Most folks who run Juniper routers are familiar with the ability/requirement to have a PROTECT-RE filter in place to keep someone from whacking your routing engine with breakin attempts, ICMP flooding, etc.

DHCP Relay is a proxy agent that runs on the router and allows me to run a single centralized DHCP server for our datacenter setup, rather than requiring it to have an interface in every VLAN. On the Juniper at least, DHCP Relay is implemented as a daemon on our control plane CPU, which means that we need to poke holes in the PROTECT-RE filter in order to let it work.

I ran into some difficulties recently making the example that Juniper provides work. Not sure if it was because I was explicitly providing a source address or what, but the packets weren’t flowing. Things worked great when I disabled the PROTECT-RE filter, and continued working great after I accidentally committed the change, right up until we had high CPU alarms from someone infected machine on the other side of the world trying to brute force ssh, but that’s a story for another day…

After some mucking around, I came up with a nice little single stanza configuration fragment for my PROTECT-RE that seems to do the job. I stuck it at the end, just before the catch-all-deny stanza.

term DHCPRELAY {
from {                              
    destination-address {
	255.255.255.255/32;
    }
    protocol udp;
    destination-port [ 67 68 ];
}
then {
    policer SMALL-BW-POLICER;
    accept;
}
}