Related Documentation

  • Configuring DHCP Relay Proxy
  • Using the Broadcast Flag Setting to Control Transmission of DHCP Reply Packets
  • set dhcp relay
  • set dhcp relay assign-giaddr-source-ip
  • set dhcp relay giaddr-selects-interface
  • set dhcp relay override
  • set dhcp relay trust-all
 

Configuring DHCP Relay Settings

You can configure DHCP relay using the following set of tasks:

  • Enabling DHCP Relay
  • Removing Access Routes from Routing Tables and NVS
  • Treating All Packets as Originating at Trusted Sources
  • Assigning the Giaddr to Source IP Address
  • Protecting Against Spoofed Giaddr and Relay Agent Option Values
  • Using the Giaddr to Identify the Primary Interface for Dynamic Subscriber Interfaces

Enabling DHCP Relay

You use the set dhcp relay command to create and enable DHCP relay in the current virtual router.

  • Include the IP address variable to enable DHCP relay and BOOTP relay and to specify an IP address for the DHCP server. When you include the IP address of a DHCP server, the router adds the IP address to the list of DHCP servers (up to five) and forwards all request packets to all configured servers.

    Issuing this command also enables relay of BOOTP requests to the configured DHCP servers. If one of the DHCP servers is also a BOOTP server and responds, the router relays the response to the request originator.

    host1(config)#set dhcp relay 192.168.29.10
  • Use this command without an IP address to create the DHCP relay independent of any DHCP servers. Use this version of the command when configuring support for DHCP vendor-option strings (option 60). For information about configuring option 60 support, see Using Option 60 Strings to Forward Client Traffic to Specific DHCP Servers.
    host1(config)#set dhcp relay
  • Use the no version with an IP address to remove the specified DHCP server:
    host1(config)#no set dhcp relay 192.168.29.25

Removing Access Routes from Routing Tables and NVS

You can remove existing access routes for an interface from routing tables and nonvolatile storage (NVS).

The set dhcp relay discard-access-routes command removes all installed host routes from IP and deletes host routes from mirrored storage and NVS for specified interfaces. In relay proxy mode, this command enforces a consistent state of the route and client database and discards all client information for specified interfaces.

Because DHCP relay cannot distinguish between temporary dynamic interface deletions (where the interface is subsequently re-created) and permanent deletions, it sometimes retains routing information for dynamic interfaces that have already been deleted. You can use the unknown keyword with the set dhcp relay discard-access-routes command to remove the routing information for these interfaces.

  • To remove access routes:
    host1(config)#set dhcp relay discard-access-routes

    Note: When this feature is configured, the client bypasses the DHCP relay component and communicates directly with the DHCP server to request address renewal or to release the address. The DHCP relay component has no role in determining when or whether to remove the installed host route.

Treating All Packets as Originating at Trusted Sources

By default, the DHCP relay treats all packets destined for DHCP servers as if the packets originated at an untrusted source; if the packets have a gateway IP address (giaddr) of 0 and if option 82 information is present, these packets are dropped.

  • To enable the trust-all method on the DHCP relay:
    host1(config)#set dhcp relay trust-all

In the trust-all method, the DHCP relay treats the packets as if they are from trusted sources and forwards the packets to the DHCP server. When you enable this command:

  • If the DHCP packets contain option 82 and a giaddr field of 0, the DHCP relay inserts its giaddr into the packets and then forwards the packets.
  • If the DHCP relay is configured to add option 82, it does not add an additional option 82 if one is already present in the DHCP packets.

Assigning the Giaddr to Source IP Address

As a security measure, DHCP servers typically use the giaddr included in DHCP packets to ensure that the packets come from a recognized DHCP gateway. The servers verify that the giaddr in the DHCP packet matches the source IP address in the IP packet header. You can use the set dhcp relay assign-giaddr-source-ip command to specify that the DHCP relay and DHCP relay proxy use the giaddr as the source IP address in the IP header of packets they send to DHCP servers. The DHCP servers can then compare the source IP address in the IP packet header to the giaddr in the DHCP packets.

  • To use the giaddr as the source IP address in the IP packet header:
    host1(config)#set dhcp relay assign-giaddr-source-ip

Protecting Against Spoofed Giaddr and Relay Agent Option Values

DHCP relay includes an override feature that provides enhanced security to protect against spoofed giaddr and relay agent option (option 82) values in packets destined for DHCP servers.

DHCP relay can detect spoofed giaddrs when the giaddr value is equal to a local IP address on which the DHCP relay can be accessed; otherwise, DHCP relay does not detect spoofed giaddrs. Also, DHCP relay does not detect spoofed relay agent option values.

Spoofed giaddrs are a concern when the giaddr value in received DHCP packets differs from the local IP address on which the DHCP relay is accessed. In this situation, DHCP relay always honors the giaddr. To configure DHCP relay to override all giaddrs (including valid giaddrs) that are received from downstream network elements, use the set dhcp relay override command with the giaddr keyword. DHCP relay then takes control of the client, adding its own giaddr to the packets before forwarding the packets to the DHCP server.

Spoofed relay agent options are a concern if the giaddr is not null, or if it is null and the DHCP relay is operating in the trust-all method. In these two situations, DHCP relay always honors the relay agent option value in received DHCP packets.

  • To protect against spoofed giaddrs and relay agent option values:
    host1(config)#set dhcp relay override agent-option

    DHCP relay then overrides all relay agent option values that are received from downstream network elements, performing one of the following actions:

    • If the DHCP relay is configured to add relay agent option 82 to the packets, it clears the existing option 82 values and inserts the new values.
    • If the DHCP relay is not configured to add relay agent option 82, it clears the existing option values but does not add any new values.
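
The packet handling described in the trust-all and override sections above, written out as a small Python model to show what the DHCP server ends up seeing under each setting. This is an added example, not Juniper code: the addresses and option 82 strings are constructed, and treating a detected local-address giaddr as a drop is an assumption, since the page says only that it is detected.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

NULL = "0.0.0.0"

@dataclass(frozen=True)
class RelayConfig:
    local_ip: str                        # address the relay is reached on (constructed)
    trust_all: bool = False              # set dhcp relay trust-all
    override_giaddr: bool = False        # set dhcp relay override giaddr
    override_agent_option: bool = False  # set dhcp relay override agent-option
    own_option82: Optional[str] = None   # value the relay adds; None = not configured to add

@dataclass(frozen=True)
class Packet:
    giaddr: str = NULL
    option82: Optional[str] = None

def relay(cfg: RelayConfig, pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Return ("drop", None) or ("forward", packet as the DHCP server sees it)."""
    giaddr, opt82 = pkt.giaddr, pkt.option82
    # Default (untrusted) handling: giaddr 0 with option 82 already present.
    if giaddr == NULL and opt82 is not None and not cfg.trust_all:
        return "drop", None
    # The only giaddr spoof the relay can detect is its own local address.
    # Assumption: detection is modelled as a drop; the page does not state the action.
    if giaddr == cfg.local_ip:
        return "drop", None
    # A null giaddr is filled in; a non-null one is honored unless overridden.
    if giaddr == NULL or cfg.override_giaddr:
        giaddr = cfg.local_ip
    if cfg.override_agent_option:
        opt82 = cfg.own_option82   # clear downstream value, insert own if configured
    elif opt82 is None:
        opt82 = cfg.own_option82   # never stack a second option 82
    return "forward", Packet(giaddr, opt82)

def server_view(cfg: RelayConfig, pkt: Packet) -> str:
    action, out = relay(cfg, pkt)
    return action if out is None else f"{action} giaddr={out.giaddr} opt82={out.option82}"

# Constructed downstream packets carrying forged values.
SPOOF_OPT = Packet(NULL, "circuit-id=forged")
SPOOF_GI = Packet("198.51.100.7", "circuit-id=forged")

if __name__ == "__main__":
    base = dict(local_ip="192.0.2.1", own_option82="circuit-id=relay-port-3")
    for name, extra in [("default", {}), ("trust-all", {"trust_all": True}),
                        ("trust-all + override agent-option", {"trust_all": True, "override_agent_option": True}),
                        ("override giaddr + agent-option", {"override_giaddr": True, "override_agent_option": True})]:
        cfg = RelayConfig(**base, **extra)
        print(f"{name:36} {server_view(cfg, SPOOF_OPT):58} {server_view(cfg, SPOOF_GI)}")
```

Run as a script, it prints one row per configuration; the trust-all row without the agent-option override is the one where the forged option 82 value reaches the server unchanged.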

Using the Giaddr to Identify the Primary Interface for Dynamic Subscriber Interfaces

When creating dynamic subscriber interfaces, the router builds the dynamic interfaces on the associated primary interface. By default, the router identifies the primary interface based on the interface on which DHCP client discover packets are received. The router then builds all dynamic interfaces on that primary interface.

In some cases you might want more control over the determination of the primary interface and you might not want to use the primary interface that is determined by the default behavior. The JunosE Software enables you to configure DHCP relay to use information in the giaddr in DHCP ACK messages to specify which interface is to be used as the primary interface. This capability allows you to build dynamic interfaces on the primary interface of your choice.

  • To use information in the giaddr to identify the primary interface for dynamic subscriber interfaces:
    host1(config)#set dhcp relay giaddr-selects-interface
 


Published: 2012-06-27

 