
    Forward-only Action for DHCPv4 and DHCPv6 Relay Traffic with Unknown DHCP Server Address Overview

    A DHCP relay agent entry, which can be created for a DHCPv4 or DHCPv6 server, is useful for authentication, authorization, accounting, applying filtering and quality of service (QoS) to the client, and processing the options specified in the packet. Creating a relay agent or client entry involves the Junos dhcpd process memory resources, session database resources, the authentication procedure, accounting, dynamic profile instantiation, dynamic interface creation, firewall and class-of-service (CoS) association, and more. Customer networks can contain bindings that are not controlled by the customer and for which these relay agent entry functions are not wanted. When a customer's network carries such traffic, creating relay agent entries (which is tied to client entry creation) consumes resources unnecessarily and can also result in the wrong association of profiles. In the current network scenario, all traffic received on a specific interface is forwarded without any processing of the destination address.

    Starting in Junos OS Release 17.4R1, forward-only configuration can be enabled on the broadband network gateway (BNG) device for non-customer traffic with an unknown DHCP server address. Configuring the forward-only statement along with the new DHCP options, option-54 for DHCPv4 and option-2 for DHCPv6, avoids creation of a DHCP relay agent entry on the BNG and ensures that the traffic is forwarded to the specified destination address.

    With these configurations, administrators can determine which servers the clients are bound to; which clients need a relay client entry created and a dynamic profile and policies applied, and so on; and for whom (non-customer) the forward-only configuration is enabled.

    The two new configuration statements, option-54 and option-2, are introduced for processing the destination address.

    Processing of DHCPv4 and DHCPv6 Destination Addresses

    Administrators can configure the forward-only statement to avoid the creation of non-customer client entries. The Junos dhcpd process compares the server identifier (option-54 for DHCPv4 and option-2 for DHCPv6) in the incoming packet, with or without the destination address, against the configured server address. If the server identifier and the configured server address match, the action is to forward only, without creating a client entry.

    On a non-passive relay, configuring server-match implicitly enables delay-authentication for the clients for which the server-match statement is processed. You can also optionally configure options 60 and 77 (for DHCPv4) or options 15 and 16 (for DHCPv6) together with their associated processing. The configuration of these options also specifies the order in which they are processed. If these options are not configured, the default order is 60, 77 for DHCPv4 and 15, 16 for DHCPv6.

    Note: DHCPv6 option-16 data, as defined in RFC 3315, consists of a 4-byte enterprise number followed by variable-length vendor-class-data. The enterprise number is a number registered by the vendor with IANA. Consequently, configuring an ASCII match together with an option-16 relay-option match is not expected to work, because the enterprise number would have to coincide with the value of a printable ASCII character.

    A similar restriction exists for the DHCPv4 option-77 statement, because the option-77 data may be subdivided into sub-options with their own sub-lengths. For this reason, configuring an ASCII match with an option-77 relay-option match might not work.
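    The following is an added example, not Junos code, showing the option-16 layout the note refers to and why a plain ASCII match over the raw option payload cannot succeed: the first four bytes are a binary enterprise number, so only a structure-aware comparison that strips the enterprise number and the per-item length prefixes sees the vendor class string. The enterprise number and vendor class value are constructed for the example.

```python
# Added example (not Junos code): the layout of DHCPv6 option 16 as RFC 3315
# defines it, and why an ASCII match over the raw option payload cannot
# succeed.  The enterprise number and vendor class string are constructed.
import struct


def parse_dhcpv6_option16(data: bytes):
    """Split option-16 data into (enterprise_number, [vendor-class-data items]).

    Layout: 4-byte enterprise number, then a sequence of opaque
    vendor-class-data items, each prefixed by a 2-byte length.
    """
    if len(data) < 4:
        raise ValueError("option 16 shorter than enterprise number")
    enterprise = struct.unpack("!I", data[:4])[0]
    items = []
    i = 4
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated vendor-class-data length")
        n = struct.unpack("!H", data[i:i + 2])[0]
        item = data[i + 2:i + 2 + n]
        if len(item) != n:
            raise ValueError("truncated vendor-class-data")
        items.append(item)
        i += 2 + n
    return enterprise, items


def build_option16(enterprise: int, classes) -> bytes:
    """Encode option-16 data from an enterprise number and class byte strings."""
    return struct.pack("!I", enterprise) + b"".join(
        struct.pack("!H", len(c)) + c for c in classes)


def ascii_match_raw(data: bytes, pattern: str) -> bool:
    """Compare the pattern with the whole option payload.

    This is the comparison the note warns about: the leading enterprise
    number is binary, so a printable pattern can only match by accident.
    """
    return data == pattern.encode("ascii")


def ascii_match_vendor_class(data: bytes, pattern: str) -> bool:
    """Compare the pattern with each vendor-class-data item after removing
    the enterprise number and the length prefixes (structure-aware match)."""
    _, items = parse_dhcpv6_option16(data)
    return any(item == pattern.encode("ascii") for item in items)


EXAMPLE_ENTERPRISE = 4444   # constructed value, not a registered IANA number
SAMPLE_OPTION16 = build_option16(EXAMPLE_ENTERPRISE, [b"vendor-x-cpe"])

if __name__ == "__main__":
    print("option-16 payload:", SAMPLE_OPTION16.hex())
    print("raw ASCII match:   ", ascii_match_raw(SAMPLE_OPTION16, "vendor-x-cpe"))
    print("structured match:  ", ascii_match_vendor_class(SAMPLE_OPTION16, "vendor-x-cpe"))
```

Running the block prints the encoded payload (the enterprise number 4444 encodes as 0x0000115c, whose first byte is not printable), False for the raw match and True for the structure-aware match.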

    On a non-passive relay, if a request packet is received in the rebind phase and the corresponding relay entry is not present, you must first configure the bind-on-request statement; the relay entry is then created and the packet is forwarded. After an acknowledgment is received, the Junos dhcpd process verifies the source address (with or without option 54 for DHCPv4 and option 2 for DHCPv6) against the server-match configuration. If the verification results in a stateless entry, the relay entry is deleted.

    The administrator can specify the DHCP unique identifier (DUID) with or without the address of a server. During processing, the Junos dhcpd process first processes the address statements and then the DUID statements. If the same server address is specified in both an address statement and the DUID statement, it is the administrator's responsibility to specify the same action for both statements.

    On both passive and non-passive relays, if the received packet contains a relay-forward header and the destination address is a multicast or link-local address, the packet is forwarded without any further processing.

    Note: For both DHCPv4 and DHCPv6 subscribers, the relay-option and server-match statements are at the same hierarchy and have the same priority.

    Processing Order

    Relay-option and server-match processing are mutually exclusive. Although they are at the same hierarchy and have the same priority, for implementation purposes relay options are processed first, followed by server match.

    Following are the DHCPv4 relay option processing actions:

    • drop—Discard when a match is made.
    • forward-only—Forward without client services, when a match is made.
    • local-server-group—Name of DHCP local server group when match is made.
    • relay-server-group—Name of DHCP relay server group when match is made.

    Following are the DHCPv6 relay option processing actions:

    • drop—Discard when a match is made.
    • forward-only—Forward without client services, when a match is made.
    • relay-server-group—Name of DHCP relay server group when match is made.
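    The following is an added example, not Junos code, that models the DHCPv4 decision described in this section: relay-option ASCII matches on options 60 and 77 are evaluated first, in the configured order (60 then 77 by default), and server-match on the option-54 server identifier is consulted only when no relay option matched, yielding forward-only without a client entry for a matching non-customer server. The configuration dictionary, the action label "create-client-entry" for the default path, the server addresses and the sample packets are all constructed for the example; the last packet shows the option-77 sub-length caveat from the note above.

```python
# Added example (not Junos code): a model of the DHCPv4 relay decision.
# relay-option matches run first in configured order; server-match on
# option 54 runs only if none of them hit.  Everything below is constructed.
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcpv4_options(packet: bytes) -> dict:
    """Return {code: data} for the options of a DHCPv4 packet.

    The fixed BOOTP header is 236 bytes and is followed by the magic cookie.
    Truncated options raise instead of being silently accepted.
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCPv4 packet")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        opts[code] = data
        i += 2 + length
    return opts


# Constructed configuration in a shape of our own (not Junos syntax).
# Action names follow the lists above; "relay-server-group:<name>" carries
# the group name.  "create-client-entry" is an assumed label for the normal
# path taken when nothing matches, not a Junos action name.
CONFIG = {
    "relay_option_order": [60, 77],                 # default order: 60, then 77
    "relay_option": {
        60: {"vendor-x-cpe": "relay-server-group:customer-grp"},
        77: {"guest": "drop"},
    },
    "server_match": {
        IPv4Address("10.10.10.1"): "forward-only",  # constructed non-customer server
    },
    "default": "create-client-entry",
}


def decide(packet: bytes, config: dict = CONFIG) -> str:
    """Return the action for one incoming DHCPv4 packet."""
    opts = parse_dhcpv4_options(packet)
    # Step 1: relay-option ASCII matches in configured order; first hit wins.
    # The comparison covers the whole option payload, so option-77 data that
    # carries a sub-length prefix (see the note above) does not match.
    for code in config["relay_option_order"]:
        data = opts.get(code)
        if data is None:
            continue
        for pattern, action in config["relay_option"].get(code, {}).items():
            if data == pattern.encode("ascii"):
                return action
    # Step 2: server-match on option 54, reached only when no relay option hit.
    server_id = opts.get(54)
    if server_id is not None and len(server_id) == 4:
        action = config["server_match"].get(IPv4Address(server_id))
        if action is not None:
            return action
    return config["default"]


def build_dhcpv4(options) -> bytes:
    """Build a minimal DHCPv4 packet (BOOTREQUEST, zeroed fields) for testing."""
    header = b"\x01" + bytes(235)
    body = b"".join(bytes([code, len(data)]) + data for code, data in options)
    return header + MAGIC_COOKIE + body + b"\xff"


# Constructed sample packets (option 53 is the DHCP message type).
PKT_UNKNOWN_SERVER = build_dhcpv4([(53, b"\x03"), (54, bytes([10, 10, 10, 1]))])
PKT_CUSTOMER = build_dhcpv4([(53, b"\x03"), (60, b"vendor-x-cpe"),
                             (54, bytes([10, 10, 10, 1]))])
PKT_GUEST = build_dhcpv4([(53, b"\x01"), (77, b"guest")])
PKT_GUEST_SUBOPT = build_dhcpv4([(53, b"\x01"), (77, b"\x05guest")])
PKT_OTHER = build_dhcpv4([(53, b"\x01"), (54, bytes([192, 0, 2, 5]))])

if __name__ == "__main__":
    samples = [("unknown server", PKT_UNKNOWN_SERVER), ("customer", PKT_CUSTOMER),
               ("guest", PKT_GUEST), ("guest sub-option", PKT_GUEST_SUBOPT),
               ("other", PKT_OTHER)]
    for name, pkt in samples:
        print(f"{name:18s} -> {decide(pkt)}")
```

The "customer" packet carries the same option-54 server address as the "unknown server" packet, yet it takes the relay-server-group action, because the option-60 relay-option match is evaluated before server-match; the "guest sub-option" packet falls through to the default path because its option-77 payload starts with a sub-length byte rather than the ASCII string.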

    Note: The DHCPv6 server-match for IPv6 address is available in passive-relay only.

    Modified: 2017-11-30