SRX

  • 1.  DHCP code problem

    Posted 01-26-2015 02:45

    Hi,

    I have a question about DHCP. I resolved the last topic problem that I posted here.

    I don't know if I must do it this way (see the code). I want vlan1 to have the DHCP pool 192.169.x.x and vlan2 to have 192.168.x.x.

    So I don't know if I have to create one DHCP server or if it isn't necessary.



    Thanks.

    regards.

     

    ## Last changed: 2015-01-23 21:13:43 GMT
    version 12.1X44-D30.4;
    system {
    
        name-resolution {
            no-resolve-on-input;
        }
        services {
            web-management {
                https {
                    system-generated-certificate;
                    interface [ vlan.2 vlan.1 fe-0/0/0.0 ];
                }
                session {
                    idle-timeout 600;
                }
            }
            dhcp {
                pool 192.169.0.0/16 {
                    address-range low 192.169.1.3 high 192.169.1.253;
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        192.169.1.254;
                    }
                    propagate-settings vlan.1;
                }
                pool 192.168.0.0/16 {
                    address-range low 192.168.1.3 high 192.168.1.253;
                    name-server {
                        8.8.8.8;
                        8.8.4.4;
                    }
                    router {
                        192.168.1.254;
                    }
                    propagate-settings vlan.2;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server 0.uk.ntp.pool.org;
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan2;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan2;
                    }
                }
            }
        }
        vlan {
            unit 1 {
                family inet {
                    address 192.168.1.254/16;
                }
            }
            unit 2 {
                family inet {
                    address 192.169.1.254/16;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
       
        policies {
            from-zone Internet to-zone AccessPoint {
                policy All_Internet_AccessPoint {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone AccessPoint to-zone Internet {
                policy All_Internet_AccessPoint {
                    match {
                        source-address ipaccesspointx;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone MonitoringSecurity {
                policy All_Internet_MonitoringSecurity {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone MonitoringSecurity to-zone Internet {
                policy All_Internet_MonitoringSecurity {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone AccessPoint to-zone MonitoringSecurity {
                policy All_AccessPoint_MonitoringSecurity {
                    match {
                        source-address ipaccesspointx;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone MonitoringSecurity to-zone AccessPoint {
                policy All_AccessPoint_MonitoringSecurity {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone AccessPoint {
                interfaces {
                    vlan.2 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                https;
                                dhcp;
                            }
                        }
                    }
                }
            }
            security-zone MonitoringSecurity {
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                https;
                                dhcp;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        ping;
                        http;
                        https;
                    }
                }
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                dhcp;
                                https;
                                http;
                            }
                        }
                    }
                }
            }
        }
    }
    vlans {
        vlan1 {
            vlan-id 3;
            l3-interface vlan.1;
        }
        vlan2 {
            vlan-id 2;
            l3-interface vlan.2;
        }
    }

     



  • 2.  RE: DHCP code problem

     
    Posted 01-26-2015 09:34

    What exactly is your question? 

     

    I will say that 192.169.0.0/16 is not part of private IP space - that network is actually assigned to a real person/company by the ARIN registry, so if your users ever need to communicate with anyone at that address space, they will not be able to do so.

     

    Also, the 'propagate-settings' does not do what I think you think it does.  'propagate-settings' will take the DHCP-assigned parameters of an interface that is acting as a DHCP client and propagate those settings to your downstream DHCP clients.  That part of the config as it is really doesn't do anything.  If you want to propagate the DHCP-assigned settings of the fe-0/0/0.0 interface to your LAN DHCP clients, you need to specify 'propagate-settings fe-0/0/0.0'.

     

    Your configuration, points above notwithstanding, will work fine for two separate DHCP pools in two separate VLANs.  Bear in mind that your config uses the older style DHCP config.  For newer style DHCP config, please see:

     

    http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/topic-map/dhcp-security-local-server.html



  • 3.  RE: DHCP code problem

    Posted 02-01-2015 02:43

    Thanks very much.

     

    I believed that I could use the whole 192.x.x.x network with subnet mask /16. I know this detail now, thanks!

     

    I am using version 12.1X44; I don't know if this new DHCP mode is compatible.

     

    My real question: if I want my router to be a DHCP client on interface 0.0 and a DHCP server (with 2 different pools) on vlan1 and vlan2, is my code right, or can I only define the propagate settings with interface names (fe-0/0/1.0, fe-0/0/2.0 for example)?

     

    Also I have another question, please.

     

    If my devices are set up with subnet mask /16 (vlan1) but I have one interface with /24 and I create a static route so that all packets for 192.168.3.x are sent through this interface ... could that create packet routing problems?

     

    I know that this config is not recommended, but I have a lot of devices with this mask and I don't want to change this network.

     

    Many thanks.

     

    Kind regards.



  • 4.  RE: DHCP code problem
    Best Answer

     
    Posted 02-02-2015 00:27

    You can configure something like below

     

    under system services

     

    dhcp-local-server {
        group VLAN1 {
            interface fe-0/0/1.0;
        }
        group VLAN2 {
            interface fe-0/0/2.0;
        }
    }

     

    under access you can configure something like below...

     

    access {
        address-assignment {
            pool VLAN1 {
                family inet {
                    network 192.168.1.0/24;
                    range VLAN1 {
                        low 192.168.1.50;
                        high 192.168.1.250;
                    }
                    dhcp-attributes {
                        maximum-lease-time 259200;
                        grace-period 259200;
                        domain-name domain.tld;
                        name-server {
                            x.x.x.x;
                            x.x.x.x;
                        }
                        router {
                            192.168.1.1;
                        }
                    }
                    host no-clue {
                        hardware-address 00:00:00:00:00:00;
                        ip-address x.x.x.x;
                    }
                    host no-clue-2 {
                        hardware-address 00:00:00:00:00:01;
                        ip-address 172.31.2.50;
                    }
                }
            }
            pool VLAN2 {
                family inet {
                    network 192.168.2.0/24;
                    range VLAN2 {
                        low 192.168.2.150;
                        high 192.168.2.200;
                    }
                    dhcp-attributes {
                        maximum-lease-time 259200;
                        domain-name domain.tld;
                        name-server {
                            x.x.x.x;
                            x.x.x.x;
                        }
                        router {
                            192.168.2.1;
                        }
                    }
                }
            }
        }
    }



  • 5.  RE: DHCP code problem

    Posted 02-03-2015 11:34

    Thanks for all!!!

     

    but this response generates more questions for me 😞. If you could answer me, I would be very grateful.

     

     

    1) When you link DHCP to a group, is it possible to type this?

     

     

    dhcp-local-server {
        group VLAN1 {
            members vlan.1;
        }
        group VLAN2 {
            member vlan2;  (If you name this vlan "vlan2" as in my last code)
        }
    }

     

    2) Is the distribution of the blocks like "access" inside the config text obligatory?

     

    for example 

     

    services {}

    access{}

    policy {}

    etc

     

    I don't know if you understand me.

     

    3) I don't know why you typed this

     

    host no-clue {
        hardware-address 00:00:00:00:00:00;
        ip-address x.x.x.x;
    }
    host no-clue-2 {
        hardware-address 00:00:00:00:00:01;
        ip-address 172.31.2.50;
    }

     

    4) The last question is about what I told you in my last post

     

    If my devices are set up with subnet mask /16 (vlan1) but I have one interface with /24 and I create a static route so that all packets for 192.168.3.x are sent through this interface ... could that create packet routing problems?

     

    I know that this config is not recommended, but I have a lot of devices with this mask and I don't want to change this network.

    Thanks MarcTB, because you are really helping me.

     

     

    Regards



  • 6.  RE: DHCP code problem

     
    Posted 02-03-2015 13:35


    On point 1.

     

    You always have to declare the interface the DHCP server is listening on in the group, so for you it could then be

     

    dhcp-local-server {
        group VLAN1 {
            /* the routed VLAN interface (vlan.1), not the VLAN name */
            interface vlan.1;
        }
        group VLAN2 {
            interface vlan.2;
        }
    }

     

     

    Point 2: can you explain a little more before I can answer your question?

     

    Point 3: that is the config part where you declare a static IP for a host in the DHCP config. You declare the host's MAC address and its static IP.

     

    Point 4: no, that will not be a problem. You don't even need a static route towards the interface that has the /24 allocation connected. Smaller subnets are always a more preferred route than a large /16.

     

    Hope this explains it a bit.
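The two routing points in this thread (post 2: a locally configured 192.169.0.0/16 cuts the LAN off from the real owner of that space; point 4 above: a connected /24 always wins over an overlapping /16) both follow from longest-prefix matching. The added example below is not from the thread or from Juniper; it models a small forwarding table with the ipaddress module. The table is constructed to mirror the poster's topology, and the interface name fe-0/0/3.0 for the /24 segment is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str   # exit interface for this route
    kind: str  # "connected", "static" or "default"


def make_route(prefix, via, kind):
    return Route(ipaddress.ip_network(prefix), via, kind)


def matching_routes(table, dst):
    """All routes covering dst, most specific (longest prefix) first."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r.prefix]
    return sorted(hits, key=lambda r: r.prefix.prefixlen, reverse=True)


def exit_interface(table, dst):
    """Longest-prefix match: the most specific covering route wins, which is
    how the SRX resolves an overlapping /16 and /24 (no static route needed)."""
    hits = matching_routes(table, dst)
    return hits[0].via if hits else None


def non_private_connected(table):
    """Connected prefixes outside RFC 1918 space: traffic for the real owner of
    such a block will never leave the box because the connected route wins."""
    return [str(r.prefix) for r in table
            if r.kind == "connected" and not r.prefix.is_private]


# Constructed table: vlan.1 carries 192.168.0.0/16, a second interface (assumed
# name fe-0/0/3.0) carries 192.168.3.0/24 directly, and the default route leaves
# via the DHCP-client uplink fe-0/0/0.0.
TABLE = [
    make_route("0.0.0.0/0", "fe-0/0/0.0", "default"),
    make_route("192.168.0.0/16", "vlan.1", "connected"),
    make_route("192.168.3.0/24", "fe-0/0/3.0", "connected"),
]

# The same table with 192.169.0.0/16 on vlan.2, as in the original config.
TABLE_WITH_192_169 = TABLE + [make_route("192.169.0.0/16", "vlan.2", "connected")]

if __name__ == "__main__":
    for dst in ("192.168.3.10", "192.168.1.10", "192.169.1.5", "8.8.8.8"):
        print(dst, "->", exit_interface(TABLE, dst),
              "| with 192.169.0.0/16 on vlan.2 ->",
              exit_interface(TABLE_WITH_192_169, dst))
    print("non-private connected:", non_private_connected(TABLE_WITH_192_169))
```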