                family inet6;
            }
        }
        ge-0/0/47 {
            description "Core: Link to SY3-CSW01 [1Gbps]";
            unit 0 {
                family inet {
                    address 11.111.161.246/30;
                }
                family inet6 {
                    address 0001:0001:0001:0001::2/64;
                }
            }
        }
        ge-0/1/0 {                          
            ether-options {
                speed {
                    1g;
                }
            }
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/1 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/2 {
            unit 0 {
                family ethernet-switching;
            }
        }
        ge-0/1/3 {
            unit 0 {
                family ethernet-switching;
            }
        }
        gre {
            unit 0 {
                tunnel {
                    source 11.111.161.2;
                    destination 11.111.161.98;
                    ttl 225;
                }
                family inet {
                    address 11.111.161.233/29;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    filter {
                        input loopback-protect;
                    }
                }
            }
        }
        me0 {
            unit 0 {                        
                family inet {
                    address 192.168.2.1/24;
                }
            }
        }
        vlan {
            unit 10 {
                family inet {
                    address 11.111.162.169/29;
                }
            }
            unit 300 {
                family inet {
                    address 111.231.91.1/24;
                }
            }
            unit 301 {
                family inet {
                    address 11.111.161.9/29;
                }
            }
            unit 302 {
                family inet {
                    address 11.111.162.49/29;
                }
            }
            unit 303 {
                family inet {
                    address 11.111.161.105/29;
                }
            }
            unit 305 {
                family inet {
                    address 11.111.161.41/29;
                }
            }
            unit 306 {
                family inet {
                    address 11.111.161.49/29;
                }
            }
            unit 307 {
                family inet {
                    address 11.111.161.57/29;
                }
            }
            unit 309 {                      
                family inet {
                    address 11.111.161.73/30;
                }
            }
            unit 310 {
                family inet {
                    address 11.111.161.193/30;
                }
            }
            unit 311 {
                family inet {
                    address 11.111.161.89/29;
                }
            }
            unit 312 {
                family inet {
                    address 11.111.161.97/29;
                }
            }
            unit 313 {
                family inet {
                    address 192.168.100.1/24;
                }
            }
            unit 314 {
                family inet {
                    address 192.168.101.1/24;
                }
            }
            unit 315 {
                family inet {
                    address 11.111.161.113/29;
                }
            }
            unit 316 {
                family inet {
                    address 11.111.161.189/30;
                }
            }
            unit 317 {
                family inet {
                    address 11.111.161.161/29;
                }
            }
            unit 319 {
                family inet {
                    address 11.111.161.177/29;
                }
            }
            unit 320 {
                family inet {
                    address 11.111.161.33/29;
                }
            }
            unit 321 {
                family inet {
                    address 11.111.161.77/30;
                }
            }
            unit 322 {
                family inet {
                    address 11.111.162.81/28;
                }
            }
            unit 418 {
                family inet {
                    address 11.111.162.177/29;
                }
            }
        }
    }
    forwarding-options {
        helpers {
            traceoptions {
                file helper;
                level all;
                flag bootp;
            }
            bootp {
                relay-agent-option;
                server 11.111.162.15;
                maximum-hop-count 10;
                interface {
                    vlan.418 {
                        server 11.111.162.15;
                        maximum-hop-count 10;
                    }                       
                }
            }
        }
    }
    routing-options {
        rib inet6.0 {
            static {
                route ::/0 next-hop 0001:0001:1:1::1;
            }
        }
        static {
            route 192.168.200.0/24 next-hop gre.0;
            route 0.0.0.0/0 next-hop 11.111.161.245;
        }
    }
    protocols {
        ##
        ## Warning: requires 'ospf2' license
        ##
        ospf {
            export [ export-ospf export-connected ];
            area 0.0.0.0 {
                area-range 11.111.161.0/24;
                area-range 111.231.91.0/24;
                interface ge-0/0/0.0;
                interface ge-0/0/48.0;
                interface ge-0/0/47.0;
            }
        }
        ##
        ## Warning: configuration block ignored: unsupported platform (ex2200-48p-4g)
        ##
        ##
        ## Warning: requires 'ripng' license
        ##
        ripng {
            group ipv6;
        }
        igmp-snooping {
            vlan all;
        }
        mstp {
            disable;
        }
        lldp {
            interface all;
        }                                   
        lldp-med {
            interface all;
        }
    }
    policy-options {
        prefix-list snmp-management-ranges {
            11.111.161.78/32;
            11.111.162.15/32;
            111.29.85.31/32;
            111.52.116.24/32;
            111.231.91.5/32;
        }
        prefix-list ssh-management-ranges {
            11.111.161.1/32;
            11.111.161.245/32;
            11.111.162.27/32;
            111.29.84.59/32;
            111.52.116.24/32;
        }
        prefix-list web-management-ranges {
            11.111.162.27/32;
            111.29.84.59/32;
        }
        policy-statement export-connected {
            term export-connected {
                from protocol [ direct local ];
                then accept;
            }
        }
        policy-statement export-ospf {
            term direct {
                from protocol direct;
                then accept;
            }
        }
    }
    firewall {
        family inet {
            filter loopback-protect {
                term ssh-permit {
                    from {
                        source-prefix-list {
                            ssh-management-ranges;
                        }
                        protocol tcp;
                        destination-port ssh;
                    }                       
                    then accept;
                }
                term ssh-discard {
                    from {
                        protocol tcp;
                        destination-port ssh;
                    }
                    then {
                        discard;
                    }
                }
                term snmp-permit {
                    from {
                        source-address {
                            11.111.161.131/32;
                        }
                        source-prefix-list {
                            snmp-management-ranges;
                        }
                        protocol udp;
                        destination-port snmp;
                    }
                    then accept;
                }
                term ntp-permit {
                    from {
                        source-address {
                            218.100.43.70/32;
                            216.218.254.202/32;
                        }
                        protocol udp;
                    }
                    then accept;
                }
                term dns-permit {
                    from {
                        source-address {
                            8.8.8.8/32;
                            8.8.4.4/32;
                        }
                        protocol udp;
                        source-port domain;
                    }
                }
                term icmp-permit {
                    from {
                        protocol icmp;      
                    }
                    then accept;
                }
                term syslog {
                    from {
                        destination-address {
                            111.52.116.24/32;
                        }
                    }
                    then accept;
                }
                term http-permit {
                    from {
                        source-prefix-list {
                            web-management-ranges;
                        }
                        protocol tcp;
                        destination-port http;
                    }
                    then accept;
                }
                term ospf-permit {
                    from {
                        protocol ospf;
                    }
                    then accept;
                }
            }
        }
    }
    ethernet-switching-options {
        voip;
        storm-control {
            interface all {
                level 50;
            }
        }
    }
    vlans {
        default {
            vlan-id 101;
        }
        v300 {
            description 111.231.91.0/24;
            vlan-id 300;
            l3-interface vlan.300;
        }                                   
        v301 {
            vlan-id 301;
            l3-interface vlan.301;
        }
        v302 {
            vlan-id 302;
            l3-interface vlan.302;
        }
        v303 {
            description 11.111.161.33/29;
            vlan-id 303;
            l3-interface vlan.303;
        }
        v304 {
            description 11.111.162.81/28;
            vlan-id 304;
            l3-interface vlan.322;
        }
        v305 {
            vlan-id 305;
            l3-interface vlan.305;
        }
        v306 {
            description 11.111.161.49/29;
            vlan-id 306;
            l3-interface vlan.306;
        }
        v307 {
            description 11.111.161.57/29;
            vlan-id 307;
            l3-interface vlan.307;
        }
        v308 {
            description 11.111.161.33/29;
            vlan-id 308;
            interface {
                ge-0/0/16.0;
            }
            l3-interface vlan.320;
        }
        v309 {
            vlan-id 309;
            l3-interface vlan.309;
        }
        v310 {
            vlan-id 310;
            l3-interface vlan.310;          
        }
        v311 {
            description 11.111.161.88/29;
            vlan-id 311;
            l3-interface vlan.311;
        }
        v312 {
            vlan-id 312;
            l3-interface vlan.312;
        }
        v313 {
            vlan-id 313;
            l3-interface vlan.315;
        }
        v314 {
            vlan-id 314;
            interface {
                ge-0/0/25.0;
            }
            l3-interface vlan.316;
        }
        v315 {
            vlan-id 315;
            interface {
                ge-0/0/26.0;
            }
            l3-interface vlan.317;
        }
        v316;
        v317 {
            vlan-id 317;
            interface {
                ge-0/0/28.0;
            }
            l3-interface vlan.319;
        }
        v318 {
            vlan-id 318;
            interface {
                ge-0/0/29.0;
            }
            l3-interface vlan.321;
        }
        v418 {
            vlan-id 418;
            l3-interface vlan.418;
        }                                   
        v900 {
            description "WANGUARD - BDR1";
            vlan-id 900;
            l3-interface vlan.313;
        }
        v901 {
            description "WANGUARD - BDR2";
            vlan-id 901;
            l3-interface vlan.314;
        }
        vlan10 {
            vlan-id 10;
            l3-interface vlan.10;
        }
    }
    poe {
        interface all;
    }
    

    The config is a bit of a mess, but I've been through the relevant sections a million times and it looks correct. Hopefully a fresh set of eyes will help! 



  • 7.  RE: DHCP bootp helper not forwarding on EX2200
    Best Answer

     
    Posted 02-14-2017 17:22

    It's your loopback filter--try adding this. I don't have a dhcp server to test with but I think return traffic is directed to the dhcp client so you shouldn't need a filter for the return. If you do it should be pretty easy to add. I do see relay counters increasing after adding this term.

     

    firewall {
        family inet {
            filter loopback-protect {
                ...
                term allow-dhcp {
                    from {
                        source-address {
                            0.0.0.0/32;
                        }
                        destination-address {
                            255.255.255.255/32;
                        }
                        protocol udp;
                        destination-port 67;
                    }
                    then accept;
                }
            }
        }
    }


  • 8.  RE: DHCP bootp helper not forwarding on EX2200

    Posted 02-14-2017 17:57

    Many thanks - that's done the trick.

     

    The DHCP server is now issuing a lease, but it's not returning back to the PXE server. 

     

    Would the return path also require adjustments to the firewall, although it shouldn't be hitting the loopback?



  • 9.  RE: DHCP bootp helper not forwarding on EX2200

     
    Posted 02-14-2017 18:18
    It may indeed. Perhaps allowing dhcp traffic from the dhcp server (from udp 68).
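
The filter behaviour discussed in posts 7 to 9, as an added example that is not part of the original thread or any Juniper tooling: a first-match model of the `loopback-protect` terms from the posted config, showing why ping succeeds while the DHCPDISCOVER falls through to the implicit discard, and what the `allow-dhcp` term changes. The packets are constructed; the server reply (addressed to the vlan.418 address on UDP port 67) is an assumption, since the thread does not show it.

```python
"""First-match model of the thread's lo0 filter (added example, not Junos code)."""
from ipaddress import ip_address, ip_network

# Prefix lists transcribed from the sanitised config in post 6.
SSH_MGMT = ["11.111.161.1/32", "11.111.161.245/32", "11.111.162.27/32",
            "111.29.84.59/32", "111.52.116.24/32"]
SNMP_MGMT = ["11.111.161.78/32", "11.111.162.15/32", "111.29.85.31/32",
             "111.52.116.24/32", "111.231.91.5/32"]
WEB_MGMT = ["11.111.162.27/32", "111.29.84.59/32"]


def term(name, action="accept", **match):
    """One filter term: every listed match condition must hold."""
    return {"name": name, "action": action, "match": match}


# Terms in config order. dns-permit has no 'then' in the post; a Junos term
# without an action accepts, so it is modelled as accept.
LOOPBACK_PROTECT = [
    term("ssh-permit", src=SSH_MGMT, proto="tcp", dport=22),
    term("ssh-discard", "discard", proto="tcp", dport=22),
    term("snmp-permit", src=["11.111.161.131/32"] + SNMP_MGMT,
         proto="udp", dport=161),
    term("ntp-permit", src=["218.100.43.70/32", "216.218.254.202/32"],
         proto="udp"),
    term("dns-permit", src=["8.8.8.8/32", "8.8.4.4/32"], proto="udp", sport=53),
    term("icmp-permit", proto="icmp"),
    term("syslog", dst=["111.52.116.24/32"]),
    term("http-permit", src=WEB_MGMT, proto="tcp", dport=80),
    term("ospf-permit", proto="ospf"),
]

# The term suggested in post 7, appended after the existing terms.
ALLOW_DHCP = term("allow-dhcp", src=["0.0.0.0/32"],
                  dst=["255.255.255.255/32"], proto="udp", dport=67)
PATCHED = LOOPBACK_PROTECT + [ALLOW_DHCP]


def _in(addr, prefixes):
    return any(ip_address(addr) in ip_network(p) for p in prefixes)


def matches(pkt, match):
    for key, want in match.items():
        if key in ("src", "dst"):
            if not _in(pkt[key], want):
                return False
        elif pkt.get(key) != want:
            return False
    return True


def evaluate(filter_terms, pkt):
    """Return (action, term); unmatched packets hit the implicit discard."""
    for t in filter_terms:
        if matches(pkt, t["match"]):
            return t["action"], t["name"]
    return "discard", "implicit-default"


# Constructed packets.
DISCOVER = {"src": "0.0.0.0", "dst": "255.255.255.255",
            "proto": "udp", "sport": 68, "dport": 67}
PING_REPLY = {"src": "11.111.162.15", "dst": "11.111.162.177", "proto": "icmp"}
# Assumption: the server answers the relay's vlan.418 address on UDP 67.
SERVER_REPLY = {"src": "11.111.162.15", "dst": "11.111.162.177",
                "proto": "udp", "sport": 67, "dport": 67}

if __name__ == "__main__":
    for label, flt in (("original", LOOPBACK_PROTECT), ("patched", PATCHED)):
        for name, pkt in (("discover", DISCOVER), ("ping-reply", PING_REPLY),
                          ("server-reply", SERVER_REPLY)):
            print(f"{label:9} {name:13} -> {evaluate(flt, pkt)}")
```

Under that assumption the server's reply still matches no term after the patch, which is the case posts 8 and 9 are asking about.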