Juniper ZTP – How to Set Up DHCP Server

dhcpjuniperjuniper-exjuniper-srx

I am currently trying to configure DHCP as part of a ztp setup. Right now my topology is as follows:

ex2200(me0,10.0.20.2)->(ge-0/0/1,10.0.20.1)srx100(fe-0/0/2,10.0.80.1)<-(eth0,10.0.80.2)centos6.7_dhcp_server

I have the dhcp server on the 10.0.80.0/24 subnet, and I want it to assign IP addresses into the 10.0.20.0/24 subnet.

set vendor-string = option vendor-class-identifier;
option space ZTPDEMO;
option ZTPDEMO.image-file-name code 0 = text;
option ZTPDEMO.config-file-name code 1 = text;
option ZTPDEMO.image-file-type code 2 = text;
option ZTPDEMO.transfer-mode code 3 = text;
option ZTPDEMO-encapsulation code 43 = encapsulate ZTPDEMO;
option ZTPDEMO.image-file-type "symlink";
option option-150 code 150 = ip-address;

host CAN1 {
 hardware ethernet 80:ac:ac:4c:84:ff;
 fixed-address 10.0.20.3;
 option host-name "to-mdf-ex22-sw5";
 option vendor-class-identifier "Juniper-ex2200-48p-4g;
 option option-150 10.0.80.2;
 option ZTPDEMO.transfer-mode "http";
 option ZTPDEMO.config-file-name "to-mdf-ex22-sw5-config.txt";
 option ZTPDEMO.image-file-name "jinstall-ex-2200-15.1R5.5-domestic-signed.tgz";
}
subnet 10.0.20.0 netmask 255.255.255.0 {
 option domain-name-servers 8.8.8.8;
 option routers 10.0.20.1;
 default-lease-time 600;
 max-lease-time 7200;
 authoritative;
 option ZTPDEMO.transfer-mode "http";
 pool {
        range dynamic-bootp 10.0.20.3 10.0.20.254;
        option OPTION-150 10.0.80.2;
        option P61.config-file-name "default-ex2200-c-12p.config";
      }
}

And here is the error I receive:

Feb 15 06:26:35 localhost dhcpd: Internet Systems Consortium DHCP Server 4.1.1-P1
Feb 15 06:26:35 localhost dhcpd: Copyright 2004-2010 Internet Systems Consortium.
Feb 15 06:26:35 localhost dhcpd: All rights reserved.
Feb 15 06:26:35 localhost dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Feb 15 06:26:35 localhost dhcpd: Not searching LDAP since ldap-server, ldap-port and ldap-base-dn were not specified in the config file
Feb 15 06:26:35 localhost dhcpd: Wrote 0 deleted host decls to leases file.
Feb 15 06:26:35 localhost dhcpd: Wrote 0 new dynamic host decls to leases file.
Feb 15 06:26:35 localhost dhcpd: Wrote 0 leases to leases file.
Feb 15 06:26:35 localhost dhcpd: 
Feb 15 06:26:35 localhost dhcpd: No subnet declaration for eth0 (10.0.80.2).
Feb 15 06:26:35 localhost dhcpd: ** Ignoring requests on eth0.  If this is not what
Feb 15 06:26:35 localhost dhcpd:    you want, please write a subnet declaration
Feb 15 06:26:35 localhost dhcpd:    in your dhcpd.conf file for the network segment
Feb 15 06:26:35 localhost dhcpd:    to which interface eth0 is attached. **
Feb 15 06:26:35 localhost dhcpd: 
Feb 15 06:26:35 localhost dhcpd: 
Feb 15 06:26:35 localhost dhcpd: Not configured to listen on any interfaces!
Feb 15 06:26:35 localhost dhcpd: 
Feb 15 06:26:35 localhost dhcpd: This version of ISC DHCP is based on the release available
Feb 15 06:26:35 localhost dhcpd: on ftp.isc.org.  Features have been added and other changes
Feb 15 06:26:35 localhost dhcpd: have been made to the base software release in order to make
Feb 15 06:26:35 localhost dhcpd: it work better with this distribution.
Feb 15 06:26:35 localhost dhcpd: 
Feb 15 06:26:35 localhost dhcpd: Please report for this software via the CentOS Bugs Database:
Feb 15 06:26:35 localhost dhcpd:     http://bugs.centos.org/
Feb 15 06:26:35 localhost dhcpd: 
Feb 15 06:26:35 localhost dhcpd: exiting.
[root@localhost dhcp]# service ssh start

A few other tidbits: iptables is off, and the port is configured statically on the server: eth0 10.0.80.2 255.255.255.0, gateway 10.0.80.1.

Anyone have any ideas what I am doing wrong?

Best Answer

Okay, solution found. Expanded subnet, and made some config changes on srx (had ports configured for wrong family).

Related Solutions

Juniper SRX240 and EX2200 Network Configuration

To answer this question, I'll go through your configuration piece by piece.

Your SRX240 configuration is essentially correct and should work, with one small issue, that is your WAN/Internet interface (ge-0/0/0) appears to be using DHCP:

SRX:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
[...]

While you've got a default gateway defined:

SRX:

routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.129.152.129;
    }
}

Likely, your default gateway is provided by DHCP, so you probably don't need/want to define it statically. If 10.129.152.129 is not in your dhcp address/netmask though, JunOS is probably ignoring it, and since you also said that you were able to successfully get Internet connectivity when directly plugged into the SRX, this is probably not causing a problem. To get rid of this for cleanliness, issue the following commands on the SRX240:

SRX:

configure
delete routing-options static
commit

On to the switches. You didn't tell us which port on the SRX240 is connected to which port on the EX2200, so this is hard to answer, but based on the configuration provided I can deduce that your WAN/Internet link is ge-0/0/0 on the SRX240, and that at least one switch is plugged into one of the other interfaces on the SRX (ge-0/0/1 through 15.)

With the configuration you provided (for only the EX2200-24, and not the EX2200-48), your topology should work as long as port ge-0/0/0 through 21 are connected to the SRX. If, however the SRX is plugged into ports 22 or 23 on the the EX, you have a problem, because those ports are in trunk mode and the SRX isn't configured for or expecting VLAN-tagged ethernet frames.

EX:

interfaces {
[...]
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
[...]

Also, if all you really wanted was a flat L2 topology, you have some configuration left over from someone that didn't:

EX:

ge-0/0/XX {
    unit 0 {
        family ethernet-switching {
            vlan {
                members public-eth;
            }
        }
    }
}

and

EX:

vlans {
    management {
        vlan-id 10;
        l3-interface vlan.10;
    }
    private-eth {
        vlan-id 20;
    }
    public-eth {
        vlan-id 30;
    }
    wan {
        vlan-id 100;
        l3-interface vlan.100;
    }
}

and

EX:

interfaces {
[...]
    vlan {
        unit 10 {
            family inet {
                address 192.168.1.2/24;
            }
        }
        unit 100 {
            family inet {
                address 10.129.152.135/25;
            }
        }
    }

You can see several IP addresses, vlans and such configured. To get back to the most basic of L2 functionality, we should remove some of that old unnecessary configuration (as long as you're sure that this is your network and you're not a rogue going against the wishes of your network admin.)

EX:

configure
delete interfaces ge-0/0/0
delete interfaces ge-0/0/1
delete interfaces ge-0/0/2
delete interfaces ge-0/0/3
delete interfaces ge-0/0/4
delete interfaces ge-0/0/5
delete interfaces ge-0/0/6
delete interfaces ge-0/0/7
delete interfaces ge-0/0/8
delete interfaces ge-0/0/9
delete interfaces ge-0/0/10
delete interfaces ge-0/0/11
delete interfaces ge-0/0/12
delete interfaces ge-0/0/13
delete interfaces ge-0/0/14
delete interfaces ge-0/0/15
delete interfaces ge-0/0/16
delete interfaces ge-0/0/17
delete interfaces ge-0/0/18
delete interfaces ge-0/0/19
delete interfaces ge-0/0/20
delete interfaces ge-0/0/21
delete interfaces ge-0/0/22
delete interfaces ge-0/0/23
set interfaces ge-0/0/0.0 family ethernet-switching
set interfaces ge-0/0/1.0 family ethernet-switching
set interfaces ge-0/0/2.0 family ethernet-switching
set interfaces ge-0/0/3.0 family ethernet-switching
set interfaces ge-0/0/4.0 family ethernet-switching
set interfaces ge-0/0/5.0 family ethernet-switching
set interfaces ge-0/0/6.0 family ethernet-switching
set interfaces ge-0/0/7.0 family ethernet-switching
set interfaces ge-0/0/8.0 family ethernet-switching
set interfaces ge-0/0/9.0 family ethernet-switching
set interfaces ge-0/0/10.0 family ethernet-switching
set interfaces ge-0/0/11.0 family ethernet-switching
set interfaces ge-0/0/12.0 family ethernet-switching
set interfaces ge-0/0/13.0 family ethernet-switching
set interfaces ge-0/0/14.0 family ethernet-switching
set interfaces ge-0/0/15.0 family ethernet-switching
set interfaces ge-0/0/16.0 family ethernet-switching
set interfaces ge-0/0/17.0 family ethernet-switching
set interfaces ge-0/0/18.0 family ethernet-switching
set interfaces ge-0/0/19.0 family ethernet-switching
set interfaces ge-0/0/20.0 family ethernet-switching
set interfaces ge-0/0/21.0 family ethernet-switching
set interfaces ge-0/0/22.0 family ethernet-switching
set interfaces ge-0/0/23.0 family ethernet-switching
delete interfaces vlan.100
delete vlans
delete snmp
rename interfaces vlan.10 to unit 0
set vlans default l3-interface vlan.0
set vlans default vlan-id 1
delete routing-options
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1

commit

The above commands do the following:

Clear the current configuration of each of the interfaces on the switch
Create new blank/default configuration for each of the same interfaces
Get rid of the probably unused IP address on vlan 100
Remove SNMP configuration (which is not relevant to your stated goal)
Consolidate everything to the default VLAN (all of the interfaces are automatically members of "default" if another VLAN isn't specified.)
Change the Management VLAN to the default VLAN, as it normally would be on a factory-fresh JunOS install
Set the default gateway to be the Firewall, which is not strictly necessary in this topology since the EX is just acting as a layer 2 switch in this case, but at least you'll be able to ping hosts on the internet from the switch if everything is working.

You'll probably want to do something similar for the EX2200-48 that you didn't give the configuration for, but hopefully you can look at the commands above and perform a similar procedure. If you flatten the topology as I've described, all of your clients will get their IP addresses from the SRX240 and will get internet access.

Juniper Routing – Solving One Way Communication Issues

Figured out what was going on. This is unique to SRX devices as they are security devices. I had to add host-system-services inbound ping to my trust zone, like so:

admin@wb1# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

Best Answer

Related Solutions

Juniper SRX240 and EX2200 Network Configuration

Juniper Routing – Solving One Way Communication Issues

Related Topic