Extended DHCP Local Server
The extended DHCP local server provides an IP address and other configuration information in response to a client request. Extended DHCP local server enhances traditional DHCP server operation by providing additional address assignment and client configuration functionality and flexibility in a subscriber-aware environment. For more information, read this topic.
Extended DHCP Local Server Overview
Junos OS includes an extended DHCP local server that enhances traditional DHCP server operation by providing additional address assignment and client configuration functionality and flexibility in a subscriber-aware environment. The extended DHCP local server enables service providers to take advantage of external address-assignment pools and integrated RADIUS-based configuration capabilities in addition to the continued support of traditional local address pools. The address-assignment pools are considered external because they are external to the DHCP local server. The pools are managed independently of the DHCP local server, and can be shared by different client applications, such as DHCP or PPPoE access. Table 1 provides a comparison of the extended DHCP local server and a traditional DHCP local server.
The extended DHCP local server provides an IP address and other configuration information in response to a client request. The server supports the attachment of dynamic profiles and also interacts with the local AAA Service Framework to use back-end authentication servers, such as RADIUS, to provide DHCP client authentication. You can configure the dynamic profile and authentication support on a global basis or for a specific group of interfaces.
Table 1: Comparing the Extended DHCP Local Server to the Traditional DHCP Local Server
Feature | Extended DHCP Local Server | Traditional DHCP Local Server |
---|---|---|
Local address pools | X | X |
External, centrally-managed address pools | X | – |
Local configuration | X | X |
External configuration using information from address-assignment pools or RADIUS servers | X | – |
Dynamic-profile attachment | X | – |
RADIUS-based subscriber authentication, and configuration using RADIUS attributes and Juniper Networks VSAs | X | – |
IPv6 client support | X | – |
Default minimum client configuration | X | X |
You can also configure the extended DHCP local server to support IPv6 clients. Both DHCP local server and DHCPv6 local server support the specific address request feature, which enables you to assign a particular address to a client.
If you delete the DHCP server configuration, DHCP server bindings might still remain. To ensure that DHCP bindings are removed, issue the clear dhcp server binding command before you delete the DHCP server configuration.
Interaction Among the DHCP Client, Extended DHCP Local Server, and Address-Assignment Pools
The pattern of interaction between the DHCP local server, the DHCP client, and address-assignment pools is the same regardless of whether you are using a router or a switch. However, there are some differences in the details of usage.
- On routers—In a typical carrier edge network configuration, the DHCP client is on the subscriber’s computer or customer premises equipment (CPE), and the DHCP local server is configured on the router.
- On switches—In a typical network configuration, the DHCP client is on an access device, such as a personal computer, and the DHCP local server is configured on the switch.
The following steps provide a high-level description of the interaction among the DHCP local server, DHCP client, and address-assignment pools:
- The DHCP client sends a discover packet to one or more DHCP local servers in the network to obtain configuration parameters and an IP address for the subscriber (or DHCP client).
- Each DHCP local server that receives the discover packet then searches its address-assignment pool for the client address and configuration options. Each local server creates an entry in its internal client table to keep track of the client state, then sends a DHCP offer packet to the client.
- On receipt of the offer packet, the DHCP client selects the DHCP local server from which to obtain configuration information and sends a request packet indicating the DHCP local server selected to grant the address and configuration information.
- The selected DHCP local server sends an acknowledgement packet to the client that contains the client address lease and configuration parameters. The server also installs the host route and ARP entry, and then monitors the lease state.
Providing DHCP Client Configuration Information
When the extended DHCP application receives a response from an external authentication server, the response might include information in addition to the IP address and subnet mask. The extended DHCP application uses the information from the authentication grant in the response that it sends to the DHCP client. The DHCP application can either send the information in its original form or merge the information with local configuration specifications. For example, if the authentication grant includes an address pool name and a local configuration specifies DHCP attributes for that pool (such as a DNS server address), the extended DHCP application merges the authentication results and the attributes in the reply that the server sends to the client.
A local configuration is optional — a client can be fully configured by the external authentication service. However, if the external authentication service does not provide client configuration, you might need to configure the local address-assignment pool to provide the configuration information, such as DNS server, for the client. When a local configuration specifies options, the extended DHCP application adds the local configuration options to the offer PDU the server sends to the client. If the two sets of options overlap, the options in the authentication response from the external service take precedence.
When you use RADIUS to provide the authentication, the additional information might be in the form of RADIUS attributes and Juniper Networks VSAs. Table 2 lists the information that RADIUS might include in the authentication grant. See RADIUS Attributes and Juniper Networks VSAs Supported by the AAA Service Framework for a complete list of RADIUS attributes and Juniper Networks VSAs that the extended DHCP application supports for subscriber access management or DHCP management.
Table 2: Information in Authentication Grant
Attribute Number | Attribute Name | Description |
---|---|---|
RADIUS attribute 8 | Framed-IP-Address | Client IP address |
RADIUS attribute 9 | Framed-IP-Netmask | Subnet mask for client IP address (DHCP option 1) |
Juniper Networks VSA 26-4 | Primary-DNS | Primary domain server (DHCP option 6) |
Juniper Networks VSA 26-5 | Secondary-DNS | Secondary domain server (DHCP option 6) |
Juniper Networks VSA 26-6 | Primary-WINS | Primary WINS server (DHCP option 44) |
Juniper Networks VSA 26-7 | Secondary-WINS | Secondary WINS server (DHCP option 44) |
RADIUS attribute 27 | Session-Timeout | Lease time |
RADIUS attribute 88 | Framed-Pool | Address assignment pool name |
Juniper Networks VSA 26-109 | DHCP-Guided-Relay-Server | DHCP relay server |
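The merge rule described above (local pool options fill gaps, and the authentication grant wins on overlap) can be modeled with the Table 2 mapping. This is an added illustration, not Junos code: the function names, the pool data layout, the pool name residential, and the sample addresses are assumptions constructed for the example.

```python
import ipaddress

# (grant attribute, DHCP option) pairs from Table 2, primary before secondary.
GRANT_OPTIONS = [
    ("Framed-IP-Netmask", 1),
    ("Primary-DNS", 6), ("Secondary-DNS", 6),
    ("Primary-WINS", 44), ("Secondary-WINS", 44),
]

def grant_to_options(grant):
    """Collect the DHCP options carried by an authentication grant."""
    options = {}
    for attr, code in GRANT_OPTIONS:
        if attr in grant:
            # Validate early: a malformed address from the back end should
            # fail here (ValueError), not end up in a client's lease.
            addr = str(ipaddress.IPv4Address(grant[attr]))
            options.setdefault(code, []).append(addr)
    return options

def build_reply(grant, local_pools):
    """Merge grant data with the local pool named by Framed-Pool.

    Local options fill gaps; on overlap the grant's value replaces them.
    """
    pool = local_pools.get(grant.get("Framed-Pool"), {})
    options = {c: list(v) for c, v in pool.get("options", {}).items()}
    options.update(grant_to_options(grant))  # external service takes precedence
    reply = {"options": options}
    if "Framed-IP-Address" in grant:
        reply["address"] = str(ipaddress.IPv4Address(grant["Framed-IP-Address"]))
    lease = grant.get("Session-Timeout", pool.get("lease_time"))
    if lease is not None:
        reply["lease_time"] = int(lease)
    return reply

# Constructed sample data (documentation address ranges, hypothetical pool).
LOCAL_POOLS = {
    "residential": {
        "lease_time": 3600,
        "options": {1: ["255.255.255.0"], 3: ["192.0.2.1"], 6: ["192.0.2.53"]},
    }
}
GRANT = {
    "Framed-IP-Address": "192.0.2.77",
    "Framed-Pool": "residential",
    "Primary-DNS": "198.51.100.10",
    "Secondary-DNS": "198.51.100.11",
    "Session-Timeout": 900,
}

if __name__ == "__main__":
    print(build_reply(GRANT, LOCAL_POOLS))
```

With the sample data, the DNS servers and lease time come from the grant, while the router (option 3) and subnet mask come from the local pool because the grant does not supply them.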
Minimal Configuration for Clients
The extended DHCP local server provides a minimal configuration to the DHCP client if the client does not have DHCP option 55 configured. The server provides the subnet mask of the address-assignment pool that is selected for the client. In addition to the subnet mask, the server provides the following values to the client if the information is configured in the selected address-assignment pool:
- router—A router located on the client’s subnet. This statement is the equivalent of DHCP option 3.
- domain name—The name of the domain in which the client searches for a DHCP server host. This is the default domain name that is appended to hostnames that are not fully qualified. This is equivalent to DHCP option 15.
- domain name server—A Domain Name System (DNS) name server that is available to the client to resolve hostname-to-client mappings. This is equivalent to DHCP option 6.
DHCP Local Server and Address-Assignment Pools
In the traditional DHCP server operation, the client address pool and client configuration information reside on the DHCP server. With the extended DHCP local server, the client address and configuration information reside in external address-assignment pools (external to the DHCP local server). The external address-assignment pools are managed by the authd process, independently of the DHCP local server, and can be shared by different client applications.
The extended DHCP local server also supports advanced pool matching and the use of named address ranges. You can also configure the local server to use DHCP option 82 information in the client PDU to determine which named address range to use for a particular client. The client configuration information, which is configured in the address-assignment pool, includes user-defined options, such as boot server, grace period, and lease time.
Configuring the DHCP environment that includes the extended DHCP local server requires two independent configuration operations, which you can complete in any order. In one operation, you configure the extended DHCP local server on the router and specify how the DHCP local server determines which address-assignment pool to use. In the other operation, you configure the address-assignment pools used by the DHCP local server. The address-assignment pools contain the IP addresses, named address ranges, and configuration information for DHCP clients.
The extended DHCP local server and the address-assignment pools used by the server must be configured in the same logical system and routing instance.
Example: Minimum Extended DHCP Local Server Configuration
This example shows the minimum configuration you need to use for the extended DHCP local server on the router or switch:
The interface type in this topic is just an example. The fe- interface type is not supported by EX Series switches.
This example creates the server group named group_one, and specifies that the DHCP local server is enabled on interface fe-0/0/2.0 within the group. The DHCP local server uses the default pool match configuration of ip-address-first.
If you delete the DHCP server configuration, DHCP server bindings might still remain. To ensure that DHCP bindings are removed, issue the clear dhcp server binding command before you delete the DHCP server configuration.
Disabling Automatic Binding of Stray DHCP Requests
DHCP requests that are received but have no entry in the database are known as stray requests. By default, DHCP relay, DHCP relay proxy, and DHCPv6 relay agent attempt to bind the requesting client by creating a database entry and forwarding the request to the DHCP server. If the server responds with an ACK, the client is bound and the ACK is forwarded to the client. If the server responds with a NAK, the database entry is deleted and the NAK is forwarded to the client. This behavior occurs regardless of whether authentication is configured.
You can override the default configuration at the global level, for a named group of interfaces, or for a specific interface within a named group. Overriding the default causes DHCP relay, DHCP relay proxy, and DHCPv6 relay agent to drop all stray requests instead of attempting to bind the clients.
Automatic binding of stray requests is enabled by default.
To disable automatic binding behavior, include the no-bind-on-request statement when you configure DHCP overrides at the global, group, or interface level.
[edit forwarding-options dhcp-relay overrides]
user@host# set no-bind-on-request
To override the default behavior for DHCPv6 relay agent, configure the override at the [edit forwarding-options dhcp-relay dhcpv6] hierarchy level.
[edit forwarding-options dhcp-relay dhcpv6 overrides]
user@host# set no-bind-on-request
The following two examples show a configuration that disables automatic binding of stray requests for a group of interfaces and a configuration that disables automatic binding on a specific interface.
To disable automatic binding of stray requests on a group of interfaces:
- Specify the named group.
  [edit forwarding-options dhcp-relay]
  user@host# edit group boston
- Specify that you want to configure overrides.
  [edit forwarding-options dhcp-relay group boston]
  user@host# edit overrides
- Disable automatic binding for the group.
  [edit forwarding-options dhcp-relay group boston overrides]
  user@host# set no-bind-on-request
To disable automatic binding of stray requests on a specific interface:
- Specify the named group of which the interface is a member.
  [edit forwarding-options dhcp-relay]
  user@host# edit group boston
- Specify the interface on which you want to disable automatic binding.
  [edit forwarding-options dhcp-relay group boston]
  user@host# edit interface fe-1/0/1.2
- Specify that you want to configure overrides.
  [edit forwarding-options dhcp-relay group boston interface fe-1/0/1.2]
  user@host# edit overrides
- Disable automatic binding on the interface.
  [edit forwarding-options dhcp-relay group boston interface fe-1/0/1.2 overrides]
  user@host# set no-bind-on-request
Configuring a Token for DHCP Local Server Authentication
You can configure an authentication token to provide rudimentary protection against inadvertently instantiated DHCP servers. You can configure the local server to include a constant, unencoded token in the DHCP forcerenew message as part of the authentication option it sends to clients. If the service provider has previously configured the DHCP client with a token, then the client can compare that token against the newly received token. If the tokens do not match, the DHCP client discards the forcerenew message. This functionality corresponds to RFC 3118, Authentication for DHCP Messages, section 4.
(Optional) To configure the DHCP local server to include a token in the forcerenew message sent to the client, for all clients:
Specify the token.
For DHCPv4:
[edit system services dhcp-local-server reconfigure]
user@host# set token token-value
For DHCPv6:
[edit system services dhcp-local-server dhcpv6 reconfigure]
user@host# set token token-value
(Optional) For only a particular group of clients:
Specify the token.
For DHCPv4:
[edit system services dhcp-local-server group group-name reconfigure]
user@host# set token token-value
For DHCPv6:
[edit system services dhcp-local-server dhcpv6 group group-name reconfigure]
user@host# set token token-value
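The client-side check described in this section (discard a forcerenew message whose token does not match the provisioned one) is sketched below for DHCPv4. This is an added example, not Juniper or client vendor code: it assumes the RFC 3118 authentication option (option 90) layout with protocol 0 and algorithm 0 for a configuration token, and the function names and sample bytes are constructed for illustration.

```python
import hmac

OPT_PAD, OPT_AUTH, OPT_END = 0, 90, 255  # option 90: authentication (RFC 3118)
HEADER_LEN = 11  # protocol(1) + algorithm(1) + RDM(1) + replay detection(8)

def find_option(options, code):
    """Return the value of the first option `code` in a DHCPv4 options field."""
    i = 0
    while i < len(options) and options[i] != OPT_END:
        if options[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if options[i] == code:
            return value
        i += 2 + length
    return None

def forcerenew_token_ok(options, expected_token):
    """True only if option 90 carries a configuration token equal to ours."""
    try:
        auth = find_option(options, OPT_AUTH)
    except ValueError:
        return False  # malformed options field: discard the message
    if auth is None or len(auth) <= HEADER_LEN:
        return False  # no token present: discard
    if auth[0] != 0 or auth[1] != 0:
        return False  # not protocol 0 / algorithm 0 (configuration token)
    # Constant-time comparison, so timing does not reveal a partial match.
    return hmac.compare_digest(bytes(auth[HEADER_LEN:]), expected_token)

def make_auth_option(token):
    """Constructed option 90 carrying a configuration token (sample data)."""
    body = bytes(HEADER_LEN) + token
    return bytes([OPT_AUTH, len(body)]) + body

# Constructed options field: option 53 = 9 (DHCPFORCERENEW), option 90, end.
SAMPLE = bytes([53, 1, 9]) + make_auth_option(b"example-token") + bytes([OPT_END])

if __name__ == "__main__":
    print(forcerenew_token_ok(SAMPLE, b"example-token"))
    print(forcerenew_token_ok(SAMPLE, b"other-token"))
```

Because the token is constant and sent unencoded, this check only filters out servers that were never given the token; anyone who can observe one forcerenew message can read it.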
Configuring an Extended DHCP Relay Server on EX Series Switches (CLI Procedure)
You can configure an EX Series switch to act as an extended DHCP relay agent. This means that a locally attached host can issue a DHCP request as a broadcast message and the switch configured for DHCP relay relays the message to a specified DHCP server. Configure a switch to be a DHCP relay agent if you have locally attached hosts and a remote DHCP server.
Before you begin:
Ensure that the switch can connect to the DHCP server.
To configure a switch to act as an extended DHCP relay agent server:
- Create at least one DHCP server group, which is a group of 1 through 5 DHCP server IP addresses:
  [edit forwarding-options dhcp-relay]
  user@switch# set server-group server-group-name ip-address
- Set the global active DHCP server group. The DHCP relay server relays DHCP client requests to the DHCP servers defined in the active server group:
  [edit forwarding-options dhcp-relay]
  user@switch# set active-server-group server-group-name
- Create a DHCP relay group that includes at least one interface. DHCP relay runs on the interfaces defined in DHCP groups:
- (Optional) Configure overrides of default DHCP relay behaviors, at the global level. See the override options in the overrides statement.
  [edit forwarding-options dhcp-relay]
  user@switch# set overrides
- (Optional) Configure DHCP relay to use the DHCP vendor class identifier option (option 60) in DHCP client packets, at the global level:
  [edit forwarding-options dhcp-relay]
  user@switch# set relay-option option-number 60
- (Optional) Configure settings for a DHCP relay group that override the settings at the global level, using these statements:
  [edit forwarding-options dhcp-relay group group-name]
  user@switch# set active-server-group server-group-name
  user@switch# set overrides
  user@switch# set relay-option option-number 60
- (Optional) Configure settings for a DHCP relay group interface that override the settings at the global and group levels, using these statements:
Verifying and Managing DHCP Local Server Configuration
Purpose
View or clear information about client address bindings and statistics for the extended DHCP local server.
If you delete the DHCP server configuration, DHCP server bindings might still remain. To ensure that DHCP bindings are removed, issue the clear dhcp server binding command before you delete the DHCP server configuration.
Action
To display the address bindings in the client table on the extended DHCP local server:
user@host> show dhcp server binding routing-instance customer routing instance
To display extended DHCP local server statistics:
user@host> show dhcp server statistics routing-instance customer routing instance
To clear the binding state of a DHCP client from the client table on the extended DHCP local server:
user@host> clear dhcp server binding routing-instance customer routing instance
To clear all extended DHCP local server statistics:
user@host> clear dhcp server statistics routing-instance customer routing instance