When considering DHCP options, which of the following has the highest precedence?
Centrally Configure DHCP Options on a RADIUS Server

DHCP management on Junos OS devices supports central configuration of DHCP options directly on the RADIUS server (RADIUS-sourced options) as well as traditional client-sourced options configuration. Read the following sections for information on central configuration of DHCP options on the RADIUS server.
RADIUS-Sourced Options

Subscriber management (on the routers) or DHCP management (on the switches) enables you to centrally configure DHCP options on a RADIUS server and then distribute the options on a per-subscriber or per-DHCP-client basis. This method results in RADIUS-sourced DHCP options—the DHCP options originate at the RADIUS server and are sent to the subscriber (or DHCP client). This differs from the traditional client-sourced method (also called DHCP-sourced) of configuring DHCP options, in which the options originate at the client and are sent to the RADIUS server. The subscriber management (DHCP management) RADIUS-sourced DHCP options are also considered to be opaque, because DHCP local server performs minimal processing and error checking for the DHCP options string before passing the options to the subscriber (DHCP client).

Subscriber management (or DHCP management) uses Juniper Networks VSA 26-55 (DHCP-Options) to distribute the RADIUS-sourced DHCP options. The RADIUS server includes VSA 26-55 in the Access-Accept message that the server returns during subscriber authentication or DHCP client authentication. The RADIUS server sends the Access-Accept message to the RADIUS client, and then on to DHCP local server for return to the DHCP subscriber. The RADIUS server can include multiple instances of VSA 26-55 in a single Access-Accept message. The RADIUS client concatenates the multiple instances and uses the result as a single instance.

There is no CLI configuration required to enable subscriber management (DHCP management) to use the centrally configured DHCP options—the procedure is triggered by the presence of VSA 26-55 in the RADIUS Access-Accept message.

When building the offer packet for the DHCP client, DHCP local server uses the following sequence:
Client-Sourced Options Configuration

In addition to supporting central configuration of DHCP options directly on the RADIUS server (RADIUS-sourced options), subscriber management (DHCP management) also supports the traditional client-sourced options configuration, in which the router’s (switch’s) DHCP component sends the options to the RADIUS server. The client-sourced DHCP options method is supported for both DHCP local server and DHCP relay agent; however, the RADIUS-sourced central configuration method is supported on DHCP local server only. Both the RADIUS-sourced and client-sourced methods support DHCPv4 and DHCPv6 subscribers (clients).

Note: You can use the RADIUS-sourced and client-sourced methods simultaneously on DHCP local server. However, you must ensure that the central configuration method does not include options that override client-sourced DHCP options, because this can create unpredictable results.

Data Flow for RADIUS-Sourced DHCP Options

Figure 1 shows the procedure subscriber management (DHCP management) uses when configuring DHCP options for subscribers (DHCP clients).

Figure 1: DHCP Options Data Flow

The following general sequence describes the data flow when subscriber management (DHCP management) uses RADIUS-sourced DHCP options and VSA 26-55 to configure a DHCP subscriber (client):
Multiple VSA 26-55 Instances Configuration

VSA 26-55 supports a maximum size of 247 bytes. If your RADIUS-sourced DHCP options field is greater than 247 bytes, you must break the field up and manually configure multiple instances of VSA 26-55 for the RADIUS server to return. When using multiple instances for an options field, you must place the instances in the packet in the order in which the fragments are to be reassembled by the RADIUS client. The fragments can be of any size of 247 bytes or less.

Best Practice: For ease of configuration and management of your DHCP options, you might want to have one DHCP option per VSA 26-55 instance, regardless of the size of the option field.

When the RADIUS client returns a reassembled opaque options field in an accounting request to the RADIUS server, the client uses 247-byte fragments. If you had originally created instances of fewer than 247 bytes, the returned fragments might not be the same as you originally configured on the RADIUS server.

Note: If you are configuring Steel-Belted Radius (SBR) to support multiple VSA 26-55 instances, ensure that you specify VSA 26-55 with the

DHCP Options That Cannot Be Centrally Configured

Table 1 shows the DHCP options that you must not centrally configure on the RADIUS server.

Table 1: Unsupported Opaque DHCP Options
Exchange of DHCPv4 and DHCPv6 Parameters with the RADIUS Server Overview

The RADIUS server, which is configured independently of DHCPv4 and DHCPv6, authenticates clients and supplies the IPv4 or IPv6 prefix and client configuration parameters. To establish the client sessions on the network, the DHCPv4 and DHCPv6 parameters are sent from the client device through the DHCP (either DHCPv4 or DHCPv6) server to the RADIUS server and vice versa. Starting in Junos OS Release 17.4R1, the exchange of parameters is enhanced with the introduction of several new vendor-specific attributes (VSAs) and changes to the existing DHCP-Options VSA (26-55).

An immediate interim accounting report is sent to the RADIUS server when configurable events occur, such as a change in family state. When these events occur, the RADIUS server has no direct way to determine the reason for the report. You can use the Acct-Request-Reason VSA (26-210) to send the reason in the start accounting report as well as in the immediate interim accounting report.

The broadband network gateway (BNG) sends an interim accounting report to the RADIUS server whenever the second family (either IPv4 or IPv6) of a dual-stack session (DHCPv4, DHCPv6, or PPPoE) is activated or the first family (either IPv4 or IPv6) of a dual-stack session (DHCPv4, DHCPv6, or PPPoE) is deactivated. For the immediate interim accounting report to be sent, configure the

The following VSAs are used for exchanging the client parameters with the RADIUS server:
Differentiating Subscriber Classes with DHCPv6 Option 17 and VSA 26-207

Starting in Junos OS Release 18.3R1, you can use the DHCPv6-Options VSA (26-207) to differentiate between different classes of subscribers during DHCPv6 relay authentication. For example, you may want to assign different IPv6 prefixes to different subscriber classes. You must configure your RADIUS server to include the following information in the VSA:
Note: To configure this information, refer to the documentation for your RADIUS server. You must encode the information in the DHCPv6 options format in RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6).

You set a different value for suboption 5 for each class you want to differentiate. You develop your own scheme to determine the mapping between value and class.

VSA 26-207 conveys the subscriber class information in the Access-Accept message returned by the RADIUS server during DHCPv6 subscriber authentication. The contents of the VSA are passed from the AAA process to the DHCP process in the session database attribute, SDB_SERVER_DHCPV6_OPTIONS. The DHCPv6 relay agent extracts the information from the SDB attribute and places it in DHCPv6 option 17. The relay agent subsequently passes option 17 to the DHCPv6 local server in the Relay-Forward header. The local server can then return the relay agent configuration and service information specific to the relevant subscriber classes.

In releases earlier than Junos OS 18.3R1, only the DHCP local server supports VSA 26-207. Only suboption 1 (JDHCPD_VS_OPT_CODE_HOST_NAME) and suboption 4 (JDHCPD_VS_OPT_CODE_LOCATION_NAME) are supported. The DHCP relay agent also discards the SDB_SERVER_DHCPV6_OPTIONS attribute if it is received.

Suboptions received from RADIUS have a higher precedence than the information configured locally. For example, if the host name and the location are configured with the

Excluding the VSAs from RADIUS Messages

You can exclude any of these VSAs from being sent by using the

[edit access profile profile-name radius attributes]
user@host# set exclude acct-request-reason [accounting-start | accounting-stop]
user@host# set exclude dhcp-header [access-request]
user@host# set exclude dhcpv6-header [access-request]
user@host# set exclude dhcpv6-options [access-request | accounting-start | accounting-stop]

Dedicated Session Database and Vendor-Specific Attributes for DHCPv4 and DHCPv6 Subscribers

The Dynamic Host Configuration Protocol (DHCP) server can serve as a DHCP local server, a DHCP client, or a DHCP relay agent, for both DHCPv4 and DHCPv6 subscribers. Currently, some of the client parameters—for example, the DHCPv4 and DHCPv6 packet header—cannot be passed to and from the RADIUS server. From Junos OS Release 17.4 onward, enhancements are made to facilitate better communication between the DHCP servers (both DHCPv4 and DHCPv6) and the RADIUS server. The client parameters are saved in a session database and sent to the RADIUS server; and the RADIUS server, in turn, authenticates the client and also responds with the options to be sent back to that client.
Client Options

The client options can be configured in multiple locations such as DHCPv4 or DHCPv6 servers, or in the RADIUS server. If the client configuration is available in multiple locations, a conflict can arise regarding the source of the configuration details. In case of such conflicts, the following order of preference is considered:
As an example of the aforementioned preference, consider the case of DHCPv4 lease time. If the

Similarly, for DHCPv6 lease time, the first preference is given to the

Exchange of DHCPv4 Client, DHCPv4 Server, and RADIUS-Sourced Options

The following steps illustrate the process of exchange of configuration options between a DHCPv4 client, a DHCPv4 server, and the RADIUS server:
Exchange of DHCPv6 Client, DHCPv6 Server, and RADIUS-Sourced Options

The following steps illustrate the process of exchange of configuration options between a DHCPv6 client, a DHCPv6 server, and the RADIUS server:
Monitoring DHCP Options Configured on RADIUS Servers
Purpose

View information for DHCP options that are centrally configured on a RADIUS server and that are distributed using Juniper Networks VSA 26-55 (DHCP-Options).

Action

To display information for opaque DHCP options:

user@host> show subscribers detail
Type: DHCP
IP Address: 192.168.9.7
IP Netmask: 255.255.0.0
Logical System: default
Routing Instance: default
Interface: demux0.1073744127
Interface type: Dynamic
Dynamic Profile Name: dhcp-prof-23
MAC Address: 00:00:5E:00:53:98
State: Active
Radius Accounting ID: jnpr :2304
Session Timeout (seconds): 3600
Idle Timeout (seconds): 600
Login Time: 2011-08-25 14:43:52 PDT
DHCP Options: len 52
35 01 01 39 02 02 40 3d 07 01 00 10 94 00 00 08 33 04 00 00 00 3c 0c 15 63 6c 69 65 6e 74 5f 50 6f 72 74 20 2f 2f 36 2f 33 2d 37 2d 30 37 05 01 06 0f 21 2c

Meaning

DHCP Options: len 52
35 01 01 39 02 02 40 3d 07 01 00 10 94 00 00 08 33 04 00 00 00 3c 0c 15 63 6c 69 65 6e 74 5f 50 6f 72 74 20 2f 2f 36 2f 33 2d 37 2d 30 37 05 01 06 0f 21 2c

The DHCP options output provides the following information:
The number of hex values that make up a particular DHCP option varies, depending on the length of the option. For example, the first DHCP option specified in the output includes three sets of hex values ( In the second DHCP option specification ( The third DHCP option is specified by the hex values Table 2 describes the first two options in more detail.

Table 2: DHCP Options Description
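Because DHCP local server does minimal error checking on the opaque string, it is worth validating an options string and its split into VSA 26-55 instances before loading it on the RADIUS server. The following Python is an added example, not Juniper code: it decodes the 52-byte string from the output above and applies the 247-byte and ordering rules from the multiple-instances section. The function names are illustrative, and the pad/end handling assumes standard DHCPv4 option encoding (RFC 2132).

```python
# Added example: function names are illustrative, not Junos or RADIUS-server APIs.
MAX_VSA = 247  # maximum VSA 26-55 size stated on this page

# Hex string copied from the "DHCP Options: len 52" line of the output above.
SAMPLE = bytes.fromhex(
    "35 01 01 39 02 02 40 3d 07 01 00 10 94 00 00 08 33 04 00 00 00 3c "
    "0c 15 63 6c 69 65 6e 74 5f 50 6f 72 74 20 2f 2f 36 2f 33 2d 37 2d 30 "
    "37 05 01 06 0f 21 2c"
)

def parse_options(blob):
    """Split a DHCPv4 options string into (code, value) pairs; reject bad lengths."""
    opts, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == 255:            # End option: nothing after it is parsed
            break
        if code == 0:              # Pad option: a single byte with no length
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code} at offset {i} has no length byte")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} at offset {i} overruns the string")
        opts.append((code, value))
        i += 2 + length
    return opts

def to_instances(blob):
    """One option per VSA 26-55 instance, in order; oversized options are split."""
    out = []
    for code, value in parse_options(blob):
        tlv = bytes([code, len(value)]) + value
        out += [tlv[j:j + MAX_VSA] for j in range(0, len(tlv), MAX_VSA)]
    return out

def reassemble(instances):
    """Concatenate instances in packet order, as the RADIUS client does."""
    if any(len(f) > MAX_VSA for f in instances):
        raise ValueError("instance exceeds 247 bytes")
    return b"".join(instances)

def accounting_fragments(blob):
    """Fixed 247-byte fragments, as returned in an accounting request."""
    return [blob[j:j + MAX_VSA] for j in range(0, len(blob), MAX_VSA)]

if __name__ == "__main__":
    for code, value in parse_options(SAMPLE):
        print(f"option {code:3d} len {len(value):2d} value {value.hex(' ')}")
```

For the sample, `to_instances` yields six instances while `accounting_fragments` yields a single 52-byte fragment, which is the mismatch between configured and returned fragments that the best-practice note describes.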
Release History Table

18.3R1: Starting in Junos OS Release 18.3R1, you can use the DHCPv6-Options VSA (26-207) to differentiate between different classes of subscribers during DHCPv6 relay authentication.
17.4R1: Starting in Junos OS Release 17.4R1, the exchange of parameters is enhanced with the introduction of several new vendor-specific attributes (VSAs) and changes to the existing DHCP-Options VSA (26-55).

What is the correct order for the DHCP process?

DHCP operations fall into four phases: server discovery, IP lease offer, IP lease request, and IP lease acknowledgement. These stages are often abbreviated as DORA for discovery, offer, request, and acknowledgement.
What are the 4 types of DHCP packets?

The complete DHCP exchange involves four types of packets: Discover, for your computer to locate the DHCP server; Offer, for the server to offer an IP address; Request, for your computer to ask for an offered address; and Ack, for the server to grant the address lease.
What are the options for DHCP?

Common options:
DHCP option 1: subnet mask to be applied on the interface asking for an IP address.
DHCP option 3: default router or last resort gateway for this interface.
DHCP option 6: which DNS (Domain Name Server) to include in the IP configuration for name resolution.
DHCP option 51: lease time for this IP address.

What is best practice for DHCP lease time?

Generally, the recommended time to lease an IP address is 48 hours (172800 seconds) to renew the IP address once a day. After applying the specified parameters, clients will receive an IP address for 1 minute, after which they will send a request to the DHCP server for a new IP address every 30 seconds.