DHCP System Services

Junos ® OS for EX Series Ethernet Switches System Services on EX9200 Switches Release 12.3 Published: 2013-04-01 Copyright © 2013, Juniper Networks, Inc.


  • Junos OS for EX Series Ethernet Switches

    System Services on EX9200 Switches

    Release

    12.3

    Published: 2013-04-01

    Copyright 2013, Juniper Networks, Inc.

  • Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, California 94089, USA, 408-745-2000, www.juniper.net

    This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

    This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto.

    This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

    GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton's EGP, UC Berkeley's routing daemon (routed), and DCN's HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates.

    This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc.

    Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

    Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

    Junos OS for EX Series Ethernet Switches System Services on EX9200 Switches, Release 12.3. Copyright 2013, Juniper Networks, Inc. All rights reserved.

    The information in this document is current as of the date on the title page.

    YEAR 2000 NOTICE

    Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    END USER LICENSE AGREEMENT

    The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


  • Table of Contents

    About the Documentation
      Documentation and Release Notes
      Supported Platforms
      Using the Examples in This Manual
        Merging a Full Example
        Merging a Snippet
      Documentation Conventions
      Documentation Feedback
      Requesting Technical Support
        Self-Help Online Tools and Resources
        Opening a Case with JTAC

    Part 1 Overview

      Chapter 1 DHCP Local Server
        Extended DHCP Local Server Overview
          Interaction Among the DHCP Client, Extended DHCP Local Server, and Address-Assignment Pools
          Providing DHCP Client Configuration Information
          Minimal Configuration for Clients
          DHCP Local Server and Address-Assignment Pools
          DHCP Liveness Detection
        DHCPv6 Local Server Overview
        DHCP Local Server Handling of Client Information Request Messages
        DHCP Duplicate Client Differentiation Using Client Subinterface Overview
        Group-Specific DHCP Local Server Options
        Understanding Dynamic Reconfiguration of Extended DHCP Local Server Clients
          Default Client/Server Interaction
          Dynamic Client/Server Interaction for DHCPv4
          Dynamic Client/Server Interaction for DHCPv6
          Dynamic Configuration Options
        DHCP Snooping Support
        DHCP Auto Logout Overview
          Auto Logout Overview
          How DHCP Identifies and Releases Clients
          Option 60 and Option 82 Requirements
        Address-Assignment Pools Overview
        Use of DHCP Option 50 and DHCPv6 IA_NA Option to Request a Specific IP Address


        Multiple Address Assignment for DHCPv6 Clients
          Multiple Address Assignment Using Local Address Pools or RADIUS
          Junos OS Predefined Variable for Multiple DHCPv6 Address Assignment
        Centrally Configured Opaque DHCP Options
          Data Flow for RADIUS-Sourced DHCP Options
          Multiple VSA 26-55 Instances Configuration
          DHCP Options That Cannot Be Centrally Configured
        Graceful Routing Engine Switchover
        Port Number Requirements for DHCP Firewall Filters

      Chapter 2 DHCP Relay Agent
        Extended DHCP Relay Agent Overview
          Interaction Among the DHCP Relay Agent, DHCP Client, and DHCP Servers
          DHCP Liveness Detection
        DHCP Relay Proxy Overview
          Interaction Among DHCP Relay Proxy, DHCP Client, and DHCP Servers
        DHCPv6 Relay Agent Overview
        DHCP Duplicate Client Differentiation Using Client Subinterface Overview
        Group-Specific DHCP Relay Options
        DHCP Snooping Support
        DHCP Auto Logout Overview
          Auto Logout Overview
          How DHCP Identifies and Releases Clients
          Option 60 and Option 82 Requirements
        Graceful Routing Engine Switchover
        Port Number Requirements for DHCP Firewall Filters

    Part 2 Configuration

      Chapter 3 DHCP Local Server Examples
        Example: Minimum Extended DHCP Local Server Configuration
        Example: Extended DHCP Local Server Configuration with Optional Pool Matching
        Example: Configuring Group Liveness Detection for DHCP Local Server Clients

      Chapter 4 DHCP Relay Agent Examples
        Example: Minimum DHCP Relay Agent Configuration
        Example: Configuring DHCP Relay Agent Selective Traffic Processing Based on DHCP Option Strings
        Example: Configuring DHCP Snooping Support for DHCP Relay Agent

      Chapter 5 Configuration Tasks for DHCP Local Server
        Using External AAA Authentication Services with DHCP
        Guidelines for Configuring Support for DHCP Duplicate Clients
        Configuring DHCP Duplicate Client Support
        Grouping Interfaces with Common DHCP Configurations
        Guidelines for Configuring Interface Ranges
        Overriding Default DHCP Local Server Configuration Settings


        Specifying the Maximum Number of DHCP Clients Per Interface
        Disabling ARP Table Population
        Automatically Logging Out DHCP Clients
        Enabling Processing of Client Information Requests
        Specifying the Delegated Address Pool for IPv6 Prefix Assignment
        Enabling DHCPv6 Rapid Commit Support
        Deleting DHCP Local Server and DHCP Relay Override Settings
        Configuring Extended DHCP Local Server Dynamic Client Reconfiguration
        Configuring Dynamic Reconfiguration Attempts for DHCP Clients
        Configuring Deletion of the Client When Dynamic Reconfiguration Fails
        Configuring Reconfiguration of the Client on Receipt of RADIUS-Initiated Disconnect
        Configuring a Token for DHCP Local Server Authentication
        Preventing Binding of Clients That Do Not Support Reconfigure Messages
        Requesting DHCP Local Server to Initiate Reconfiguration of Client Bindings
        Configuring Detection of DHCP Local Server Client Connectivity
        Attaching Dynamic Profiles to DHCP Subscriber Interfaces or DHCP Client Interfaces
          Attaching a Dynamic Profile to All DHCP Subscriber or All DHCP Client Interfaces
          Attaching a Dynamic Profile to a Group of DHCP Subscriber Interfaces or a Group of DHCP Client Interfaces
        Configuring DHCP Snooped Packets Forwarding Support for DHCP Local Server
        Configuring Passwords for Usernames
        Creating Unique Usernames for DHCP Clients
        Configuring How the Extended DHCP Local Server Determines Which Address-Assignment Pool to Use

      Chapter 6 Configuration Tasks for DHCP Relay Agent
        Using External AAA Authentication Services with DHCP
        Configuring DHCP Duplicate Client Support
        Grouping Interfaces with Common DHCP Configurations
        Guidelines for Configuring Interface Ranges
        Overriding the Default DHCP Relay Configuration Settings
        Overwriting giaddr Information
        Replacing the DHCP Relay Request and Release Packet Source Address
        Overriding Option 82 Information
        Using Layer 2 Unicast Transmission for DHCP Packets
        Trusting Option 82 Information
        Disabling ARP Table Population
        Specifying the Maximum Number of DHCP Clients Per Interface
        Automatically Logging Out DHCP Clients
        DHCP Relay Agent Option 82 Value for Auto Logout
        Configuring DHCP Snooping for DHCP Relay Agent
        Enabling and Disabling DHCP Snooped Packets Support for DHCP Relay Agent
        Configuring DHCP Snooped Packets Forwarding Support for DHCP Relay Agent


        Sending Release Messages When Clients Are Deleted
        Disabling Automatic Binding of Stray DHCP Requests
        Enabling and Disabling Insertion of Option 82 Information
          Configuring Agent Circuit ID Information
          Configuring an Option 82 Prefix
          Using a Textual Description in Option 82
        Configuring Server Groups
        Configuring Active Server Groups
        Enabling DHCP Relay Proxy Mode
        Attaching Dynamic Profiles to DHCP Subscriber Interfaces or DHCP Client Interfaces
          Attaching a Dynamic Profile to All DHCP Subscriber or All DHCP Client Interfaces
          Attaching a Dynamic Profile to a Group of DHCP Subscriber Interfaces or a Group of DHCP Client Interfaces
        Inserting DHCPv6 Interface-ID Option (Option 18) In DHCPv6 Packets
        DHCP Liveness Detection Overview
        Configuring Detection of DHCP Relay or DHCP Relay Proxy Client Connectivity
        Disabling DHCP Relay

      Chapter 7 DHCP Local Server Configuration Statements
        [edit system] Hierarchy Level
        attempts (DHCP Local Server)
        authentication (DHCP Local Server)
        bfd
        circuit-type (DHCP Local Server)
        clear-on-abort (DHCP Local Server)
        client-discover-match (DHCP Local Server)
        client-id (DHCP Local Server)
        delegated-pool (DHCP Local Server)
        delimiter (DHCP Local Server)
        detection-time
        dhcp-local-server
        dhcpv6 (DHCP Local Server)
        domain-name (DHCP Local Server)
        duplicate-clients-on-interface (DHCP Local Server)
        dynamic-profile (DHCP Local Server)
        external-authority
        failure-action
        forward-snooped-clients (DHCP Local Server)
        group (DHCP Local Server)
        holddown-interval
        interface (DHCP Local Server)
        interface-client-limit (DHCP Local Server)
        interface-delete (Subscriber Management or DHCP Client Management)
        interface-name (DHCP Local Server)
        ip-address-first
        liveness-detection


        logical-system-name (DHCP Local Server)
        mac-address (DHCP Local Server)
        method
        minimum-interval
        minimum-receive-interval
        multiplier
        no-adaptation
        no-arp (DHCP Local Server)
        option-60 (DHCP Local Server)
        option-82 (DHCP Local Server Authentication)
        option-82 (DHCP Local Server Pool Matching)
        overrides (DHCP Local Server)
        password (DHCP Local Server)
        pool (DHCP Local Server Overrides)
        pool-match-order
        process-inform
        radius-disconnect (DHCP Local Server)
        rapid-commit (DHCPv6 Local Server)
        reconfigure (DHCP Local Server)
        relay-agent-interface-id (DHCP Local Server)
        relay-agent-remote-id (DHCP Local Server)
        routing-instance-name (DHCP Local Server)
        service-profile (DHCP Local Server)
        session-mode
        strict (DHCP Local Server)
        threshold (detection-time)
        threshold (transmit-interval)
        timeout (DHCP Local Server)
        token (DHCP Local Server)
        transmit-interval
        trigger (DHCP Local Server)
        use-primary (DHCP Local Server)
        user-prefix (DHCP Local Server)
        username-include (DHCP Local Server)
        version (BFD)

      Chapter 8 DHCP Relay Agent Configuration Statements
        [edit forwarding-options dhcp-relay] Hierarchy Level
        access (Dynamic Access Routes)
        access-internal (Dynamic Access-Internal Routes)
        active-server-group
        allow-snooped-clients
        always-write-giaddr
        always-write-option-82
        authentication (DHCP Relay Agent)
        bfd
        circuit-id (DHCP Relay Agent)
        circuit-type (DHCP Relay Agent)
        client-discover-match (DHCP Relay Agent)


        client-id (DHCP Relay Agent)
        delimiter (DHCP Relay Agent)
        detection-time
        dhcp-relay
        dhcpv6 (DHCP Relay Agent)
        disable-relay
        domain-name (DHCP Relay Agent)
        drop (DHCP Relay Agent Option)
        duplicate-clients-on-interface (DHCP Relay Agent)
        dynamic-profile (DHCP Relay Agent)
        failure-action
        forward-snooped-clients (DHCP Relay Agent)
        group (DHCP Relay Agent)
        holddown-interval
        interface (DHCP Relay Agent)
        interface-client-limit (DHCP Relay Agent)
        interface-delete (Subscriber Management or DHCP Client Management)
        interface-name (DHCP Relay Agent)
        layer2-unicast-replies
        liveness-detection
        local-server-group (DHCP Relay Agent Option)
        logical-system-name (DHCP Relay Agent)
        mac-address (DHCP Relay Agent)
        method
        minimum-interval
        minimum-receive-interval
        multiplier
        next-hop (Dynamic Access-Internal Routes)
        no-adaptation
        no-allow-snooped-clients
        no-bind-on-request (DHCP Relay Agent)
        no-arp (DHCP Relay Agent)
        option-60 (DHCP Relay Agent)
        option-82 (DHCP Relay Agent)
        option-number (DHCP Relay Agent Option)
        overrides (DHCP Relay Agent)
        password (DHCP Relay Agent)
        preference (Subscriber Management)
        prefix (DHCP Relay Agent)
        proxy-mode
        relay-agent-interface-id (DHCPv6 Relay Agent)
        relay-agent-remote-id (DHCPv6 Relay Agent)
        relay-option (DHCP Relay Agent)
        relay-option-82
        relay-server-group (DHCP Relay Agent Option)
        replace-ip-source-with
        routing-instance-name (DHCP Relay Agent)
        send-release-on-delete (DHCP Relay Agent)
        server-group

  • service-profile (DHCP Relay Agent)
    session-mode
    threshold (detection-time)
    threshold (transmit-interval)
    transmit-interval
    trust-option-82
    use-interface-description
    use-primary (DHCP Relay Agent)
    user-prefix (DHCP Relay Agent)
    username-include (DHCP Relay Agent)
    version (BFD)

    Part 3 Administration

    Chapter 9 Verifying and Managing DHCP Local Server Configurations
    Verifying and Managing DHCP Local Server Configuration
    Verifying and Managing DHCPv6 Local Server Configuration

    Chapter 10 Verifying and Managing DHCP Relay Agent Configurations
    Verifying and Managing DHCP Relay Configuration
    Verifying and Managing DHCPv6 Relay Configuration

    Chapter 11 DHCP Local Server Monitoring Commands
    clear dhcp server binding
    clear dhcp server statistics
    clear dhcpv6 server binding
    clear dhcpv6 server statistics
    request dhcp server reconfigure
    request dhcpv6 server reconfigure
    request system reboot
    show dhcp server binding
    show dhcp server statistics
    show dhcpv6 server binding
    show dhcpv6 server statistics

    Chapter 12 DHCP Relay Agent Monitoring Commands
    clear dhcp relay binding
    clear dhcp relay statistics
    clear dhcpv6 relay binding
    clear dhcpv6 relay statistics
    show dhcp relay binding
    show dhcp relay statistics
    show dhcpv6 relay binding
    show dhcpv6 relay statistics
    show route extensive
    show route protocol

  • Part 4 Troubleshooting

    Chapter 13 Acquiring Troubleshooting Information
    Tracing Extended DHCP Operations
    Configuring the Extended DHCP Log Filename
    Configuring the Number and Size of Extended DHCP Log Files
    Configuring Access to the Extended DHCP Log File
    Configuring a Regular Expression for Extended DHCP Messages to Be Logged
    Configuring the Extended DHCP Tracing Flags
    Configuring the Severity Level to Filter Which Extended DHCP Messages Are Logged
    Tracing Extended DHCP Operations for Specific Interfaces
    Tracing Extended DHCP Operations for Specific Interfaces

    Chapter 14 Troubleshooting Configuration Statements
    interface-traceoptions (DHCP)
    trace (DHCP Local Server)
    trace (DHCP Relay Agent)
    traceoptions (DHCP)

  • List of Figures

    Part 1 Overview

    Chapter 1 DHCP Local Server
    Figure 1: DHCP Options Data Flow

  • List of Tables

    About the Documentation
    Table 1: Notice Icons
    Table 2: Text and Syntax Conventions

    Part 1 Overview

    Chapter 1 DHCP Local Server
    Table 3: Information in Authentication Grant
    Table 4: RADIUS Attributes and VSAs for DHCPv6 Local Server
    Table 5: Action Taken for Events That Occur During a Reconfiguration
    Table 6: Unsupported Opaque DHCP Options

    Part 2 Configuration

    Chapter 5 Configuration Tasks for DHCP Local Server
    Table 7: ARP Table in Trusted Environment
    Table 8: ARP Table in Distrusted Environment
    Table 9: Actions for DHCP Local Server Snooped Packets

    Chapter 6 Configuration Tasks for DHCP Relay Agent
    Table 10: ARP Table in Trusted Environment
    Table 11: ARP Table in Distrusted Environment
    Table 12: DHCP Relay Agent Option 82 Value for Auto Logout
    Table 13: Actions for DHCP Relay Agent Snooped Packets When DHCP Snooping Is Enabled
    Table 14: Actions for DHCP Relay Agent Snooped Packets When DHCP Snooping Is Disabled
    Table 15: Actions for Snooped BOOTREPLY Packets

    Part 3 Administration

    Chapter 11 DHCP Local Server Monitoring Commands
    Table 16: show dhcp server binding Output Fields
    Table 17: show dhcp server statistics Output Fields
    Table 18: show dhcpv6 server binding Output Fields
    Table 19: show dhcpv6 server statistics Output Fields

    Chapter 12 DHCP Relay Agent Monitoring Commands
    Table 20: clear dhcp relay statistics Output Fields
    Table 21: show dhcp relay binding Output Fields
    Table 22: show dhcp relay statistics Output Fields
    Table 23: show dhcpv6 relay binding Output Fields

  • Table 24: show dhcpv6 relay statistics Output Fields
    Table 25: show route extensive Output Fields

  • About the Documentation

    Documentation and Release Notes on page xv

    Supported Platforms on page xv

    Using the Examples in This Manual on page xv

    Documentation Conventions on page xvii

    Documentation Feedback on page xix

    Requesting Technical Support on page xix

    Documentation and Release Notes

    To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

    If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

    Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

    Supported Platforms

    For the features described in this document, the following platforms are supported:

    EX Series

    Using the Examples in This Manual

    If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.

    If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.

  • If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

    Merging a Full Example

    To merge a full example, follow these steps:

    1. From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

    system {
        scripts {
            commit {
                file ex-script.xsl;
            }
        }
    }
    interfaces {
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }

    2. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command:

    [edit]
    user@host# load merge /var/tmp/ex-script.conf
    load complete

    Merging a Snippet

    To merge a snippet, follow these steps:

    1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

    commit {
        file ex-script-snippet.xsl;
    }

    2. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:

  • [edit]
    user@host# edit system scripts
    [edit system scripts]

    3. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command:

    [edit system scripts]
    user@host# load merge relative /var/tmp/ex-script-snippet.conf
    load complete

    For more information about the load command, see the CLI User Guide.

    Documentation Conventions

    Table 1 on page xvii defines notice icons used in this guide.

    Table 1: Notice Icons

    | Meaning | Description |
    |---|---|
    | Informational note | Indicates important features or instructions. |
    | Caution | Indicates a situation that might result in loss of data or hardware damage. |
    | Warning | Alerts you to the risk of personal injury or death. |
    | Laser warning | Alerts you to the risk of personal injury from a laser. |

    Table 2 on page xvii defines the text and syntax conventions used in this guide.

    Table 2: Text and Syntax Conventions

    Convention: Bold text like this
    Description: Represents text that you type.
    Example: To enter configuration mode, type the configure command:
        user@host> configure

    Convention: Fixed-width text like this
    Description: Represents output that appears on the terminal screen.
    Example:
        user@host> show chassis alarms
        No alarms currently active

    Convention: Italic text like this
    Description: Introduces or emphasizes important new terms. Identifies book names. Identifies RFC and Internet draft titles.
    Examples:
        A policy term is a named structure that defines match conditions and actions.
        Junos OS System Basics Configuration Guide
        RFC 1997, BGP Communities Attribute

    Convention: Italic text like this
    Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
    Example: Configure the machine's domain name:
        [edit]
        root@# set system domain-name domain-name

    Convention: Text like this
    Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
    Examples:
        To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
        The console port is labeled CONSOLE.

    Convention: < > (angle brackets)
    Description: Enclose optional keywords or variables.
    Example:
        stub ;

    Convention: | (pipe symbol)
    Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Examples:
        broadcast | multicast
        (string1 | string2 | string3)

    Convention: # (pound sign)
    Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
    Example:
        rsvp { # Required for dynamic MPLS only

    Convention: [ ] (square brackets)
    Description: Enclose a variable for which you can substitute one or more values.
    Example:
        community name members [ community-ids ]

    Convention: Indention and braces ( { } )
    Description: Identify a level in the configuration hierarchy.

    Convention: ; (semicolon)
    Description: Identifies a leaf statement at a configuration hierarchy level.

    Example (for both of the preceding conventions):
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }

    J-Web GUI Conventions

    Convention: Bold text like this
    Description: Represents J-Web graphical user interface (GUI) items you click or select.
    Examples:
        In the Logical Interfaces box, select All Interfaces.
        To cancel the configuration, click Cancel.

    Convention: > (bold right angle bracket)
    Description: Separates levels in a hierarchy of J-Web selections.
    Example:
        In the configuration editor hierarchy, select Protocols>Ospf.

  • Documentation Feedback

    We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/ . If you are using e-mail, be sure to include the following information with your comments:

    Document or topic name

    URL or page number

    Software release version (if applicable)

    Requesting Technical Support

    Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

    JTAC policies: For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

    Product warranties: For product warranty information, visit http://www.juniper.net/support/warranty/.

    JTAC hours of operation: The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

    Self-Help Online Tools and Resources

    For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

    Find CSC offerings: http://www.juniper.net/customers/support/

    Search for known bugs: http://www2.juniper.net/kb/

    Find product documentation: http://www.juniper.net/techpubs/

    Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

    Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

    Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

  • Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

    Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

    To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

    Opening a Case with JTAC

    You can open a case with JTAC on the Web or by telephone.

    Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

    Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

    For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.

  • PART 1

    Overview

    DHCP Local Server on page 3

    DHCP Relay Agent on page 27

  • CHAPTER 1

    DHCP Local Server

    Extended DHCP Local Server Overview on page 4

    DHCPv6 Local Server Overview on page 8

    DHCP Local Server Handling of Client Information Request Messages on page 9

    DHCP Duplicate Client Differentiation Using Client Subinterface Overview on page 10

    Group-Specific DHCP Local Server Options on page 11

    Understanding Dynamic Reconfiguration of Extended DHCP Local Server Clients on page 12

    DHCP Snooping Support on page 15

    DHCP Auto Logout Overview on page 16

    Address-Assignment Pools Overview on page 18

    Use of DHCP Option 50 and DHCPv6 IA_NA Option to Request a Specific IP Address on page 19

    Multiple Address Assignment for DHCPv6 Clients on page 20

    Centrally Configured Opaque DHCP Options on page 21

    Graceful Routing Engine Switchover on page 25

    Port Number Requirements for DHCP Firewall Filters on page 26

  • Extended DHCP Local Server Overview

    You can enable the router or switch to function as an extended DHCP local server and configure the extended DHCP local server options on the router (or switch). The extended DHCP local server provides an IP address and other configuration information in response to a client request. The DHCP local server supports the attachment of dynamic profiles and also interacts with the local AAA Service Framework to use back-end authentication servers, such as RADIUS, to provide subscriber authentication or DHCP client authentication. You can configure dynamic profile and authentication support on a global basis or for a specific group of interfaces.

    The extended DHCP local server enhances traditional DHCP server operation by utilizing centralized address-assignment pools. The address-assignment pools are managed independently of the DHCP local server and can be shared by different client applications.

    You can also configure the extended DHCP local server to support IPv6 clients. Both DHCP local server and DHCPv6 local server support the specific address request feature, which enables you to assign a particular address to a client. See DHCPv6 Local Server Overview on page 8 for information about the DHCPv6 local server feature.

    NOTE: You cannot configure the extended DHCP local server and extended DHCP relay on the same interface.

    To configure the extended DHCP local server on the router (or switch), you include the dhcp-local-server statement at the [edit system services] hierarchy level. See the [edit system services dhcp-local-server] Hierarchy Level for the complete DHCP local server syntax.

    This overview covers:

    Interaction Among the DHCP Client, Extended DHCP Local Server, and Address-Assignment Pools on page 4

    Providing DHCP Client Configuration Information on page 5

    Minimal Configuration for Clients on page 6

    DHCP Local Server and Address-Assignment Pools on page 6

    DHCP Liveness Detection on page 7

    Interaction Among the DHCP Client, Extended DHCP Local Server, and Address-Assignment Pools

    The pattern of interaction between the DHCP local server, the DHCP client, and address-assignment pools is the same regardless of whether the software installation is on a router or a switch. Technically, the code operates in the same manner, regardless of the hardware platform. However, there are some differences in the details of usage.

    On routers: In a typical carrier edge network configuration, the DHCP client is on the subscriber's computer, and the DHCP local server is configured on the router.

  • On switches: In a typical network configuration, the DHCP client is on an access device, such as a personal computer, and the DHCP local server is configured on the switch.

    The following steps provide a high-level description of the interaction among the DHCP local server, DHCP client, and address-assignment pools:

    1. The DHCP client sends a discover packet to one or more DHCP local servers in the network to obtain configuration parameters and an IP address for the subscriber (or DHCP client).

    2. Each DHCP local server that receives the discover packet then searches its address-assignment pool for the client address and configuration options. Each local server creates an entry in its internal client table to keep track of the client state, then sends a DHCP offer packet to the client.

    3. On receipt of the offer packet, the DHCP client selects the DHCP local server from which to obtain configuration information and sends a request packet indicating the DHCP local server selected to grant the address and configuration information.

    4. The selected DHCP local server sends an acknowledgement packet to the client that contains the client address lease and configuration parameters. The server also installs the host route and ARP entry, and then monitors the lease state.
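
The four steps above, run as a small simulation (an added example, not code from the Juniper guide). The class and function names, the OFFERED/BOUND state labels and the sample addresses are assumptions made for illustration; the withdrawal of an unselected server's offer follows RFC 2131 rather than anything stated in this guide.

```python
from dataclasses import dataclass, field


@dataclass
class LocalServer:
    """Hypothetical model of one DHCP local server and its address pool."""
    name: str
    free: list                      # unassigned pool addresses
    options: dict                   # configuration options held in the pool
    lease_seconds: int = 3600
    client_table: dict = field(default_factory=dict)   # MAC -> client state
    host_routes: set = field(default_factory=set)
    arp_table: dict = field(default_factory=dict)      # IP -> MAC

    def on_discover(self, mac):
        """Step 2: reserve an address, record client state, return an offer."""
        entry = self.client_table.get(mac)
        if entry is None:
            if not self.free:
                return None         # pool exhausted: make no offer
            entry = {"address": self.free.pop(0), "state": "OFFERED"}
            self.client_table[mac] = entry
        return {"type": "OFFER", "server": self.name,
                "address": entry["address"], "options": dict(self.options)}

    def on_request(self, mac, selected_server, address):
        """Step 4 on the selected server; other servers withdraw their offer."""
        entry = self.client_table.get(mac)
        if entry is None:
            return None
        if selected_server != self.name:
            # The client chose another server: release the reserved address.
            if entry["state"] == "OFFERED":
                self.free.insert(0, entry["address"])
                del self.client_table[mac]
            return None
        if entry["address"] != address:
            return None             # request does not match what was offered
        entry.update(state="BOUND", lease_seconds=self.lease_seconds)
        self.host_routes.add(f"{address}/32")   # host route for the client
        self.arp_table[address] = mac           # ARP entry for the client
        return {"type": "ACK", "server": self.name, "address": address,
                "lease_seconds": self.lease_seconds,
                "options": dict(self.options)}


def run_exchange(mac, servers):
    """Drive discover -> offer -> request -> acknowledgement for one client."""
    # Steps 1-2: the discover reaches every server; collect the offers.
    offers = [o for o in (s.on_discover(mac) for s in servers) if o]
    if not offers:
        return None
    # Step 3: this sample client takes the first offer. The request names the
    # selected server and is seen by all of them.
    chosen = offers[0]
    replies = [s.on_request(mac, chosen["server"], chosen["address"])
               for s in servers]
    return next((r for r in replies if r), None)


if __name__ == "__main__":
    # Constructed sample data (documentation address and MAC ranges).
    a = LocalServer("server-a", ["192.0.2.10", "192.0.2.11"], {3: "192.0.2.1"})
    b = LocalServer("server-b", ["198.51.100.10"], {3: "198.51.100.1"})
    print(run_exchange("00:00:5e:00:53:01", [a, b]))
    print(a.client_table, b.client_table)
```

After the exchange only the selected server holds a client-table entry, host route and ARP entry for the client; the other server's pool is back to its original state.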

    Providing DHCP Client Configuration Information

    When the extended DHCP application receives a response from an external authentication server, the response might include information in addition to the IP address and subnet mask. The extended DHCP application uses the information from the authentication grant for the response the DHCP application sends to the DHCP client. The DHCP application can either send the information in its original form or the application might merge the information with local configuration specifications. For example, if the authentication grant includes an address pool name and a local configuration specifies DHCP attributes for that pool, the extended DHCP application merges the authentication results and the attributes in the reply that the server sends to the client.

    A local configuration is optional; a client can be fully configured by the external authentication service. However, if the external authentication service does not provide client configuration, you must configure the local address-assignment pool to provide the configuration for the client. When a local configuration specifies options, the extended DHCP application adds the local configuration options to the offer PDU the server sends to the client. If the two sets of options overlap, the options in the authentication response from the external service take precedence.

    When you use RADIUS to provide the authentication, the additional information might be in the form of RADIUS attributes and Juniper Networks VSAs. Table 3 on page 6 lists the information that RADIUS might include in the authentication grant. See RADIUS Attributes and Juniper Networks VSAs Supported by the AAA Service Framework for a complete list of RADIUS attributes and Juniper Networks VSAs that the extended DHCP application supports for subscriber access management or DHCP management.

  • Table 3: Information in Authentication Grant

    | Attribute Number | Attribute Name | Description |
    |---|---|---|
    | RADIUS attribute 8 | Framed-IP-Address | Client IP address |
    | RADIUS attribute 9 | Framed-IP-Netmask | Subnet mask for client IP address (DHCP option 1) |
    | Juniper Networks VSA 26-4 | Primary-DNS | Primary domain server (DHCP option 6) |
    | Juniper Networks VSA 26-5 | Secondary-DNS | Secondary domain server (DHCP option 6) |
    | Juniper Networks VSA 26-6 | Primary-WINS | Primary WINS server (DHCP option 44) |
    | Juniper Networks VSA 26-7 | Secondary-WINS | Secondary WINS server (DHCP option 44) |
    | RADIUS attribute 27 | Session-Timeout | Lease time |
    | RADIUS attribute 88 | Framed-Pool | Address assignment pool name |
    | Juniper Networks VSA 26-109 | DHCP-Guided-Relay-Server | DHCP relay server |
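
An added example (not from the Juniper guide) of the merge described above: options derived from the authentication grant override overlapping options from the local address-assignment pool, using the Table 3 mapping. The function names, the pool layout and all sample values are constructed; treating lease time as DHCP option 51 comes from RFC 2132, and replacing a pool option wholesale when the grant supplies the same option code is an assumption.

```python
import ipaddress

# DHCP option codes. 1, 3, 6 and 44 are named in this guide; 51 is the
# lease-time option from RFC 2132.
SUBNET_MASK, ROUTER, DNS, WINS, LEASE_TIME = 1, 3, 6, 44, 51


def valid_ipv4(value):
    """Return the address as a string; raises ValueError if it is malformed."""
    return str(ipaddress.IPv4Address(value))


def grant_to_options(grant):
    """Translate the Table 3 attributes present in a grant into DHCP options."""
    opts = {}
    if "Framed-IP-Netmask" in grant:
        opts[SUBNET_MASK] = valid_ipv4(grant["Framed-IP-Netmask"])
    for code, names in ((DNS, ("Primary-DNS", "Secondary-DNS")),
                        (WINS, ("Primary-WINS", "Secondary-WINS"))):
        servers = [valid_ipv4(grant[n]) for n in names if n in grant]
        if servers:
            opts[code] = servers
    if "Session-Timeout" in grant:
        lease = int(grant["Session-Timeout"])
        if lease <= 0:
            raise ValueError("Session-Timeout must be a positive lease time")
        opts[LEASE_TIME] = lease
    return opts


def allocate(pool, leased):
    """Return the first address in the pool's range that is not leased."""
    low, high = (int(ipaddress.IPv4Address(a)) for a in pool["range"])
    for n in range(low, high + 1):
        candidate = str(ipaddress.IPv4Address(n))
        if candidate not in leased:
            return candidate
    raise RuntimeError("address-assignment pool exhausted")


def build_reply(grant, pools, leased=frozenset()):
    """Merge grant and local pool options; the grant wins on overlap."""
    local, pool = {}, None
    if "Framed-Pool" in grant:
        pool = pools.get(grant["Framed-Pool"])
        if pool is None:
            raise KeyError(f"grant names unknown pool {grant['Framed-Pool']!r}")
        local = dict(pool["options"])
    from_grant = grant_to_options(grant)
    if "Framed-IP-Address" in grant:
        address = valid_ipv4(grant["Framed-IP-Address"])
    elif pool is not None:
        address = allocate(pool, leased)
    else:
        # Neither source configures the client, so there is nothing to offer.
        raise ValueError("neither the grant nor a local pool supplies an address")
    return {
        "client_address": address,
        "options": {**local, **from_grant},     # grant overrides local pool
        "overridden": sorted(set(local) & set(from_grant)),
    }


# Constructed sample data (documentation address ranges).
SAMPLE_POOLS = {
    "residential": {
        "range": ("192.0.2.10", "192.0.2.12"),
        "options": {SUBNET_MASK: "255.255.255.0", ROUTER: "192.0.2.1",
                    DNS: ["192.0.2.53"], LEASE_TIME: 86400},
    },
}
SAMPLE_GRANT = {
    "Framed-IP-Address": "192.0.2.77",
    "Primary-DNS": "198.51.100.10",
    "Secondary-DNS": "198.51.100.11",
    "Session-Timeout": 3600,
    "Framed-Pool": "residential",
}

if __name__ == "__main__":
    print(build_reply(SAMPLE_GRANT, SAMPLE_POOLS))
```

The `overridden` list is useful when auditing a deployment: it shows which locally configured options a given RADIUS grant silently replaces.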

    Minimal Configuration for Clients

    The extended DHCP local server provides a minimal configuration to the DHCP client if the client does not have DHCP option 55 configured. The server provides the subnet mask of the address-assignment pool that is selected for the client. In addition to the subnet mask, the server provides the following values to the client if the information is configured in the selected address-assignment pool:

    router: A router (or switch) located on the client's subnet. This statement is the equivalent of DHCP option 3.

    domain name: The name of the domain in which the client searches for a DHCP server host. This is the default domain name that is appended to hostnames that are not fully qualified. This is equivalent to DHCP option 15.

    domain name server: A Domain Name System (DNS) name server that is available to the client to resolve hostname-to-client mappings. This is equivalent to DHCP option 6.

    DHCP Local Server and Address-Assignment Pools

    In the traditional DHCP server operation, the client address pool and client configuration information reside on the DHCP server. With the extended DHCP local server, the client address and configuration information reside in centralized address-assignment pools,

  • which are managed independently of the DHCP local server and which can be shared by different client applications.

    The extended DHCP local server also supports advanced pool matching and the use of named address ranges. You can also configure the local server to use DHCP option 82 information in the client PDU to determine which named address range to use for a particular client. The client configuration information, which is configured in the address-assignment pool, includes user-defined options, such as boot server, grace period, and lease time.

    Configuring the DHCP environment that includes the extended DHCP local server requires two independent configuration operations, which you can complete in any order. In one operation, you configure the extended DHCP local server on the router and specify how the DHCP local server determines which address-assignment pool to use. In the other operation, you configure the address-assignment pools used by the DHCP local server. The address-assignment pools contain the IP addresses, named address ranges, and configuration information for DHCP clients. See Configuring Address-Assignment Pools for details about creating and using address-assignment pools.

    NOTE: The extended DHCP local server and the address-assignment pools used by the server must be configured in the same logical system and routing instance.

    DHCP Liveness Detection

    Liveness detection for DHCP subscriber IP (or DHCP client IP) sessions utilizes an active liveness detection protocol to institute liveness detection checks for relevant clients. Clients are expected to respond to liveness detection requests within a specified amount of time. If the responses are not received within that time for a given number of consecutive attempts, then the liveness detection check fails and a failure action is implemented.

    NOTE: You can configure DHCP liveness detection either globally or per DHCP group.

    Related Documentation

    Configuring Address-Assignment Pools

    Configuring How the Extended DHCP Local Server Determines Which Address-Assignment Pool to Use on page 83

    Dynamic Profile Attachment to DHCP Subscriber Interfaces Overview

    Using External AAA Authentication Services with DHCP on page 58

    Use of DHCP Option 50 and DHCPv6 IA_NA Option to Request a Specific IP Address on page 19

    Graceful Routing Engine Switchover on page 25

    Subscriber Management Unified ISSU Support

    Tracing Extended DHCP Operations on page 395

    Verifying and Managing DHCP Local Server Configuration on page 297

    Example: Minimum Extended DHCP Local Server Configuration on page 43

    Example: Extended DHCP Local Server Configuration with Optional Pool Matching on page 43

    Example: Configuring a DHCP Firewall Filter to Protect the Routing Engine

    DHCPv6 Local Server Overview

    The DHCPv6 local server enhances the extended DHCP local server by providing support for IPv6. When a DHCPv6 client logs in, the DHCPv6 local server uses the AAA service framework to interact with the RADIUS server. The RADIUS server, which is configured independently of DHCP, authenticates the client and supplies the IPv6 prefix and client configuration parameters.

    You can configure DHCPv6 local server to communicate the following attributes to the AAA service framework and RADIUS at login time:

    Client username

    Client password

    NOTE: The client username, which uniquely identifies a subscriber or a DHCP client, must be present in the configuration in order for DHCPv6 local server to use RADIUS authentication.

    Based on the attributes that the DHCPv6 local server provides, RADIUS returns the information listed in Table 4 on page 8 to configure the client:

    Table 4: RADIUS Attributes and VSAs for DHCPv6 Local Server

    Attribute Number | Attribute Name | Description
    27 | Session-Timeout | Lease time, in seconds. If not supplied, the lease does not expire
    123 | Delegated-IPv6-Prefix | Prefix that is delegated to the client
    26-143 | Max-Clients-Per-Interface | Maximum number of clients allowed per interface

    The DHCPv6 local server is compatible with the extended DHCP local server and the extended DHCP relay agent, and can be enabled on the same interface as either the extended DHCP local server or DHCP relay agent.

    The DHCPv6 local server provides many of the same features as the extended DHCP local server, including:

    Configuration for a specific interface or for a group of interfaces

    Site-specific usernames and passwords

    Numbered Ethernet interfaces

    Statically configured CoS and filters

    AAA directed login

    Use of the IA_NA option to assign a specific address to a client

    To configure the extended DHCPv6 local server on the router (or switch), you include the dhcpv6 statement at the [edit system services dhcp-local-server] hierarchy level. See the [edit system services dhcp-local-server] Hierarchy Level for the complete DHCP local server syntax, including the DHCPv6 syntax.

    You can also include the dhcpv6 statement at the following hierarchy levels:

    [edit logical-systems logical-system-name system services dhcp-local-server]

    [edit logical-systems logical-system-name routing-instances routing-instance-name system services dhcp-local-server]

    [edit routing-instances routing-instance-name system services dhcp-local-server]

    Related Documentation

    Extended DHCP Local Server Overview on page 4

    Using External AAA Authentication Services with DHCP on page 58

    Grouping Interfaces with Common DHCP Configurations on page 60

    Group-Specific DHCP Local Server Options on page 11

    Overriding Default DHCP Local Server Configuration Settings on page 63

    Configuring Passwords for Usernames on page 80

    Creating Unique Usernames for DHCP Clients on page 81

    Use of DHCP Option 50 and DHCPv6 IA_NA Option to Request a Specific IP Address on page 19

    Verifying and Managing DHCPv6 Local Server Configuration on page 297

    Example: Extended DHCPv6 Local Server Configuration

    DHCP Local Server Handling of Client Information Request Messages

    DHCP clients that already have externally provided addresses may solicit further configuration information from a DHCP server by sending a DHCP information request that indicates what information is desired. By default, DHCP local server and DHCPv6 local server ignore any DHCP information requests that they receive. You can override this default behavior to enable processing of these messages. Include the process-inform statement at the [edit system services dhcp-local-server overrides] or [edit system services dhcp-local-server dhcpv6 overrides] hierarchy level.

    By default, DHCP relay and DHCP relay proxy automatically forward DHCP information request messages without modification if the messages are received on an interface configured for a DHCP server group. DHCP relay and relay proxy drop information request messages received on any other interfaces. You cannot disable this default DHCP relay and relay proxy behavior.

    The information requested by these clients has typically been configured with the dhcp-attributes statement for an address pool defined by the address-assignment pool pool-name statement at the [edit access] hierarchy level.

    When you enable processing of DHCP information requests, you can optionally specify the name of the pool from which the local server retrieves the requested configuration information for the client. If you do not specify a local pool, then the local server requests that AAA selects and returns only the name of the relevant pool.

    DHCP local server responds to the client with a DHCP acknowledgment message that includes the requested information, if it is available. DHCPv6 local server responds in the same manner but uses a DHCP reply message. No subscriber management or DHCP-management is applied as a result of the DHCP information request message.

    NOTE: PPP interfaces are not supported on EX Series switches.

    When DHCPv6 is configured over PPP interfaces, the PPP RADIUS authentication data can be used to select the pool from which the response information is taken. Additionally other RADIUS attributes can also be inserted into the DHCPv6 reply message. If an overlap exists between RADIUS attributes and local pool attributes, the RADIUS values are used instead of the local configuration data. If no RADIUS information is received from the underlying PPP interface, then the behavior is the same as described previously for non-PPP interfaces.

    Related Documentation

    Overriding Default DHCP Local Server Configuration Settings on page 63

    Enabling Processing of Client Information Requests on page 67

    DHCP Duplicate Client Differentiation Using Client Subinterface Overview

    In some network environments, client IDs and MAC addresses might not be unique, resulting in duplicate clients. For example, two network adapters might be manufactured with the same hardware address, resulting in a duplicate MAC address among the DHCP clients attached to the router (or switch). A duplicate DHCP client occurs when a client attempts to get a lease, and that client has the same client ID or the same MAC address as an existing DHCP client.

    When DHCP server receives a request from a new client that has a duplicate ID or MAC address, DHCP server terminates the address lease for the existing client and returns the address to its original address pool. DHCP server then assigns a new address and lease to the new client.

    By default, both DHCP local server and DHCP relay use the subnet information to differentiate between duplicate clients. However, in some cases, this level of differentiation is not adequate. For example, when multiple subinterfaces share the same underlying loopback interface with the same preferred source address, the interfaces appear to be on the same subnet. In this situation, the default configuration prevents duplicate clients.

    You can provide greater differentiation between duplicate clients by configuring DHCP to consider the client subinterface when duplicate clients occur. In this optional configuration, DHCP uniquely identifies:

    The subnet on which the client resides

    The subinterface on which the client resides

    The client within the subnet
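    The difference between the two keyings described above can be seen in a small model of a lease table. This is an added example, not Junos code: the class, the function names, the address pool, the MAC address and the interface names are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Request:
    client_id: str       # client ID or MAC address sent by the client
    subnet: str          # subnet the request appears to come from
    subinterface: str    # client-facing subinterface it arrived on


class BindingTable:
    """Toy lease table; use_subinterface switches between the two keyings."""

    def __init__(self, pool: str, use_subinterface: bool = False):
        self.free = [str(h) for h in ip_network(pool).hosts()]
        self.use_subinterface = use_subinterface
        self.bindings = {}      # key -> (address, Request)
        self.terminated = []    # (address, Request) leases ended as duplicates

    def _key(self, req: Request):
        # Default: subnet + client. Optional: subnet + subinterface + client.
        if self.use_subinterface:
            return (req.subnet, req.subinterface, req.client_id)
        return (req.subnet, req.client_id)

    def lease(self, req: Request) -> str:
        key = self._key(req)
        held = self.bindings.get(key)
        if held is not None:
            address, holder = held
            if holder == req:
                return address               # same client asking again
            # Duplicate: end the existing lease, return its address to the pool.
            self.terminated.append(held)
            self.free.append(address)
        if not self.free:
            raise RuntimeError("address pool exhausted")
        address = self.free.pop(0)
        self.bindings[key] = (address, req)
        return address


def run(use_subinterface: bool):
    # Constructed scenario: two adapters share one MAC address and sit on two
    # subinterfaces that appear to be on the same subnet.
    table = BindingTable("192.0.2.0/29", use_subinterface)
    first = Request("00:00:5e:00:53:01", "192.0.2.0/29", "ge-0/0/1.100")
    second = Request("00:00:5e:00:53:01", "192.0.2.0/29", "ge-0/0/1.200")
    return table, table.lease(first), table.lease(second)
```

    With the default keying the second request ends the first client's lease, so only one binding survives; with the subinterface in the key both clients stay bound.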

    Related Documentation

    Configuring DHCP Duplicate Client Support on page 60

    Guidelines for Configuring Support for DHCP Duplicate Clients on page 59

    Group-Specific DHCP Local Server Options

    You can include the following statements at the [edit system services dhcp-local-server group group-name] hierarchy level to set group-specific DHCP local server configuration options, and at the [edit system services dhcp-local-server] hierarchy level to set global DHCP local server configuration options. Statements configured at the [edit system services dhcp-local-server group group-name] hierarchy level apply only to the named group of interfaces, and override any global DHCP local server settings configured with the same statements at the [edit system services dhcp-local-server] hierarchy level.

    DHCPv6 local server supports the same set of statements with the exception of the dynamic-profile statement.

    authentication: Configure the parameters the router sends to the external AAA server.

    dynamic-profile: Specify the dynamic profile that is attached to a group of interfaces.

    interface: Specify one or more interfaces, or a range of interfaces, that are within the specified group.

    overrides: Override the default configuration settings for the extended DHCP local server. For information, see Overriding Default DHCP Local Server Configuration Settings on page 63.

    Related Documentation

    Grouping Interfaces with Common DHCP Configurations on page 60

    Understanding Dynamic Reconfiguration of Extended DHCP Local Server Clients

    Dynamic reconfiguration of clients enables the extended DHCP local server to initiate a client update without waiting for the client to initiate a request.

    Default Client/Server Interaction

    Typically the DHCP client initiates all of the basic DHCP client/server interactions. The DHCP server sends information to a client only in response to a request from that client. This behavior does not enable a client to be quickly updated with its network address and configuration in the event of server changes:

    NOTE: Technically, the DHCP client/server interactions are the same on routers and switches. However, the primary usage of this technology on the routers is for subscriber management. The switches are not used for subscriber management. Therefore, this topic provides two sample scenarios. The actions are the same, but the implementation details are different.

    On routers: Suppose a service provider restructures its addressing scheme or changes the server IP addresses that it provided to clients. Without dynamic reconfiguration, the service provider typically clears the DHCP server binding table, but cannot inform the DHCP clients that their bindings have been cleared. Consequently, the DHCP client operates as though its IP address is still valid, but it is now unable to communicate over the access network, resulting in an outage. The DHCP local server needs to wait for the client to send a message to renew its lease or rebind to the server. In response, the server sends a NAK message to the client to force it to begin the DHCP connection process again. Alternatively, the provider can wait for customers to make a service call about the network failures and then instruct them to power cycle their customer premises equipment to reinitiate the connection. Neither of these actions is timely or convenient for customers.

    On switches: Suppose you restructure the addressing scheme or change the server IP addresses that the DHCP server provides to clients. Without dynamic reconfiguration, the network typically clears the DHCP server binding table, but cannot inform the DHCP clients that their bindings have been cleared. Consequently, the DHCP client operates as though its IP address is still valid, but it is now unable to communicate over the access network, resulting in an outage. The DHCP local server needs to wait for the client to send a message to renew its lease or rebind to the server. In response, the server sends a NAK message to the client to force it to begin the DHCP connection process again. Alternatively, you can wait for users to notify you of the network failures and then instruct them to power cycle their equipment to reinitiate the connection. Neither of these actions is timely or convenient for users.

    Dynamic Client/Server Interaction for DHCPv4

    Dynamic reconfiguration for DHCPv4 is available through a partial implementation of RFC 3203, DHCP Reconfigure Extension for DHCPv4. It enables the DHCPv4 local server to send a message to the client to force reconfiguration.

    The server sends a forcerenew message to a DHCPv4 client, initiating a message exchange. In response, DHCPv4 clients that support the forcerenew message then send a lease renewal message to the server. The server rejects the lease renewal request and sends a NAK to the client, causing the client to reinitiate the DHCP connection. A successful reconnection results in the reconfiguration of the DHCP client. Only the exchange of forcerenew, renew, and NAK messages is supported from RFC 3202. DHCP relay and DHCP relay proxy do not participate in the client reconfiguration or react to forcerenew messages other than to forward them to the client.

    When the local server state machine starts the reconfiguration process on a bound client, the client transitions to the reconfiguring state and the local server sends a forcerenew message to the client. Because the client was in the bound state before entering the reconfiguring state, all subscriber services or DHCP-managed services, such as forwarding and statistics, continue to work. Client statistics are not maintained in the interval between a successful reconfiguration and the subsequent client binding. When the server responds to the client renewal request with a NAK, the client entry is removed from the binding table and final statistics are reported. New statistics are collected when the client sends a discover message to establish a new session.

    Dynamic Client/Server Interaction for DHCPv6

    Dynamic reconfiguration for DHCPv6 is available through a partial implementation of RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6). It enables the DHCPv6 local server to send a message to the client to force reconfiguration.

    DHCPv6 servers send reconfigure messages to DHCPv6 clients, initiating a message exchange. In response, DHCPv6 clients that support the reconfigure message transition to the renewing state and send a renew message to the server. The server returns a reply message with a lifetime of zero (0). The client transitions to the init state and sends a solicit message. The server sends an advertise message to indicate that it is available for service. The client sends a request for configuration parameters, which the server then includes in its reply. DHCP relay and DHCP relay proxy do not participate in the client reconfiguration or react to reconfigure messages other than to forward them to the client.

    When a DHCPv6 server is triggered to initiate reconfiguration on a bound DHCPv6 client, the client transitions to the reconfigure state. All subscriber services, such as forwarding and statistics, continue to work. The server then sends the reconfigure message to the client. If the DHCPv6 client is already in the reconfigure state, the DHCPv6 server ignores the reconfiguration trigger. For clients in any state other than bound or reconfigure, the server clears the binding state of the client, as if the clear dhcpv6 server binding command had been issued.

    Dynamic Configuration Options

    You can enable dynamic reconfiguration for all DHCP clients or only the DHCP clients serviced by a specified group of interfaces, and you can modify the behavior accordingly.

    To enable dynamic reconfiguration with default reconfiguration values for all DHCP clients, include the reconfigure statement at the [edit system services dhcp-local-server] hierarchy level for DHCPv4 clients, and at the [edit system services dhcp-local-server dhcpv6] hierarchy level for DHCPv6 clients.

    Alternatively, to enable dynamic reconfiguration for only the DHCP clients serviced by a specified group of interfaces, include the reconfigure statement at the [edit system services dhcp-local-server group group-name] hierarchy level for DHCPv4 clients, and at the [edit system services dhcp-local-server dhcpv6 group group-name] hierarchy level for DHCPv6 clients.

    You can optionally modify the behavior of the reconfiguration process by including the appropriate statements at the [edit system services dhcp-local-server reconfigure] hierarchy level for all DHCPv4 clients, and at the [edit system services dhcp-local-server dhcpv6 reconfigure] hierarchy level for all DHCPv6 clients. To override this global configuration for only the DHCP clients serviced by a specified group of interfaces, you can include the statements with different values at the [edit system services dhcp-local-server group group-name reconfigure] hierarchy level for DHCPv4 clients, and at the [edit system services dhcp-local-server dhcpv6 group group-name reconfigure] hierarchy level for DHCPv6 clients.

    Include the attempts statement to specify how many times the local server sends the forcerenew or reconfigure message to initiate client reconfiguration. Include the timeout statement to set the interval between the first and second attempts. The interval between each subsequent attempt doubles the previous value. For example, if the first value is 2, the first retry is attempted 2 seconds after the first attempt fails. The second retry is attempted 4 seconds after the first retry fails. The third retry is attempted 8 seconds after the second retry fails, and so on.

    By default, the DHCP client's original configuration is restored if all of the reconfiguration attempts fail. Include the clear-on-abort statement to delete the client instead.

    You can configure an authentication token by including the token statement. The DHCP local server then includes this token inside the authentication option when it sends forcerenew or reconfigure messages. If the service provider has previously configured the DHCP client with this token, then the client can compare that token against the newly received token, and reject the message if the tokens do not match. This functionality corresponds to RFC 3118, Authentication for DHCP Messages, section 4.
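    The client-side token comparison described above, for a DHCPv4 forcerenew, as an added example that is not Junos or vendor code. The option 90 layout follows RFC 3118 section 4 and message type 9 comes from RFC 3203; the function names and the sample token are assumptions made for illustration.

```python
import hmac
import struct

DHCP_MSG_TYPE = 53        # option 53: DHCP message type
DHCP_AUTH = 90            # option 90: authentication (RFC 3118)
FORCERENEW = 9            # message type defined by RFC 3203
PROTO_CONFIG_TOKEN = 0    # RFC 3118 section 4: configuration token


def parse_options(raw: bytes) -> dict:
    """Walk a DHCPv4 options field (after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % code)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def build_auth_option(token: bytes) -> bytes:
    """Option 90 carrying a configuration token: protocol, algorithm and RDM
    are 0, the 8-byte replay detection field is 0, then the token itself."""
    body = struct.pack("!BBB8s", PROTO_CONFIG_TOKEN, 0, 0, bytes(8)) + token
    return bytes([DHCP_AUTH, len(body)]) + body


def accept_forcerenew(options: bytes, expected_token: bytes) -> bool:
    """Client-side decision: honour a forcerenew only if its token matches."""
    if not expected_token:
        return False                          # no token provisioned
    try:
        opts = parse_options(options)
    except ValueError:
        return False                          # malformed options field
    if opts.get(DHCP_MSG_TYPE) != bytes([FORCERENEW]):
        return False
    auth = opts.get(DHCP_AUTH)
    if auth is None or len(auth) < 11:        # 3 header bytes + 8 replay bytes
        return False
    if (auth[0], auth[1], auth[2]) != (PROTO_CONFIG_TOKEN, 0, 0):
        return False
    # Constant-time comparison of the received token with the provisioned one.
    return hmac.compare_digest(auth[11:], expected_token)


def sample_forcerenew(token=None) -> bytes:
    """Constructed options field: message type 9, optional option 90, End."""
    auth = build_auth_option(token) if token is not None else b""
    return bytes([DHCP_MSG_TYPE, 1, FORCERENEW]) + auth + b"\xff"
```

    The configuration token travels in cleartext and gives no message integrity, so per RFC 3118 it protects mainly against inadvertently instantiated servers rather than an on-path sender.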

    In the event of a RADIUS-initiated disconnect (RID), the client is deleted by default. You can configure the client to be reconfigured instead of deleted by including the radius-disconnect statement. The client is deleted if all attempts to reconfigure the client fail.

    For the DHCPv6 server only, you can include the strict statement. By default, the server accepts solicit messages from clients that do not support server-initiated reconfiguration. Including this statement causes the server to discard solicit messages from nonsupporting clients; consequently the server does not bind these clients.

    You can force the local server to initiate the reconfiguration process for clients by issuing the request dhcp server reconfigure command for DHCPv4 clients, and the request dhcpv6 server reconfigure command for DHCPv6 clients. Command options determine whether reconfiguration is then attempted for all clients or specified clients.

    Events that take place while a reconfiguration is in process take precedence over the reconfiguration. Table 5 on page 15 lists the actions taken in response to several different events.

    Table 5: Action Taken for Events That Occur During a Reconfiguration

    Event | Action
    Server receives a discover (DHCPv4) or solicit (DHCPv6) message from the client. | Server drops packet and deletes client.
    Server receives a request, renew, rebind, or init-reboot message from the client. | DHCPv4: Server sends NAK message and deletes client. DHCPv6: Server drops packet and deletes client. Server replies to renew message with lease time of zero (0).
    Server receives a release or decline message from the client. | Server deletes client.
    The client lease times out. | Server deletes client.
    The clear dhcp server binding command is issued. | Server deletes client.
    The request dhcp server reconfigure (DHCPv4) or request dhcpv6 server reconfigure (DHCPv6) command is issued. | Command is ignored.
    GRES or DHCP restart occurs. | Reconfiguration process is halted.

    Related Documentation

    Configuring Extended DHCP Local Server Dynamic Client Reconfiguration on page 70

    DHCP Snooping Support

    DHCP snooping provides DHCP security on the router or switch by filtering incoming messages. When DHCP snooping is enabled, the router (or switch) differentiates between trusted and untrusted interfaces, and forwards messages from trusted sources while rejecting the untrusted messages.

    In Junos OS, DHCP snooping is enabled in a routing instance when you configure either the dhcp-relay statement at the [edit forwarding-options] hierarchy level, or the dhcp-local-server statement at the [edit system services] hierarchy level in that routing instance. However, depending on the Junos OS release, the router processes the snooped packets differently, as described in the following list:

    In Junos OS Release 10.0 and earlier, the router processes snooped packets normally.

    In Junos OS Release 10.1 and later (and in Junos OS Release 12.3R2 on EX Series switches), the router (or switch) discards snooped packets by default. To enable normal processing of snooped packets in Junos OS Release 10.1 and later (and in Junos OS Release 12.3R2 on EX Series switches), you must explicitly configure the allow-snooped-clients statement at the [edit forwarding-options dhcp-relay] hierarchy level.

    You can configure DHCP snooping support for the following:

    DHCPv4 relay agent: Override the router's (or switch's) default snooping configuration and specify that DHCP snooping is enabled or disabled globally, for a named group of interfaces, or for a specific interface within a named group.

    In a separate procedure, you can set a global configuration to specify whether the DHCPv4 relay agent forwards or drops snooped packets for all interfaces, only configured interfaces, or only nonconfigured interfaces. The router (or switch) also uses the global DHCP relay agent snooping configuration to determine whether to forward or drop snooped BOOTREPLY packets.

    DHCPv6 relay agent: As you can with snooping support for the DHCPv4 relay agent, you can override the default DHCPv6 relay agent snooping configuration on the router (or switch) to explicitly enable or disable snooping support globally, for a named group of interfaces, or for a specific interface with a named group of interfaces.

    In multi-relay topologies where more than one DHCPv6 relay agent is between the DHCPv6 client and the DHCPv6 server, snooping enables intervening DHCPv6 relay agents between the client and the server to correctly receive and process the unicast traffic from the client and forward it to the server. The DHCPv6 relay agent snoops incoming unicast DHCPv6 packets by setting up a filter with UDP port 547 (the DHCPv6 UDP server port) on a per-forwarding table basis. The DHCPv6 relay agent then processes the packets intercepted by the filter and forwards the packets to the DHCPv6 server.

    Unlike the DHCPv4 relay agent, the DHCPv6 relay agent does not support global configuration of forwarding support for DHCPv6 snooped packets.

    DHCP local