Junos

QFX5100 DHCP-Relay setup

‎04-01-2020 05:47 AM

I have a production QFX5100 that I'm currently working on. I've been tasked with setting up DHCP-relay to a remote DHCP server on our network. Other than the following forwarding-options, what else am I missing? I read online about routing-instances and other settings but I'm not sure if those are needed. Any information is greatly appreciated.

 

> show configuration forwarding-options
storm-control-profiles default {
    all;
}
dhcp-relay {
    overrides {
        bootp-support;
        delete-binding-on-renegotiation;
    }
    server-group {
        ip-helper {
            2.2.2.2;
        }
    }
    active-server-group ip-helper;
    group ip-helper {
        interface all;
    }
}

 


Re: QFX5100 DHCP-Relay setup

‎04-01-2020 12:36 PM

 

Hey JJnet479

 

 

On this configuration sample we can see that we have two servers acting, one for the finance VLAN and another one for Sales:

forwarding-options {
    dhcp-relay {
        server-group {
            FINANCE {
                # remote DHCP server
                128.218.254.40;
                # (optional) 2nd DHCP server
                128.218.254.10;
            }
            SALES {
                168.230.27.5;
            }
        }
        group FINANCES {
            # must name a server-group defined above
            active-server-group FINANCE;
            # This should be the interface working as the gateway on the VLAN that should use finance servers
            interface ge-0/0/0.0;
        }
        group SALES {
            active-server-group SALES;
            # This should be the interface working as the gateway on the VLAN that should use Sales server
            interface ge-0/0/1.0;
        }
    }
}

 

 

If you had this command: set forwarding-options dhcp-relay active-server-group <name>, it will allow only a single group of servers to work. Most of the time this is used; you do not always have several DHCP servers.

Remember that you cannot have a binding to two servers; the dhcp-relay agent will not let you do that unless you configure the following command: set forwarding-options dhcp-relay overrides delete-binding-on-renegotiation

This should do the job! If you have a routing instance, you just need to add this configuration inside of the configuration.

If this solves your problem, please mark this post as "Accepted Solution" so we can help others too.

Regards,

 

Lil Dexx
JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB


Re: QFX5100 DHCP-Relay setup

‎04-02-2020 04:34 AM

Thanks for your reply. I did some renaming but this is what I have...

forwarding-options {
    dhcp-relay {
        server-group {
            dhcp-server {
                # remote DHCP server
                2.2.2.2;
            }
        }
        group ip-helper-interfaces {
            active-server-group dhcp-server;
            interface xe-0/0/1.0;
        }
    }
}


For interface xe-0/0/1, it is not on a VLAN; does it need to be?

show configuration interfaces xe-0/0/1
description testing;
unit 0 {
    family inet {
        address x.x.x.x/30;
    }
}

When I monitor the traffic for xe-0/0/1 I get:

monitor traffic interface xe-0/0/1 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on xe-0/0/1, capture size 96 bytes

15:22:00.932349 In IP [|ip]
15:22:00.943455 Out IP truncated-ip - 272 bytes missing! x.x.x.x > 255.255.255.255.68: BOOTP/DHCP, Reply, length 304
15:22:04.929299 In IP [|ip]
15:22:04.940425 Out IP truncated-ip - 272 bytes missing! x.x.x.x > 255.255.255.255.68: BOOTP/DHCP, Reply, length 304
15:22:04.962232 In arp who-has x.x.x.x tell x.x.x.x
15:22:05.475256 In arp who-has x.x.x.x tell x.x.x.x
15:22:06.519277 In arp who-has x.x.x.x tell x.x.x.x
15:22:08.553230 In arp who-has x.x.x.x tell x.x.x.x

This QFX5100 has all the IPs statically routed to it. Does DHCP-Relay need any other prerequisite for it to work correctly such as ospf? 

 


Re: QFX5100 DHCP-Relay setup

‎04-02-2020 01:07 PM

Hey JJnet479,

 

Hope you are doing well. For interface xe-0/0/1, it is not on a VLAN, does it need to be?

Answer: Yes. Remember that you have to configure the gateway for the VLAN whose discovers you want to relay from your computers to the remote server under the active server group hierarchy. If you are using an IRB interface as the gateway for the VLAN whose DHCP traffic you want to relay (which is the most common way to do it), configure this interface under the active server group, not the physical interface, which I doubt is the gateway as it is a /30 interface/subnet (only 2 hosts can exist in this subnet).

 




Regards,

Lil Dexx
JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB


Re: QFX5100 DHCP-Relay setup

‎04-08-2020 10:19 AM

Thank you for the reply LilDexx, I'm still having issues though. Here is an exact copy/paste from my configuration. The only thing I changed was the IP address to x.x.x.x/30 to keep that information private. On the DHCP server (dedicated server running software), I see the DHCPOFFER, DHCPREQUEST, then DHCPACK. After that the server I'm attempting PXE on displays ARP timeout.

I have Cisco switches that just work with ip helper-address and I need to do the same thing with this Juniper QFX5100.

The software developers for the software we use that has the DHCP server on it suggested STP but that yields the same results. Is there anything else I can try? Enable logging?

show configuration interfaces xe-0/0/1
description PXE-testing;
unit 0 {
    family ethernet-switching {
        vlan {
            members PXE;
        }
    }
}

show configuration interfaces irb.2
family inet {
    address x.x.x.x/30;
}

show configuration forwarding-options
storm-control-profiles default {
    all;
}
dhcp-relay {
    overrides {
        delete-binding-on-renegotiation;
    }
    server-group {
        DHCP-RELAY {
            2.2.2.2;
        }
    }
    active-server-group DHCP-RELAY;
    route-suppression {
        destination;
    }
    group DHCP-RELAY {
        active-server-group DHCP-RELAY;
        interface irb.2;
    }
}

show configuration vlans PXE
vlan-id 3;
l3-interface irb.2;

 


Re: QFX5100 DHCP-Relay setup

‎04-08-2020 02:03 PM

JJnet479,

 

Greetings, are you sure that your IRB should be a /30? As mentioned before, this will allow only 2 IPs in that subnet. Then, can you do monitor traffic on that IRB to check the conversation and see what is missing? For privacy, refer to this doc and compare how the conversation should look, including the PXE boot, with what you have in your network: https://kb.juniper.net/InfoCenter/index?page=content&id=KB29822&actp=METADATA

Now, from what you shared, it seems like the server was able to hand out an IP, and we are just missing the PXE boot. Do you have an entry in the relay binding table?

Do you have any DHCP snooping in place? If yes, please disable it. Also, please check this doc: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/dhcp-snooping-network-security.ht...

 

 

 


Regards,

Lil Dexx
JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB


Re: QFX5100 DHCP-Relay setup

‎04-09-2020 05:45 AM

Yes, I'm using a /30 subnet on a dedicated server. This server is directly connected to xe-0/0/1 on the QFX5100. The DHCP request goes to a DHCP server (non-Juniper) to PXE boot/install operating systems. (Currently works with Cisco, ip helper-address 2.2.2.2.) No snooping in place, disabled by default.

 

The end goal is to have unique /30, /29 etc for dedicated servers connected to this QFX5100 to send its DHCP request to the DHCP server for OS installs.

 

Also I'm not using private IPs and I'm changing them to x.x.x.x to keep the IPs hidden in this forum.

 

Here are the logs for the DHCP server:

 

Apr 9 08:01:10 remote dhcpd[20821]: DHCPDISCOVER from ec:f4:bb:dc:e1:58 via x.x.x.169
Apr 9 08:01:10 remote dhcpd[20821]: DHCPOFFER on x.x.x.170 to ec:f4:bb:dc:e1:58 via x.x.x.169
Apr 9 08:01:14 remote dhcpd[20821]: DHCPREQUEST for x.x.x.170 (2.2.2.2) from ec:f4:bb:dc:e1:58 via x.x.x.169
Apr 9 08:01:14 remote dhcpd[20821]: DHCPACK on x.x.x.170 to ec:f4:bb:dc:e1:58 via x.x.x.169

 

Here is the binding table:

 

IP address    Session Id  Hardware address   Expires  State      Interface
0.0.0.0       598         ec:f4:bb:dc:e1:58  0        SELECTING  irb.2

IP address    Session Id  Hardware address   Expires  State      Interface
x.x.x.170     598         ec:f4:bb:dc:e1:58  86388    BOUND      irb.2


Here is the traffic from irb.2:

 

monitor traffic interface irb.2 no-resolve size 1024
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on irb.2, capture size 1024 bytes

07:17:02.050041 In IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:f4:bb:dc:e1:58, length 548
07:17:06.013319 In IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:f4:bb:dc:e1:58, length 548
07:17:06.098388 Out IP x.x.x.169.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
07:17:10.020299 In IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:f4:bb:dc:e1:58, length 548
07:17:10.146104 Out IP x.x.x.169.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
07:17:10.165237 In arp who-has x.x.240.1 tell x.x.x.170
07:17:10.676219 In arp who-has x.x.240.1 tell x.x.x.170
07:17:11.720287 In arp who-has x.x.240.1 tell x.x.x.170
07:17:13.749215 In arp who-has x.x.240.1 tell x.x.x.170


Re: QFX5100 DHCP-Relay setup

‎04-10-2020 07:19 AM

Hello,

I found that the issue was with how the DHCP server issues the gateway address for the /30 I'm using. Is there anything on the Juniper side that I can configure to set the gateway address for my DHCP request on the /30, ignoring what the DHCP server says it is?

For example:

My /30 is as follows:

x.x.254.168/30

The gateway ends in 169 but the DHCP server says the gateway is x.x.240.1, which is a parent address of a larger subnet.

Thanks



Re: QFX5100 DHCP-Relay setup

‎04-10-2020 12:03 PM

 

 

 

Hello JJnet479,

 

Glad to hear that you are making some progress. Now, as mentioned before, the /30 is just for 2 hosts (2 usable IPs). If your gateway (your SVI & IRB) already has 1, your DHCP server can/should only hand out one more. You need to fix the DHCP scope on the server to hand out that one and only IP that remains in your /30 subnet, and also configure it to hand out the appropriate default gateway (your SVI & IRB).

Here is how the flow should go:

Host 1 in VLAN A sends a discover --> irb.2 takes those discovers (your GW) with the /30 subnet; it encapsulates those discovers and sends them unicast to your server. Your server has to reply with an IP within that /30 subnet (which is just 1 option) and the default gateway (your SVI & IRB); this needs to be configured on the server.

 


Regards,

Lil Dexx
JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB
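
The fix described in this thread (one scope per relayed subnet, with the IRB address handed out as the default gateway), as an added example that is not part of any post: a Python sketch that derives an ISC dhcpd subnet declaration from the IRB address and checks an offered lease against it. The 10.20.x.x addresses are constructed stand-ins for the masked x.x.254.168/30 and x.x.240.1, and the function names are hypothetical.

```python
import ipaddress

def scope_for(irb_cidr):
    """Scope for one relayed subnet, derived from the relay (IRB) address."""
    iface = ipaddress.ip_interface(irb_cidr)
    hosts = list(iface.network.hosts())
    # Leasable addresses sit below and above the gateway; keep each run separate
    # so a gateway in the middle of a /29 is never inside a range.
    runs = [[h for h in hosts if h < iface.ip], [h for h in hosts if h > iface.ip]]
    ranges = [(r[0], r[-1]) for r in runs if r]
    if not ranges:
        raise ValueError(f"{irb_cidr} leaves no address to lease")
    return {"network": iface.network, "router": iface.ip, "ranges": ranges}

def dhcpd_stanza(irb_cidr):
    """Render an ISC dhcpd subnet declaration for that scope."""
    s = scope_for(irb_cidr)
    net = s["network"]
    ranges = "".join(f"  range {lo} {hi};\n" for lo, hi in s["ranges"])
    return (
        f"subnet {net.network_address} netmask {net.netmask} {{\n"
        f"  option routers {s['router']};\n"
        f"{ranges}"
        "}\n"
    )

def check_lease(irb_cidr, offered_ip, offered_router):
    """List what is wrong with a lease relayed through irb_cidr."""
    s = scope_for(irb_cidr)
    ip = ipaddress.ip_address(offered_ip)
    gw = ipaddress.ip_address(offered_router)
    problems = []
    if not any(lo <= ip <= hi for lo, hi in s["ranges"]):
        problems.append(f"client address {ip} is outside the scope")
    if gw not in s["network"]:
        # Symptom in the thread: the client ARPs for the router and times out.
        problems.append(f"router {gw} is off-link for {s['network']}")
    elif gw != s["router"]:
        problems.append(f"router {gw} is not the relay address {s['router']}")
    return problems

if __name__ == "__main__":
    # Constructed addresses standing in for x.x.254.168/30 and x.x.240.1.
    irb = "10.20.254.169/30"
    print(check_lease(irb, "10.20.254.170", "10.20.240.1"))
    print(dhcpd_stanza(irb))
```
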