Conserving IP Addresses Using DHCP Auto Logout
DHCP Auto Logout Overview
This topic provides an introduction to the DHCP auto logout feature and includes the following sections:
Auto Logout Overview
Auto logout is supported for DHCP local server and DHCP relay agent. It improves the efficiency of DHCP IP address assignment by allowing IP addresses to be immediately released and returned to the address pool when DHCP clients are no longer using the addresses. DHCP can then assign the addresses to other clients. Without auto logout, an IP address is blocked for the entire lease period, and DHCP must wait until the address lease time expires before reusing the address.
Auto logout is particularly useful when DHCP uses long lease times for IP address assignments, and it helps avoid allocating duplicate IP addresses for a single client.
For example, you might have an environment that includes set-top boxes (STBs) that are often upgraded or replaced. Each time an STB is changed, the new STB repeats the DHCP discover process to obtain client configuration information and an IP address. DHCP views the new STB as a completely new client and assigns a new IP address. The previous IP address assigned to the client (the old STB) remains blocked and unavailable until the lease expires. If auto logout is configured in this situation, DHCP recognizes that the new STB is actually the same client and then immediately releases the original IP address. DHCP relay agent acts as a proxy client for auto logout and sends a DHCP release message to the DHCP server.
How DHCP Identifies and Releases Clients
The auto logout feature requires that DHCP explicitly identify clients. By default, DHCP local server and DHCP relay agent identify clients based on MAC address or Client Identifier, and subnet. However, in some cases this type of identification might not be sufficient. For example, in the previous STB example, each STB has a different MAC address, so DHCP incorrectly assumes that an upgraded or replacement STB is a new client.
In order to explicitly identify clients, auto logout uses a secondary identification method when the primary identification method is unsuccessful. The primary method is considered unsuccessful if the MAC address or Client Identifier does not match that of an existing client. Subscriber management supports two secondary identification methods that you can configure.
Incoming interface method: DHCP views a new client connection on the interface as if it comes from the same client. DHCP deletes the existing client binding before creating a binding for the newly connected device. This method allows only one client device to connect on the interface.
Note: The incoming interface method differs from the overrides interface-client-limit 1 statement, which retains the existing binding and rejects the newly connected client.
Option 60 and option 82 method: DHCP considers two clients as different if they have the same option 60 and option 82 information, but different subnets.
DHCP local server and DHCP relay agent perform the following operations when auto logout is enabled and the secondary identification method identifies a duplicate client (that is, the Discover packet is from an existing client).
DHCP local server immediately releases the existing address.
DHCP relay agent immediately releases the existing client and then sends a DHCP release packet to the DHCP server. Sending the release packet ensures that DHCP relay and the DHCP server are synchronized.
If the DHCP relay receives a Discover message from an existing client, the DHCP relay forwards the Discover message to the DHCP server. The DHCP relay preserves the binding if the client's existing IP address is returned by the DHCP server. This behavior is not applicable if the proxy-mode override or client-discover-match functionality is enabled.
Note: If the DHCP relay agent is in snoop mode, DHCP relay releases the client but does not send a release packet to the DHCP server if the discover packet is for a passive client (a client added as a result of snooped packets) or if the discover packet is a snooped packet.
Option 60 and Option 82 Requirements
DHCP local server requires that the received discover packet include both DHCP option 60 and option 82. If either option is missing, the DHCP local server cannot perform the secondary identification method and auto logout is not used.
DHCP relay agent requires that the received discover packet contain DHCP option 60. DHCP relay determines the option 82 value based on the guidelines provided in DHCP Relay Agent Option 82 Value for Auto Logout.
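The following sketch is an added example, not Juniper code: it models a DHCP local server binding table to show primary identification failing for a replaced STB and each secondary method releasing the old lease. The class, the method labels, and the sample MAC addresses, interface name and option values are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Discover:
    mac: str                      # primary identifier (MAC or Client Identifier)
    subnet: str
    interface: str                # incoming interface on the router
    option60: Optional[str] = None
    option82: Optional[str] = None

class LocalServer:
    # method: None (auto logout off), "incoming-interface" or "option60-option82".
    # These labels are names for this model, not Junos configuration syntax.
    def __init__(self, pool, method=None):
        self.free, self.method = list(pool), method
        self.bindings = {}        # (mac, subnet) -> (Discover, ip)

    def _secondary_match(self, d):
        if self.method == "option60-option82" and None in (d.option60, d.option82):
            return None           # local server needs both options in the Discover
        for key, (old, _) in self.bindings.items():
            if self.method == "incoming-interface" and old.interface == d.interface:
                return key
            if self.method == "option60-option82" and (
                    old.option60, old.option82, old.subnet) == (
                    d.option60, d.option82, d.subnet):
                return key        # same options but another subnet is a different client
        return None

    def handle_discover(self, d):
        """Return (offered_ip, released_ip); either may be None."""
        key = (d.mac, d.subnet)
        if key in self.bindings:                   # primary identification succeeded
            return self.bindings[key][1], None
        released = None
        dup = self._secondary_match(d) if self.method else None
        if dup is not None:                        # auto logout: free the old lease now
            released = self.bindings.pop(dup)[1]
            self.free.append(released)
        if not self.free:
            return None, released                  # pool exhausted
        ip = self.free.pop(0)
        self.bindings[key] = (d, ip)
        return ip, released

# Constructed sample: an STB on ge-0/0/1.100 is swapped for one with a new MAC.
OLD_STB = Discover("00:11:22:33:44:01", "192.0.2.0/24", "ge-0/0/1.100", "stb-v1", "circuit-17")
NEW_STB = Discover("00:11:22:33:44:02", "192.0.2.0/24", "ge-0/0/1.100", "stb-v1", "circuit-17")
```

With auto logout off, feeding `OLD_STB` then `NEW_STB` to a two-address pool leaves both addresses bound and the pool empty; with either secondary method, the second Discover returns the old address to the pool.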
Automatically Logging Out DHCP Clients
You can configure the extended DHCP local server and extended DHCP relay to automatically log out DHCP clients. Auto logout immediately releases an existing client when DHCP receives a discover packet from a client whose identity matches an existing client. DHCP then releases the existing client IP address without waiting for the normal lease expiration.
When the existing client is released, the new client undergoes the normal authentication process. The new client might not receive the same IP address as the original client.
To configure DHCP client auto logout:
If you change the auto logout configuration, existing clients continue to use the auto logout setting that was configured when they logged in. New clients use the new setting.
How DHCP Relay Agent Uses Option 82 for Auto Logout
Table 1 indicates how the DHCP relay agent determines the option 82 value used for the client auto logout feature. Depending on the configuration settings, DHCP relay agent takes the action indicated in the Action Taken column.
The first five columns are the DHCP relay agent configuration settings; the last column is the action taken.

| DHCP Relay Configured with Option 82 | Discover Packet Contains Option 82 | Override “trust-option-82” | Override “always-write-option-82” | giaddr in non-snooped packet | Action Taken |
|---|---|---|---|---|---|
| No | No | – | – | – | No secondary search performed |
| No | Yes | Yes | – | – | Use option 82 from packet |
| No | Yes | No | – | Zero | Drop packet |
| No | Yes | No | – | Non-zero | Use option 82 from packet |
| Yes | No | – | – | – | Use configured option 82 |
| Yes | Yes | No | – | Zero | Drop packet |
| Yes | Yes | No | No | Non-zero | Use option 82 from packet |
| Yes | Yes | No | Yes | Non-zero | Overwrite the configured option 82 |
| Yes | Yes | Yes | No | – | Use option 82 from packet |
| Yes | Yes | Yes | Yes | – | Overwrite the configured option 82 |
DHCPv6 Match Criteria for Identifying DHCPv6 Subscribers
By default, the DHCPv6 local server and the DHCPv6 relay agent identify clients on the basis of the client identifier. The DHCPv6 local server and the DHCPv6 relay agent can also identify a DHCPv6 client by the incoming interface. You use the incoming-interface option with the client-negotiation-match statement so that only one client device connects on the interface. If the client device changes, the router deletes the existing client binding and creates a binding for the newly connected device.
For example, consider an environment that includes a set-top box (STB) or any other such customer premises equipment (CPE) device configured to get configuration information from the DHCPv6 server. In the network configuration, one CPE device is supported over an interface. The DHCPv6 server is configured to provide the CPE devices with long lease timers. If the CPE device is disconnected for repair or upgraded, the new CPE device goes through the DHCPv6 Solicit process to receive the configuration information from the DHCPv6 server. Because the client identifier is different from that of the previous device, the DHCPv6 local server or the DHCPv6 relay agent treats the DHCPv6 Solicit message as a new client and adds the new binding. Because the old device might not gracefully log out, the old IP address is not released until the lease expires.
If the client-negotiation-match incoming-interface statement is configured, on receiving a DHCPv6 Solicit message, the DHCPv6 clients are searched on the basis of their client identifiers and the incoming interface option. If an existing DHCPv6 client binding is found based on the match criteria, the binding is removed and the new client is processed. If the old CPE device is disconnected and a DHCPv6 Solicit message is received for the new CPE device, the feature uses the incoming interface to identify the client and remove the binding of the old CPE device, which allows for the release of the old IP address. The binding of the new CPE device replaces the old binding.
Automatically Logging Out DHCPv6 Clients
You can configure the extended DHCPv6 local server and extended DHCPv6 relay agent to automatically log out DHCPv6 clients based on DHCPv6 subscriber-match criteria. The automatic logout feature immediately releases an existing client when DHCPv6 receives a Solicit packet from a client whose incoming interface matches that of an existing client. DHCPv6 then releases the existing client IP address without waiting for the normal lease expiration.
When the existing client is released, the new client undergoes the normal authentication process. The new client might not receive the same IP address as the original client.
To configure automatic logout of DHCPv6 clients:
If you change the automatic logout configuration, existing clients continue to use the automatic logout setting that was configured when they logged in. New clients use the new setting.