ON THIS PAGE
Dual-Stack Access Models in a DHCP Network
IPv4 and IPv6 Dual Stack in a DHCP Access Network
Figure 1 shows a dual-stack interface stack in a DHCP access network. The IPv4 family (inet) and the IPv6 family (inet6) can reside on the same VLAN interface.
When you are using IPv4 and IPv6 dual stack on the same DHCP interface, you must configure one dynamic profile for both the IPv4 and IPv6 subscribers. You cannot run IPv4 and IPv6 subscriber sessions over the same interface if you configure separate dynamic profiles for IPv4 and IPv6.
Support for Demultiplexing Interfaces
IPv4 and IPv6 dual stack is supported on VLAN demultiplexing (demux) interfaces. Dual stack is not supported on IP demux interfaces.
AAA Service Framework in a Dual Stack over a DHCP Access Network
You can use the AAA Service Framework for all authentication, authorization, accounting, address assignment, and dynamic request services that the BNG uses for network access. The framework supports authentication and authorization through external RADIUS servers. It also supports accounting and dynamic-request change of authorization (CoA) and disconnect operations through external servers, and address assignment through a combination of local address-assignment pools and RADIUS servers.
The BNG interacts with external servers to determine how individual subscribers access the broadband network. The BNG can also obtain information from external servers for the following:
How subscribers are authenticated.
How accounting statistics are collected and used.
How dynamic requests, such as CoA, are handled.
As shown in Figure 2, an implementation of dual stack over a DHCP access network, there are separate AAA sessions for IPv4 and IPv6 authentication and accounting.
Collection of Accounting Statistics in a DHCP Access Network
AAA provides support for IPv4 and IPv6 statistics in separate accounting sessions.
The following RADIUS attributes are included by default (when available) in Acct-Start, Interim, and Acct-Stop messages:
You can configure the BNG to exclude these attributes in accounting Acct-Start and Acct-Stop messages.
Change of Authorization (CoA)
RADIUS servers can initiate dynamic requests to the BNG. Dynamic requests include CoA requests, which specify VSA modifications and service changes.
In your access profile configuration, you specify the IP addresses of RADIUS authentication servers that can initiate dynamic requests to the router. The list of authentication servers also provides RADIUS-based dynamic service activation and deactivation during subscriber login.
Dual-Stack Interface Stack in a DHCP Wholesale Network
Figure 3 shows a dual-stack interface stack in a DHCP wholesale network. In this scenario, the IPv4 and IPv6 demux interfaces are configured on the same VLAN interface. The demux interfaces are configured in a separate logical system:routing instance.
Single-Session DHCP Dual-Stack Overview
Junos OS supports a single-session DHCP dual-stack, which simplifies management of dual-stack subscribers, and improves performance and session requirements when compared to the traditional dual-stack support.
In a DHCP dual-stack environment, a DHCP server supports both DHCPv4 and DHCPv6 subscribers. The DHCP server provides services, such as authentication and accounting, for both the DHCPv4 and DHCPv6 legs of the dual-stack. In a traditional implementation, the two legs of the dual-stack legs are viewed as being independent. The presence of separate legs for DHCPv4 and DHCPv6 creates inefficiencies, since separate, and multiple, sessions can be required to provide similar support for each leg of the dual-stack. For example, to provide authentication for a traditional dual-stack over a dynamic VLAN requires three separate sessions, one for DHCPv4, one for DHCPv6, and one for the authenticated dynamic VLAN. Similarly, multiple sessions might be also required for dual-stack accounting operations.
In the dual-stack over a dynamic VLAN, the single-session dual-stack requires only a single session for authentication, as opposed to the three sessions required for the traditional dual-stack configuration. Accounting support for the dual-stack also uses a single session. In addition to reducing the number of sessions required, the single-session feature also simplifies router configuration, reduces RADIUS message load, and improves accounting session performance for households with dual-stack environments.
In the single-session dual-stack environment, the first DHCP session that negotiates will trigger the dynamic VLAN creation (if required) and is authorized at the DHCP application. The second leg of the dual-stack is held off until the authorization point is complete. When the second leg of the dual stack is established, the DHCP client inherits all common subscriber database values, such as circuit-id, remote-id, username, and interface name from the first leg.
In Figure 4, single subscriber session is established for dual-stack user.
You can configure single-session dual-stack subscriber settings for DHCP relay agent and DHCP local server. You use the dual-stack-group statement to create a named group that specifies the values for dual stack subscribers. Then, you use the dual-stack statement to specify the name of the dual stack group and assign the group to subscribers at the global, group, or interface level.
For DHCP relay agent, configure these statements at the [edit forwarding-options dhcp-relay] hierarchy level and the [edit forwarding-options dhcp-relay ... overrides] hierarchy level, respectively,
For DHCP local server, configure these statements at the [edit system services dhcp-local-server] hierarchy level and the [edit system services dhcp-local-server ... overrides] hierarchy level, respectively,
You can configure the following common DHCP settings for the single-session dual-stack model. In most cases, these settings are similar to those used for separate DHCPv4 and DHCPv6 legs in a traditional dual-stack configuration. When configured and referenced, the dual-stack configuration takes precedence over the same items configured under the respective family.
access-profile—Access profile that provides authentication and accounting parameters for the dual-stack group that take precedence over those configured in a global access profile or in a profile configured for the DHCP relay agent or DHCP local server.
authentication—Authentication-related parameters (such as password and username) the router sends to the external AAA server.
The dual-stack authentication stanza is similar to the stanza available separately for the v4 and v6 address families. When the username-include configuration syntax is used for the DHCPv4 leg of the dual-stack, the relay-agent-interface-id option is equivalent to the DHCPv4 relay-option-82 circuit-id statement, and the relay-agent-remote-id option is equivalent to the DHCPv4 relay-option-82 remote-id statement. You do not have to configure the two DHCPv4 options separately.
classification-key—Classification key defines mechanism to be used to identify a dual stack household.
dual-stack-interface-client-limit—Limits the number of dual stack subscribers login per interface.
For dual-stack subscribers, always use this statement instead of the interface-client-limit statement.
dynamic-profile—Dynamic profile that is attached to all interfaces, to a named group of interfaces, or to a specific interface.
liveness-detection—Configure an active liveness detection protocol that deletes the binding and releases the resources if the subscriber fails to respond to a configured number of consecutive liveness detection requests, the subscriber.
on-demand-address-allocation—(DHCP local server) Designates whether on-demand address allocation mode is forced for a dual-stack subscriber.
If this configuration is not present, all IP addresses and prefixes for IPv4 and IPv6 families of a dual stack subscriber will be preallocated when the first leg of a dual stack subscriber initially logs in.
If this configuration is present when the first leg of a dual-stack subscriber initially logs in, RADIUS authentication is performed (if configured) and the IP address and prefix of this first family only will be allocated. The IP address and prefix for the other family will not be allocated unless the other family leg subsequently initially logs in.
The IP address allocation for the second family is informed by the RADIUS authentication previously performed at the time of the first family login.
Starting in Junos OS Release 18.4R1, the method of address allocation is checked to determine subsequent behavior when authd notifies the DHCP process that an address pool is deleted or being drained. Table 1 describes the behavior.
Table 1: Behavior When Address Pool is Deleted or Drained
Address Allocation Method
Address Pool is Drained
Address Pool is Deleted
Family with address in pool is logged out gracefully when a DHCP renew or rebind message is received.
Family with address in pool is logged out immediately.
Addresses for both families are deleted gracefully when a DHCP renew or rebind message is received.
Addresses for both families are deleted immediately.
protocol-master—Protocol-master configuration designates either a IPv4 or IPv6 family for a dual stack subscriber. The secondary family client binding login-in will be rejected until a valid client binding is in place for the protocol-master family.
If the secondary family binding is logged out for any reason, then only the secondary family binding will be torn down.
If the protocol-master family binding is logged out for any reason, then the corresponding bindings for both the protocol-master and secondary families will be torn down.
reauthenticate—(DHCP local server) Configure reauthentication of the subscriber to initiate change characteristics such as service activations/deactivations and attribute modifications.
relay-agent-interface-id—(DHCP relay agent) Includes Relay Agent Interface-ID (option 18) in DHCPv6 packets destined for the DHCPv6 server. You can configure numerous options to specify what is included in the circuit ID value.
For the DHCPv4 leg of the dual-stack, this statement includes the DHCPv4 relay-option-82 circuit-id in packets destined for the DHCPv4 server.
relay-agent-remote-id—(DHCP relay agent) Includes Relay Agent Remote-ID (option 37) in DHCPv6 packets destined for a DHCPv6 server. You can configure numerous options to specify what is included in the remote ID value.
For the DHCPv4 leg of the dual-stack, this statement includes the DHCPv4 relay-option-82 remote-id in packets destined for the DHCPv4 server.
service-profile—Dynamic profile for the default subscriber service (or the default DHCP client management service), which is activated when the subscriber (or client) logs in.
short-cycle protection—Detect and lock out short-lived client sessions and clients that repeatedly fail session negotiation to reduce resource usage associated with connection and authentication processing in highly scaled networks.
Configuring Single-Session DHCP Dual-Stack Support
Configuring single-session dual-stack support is a two-step process. You first create the dual-stack group that specifies the configuration parameters that are shared between the DHCPv4 and DHCPv6 legs of the DHCP dual stack. Then, you attach the dual-stack group to DHCP subscriber interfaces by overriding the default DHCP configurations for the DHCPv4 and DHCPv6 subscribers. You must reference the dual-stack group for both legs of the dual stack. If you attach the group to one leg only, the router rejects the other leg. You can attach the dual-stack group globally, for a specified DHCP group of interfaces, or for a specific interface.
To configure single-session dual-stack group support.
- Specify that you want to configure DHCP relay agent.[edit forwarding-options]user@host# edit dhcp-relay
- Create and name the dual-stack group.[edit forwarding-options dhcp-relay]user@host# edit dual-stack-group dual-stack-group-name
- Attach an access profile to the dual-stack group to override
the corresponding authentication and accounting properties configured
in a global access profile or DHCP relay agent access profile.[edit forwarding-options dhcp-relay dual-stack-group dual-stack-group-nameuser@host# set access-profile profile-name
- Configure the authentication username values and password
for the dual-stack group.user@host# edit authentication
Configure the unique username.[edit forwarding-options dhcp-relay dual-stack-group dual-stack-group-name authentication]user@host# set username-include <username-include-configuration>
Configure the password that authenticates the username to the external authentication service.[edit forwarding-options dhcp-relay dual-stack-group dual-stack-group-name authentication]user@host# set password password-string
- Specify the dynamic profile associated with the dual-stack
group.user@host# set dynamic-profile <dynamic-profile configuration>
- Specify the service profile associated with the dual-stack
group.user@host# set service-profile dynamic-profile-name
- Specify the relay-agent-interface-id for the dual-stack
group.user@host# set relay-agent-interface-id <relay-agent-interface-id configuration>
For the DHCPv4 leg of the dual-stack, this step specifies the Option 82 Agent Circuit ID (suboption 1) for DHCPv4 clients. See Using DHCP Relay Agent Option 82 Information.
- Specify the relay-agent-remote-id for the dual-stack group.user@host# set relay-agent-remote-id <relay-agent-remote-id-configuration>
For the DHCPv4 leg of the dual-stack, this step specifies the Option 82 Agent Remote ID (suboption 2) for DHCPv4 clients. See Using DHCP Relay Agent Option 82 Information.
- Use the override feature to override the default DHCP
relay behavior and assign the dual-stack group to DHCPv4 and DHCPv6
clients. You must perform separate steps for each leg of the dual
To assign the dual-stack group to DHCPv4 clients:
To assign the dual-stack group to DHCPv6 clients:[edit forwarding-options dhcp-relay dhcpv6]
- (Optional) Verify your dual-stack group configuration for DHCPv4 and DHCPv6.
Verifying and Managing DHCP Dual-Stack Configuration
Display information related to the DHCP single-session dual-stack configuration.
To display DHCP relay agent binding information for dual-stack clients:user@host> show dhcp relay binding detail
To display DHCPv6 relay agent binding information for dual-stack clients:user@host> show dhcpv6 relay binding detail
To display assigned IP4 and IPv6 addresses for DHCP dual-stack clients:user@host>show subscribers
To show IPv4 and IPv6 addresses for a specific session:user@host>show network-access aaa subscribers session-id session-id session-id detail
To all clear DHCPv4 relay bindings and associated DHCPv6 bindings for the dual-stack in the default routing instance. This command does not effect DHCPv6-only stacks that are not associated with the dual-stack.user@host>clear dhcp relay binding dual-stack all
Alternatively, you can limit clearing to an address, VLAN interface, logical system, or routing instance.
To clear all DHCPv6 relay bindings and associated DHCPv4 bindings for the dual-stack in the default routing instance. This command does not effect DHCPv4-only stacks that are not associated with the dual-stack.user@host>clear dhcpv6 relay binding dual-stack all
Alternatively, you can limit clearing to an address, VLAN interface, logical system, or routing instance.