SRX1500 (pkt mode) dhcp relay and VoIP phones
We use SRX's in pkt mode at some remote sites that don't need full blown
VPN/FW security, mostly older SRX100s and SRX240s.  We've recently
installed a SRX1500 at a larger site and everything works as expected,
except none of the VoIP phones are getting their addresses from the dhcp
relay.  We have 6 VLANs on site and all of them get dhcp as expected,
except the VoIP phones.  Putting a laptop on the VoIP VLAN gets an IP
correctly.  Monitoring and mirroring the VLAN shows the dhcp reply
packets being broadcast to the IRB, but the phones just stay in the
selecting state in the binding table.

This is the first SRX running the JDHCP code levels so that's suspect,
but can't for the life of me see why only the phones are having issues.

We were running the recommended 15.1X49-D150.2 and I upgraded this
morning to 15.1X49-D160.2 without any change.

Has anyone run into such an issue before?

thanks
mike
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: SRX1500 (pkt mode) dhcp relay and VoIP phones
Maybe try layer2-unicast-replies?

On Wed, Jan 16, 2019 at 08:38:34AM -0500, Michael Davis wrote:
> We use SRX's in pkt mode at some remote sites that don't need full blown
> VPN/FW security, mostly older SRX100s and SRX240s.  We've recently
> installed a SRX1500 at a larger site and everything works as expected,
> except none of the VoIP phones are getting their addresses from the dhcp
> relay.  We have 6 VLANs on site and all of them get dhcp as expected,
> except the VoIP phones.  Putting a laptop on the VoIP VLAN gets an IP
> correctly.  Monitoring and mirroring the VLAN shows the dhcp reply
> packets being broadcast to the IRB, but the phones just stay in the
> selecting state in the binding table.
>
> This is the first SRX running the JDHCP code levels so that's suspect,
> but can't for the life of me see why only the phones are having issues.
>
> We were running the recommended 15.1X49-D150.2 and I upgraded this
> morning to 15.1X49-D160.2 without any change.
>
> Has anyone run into such an issue before?
Re: SRX1500 (pkt mode) dhcp relay and VoIP phones
Thanks.. Not valid for SRX1500 platform.

On 1/16/19 9:37 AM, Anderson, Charles R wrote:
> Maybe try layer2-unicast-replies?
Re: SRX1500 (pkt mode) dhcp relay and VoIP phones
What make/model are your IP phones? Are you doing dhcp-snooping on a
separate switch? If so, I'd advise disabling dhcp-snooping on the
SRX. Are you doing voip-vlan?

We are using Avaya 96xx-series phones on EX4200, EX4300, and EX3400
switches. The switches are doing voip-vlan and dhcp-snooping. The
EX3400 switches are behind MX150 routers using the new jdhcpd relay on
MX150 17.3R2. This is my config which works fine with our IP phones:

set forwarding-options dhcp-relay overrides allow-snooped-clients
set forwarding-options dhcp-relay overrides trust-option-82
set forwarding-options dhcp-relay server-group DHCP-SERVERS a.b.c.d
set forwarding-options dhcp-relay server-group DHCP-SERVERS w.x.y.z
set forwarding-options dhcp-relay active-server-group DHCP-SERVERS
set forwarding-options dhcp-relay group DHCP-RELAYS interface ae0.50
set forwarding-options dhcp-relay no-snoop


On Wed, Jan 16, 2019 at 09:41:49AM -0500, Michael Davis wrote:
> Thanks.. Not valid for SRX1500 platform.
Re: SRX1500 (pkt mode) dhcp relay and VoIP phones
Thanks.  These are many different models of Cisco phones, as well
as Panasonic cordless voip phones.

We are doing snooping on the access switches (ex3300s), but we've
always done this and have tried turning it on/off both the EX's as well
as the SRX.  The Cisco phones use voice-vlan lldp detection and are in
the binding table on the correct vlan.  The Panasonic are hardwired
to the voice-vlan.

My SRX dhcp relay config is the same and since it works for other
devices on the voice-vlan (don't have the no-snoop option), I have
to suspect that these older phones are expecting a unicast dhcp
reply that the SRX appears unable to deliver.  I may try a jump up to
JunOS 17 just as a last test, but I'm not optimistic..

thanks
mike


On 1/16/19 10:16 AM, Anderson, Charles R wrote:
> What make/model are your IP phones? Are you doing dhcp-snooping on a
> separate switch? If so, I'd advise disabling dhcp-snooping on the
> SRX. Are you doing voip-vlan?
>
> We are using Avaya 96xx-series phones on EX4200, EX4300, and EX3400
> switches. The switches are doing voip-vlan and dhcp-snooping. The
> EX3400 switches are behind MX150 routers using the new jdhcpd relay on
> MX150 17.3R2. This is my config which works fine with our IP phones:
>
> set forwarding-options dhcp-relay overrides allow-snooped-clients
> set forwarding-options dhcp-relay overrides trust-option-82
> set forwarding-options dhcp-relay server-group DHCP-SERVERS a.b.c.d
> set forwarding-options dhcp-relay server-group DHCP-SERVERS w.x.y.z
> set forwarding-options dhcp-relay active-server-group DHCP-SERVERS
> set forwarding-options dhcp-relay group DHCP-RELAYS interface ae0.50
> set forwarding-options dhcp-relay no-snoop
Re: SRX1500 (pkt mode) dhcp relay and VoIP phones
To close the loop on this, it turned out to be the global l2-learning
mode on the SRX1500.  It is set by default in transparent bridging mode.
Changing this to switching mode cleared up the DHCP broadcast response
that the VoIP phones were having..

https://kb.juniper.net/InfoCenter/index?page=content&id=KB31081


On 1/16/19 11:07 AM, Michael Davis wrote:
> Thanks.  These are many different models of Cisco phones, as well
> as Panasonic cordless voip phones.
>
> We are doing snooping on the access switches (ex3300s), but we've
> always done this and have tried turning it on/off both the EX's as well
> as the SRX.  The Cisco phones use voice-vlan lldp detection and are in
> the binding table on the correct vlan.  The Panasonic are hardwired
> to the voice-vlan.
>
> My SRX dhcp relay config is the same and since it works for other
> devices on the voice-vlan (don't have the no-snoop option), I have
> to suspect that these older phones are expecting a unicast dhcp
> reply that the SRX appears unable to deliver.  I may try a jump up to
> JunOS 17 just as a last test, but I'm not optimistic..
>
> thanks
> mike

--
Mike Davis
Systems Programmer V
NSS - University of Delaware - 302.831.8756
Newark, DE 19716 Email davis@udel.edu
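
One way to check the unicast-versus-broadcast theory raised in this thread is to compare the BOOTP broadcast flag in a DISCOVER from a working client with one from a failing phone. This is an added example, not code from any poster: the two sample messages, their MAC addresses and vendor strings are constructed, and `parse_dhcp`, `expected_delivery` and `build_discover` are hypothetical helper names.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Summarise the UDP payload of one DHCP message (RFC 2131 layout)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    if hlen > 16:
        raise ValueError("bad hlen")
    info = {"op": op, "xid": xid,
            "broadcast": bool(flags & 0x8000),       # top bit of the flags field
            "giaddr": ".".join(map(str, payload[24:28])),
            "chaddr": payload[28:28 + hlen].hex(":"),
            "type": None, "vendor_class": None}
    i = 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:               # DHCP message type
            info["type"] = TYPES.get(value[0], str(value[0]))
        elif code == 60:                             # vendor class identifier
            info["vendor_class"] = value.decode("ascii", "replace")
        i += 2 + length
    return info

def expected_delivery(request: dict) -> str:
    """How RFC 1542/2131 says a relay should deliver the reply on the client LAN."""
    return "l2-broadcast" if request["broadcast"] else "l2-unicast to " + request["chaddr"]

def build_discover(mac: str, broadcast: bool, vendor: str) -> bytes:
    """Constructed sample input: a minimal DHCPDISCOVER, not a real capture."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000 if broadcast else 0)
    hdr += bytes(16) + bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    opts = b"\x35\x01\x01" + bytes([60, len(vendor)]) + vendor.encode() + b"\xff"
    return hdr + MAGIC + opts

LAPTOP = build_discover("02:00:00:00:00:01", True, "example-laptop")   # hypothetical client
PHONE = build_discover("02:00:00:00:00:02", False, "example-phone")    # hypothetical client
```

Feeding it the UDP payloads from the mirrored VLAN shows whether the failing and working clients actually ask for different reply delivery, which can then be set against how the replies appear on the wire.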