SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Trying to set up VLANS, screwed up my DHCP. . .

    Posted 10-19-2012 21:56

    Juniper SRX100 version 10.3R2.11.  Attempting to add three more vlans as follows:

     

    fe-0/0/7 192.168.15.0/24

    fe-0/0/6 192.168.10.0/24

    fe-0/0/5 192.168.5.0/24

     

    Of course, the default 192.168.1.0/24 is still there for fe-0/0/1 - fe-0/0/4.  For vlan.0 everything works fine.  But for vlan.3, if I specify static IPs I can get online.  Not so much if I use DHCP.  Note that I want DHCP only for 192.168.1.0/24 (vlan.0) and 192.168.15.0/24 (vlan.3), not for the other vlans.

     

    Can I get you guys to take a look to see what I'm doing wrong?  Here is my config:

     

    ## Last changed: 2012-10-20 00:27:18 EDT
    version 10.3R2.11;
    system {
        host-name JUNIPER;
        time-zone America/New_York;
        root-authentication {
            encrypted-password "meh";
        }
        name-server {
            209.18.47.61;
            209.18.47.62;
        }
        login {
            user Administrator {
                full-name Administrator;
                uid 2001;
                class super-user;
                authentication {
                    encrypted-password "meh";
                }
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                http {
                    interface vlan.0;
                }
                https {
                    system-generated-certificate;
                    interface vlan.0;
                }
            }
            dhcp {
                router {
                    192.168.1.1;
                    192.168.15.1;
                }
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                    propagate-settings fe-0/0/0;
                }
                pool 192.168.15.0/24 {
                    address-range low 192.168.15.10 high 192.168.15.254;
                    propagate-settings fe-0/0/0;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    interfaces {
        fe-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        fe-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        fe-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust2;
                    }
                }
            }
        }
        fe-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust3;
                    }
                }
            }
        }
        fe-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust4;
                    }
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 127.0.0.1/32;
                }
            }
        }
        vlan {
            unit 0 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 1 {
                family inet {
                    address 192.168.5.1/24;
                }
            }
            unit 2 {
                family inet {
                    address 192.168.10.1/24;
                }
            }
            unit 3 {
                family inet {
                    address 192.168.15.1/24;
                }
            }
        }
    }
    protocols {
        stp;
    }
    security {
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    vlan.0;
                    vlan.1;
                    vlan.2;
                    vlan.3;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    fe-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface vlan.0;
        }
        vlan-trust2 {
            vlan-id 4;
            l3-interface vlan.1;
        }
        vlan-trust3 {
            vlan-id 5;
            l3-interface vlan.2;
        }
        vlan-trust4 {
            vlan-id 6;
            l3-interface vlan.3;
        }
    }

     

    Thanks in advance!!

     

    JamesNT



  • 2.  RE: Trying to set up VLANS, screwed up my DHCP. . .

    Posted 10-19-2012 22:35

    Hi JamesNT,

     

    I think the problem is with the default gateway.  Try this -- instead of defining the router statement globally under dhcp, define it under the pool.

     

    delete system services dhcp router
    set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
    set system services dhcp pool 192.168.15.0/24 router 192.168.15.1



  • 3.  RE: Trying to set up VLANS, screwed up my DHCP. . .

    Posted 10-20-2012 06:27

    OK, I defined the gateway per scope as JunosOS_Fan (Pradeep?) recommended.  The issue is that the computers on that interface are not getting DHCP addresses at all.  So we may have solved "a" problem but not "the" problem.  Computers connected to fe-0/0/7 cannot get DHCP and therefore default to 169.254.164.213.

     

    Computers on fe-0/0/1-4 can still get DHCP addresses.

     

    JamesNT



  • 4.  RE: Trying to set up VLANS, screwed up my DHCP. . .

    Posted 10-20-2012 06:30

    Have a look at my example config

     

    It has multiple DHCP pools across multiple interfaces/vlans and security zones

     




  • 5.  RE: Trying to set up VLANS, screwed up my DHCP. . .

    Posted 10-20-2012 16:24

    It appears I have my DHCP set up the same way yours is (I did add the default lease time like you have, though), along with my vlans.  I don't have auto-negotiation in my interfaces, however. 

     

    I still am not seeing a reason this thing will not hand out DHCP addresses to the third vlan.

     

    Maybe I'm blind?

     

    JamesNT



  • 6.  RE: Trying to set up VLANS, screwed up my DHCP. . .
    Best Answer

    Posted 10-20-2012 16:43

    I would suggest downloading a newer version of Junos. 10.3 is a bit old.

     

     

    Juniper recommends JUNOS 11.4R5.5.

     

     

    However, you will need a Juniper support contract, or be within the warranty period, to get the download.

     

    Please re-post your current config.

     



  • 7.  RE: Trying to set up VLANS, screwed up my DHCP. . .

    Posted 10-20-2012 18:34

    OK, two things:

     

    1.  The way I had DHCP set up, in which two default gateways were propagated to both VLANs, was wrong.  JunOS_Fan pointed that out.  While this was "a" problem, it was not "THE" problem since computers on the other VLAN weren't getting DHCP requests fulfilled at all.

     

    2.  Upgrading to 11.4R5.5 fixed the issue with DHCP not fulfilling requests.  This was suggested by johnrbaker and this solution did solve "THE" problem.

     

    I'm going to click Accept As Solution for johnrbaker, but I would like for notable mention to go out to JunOS_Fan.  He was correct, after all, and did solve "a" problem.

     

    JamesNT



  • 8.  RE: Trying to set up VLANS, screwed up my DHCP. . .

    Posted 10-20-2012 18:43

    "I would like for notable mention to go out to JunOS_Fan"

     

    Toss him a kudo.



  • 9.  RE: Trying to set up VLANS, screwed up my DHCP. . .

    Posted 10-20-2012 19:01

    Done!  I forgot about those!

     

    JamesNT



  • 10.  RE: Trying to set up VLANS, screwed up my DHCP. . .

    Posted 10-20-2012 00:18
    JamesNT is correct about the router being added to each of the DHCP pools. I did the same as you when I first set up my config.

    I would also suggest that you create a security zone per vlan, as this will allow you to create policies to control traffic to/from each vlan.
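
    A worked version of the per-VLAN zone layout suggested above, as an added example that is not part of the thread and not the poster's own config. It keeps the interface, VLAN and rule-set names from the posted configuration; the zone names vlan5/vlan10/vlan15, the host intranet-1 (192.168.1.50) and the policy names are assumptions made for the illustration. Besides separating the VLANs, it narrows the trust zone's host-inbound-traffic from "all" to the services the SRX actually has to answer on that VLAN, and it extends the posted source-NAT rule-set, which only matches "from zone trust", so that hosts in the new zones still get translated on the way out.

```junos
## Added example, not from the thread. Zone names vlan5/vlan10/vlan15,
## the host intranet-1 and the policy names are hypothetical.

## 1. Move vlan.1-vlan.3 out of the catch-all "trust" zone.
delete security zones security-zone trust interfaces vlan.1
delete security zones security-zone trust interfaces vlan.2
delete security zones security-zone trust interfaces vlan.3

## 2. Replace "system-services all / protocols all" on trust with the
##    services the SRX has to answer there: DHCP, ping, and the management
##    services the posted config already binds to vlan.0.
delete security zones security-zone trust host-inbound-traffic
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services http
set security zones security-zone trust host-inbound-traffic system-services https

## 3. One zone per additional VLAN. Only vlan.3 (192.168.15.0/24) gets a DHCP
##    pool, so only its zone needs to accept DHCP; the static VLANs do not.
set security zones security-zone vlan5 interfaces vlan.1
set security zones security-zone vlan5 host-inbound-traffic system-services ping
set security zones security-zone vlan10 interfaces vlan.2
set security zones security-zone vlan10 host-inbound-traffic system-services ping
set security zones security-zone vlan15 interfaces vlan.3
set security zones security-zone vlan15 host-inbound-traffic system-services dhcp
set security zones security-zone vlan15 host-inbound-traffic system-services ping

## 4. Internet access per zone. The SRX drops inter-zone traffic that no
##    policy permits, so the VLANs cannot reach each other or vlan.0 unless
##    a policy says so.
set security policies from-zone vlan5 to-zone untrust policy vlan5-out match source-address any destination-address any application any
set security policies from-zone vlan5 to-zone untrust policy vlan5-out then permit
set security policies from-zone vlan10 to-zone untrust policy vlan10-out match source-address any destination-address any application any
set security policies from-zone vlan10 to-zone untrust policy vlan10-out then permit
set security policies from-zone vlan15 to-zone untrust policy vlan15-out match source-address any destination-address any application any
set security policies from-zone vlan15 to-zone untrust policy vlan15-out then permit

## 5. The one inter-VLAN hole that is wanted, stated as narrowly as possible:
##    vlan10 may reach a single hypothetical host in vlan.0 on HTTP only.
set security zones security-zone trust address-book address intranet-1 192.168.1.50/32
set security policies from-zone vlan10 to-zone trust policy vlan10-to-intranet match source-address any destination-address intranet-1 application junos-http
set security policies from-zone vlan10 to-zone trust policy vlan10-to-intranet then permit

## 6. The posted source-NAT rule-set only matches "from zone trust"; hosts in
##    the new zones would otherwise leave fe-0/0/0 untranslated and never get
##    replies. Add the new zones to it.
set security nat source rule-set trust-to-untrust from zone [ vlan5 vlan10 vlan15 ]
```

    After commit, "show security zones" lists each vlan unit under its own zone and "show security policies" shows the per-zone policy set. A host in 192.168.10.0/24 should then reach the Internet and intranet-1 on TCP 80, but not 192.168.5.0/24 or 192.168.15.0/24, and "show security flow session source-prefix 192.168.10.0/24" should show its outbound sessions with the translated source address.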


  • 11.  RE: Trying to set up VLANS, screwed up my DHCP. . .

    Posted 10-20-2012 01:23

    This is to avoid installing multiple default gateways in the clients. In this case the clients in both the 192.168.1.0/24 and 192.168.15.0/24 networks receive two default gateways - 192.168.1.1 and 192.168.15.1 - and they prefer them in the same order.  For clients in the 192.168.1.0/24 network everything is working fine because the first preferred one is 192.168.1.1, which is not the case for clients in 192.168.15.0/24.

     

    We can verify the routing table on a client in the 192.168.15.0/24 network and see if it has installed two default routes (and their preferences) or only one with 192.168.1.1 as the next hop.  If it installs only one (192.168.1.1), then I will suspect an ARP resolution issue for this not to work from clients in the 192.168.15.0/24 network.

     

     

    Configuring individual router statements inside each pool should eliminate this issue.
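
    The per-pool router fix from reply 2 and the two-gateway explanation in reply 11, carried through as one added example (not from the thread and not the poster's own config). Addresses, pool ranges and interface names are the poster's; the lease times and the operational checks are added here, and the remark about the trust zone assumes the zone layout of the configuration as originally posted.

```junos
## Added example, not from the thread. Addresses and pools are the poster's;
## the lease times are an assumption.

## Before (posted config): one global router list, so clients on both VLANs
## are offered 192.168.1.1 and 192.168.15.1 as default gateways, in that order.
##   system services dhcp router { 192.168.1.1; 192.168.15.1; }

## After: the gateway option lives in the pool that hands it out.
delete system services dhcp router
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.15.0/24 router 192.168.15.1

## Optional: explicit lease lifetimes per pool (seconds). The poster's
## propagate-settings fe-0/0/0 keeps passing the ISP-learned DNS servers on.
set system services dhcp pool 192.168.1.0/24 default-lease-time 86400
set system services dhcp pool 192.168.15.0/24 default-lease-time 86400

## The SRX only answers DHCP on an interface whose zone lists dhcp as a
## permitted host-inbound system service. In the posted config vlan.3 sits
## in "trust" with "system-services all", so that condition already holds.

## Verify after commit (operational mode):
##   show system services dhcp pool         pools, ranges and the per-pool router
##   show system services dhcp binding      leases; a 192.168.15.x entry means
##                                          the third VLAN is being served
##   show system services dhcp statistics   DISCOVER vs OFFER counters; DISCOVER
##                                          rising with OFFER at 0 means requests
##                                          arrive but the server does not answer
```

    On a Windows client in 192.168.15.0/24, "ipconfig /all" shows the gateway list the offer carried and "route print" shows which 0.0.0.0 entries were installed and in which order; after the change there should be exactly one, via 192.168.15.1. On the SRX, a rising DISCOVER count with OFFER staying at zero in the statistics output means the requests reach the box but the server is not answering, which is the symptom the poster ended up clearing by upgrading Junos.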