This article provides everything you need to set up a local DHCP server on an SRX security device.
JDHCPD vs DHCPD
JDHCPD provides more functionality than DHCPD, so it is recommended to use JDHCPD on new setups. (Feature comparison)
DHCP and uRPF
If you have uRPF and DHCP set up on the same interface, all DHCP traffic will be dropped by default. To make DHCP work, you need to set up an exemption:
set firewall filter rpf-exception term dhcp from protocol udp
set firewall filter rpf-exception term dhcp from port dhcp
set firewall filter rpf-exception term dhcp then count dhcp
set firewall filter rpf-exception term dhcp then accept

set interfaces <interface-name> family inet rpf-check fail-filter rpf-exception
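The `rpf-exception` term above has no address conditions, so it exempts any UDP packet with port `dhcp` that fails the RPF check. The following check is an added example, not part of the original article: it parses `set` commands and reports fail-filter terms that accept without pinning the match to the DHCP client broadcast (0.0.0.0 to 255.255.255.255). The interface name `ge-0/0/1`, the function name and the tightened `TIGHT_CONFIG` variant are assumptions of this example.

```python
import re
from collections import defaultdict

# The page's exemption; <interface-name> replaced by a constructed name.
PAGE_CONFIG = """\
set firewall filter rpf-exception term dhcp from protocol udp
set firewall filter rpf-exception term dhcp from port dhcp
set firewall filter rpf-exception term dhcp then count dhcp
set firewall filter rpf-exception term dhcp then accept
set interfaces ge-0/0/1 family inet rpf-check fail-filter rpf-exception
"""

# Constructed variant (assumption, not from the page): pin the term to the
# DHCP client broadcast, 0.0.0.0:68 -> 255.255.255.255:67.
TIGHT_CONFIG = """\
set firewall filter rpf-exception term dhcp from source-address 0.0.0.0/32
set firewall filter rpf-exception term dhcp from destination-address 255.255.255.255/32
set firewall filter rpf-exception term dhcp from protocol udp
set firewall filter rpf-exception term dhcp from source-port 68
set firewall filter rpf-exception term dhcp from destination-port 67
set firewall filter rpf-exception term dhcp then count dhcp
set firewall filter rpf-exception term dhcp then accept
set interfaces ge-0/0/1 family inet rpf-check fail-filter rpf-exception
"""

TERM = re.compile(r"^set firewall filter (\S+) term (\S+) (from|then) (\S+)(?: (\S+))?$")
FAIL = re.compile(r"^set interfaces (\S+)(?: unit \S+)? family inet rpf-check fail-filter (\S+)$")
REQUIRED = {("source-address", "0.0.0.0/32"), ("destination-address", "255.255.255.255/32")}

def broad_rpf_exemptions(config):
    """Return sorted (interface, filter, term) for fail-filter terms that accept
    without matching both the 0.0.0.0/32 source and the broadcast destination."""
    terms = defaultdict(lambda: {"from": set(), "then": set()})
    fail_filters = []
    for line in map(str.strip, config.splitlines()):
        if m := TERM.match(line):
            name, term, kind, key, val = m.groups()
            terms[(name, term)][kind].add((key, val))
        elif m := FAIL.match(line):
            fail_filters.append(m.groups())  # (interface, filter name)
    findings = []
    for iface, flt in fail_filters:
        for (name, term), body in terms.items():
            if name == flt and ("accept", None) in body["then"] and not REQUIRED <= body["from"]:
                findings.append((iface, name, term))
    return sorted(findings)

if __name__ == "__main__":
    print(broad_rpf_exemptions(PAGE_CONFIG), broad_rpf_exemptions(TIGHT_CONFIG))
```
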
Using the (New) JDHCPD
This is the recommended method. (Official documentation)
In the Default Routing Instance
Note: this is what I use in my production environment. You might need to adjust some lines to match your needs. Also, I have multiple groups and IP ranges, which is why I used a config group so that I can apply the same config to all the IP ranges.
set system services dhcp-local-server group default-group interface <interface-name> [upto <interface-name>] [exclude]
set system services dhcp-local-server pool-match-order ip-address-first
set system services dhcp-local-server pool-match-order option-82
set system services dhcp-local-server route-suppression access-internal
set system services dhcp-local-server requested-ip-interface-match

set groups DHCP_SERVER_DEFAULTS access address-assignment pool <*> family inet dhcp-attributes maximum-lease-time 600
set groups DHCP_SERVER_DEFAULTS access address-assignment pool <*> family inet dhcp-attributes domain-name corp.contoso.com
set groups DHCP_SERVER_DEFAULTS access address-assignment pool <*> family inet dhcp-attributes name-server 8.8.8.8
set groups DHCP_SERVER_DEFAULTS access address-assignment pool <*> family inet dhcp-attributes name-server 8.8.4.4

set access address-assignment pool LAN family inet apply-groups DHCP_SERVER_DEFAULTS
set access address-assignment pool LAN family inet network 192.168.1.0/24
set access address-assignment pool LAN family inet range 0 low 192.168.1.100
set access address-assignment pool LAN family inet range 0 high 192.168.1.200
set access address-assignment pool LAN family inet dhcp-attributes router 192.168.1.1
In a Non-default Routing Instance or Logical System
Configure everything under the corresponding routing instance (RI) or logical system (LS).
set routing-instances VR1 system services dhcp-local-server group default-group interface <interface-name> [upto <interface-name>] [exclude]
set routing-instances VR1 system services dhcp-local-server pool-match-order ip-address-first
set routing-instances VR1 system services dhcp-local-server pool-match-order option-82
set routing-instances VR1 system services dhcp-local-server route-suppression access-internal
set routing-instances VR1 system services dhcp-local-server requested-ip-interface-match

set groups DHCP_SERVER_DEFAULTS routing-instances <*> access address-assignment pool <*> family inet dhcp-attributes maximum-lease-time 600
set groups DHCP_SERVER_DEFAULTS routing-instances <*> access address-assignment pool <*> family inet dhcp-attributes domain-name corp.contoso.com
set groups DHCP_SERVER_DEFAULTS routing-instances <*> access address-assignment pool <*> family inet dhcp-attributes name-server 8.8.8.8
set groups DHCP_SERVER_DEFAULTS routing-instances <*> access address-assignment pool <*> family inet dhcp-attributes name-server 8.8.4.4

set routing-instances VR1 access address-assignment pool LAN family inet apply-groups DHCP_SERVER_DEFAULTS
set routing-instances VR1 access address-assignment pool LAN family inet network 192.168.1.0/24
set routing-instances VR1 access address-assignment pool LAN family inet range 0 low 192.168.1.100
set routing-instances VR1 access address-assignment pool LAN family inet range 0 high 192.168.1.200
set routing-instances VR1 access address-assignment pool LAN family inet dhcp-attributes router 192.168.1.1
Debugging
show dhcp server binding [routing-instance <instance-name>]
To trace:
set system processes dhcp-service traceoptions level all
set system processes dhcp-service traceoptions flag all
The default log file name is jdhcpd.
Using the (legacy) DHCPD
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.100
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 name-server 8.8.8.8
set system services dhcp pool 192.168.1.0/24 name-server 8.8.4.4
set system services dhcp pool 192.168.1.0/24 domain-name corp.contoso.com
set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
set system services dhcp pool 192.168.1.0/24 maximum-lease-time 3600
Debugging
show system services dhcp pool
show system services dhcp binding [<ip-address>] [detail]
show system services dhcp conflict
To trace:
set system services dhcp traceoptions flag all
The default log file name is dhcpd.