DHCP Server on Juniper SRX

This article provides everything you need to set up a local DHCP server on an SRX security device.

JDHCPD vs DHCPD

JDHCPD provides more functionality than DHCPD, so it is recommended to use JDHCPD on new setups. (Feature comparison)

DHCP and uRPF

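If you have uRPF and DHCP set up on the same interface, all DHCP traffic will be dropped by default, because a client's initial request is sent from 0.0.0.0 to 255.255.255.255 and that source address fails the reverse-path check. To make DHCP work, you need to set up an exemption: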

set firewall filter rpf-exception term dhcp from protocol udp
set firewall filter rpf-exception term dhcp from port dhcp
set firewall filter rpf-exception term dhcp then count dhcp
set firewall filter rpf-exception term dhcp then accept

set interfaces <interface-name> family inet rpf-check fail-filter rpf-exception
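
To show why the exemption is needed and exactly which packets it lets through, here is an added example (not part of the original article) that models strict uRPF plus a fail-filter in Python. The routing table, the interface names, the sample packets and the narrower 0.0.0.0 to 255.255.255.255 match are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport")

# Constructed routing table (prefix, egress interface); interface names are hypothetical.
ROUTES = [("192.168.1.0/24", "ge-0/0/1.0"), ("0.0.0.0/0", "ge-0/0/0.0")]
LAN = "ge-0/0/1.0"

def rpf_strict_ok(pkt, in_ifl, routes=ROUTES):
    """Simplified strict uRPF: the longest-prefix route back to the source
    address must point out of the interface the packet arrived on."""
    src = ipaddress.ip_address(pkt.src)
    nets = [(ipaddress.ip_network(p), ifl) for p, ifl in routes]
    hits = [(n, ifl) for n, ifl in nets if src in n]
    if not hits:
        return False
    return max(hits, key=lambda h: h[0].prefixlen)[1] == in_ifl

def page_filter(pkt):
    """The article's term: protocol udp, port dhcp (UDP 67 as source or destination)."""
    return pkt.proto == "udp" and 67 in (pkt.sport, pkt.dport)

def narrow_filter(pkt):
    """Assumed tighter term: additionally require the DHCP broadcast addresses."""
    return page_filter(pkt) and (pkt.src, pkt.dst) == ("0.0.0.0", "255.255.255.255")

def verdict(pkt, in_ifl=LAN, fail_filter=None):
    """Return what happens to a packet arriving on in_ifl."""
    if rpf_strict_ok(pkt, in_ifl):
        return "accept: rpf-check passed"
    if fail_filter is not None and fail_filter(pkt):
        return "accept: fail-filter"
    return "drop: rpf-check failed"  # a fail-filter ends in an implicit discard

# Constructed sample packets, all arriving on the LAN interface.
DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67)       # new client, no address yet
RENEW = Packet("192.168.1.150", "192.168.1.1", "udp", 68, 67)        # unicast renewal from a lease
OFF_SUBNET = Packet("203.0.113.7", "192.168.1.1", "udp", 40000, 67)  # source not routed via LAN

if __name__ == "__main__":
    for name, pkt in [("DISCOVER", DISCOVER), ("RENEW", RENEW), ("OFF_SUBNET", OFF_SUBNET)]:
        print(f"{name:10} no filter: {verdict(pkt)}")
        print(f"{'':10} article:   {verdict(pkt, fail_filter=page_filter)}")
        print(f"{'':10} narrow:    {verdict(pkt, fail_filter=narrow_filter)}")
```

The exemption as written accepts any UDP port 67 packet that fails the reverse-path check, not only the client broadcast. For directly attached clients, adding `from source-address 0.0.0.0/32` and `from destination-address 255.255.255.255/32` to the term limits it to that broadcast.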

Using the (New) JDHCPD

This is the recommended method. (Official documentation)

In the Default Routing Instance

Note: this is what I use in my production environment. You might need to adjust some lines to match your needs. Also, I have multiple groups and IP ranges, which is why I used a config group so that I can apply the same config to all the IP ranges.

set system services dhcp-local-server group default-group interface <interface-name> [upto <interface-name>] [exclude]
set system services dhcp-local-server pool-match-order ip-address-first
set system services dhcp-local-server pool-match-order option-82
set system services dhcp-local-server route-suppression access-internal
set system services dhcp-local-server requested-ip-interface-match

set groups DHCP_SERVER_DEFAULTS access address-assignment pool <*> family inet dhcp-attributes maximum-lease-time 600
set groups DHCP_SERVER_DEFAULTS access address-assignment pool <*> family inet dhcp-attributes domain-name corp.contoso.com
set groups DHCP_SERVER_DEFAULTS access address-assignment pool <*> family inet dhcp-attributes name-server 8.8.8.8
set groups DHCP_SERVER_DEFAULTS access address-assignment pool <*> family inet dhcp-attributes name-server 8.8.4.4

set access address-assignment pool LAN family inet apply-groups DHCP_SERVER_DEFAULTS
set access address-assignment pool LAN family inet network 192.168.1.0/24
set access address-assignment pool LAN family inet range 0 low 192.168.1.100
set access address-assignment pool LAN family inet range 0 high 192.168.1.200
set access address-assignment pool LAN family inet dhcp-attributes router 192.168.1.1

In a Non-default Routing Instance or Logical System

Just configure everything in the corresponding routing instance (RI) or logical system (LS).

set routing-instances VR1 system services dhcp-local-server group default-group interface <interface-name> [upto <interface-name>] [exclude]
set routing-instances VR1 system services dhcp-local-server pool-match-order ip-address-first
set routing-instances VR1 system services dhcp-local-server pool-match-order option-82
set routing-instances VR1 system services dhcp-local-server route-suppression access-internal
set routing-instances VR1 system services dhcp-local-server requested-ip-interface-match

set groups DHCP_SERVER_DEFAULTS routing-instances <*> access address-assignment pool <*> family inet dhcp-attributes maximum-lease-time 600
set groups DHCP_SERVER_DEFAULTS routing-instances <*> access address-assignment pool <*> family inet dhcp-attributes domain-name corp.contoso.com
set groups DHCP_SERVER_DEFAULTS routing-instances <*> access address-assignment pool <*> family inet dhcp-attributes name-server 8.8.8.8
set groups DHCP_SERVER_DEFAULTS routing-instances <*> access address-assignment pool <*> family inet dhcp-attributes name-server 8.8.4.4

set routing-instances VR1 access address-assignment pool LAN family inet apply-groups DHCP_SERVER_DEFAULTS
set routing-instances VR1 access address-assignment pool LAN family inet network 192.168.1.0/24
set routing-instances VR1 access address-assignment pool LAN family inet range 0 low 192.168.1.100
set routing-instances VR1 access address-assignment pool LAN family inet range 0 high 192.168.1.200
set routing-instances VR1 access address-assignment pool LAN family inet dhcp-attributes router 192.168.1.1

Debugging

show dhcp server binding [routing-instance <instance-name>]

To trace:

set system processes dhcp-service traceoptions level all
set system processes dhcp-service traceoptions flag all

The default log file name is jdhcpd.

Using the (Legacy) DHCPD

set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.100
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.200
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 name-server 8.8.8.8
set system services dhcp pool 192.168.1.0/24 name-server 8.8.4.4
set system services dhcp pool 192.168.1.0/24 domain-name corp.contoso.com
set system services dhcp pool 192.168.1.0/24 default-lease-time 3600
set system services dhcp pool 192.168.1.0/24 maximum-lease-time 3600

Debugging

show system services dhcp pool
show system services dhcp binding [<ip-address>] [detail]
show system services dhcp conflict

To trace:

set system services dhcp traceoptions flag all

The default log file name is dhcpd.

