Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Single-Session DHCP Local Server Dual-Stack Overview


Junos OS supports a single-session DHCP local server dual-stack, which simplifies management of dual-stack subscribers, and improves performance and session requirements when compared to the traditional dual-stack support.

In a DHCP dual-stack environment, a DHCP server supports both DHCPv4 and DHCPv6 subscribers. The DHCP server provides services, such as authentication and accounting, for both the DHCPv4 and DHCPv6 legs of the dual-stack. In a traditional implementation, the two legs of the dual-stack legs are viewed as being independent. The presence of separate legs for DHCPv4 and DHCPv6 creates inefficiencies, since separate, and multiple, sessions can be required to provide similar support for each leg of the dual-stack. For example, to provide authentication for a traditional dual-stack over a dynamic VLAN requires three separate sessions, one for DHCPv4, one for DHCPv6, and one for the authenticated dynamic VLAN. Similarly, multiple sessions might be required as well, for dual-stack accounting operations.

In the dual-stack over a dynamic VLAN, the single-session dual-stack requires only a single session for authentication, as opposed to the three sessions required for the traditional dual-stack configuration. Accounting support for the dual-stack also uses a single session. In addition to reducing the number of sessions required, the single-session feature also simplifies router configuration, reduces RADIUS message load, and improves accounting session performance for households with dual-stack environments.

In the single-session dual-stack environment, the first DHCP session that negotiates will trigger the dynamic VLAN creation (if required) and is authorized at the DHCP application. The second leg of the dual-stack is held off until the authorization point is complete. When the second leg of the dual stack is established, the DHCP client inherits all common subscriber database values, such as circuit-id, remote-id, username, and interface name from the first leg.

In Figure 1, single subscriber session is established for dual-stack user.

Figure 1: DHCP Dual Stack Single-Session Subscriber Deployment Model
Dual Stack Single-Session Subscriber Deployment Model

To configure single-session dual-stack subscriber settings, you use the dual-stack-group statement at the [edit system services dhcp-local-server] hierarchy level to create a named group that specifies the values for dual stack subscribers. Then, you use the dual-stack statement at the [edit system services dhcp-local-server ... overrides] hierarchy level to specify the name of the dual stack group and assign the group to subscribers at the global, group, or interface level.

You can configure the following common DHCP settings for the single-session dual-stack model. In most cases, these settings are similar to those used for separate DHCPv4 and DHCPv6 legs in a traditional dual-stack configuration.

  • access-profile—Access profile that provides authentication and accounting parameters for the dual-stack group that take precedence over those configured in a global access profile or in a profile configured for the DHCP local server.

  • authentication—Authentication-related parameters (such as password and username) the router sends to the external RADIUS server.

  • classification-key—Classification key defines mechanism to be used to identify a dual stack household.

  • dual-stack-interface-client-limit—Limits the number of dual stack subscribers login per interface.

  • dynamic-profile—Dynamic profile that is attached to all interfaces, to a named group of interfaces, or to a specific interface.

  • on-demand-address-allocation—Designates whether or not on-demand address allocation mode is forced for a dual-stack subscriber.

    If this configuration is not present, all IP addresses and prefixes for IPv4 and IPv6 families of a dual stack subscriber will be pre-allocated when the first leg of a dual stack subscriber initially logs in.

    If this configuration is present when the first leg of a dual-stack subscriber initially logs in, RADIUS authentication is performed (if configured) and the IP address and prefix of this first family only will be allocated. The IP address and prefix for the other family will not be allocated unless the other family leg subsequently initially logs in.


    The IP address allocation for the second family is informed by the RADIUS authentication previously performed at the time of the first family login.

  • protocol-master—Protocol-master configuration designates either a IPv4 or IPv6 family for a dual stack subscriber. The secondary family client binding login-in will be rejected until a valid client binding is in place for the protocol-master family.


    If the secondary family binding is logged out for any reason, then only the secondary family binding will be torn down.

    If the protocol-master family binding is logged out for any reason, then the corresponding bindings for both the protocol-master and secondary families will be torn down.

  • service-profile—Dynamic profile for the default subscriber service (or the default DHCP client management service), which is activated when the subscriber (or client) logs in.