Simple rule for DHCP Relay in Juniper PROTECT-RE filter

  • Sun 16 April 2017
  • misc

Most folks who run Juniper routers are familiar with the ability (and the need) to have a PROTECT-RE filter in place to keep someone from whacking your routing engine with break-in attempts, ICMP flooding, etc.

DHCP Relay is a proxy agent that runs on the router and allows me to run a single centralized DHCP server for our datacenter setup, rather than requiring it to have an interface in every VLAN. On the Juniper, at least, DHCP Relay runs as a daemon on the control-plane CPU (the routing engine), which means we need to poke holes in the PROTECT-RE filter to let the relayed packets through.

I ran into some difficulties recently making the example that Juniper provides work. Not sure if it was because I was explicitly providing a source address or what, but the packets weren't flowing. Things worked great when I disabled the PROTECT-RE filter, and continued working great after I accidentally committed the change, right up until we had high CPU alarms from someone's infected machine on the other side of the world trying to brute-force SSH, but that's a story for another day...

After some mucking around, I came up with a nice little single-stanza configuration fragment for my PROTECT-RE that seems to do the job. I stuck it at the end, just before the catch-all deny stanza.

    term DHCPRELAY {
        from {
            destination-address {; }
            protocol udp;
            destination-port [ 67 68 ];
        }
        then {
            policer SMALL-BW-POLICER;
            accept;
        }
    }
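The term above only does its job if it actually matches the relay traffic and is reached before the catch-all deny. The following checker is an added example, not code from this post or from Juniper: it parses Junos brace syntax (one statement per line as `show configuration firewall` prints it, or squashed onto a single line as above) and reports the things that bit me: a missing `protocol udp`, wrong ports, no `destination-address`, a policer that is referenced but never defined, and a discard-everything term sitting in front of `DHCPRELAY`. It assumes the filter lives at `firewall family inet filter PROTECT-RE`; the sample stanzas, the policer body and the addresses 192.0.2.1 and 198.51.100.0/24 are constructed for the example.

```python
"""Sanity checks for the DHCP-relay term in a Junos PROTECT-RE filter.

Added example, not code from the original post. Checks that the term matches
only UDP 67/68 to a specific address, is rate-limited by a defined policer,
and is not shadowed by an earlier catch-all discard term.
"""
import re


def parse_junos(text):
    """Parse Junos brace syntax into ordered (name, children) lists.

    `name { ... }` becomes (name, [children]); `x;` becomes (x, None).
    Order is kept because filter terms are evaluated top to bottom."""
    tokens = re.findall(r"[{};]|[^{};\s]+", text)
    stack, words = [[]], []
    for tok in tokens:
        if tok == "{":
            block = []
            stack[-1].append((" ".join(words), block))
            stack.append(block)
            words = []
        elif tok == ";":
            stack[-1].append((" ".join(words), None))
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in configuration")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unterminated block or statement in configuration")
    return stack[0]


def find_block(nodes, name):
    """Children of the first block headed `name`, or None if absent."""
    for key, children in nodes or []:
        if key == name and children is not None:
            return children
    return None


def leaves(nodes):
    """Statement strings directly inside a block (nested blocks excluded)."""
    return [key for key, children in nodes or [] if children is None]


def actions(term):
    """A term's actions, whether written `then accept;` or `then { ... }`."""
    block = find_block(term, "then")
    if block is not None:
        return leaves(block)
    return [key[5:] for key in leaves(term) if key.startswith("then ")]


def check_dhcp_relay_term(config_text, term_name="DHCPRELAY"):
    """Return a list of findings; an empty list means the term looks right."""
    firewall = find_block(parse_junos(config_text), "firewall")
    filt = find_block(find_block(firewall, "family inet"), "filter PROTECT-RE")
    if filt is None:
        return ["filter PROTECT-RE not found under firewall family inet"]
    terms = [(k.split(" ", 1)[1], v) for k, v in filt if k.startswith("term ") and v is not None]
    names = [n for n, _ in terms]
    if term_name not in names:
        return [f"term {term_name} missing from PROTECT-RE"]
    term = terms[names.index(term_name)][1]
    frm = find_block(term, "from")
    found = []
    if "protocol udp" not in leaves(frm):
        found.append("from: 'protocol udp' missing, so TCP 67/68 would match too")
    ports = next((k for k in leaves(frm) if k.startswith("destination-port")), "")
    if set(re.findall(r"\d+", ports)) != {"67", "68"}:
        found.append("from: destination-port should be exactly [ 67 68 ]")
    if not leaves(find_block(frm, "destination-address")):
        found.append("from: no destination-address, so 67/68 open on every RE address")
    acts = actions(term)
    policers = [a.split(" ", 1)[1] for a in acts if a.startswith("policer ")]
    if not policers:
        found.append("then: no policer, so a DHCP flood can still load the RE")
    for name in policers:
        if find_block(firewall, f"policer {name}") is None:
            found.append(f"then: policer {name} is referenced but never defined")
    # An earlier term with no 'from' clause that discards shadows every later term.
    for name, body in terms[: names.index(term_name)]:
        if find_block(body, "from") is None and "discard" in actions(body):
            found.append(f"term {name} discards everything before {term_name} is reached")
    return found


# Constructed sample stanzas (not from the post); 192.0.2.1 is a documentation
# address standing in for the router's relay address.
DHCP_TERM = ("term DHCPRELAY { from { destination-address { 192.0.2.1/32; } "
             "protocol udp; destination-port [ 67 68 ]; } "
             "then { policer SMALL-BW-POLICER; accept; } }")
DENY_TERM = "term DENY-ALL { then { count denied; log; discard; } }"


def protect_re(*terms):
    """Wrap terms, in the given order, in a minimal firewall stanza with the policer."""
    return ("firewall { policer SMALL-BW-POLICER { if-exceeding { bandwidth-limit 1m; "
            "burst-size-limit 15k; } then discard; } family inet { filter PROTECT-RE { "
            + " ".join(terms) + " } } }")


if __name__ == "__main__":
    print("good:", check_dhcp_relay_term(protect_re(DHCP_TERM, DENY_TERM)))
    print("shadowed:", check_dhcp_relay_term(protect_re(DENY_TERM, DHCP_TERM)))
```

Feed it the output of `show configuration firewall` on a real box; the shadowing check is the one that catches the "stuck it before the catch-all deny" mistake when a term is pasted in the wrong place, and the undefined-policer check catches the other common commit surprise.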