Configuring DHCP with CLI

This section provides information to configure DHCP using the command line interface.

Common Configuration Tasks

Topics in this section are:

Enabling DHCP Snooping

DHCP snooping is the process of copying DHCP packets and using the contained information for internal purposes.The BSA and BSR can use the snooped DHCP information to build anti-spoofing filters, populate the ARP table, send ARP replies, etc.

For VPLS, DHCP snooping must be explicitly enabled (using the snoop command) on the SAP or SDP where DHCP messages ingress the VPLS instance. It is recommended to enable snooping on both the interface to the DHCP server (to snoop ACK messages) and the interface to the subscriber (to snoop RELEASE messages).

For IES and VPRN IP interfaces (VPRN is supported on the 7750 SR only), lease-populate enables DHCP snooping for the subnets defined under the IP interface. The number of allowed simultaneous DHCP sessions on a SAP or interface can be limited using the lease-populate command with the parameter number-of-entries specified. Enabling lease-populate and snoop commands is effectively enabling “standard subscriber management” as described in Standard and Enhanced Subscriber Management.

The following output displays an example of a partial BSA configuration with DHCP snooping enabled in a service:

*A:ALA-48>config>service# info
----------------------------------------------
...
vpls 600 customer 701 create
sap 1/1/4:100 split-horizon-group "DSL-group2" create
description "SAP towards subscriber"
dhcp
lease-populate 1
option
action replace
circuit-id
no remote-id
exit
no shutdown
exit
exit
mesh-sdp 2:800 create
dhcp
snoop
exit
exit
no shutdown
exit
...
----------------------------------------------
*A:ALA-48>config>service#

Configuring Option 82 Handling

Option 82, or “Relay Information Option” is a field in DHCP messages used to identify the subscriber. The Option 82 field can already be filled in when a DHCP message is received at the router, or it can be empty. If the field is empty, the router should add identifying information (circuit ID, remote ID or both). If the field is not empty, the router can decide to replace it.

The following example displays an example of a partial BSA configuration with Option 82 adding on a VPLS service. Snooping must be enabled explicitly on a SAP.

A:ALA-1>config>service>vpls#
----------------------------------------------
no shutdown
description "Default tls description for service id 1"
sap 1/1/11 split-horizon-group "2dslam" create
dhcp
no description
snoop
no lease-populate
option
action replace
circuit-id ascii-tuple
no remote-id
exit
no shutdown
exit
exit
----------------------------------------------
A:ALA-1>config>service>vpls#

Enabling DHCP Relay

Lease populate and DHCP relay are different features in which are not both required to be enabled at the same time. DHCP relay can be performed without populating lease tables.

The following example displays DHCP relay configured on an IES interface:

A:ALA-48>config>service>ies>if# info
----------------------------------------------
address 10.10.42.41/24
local-proxy-arp
proxy-arp
policy-statement "ProxyARP"
exit
sap 1/1/7:0 create
anti-spoof ip
exit
arp-populate
dhcp
description "relay_ISP1"
server 10.200.10.10 10.200.10.20
lease-populate 1
no shutdown
exit
----------------------------------------------
A:ALA-48>config>service>ies>if#

Configuring Local User Database Parameters

A local user data base defines a collection of host entries. There are two types of hosts: PPP and IPoE. A local user database can be used to:

  1. Authenticate PPP clients. For this only the host entries configured in the ppp CLI are matched.
  2. Authenticate IPoE hosts (DHCPv4, DHCPv6 IA-NA/IA-PD, SLAAC). The host entries configured in the ipoe CLI context are matched.
  3. Perform authentication and address management for the local DHCPv4 server. For this, both PPP and IPoE sections can be used depending on the client type indicated by a vendor-specific suboption inside Option 82 of the DHCPv4 message.

Each host can be identified by a set of values. However, at any point in time only four of these values are taken into account for IPoE as defined by the ipoe match-list option and only three are considered for PPP as defined in the ppp match-list option.

When trying to find a matching host entry, attempts are made to match as many items as possible. If several hosts match an incoming IPoE packet, the one with most match criteria is taken.

One host entry can map on several physical clients. For instance, when using a circuit ID, by masking when the interface-id is used, the host-entry is used for all the clients on that same interface.

IPoE host identification includes:

  1. Circuit ID; this field also matches the DHCPv6 interface-id field
  2. MAC address
  3. Remote ID — Matches on the remote-id sub-option in option 82 for DHCPv4 clients and on the remote-id option (including enterprise-id field) for DHCPv6 clients
  4. Option 60 from DHCPv4 message; only first 32 bytes are looked at
  5. SAP ID
  6. Service ID
  7. String from vendor-specific suboption of Option 82
  8. System ID
  9. derived-id — A string provided via a DHCP Python script
  10. dual-stack-remote-id — Matches on the remote-id sub-option in option 82 for DHCPv4 clients and on the remote-id field in the remote-id option (without enterprise-id) for DHCPv6 clients
  11. encap-tag-range — Matches on VLAN tag ranges
  12. IP — Matches on the source IPv4/IPv6 address of a data-trigger packet

PPP host identification includes:

  1. Circuit ID
  2. MAC address
  3. Remote id
  4. User name, either complete user name, domain part only, or host part only
  5. Derived ID — A string provided by Python script

When a host cannot be inserted in the lookup database, it will be placed in an unmatched-hosts list. This can occur due to:

  1. Another host with the same host-identification exists. Only the host-identification that is specified in the match-list is taken into account for this.
  2. A host has no host-identification specified in the match-list.

When used for PPPoE-authentication, the fields are used as follows:

  1. password — Verifies the PPPoE user password. This is mandatory. If no password is required then it must be explicitly set to ignore.
  2. address:
    1. no address — No address information. The address must be obtained by other means, either RADIUS or DHCP server.
    2. gi-address — No meaning in this context. The address must be obtained by other means, either RADIUS or DHCP server.
    3. use-pool-from-client — No meaning in this context, address must be obtained by other means, either RADIUS or DHCP server.
    4. pool-name — The address must be obtained by other means, either RADIUS or a DHCP-server. When a DHCP server is used, this pool-name will be included in Option 82 vendor-specific suboption.
    5. ip-address — This ip-address will be offered to the client.
  3. Identification-strings — Returns the strings used for enhanced subscriber management (ESM).
  4. Options — Only DNS servers and NBNS server are used, others are ignored.

When used from the DHCP server, the following applies:

  1. password — Not used.
  2. address — Defines how the address should be allocated for this host.
    1. no address — The host is not allowed. The clients mapping to this host will not get an IP address.
    2. gi-address — Finds the matching subnet and an IP address is taken from that subnet.
    3. pool-name — A free IP address is taken from that pool.
    4. ip-address — This ip-address will be offered to the client.
    5. use-pool-from-client — Use the poolname in the Option 82 vendor-specific suboption. If no poolname is provided there, falls back to the DHCP server default (none or use-gi-address).
  3. identification-strings — The operator can specify subscriber management strings and in which option the strings are sent back in dhcp-offer and dhcp-ack messages.
  4. options — The operator defines which options specific to this host should be sent back in the dhcp-offer and dhcp-ack messages. The options defined here override options defined on the pool-level and subnet-level inside the local DHCP server.

The circuit ID from PPPoE or from Option 82 in IPoE messages can be masked in following ways:

  1. prefix-length — Drop a fixed number of bytes at the beginning of the circuit-id.
  2. suffix-length— Drop a fixed number of bytes at the end of the circuit-id.
  3. prefix-string — The matching string will be dropped from the beginning of the circuit-id. The matching string can contain wildcards (*). For example: incoming circuit-id "mybox|3|my_interface|1/1/1:22" masked with "*|*|" will leave "my_interface|1/1/1:22".
  4. suffix-string — The matching string will be dropped at the end of the circuit-id. For example: incoming circuit-id "mybox|3|my_interface|1/1/1:22" masked with "|*" will result in "mybox|3|my_interface".

The following is an example of a local user database used for PPPoE authentication:

*A:ALA-48>config>subscr-mgmt# info
----------------------------------------------
...
local-user-db "pppoe user db"
description "pppoe authentication data base"
ppp
match-list username circuit-id
mask prefix-string "*|*|" suffix-string "|*"
host "john" create
host-identification
username "john" no-domain
exit
password pap "23T8yPoe0w1R.BPGHB98i0qhJf7ZlZGCtXBKGnjrIrA" hash2
no shutdown
exit
host "test.com" create
host-identification
username "test.com" domain-only
exit
password ignore
no shutdown
exit
host "john@test.com" create
host-identification
username "john@test.com"
exit
password pap "23T8yPoe0w0Tlf1yCb4hskknvTYLqA2avvBB567g3eQ" hash2
identification-strings 122 create
subscriber-id "john@test.com"
sla-profile-string "sla prof1"
sub-profile-string "subscr profile 1"
ancp-string "ancp string"
inter-dest-id "inter dest"
exit
no shutdown
exit
host "john@test.com on interface group-if"
host-identification
circuit-id string "group-if"
username "john@test.com"
exit
password pap "23T8yPoe0w1R.BPGHB98i0qhJf7ZlZGCtXBKGnjrIrA" hash2
address 10.1.2.3
no shutdown
exit
exit
no shutdown
exit
...
----------------------------------------------
*A:ALA-48>config>subscr-mgmt#

The following are some examples when a user tries to set up PPPoE:

  1. john@test.com tries to setup PPPoE with circuit-id "pe_23|3|group-if|1/1/1": host "john@test.com on interface group-if" will match, the PAP password is checked and the IP address 10.1.2.3 is given to PPPoE to use for this host.
  2. john@test.com (on another interface): host "john@test.com" will match, the PAP password is checked, and identification strings are returned to PPPoE.
  3. alcatel@test.com: host "test.com" will match, no password check, the user is allowed.
  4. john@alcatel.com: host "john" will match and the password will be checked.
  5. anybody@anydomain: will not match and will not be allowed.

The following is an example of a local user database used for DHCP server for IPoE clients:

*A:ALA-50>config>subscr-mgmt# info
----------------------------------------------
...
local-user-db "dhcp server user db"
description "dhcp server user data base"
ipoe
match-list circuit-id mac
mask prefix-string "*|*|" suffix-string "|*"
host "mac 3 on interface" create
host-identification
circuit-id string "group-if"
mac 00:00:00:00:00:03
exit
address 10.0.0.1
no shutdown
exit
host "maskedCircId" create
host-identification
circuit-id string "group-if"
exit
address pool "pool 1"
identification-strings 122 create
subscriber-id "subscriber 1234"
sla-profile-string "sla prof 1"
sub-profile-string "sub prof 1"
ancp-string "ancpstring"
inter-dest-id "inter dest id 123"
exit
options
netbios-name-server 1.2.3.4
lease-time min 2
exit
no shutdown
exit
exit
no shutdown
exit
...
----------------------------------------------
*A:ALA-50>config>subscr-mgmt#

The following is an access example:

  1. MAC 00:00:00:00:00:03 on circuit-id "pe5|3|group-if|1/1/1": host "mac 3 on interface" is matched and address 10.0.0.1 is offered to the IPoE client.
  2. Another MAC on circuit-id "pe5|3|group-if|2/2/2": host "maskedCircId" is matched and an address is taken from "pool1" (defined in the DHCP server). The identification-strings will be copied to Option 122 in the dhcp-offer and dhcp-ack messages. The options defined here will also be copied into dhcp-offer and dhcp-ack messages.
  3. The circuit-id "pe5|3|other_group_if|1/1/3”: no host is matched. The client will only get an IP address if on DHCP server level you defined the use-gi-address parameter and the gi-address matches a subnet.

The following is an example of a local user database used for a DHCP server, only for PPPoE clients:

If PPPoE does not get an IP address from RADIUS or the local-user-db used for authentication, the internal dhcp-client will be used to access a DHCP server which can be in the same node or in another node. These request are identified by inserting Option 82 suboption client-id in the dhcp-discover and dhcp-request messages. When the DHCP server receives this request and has a user-db connected to it, then the PPPoE section of that user-db is accessed.

*A:ALA-60>config>subscr-mgmt# info
----------------------------------------------
...
local-user-db "pppoe user db"
description "pppoe authentication data base"
ppp
match-list username
host "internet.be" create
host-identification
username "internet.com" domain-only
exit
address "pool_1"
no shutdown
exit
host "john@internet.com" create
host-identification
username "john@internet.com"
exit
identification-strings 122 create
subscriber-id "john@test.com"
sla-profile-string "sla prof1"
sub-profile-string "subscr profile 1"
ancp-string "ancp string"
inter-dest-id "inter dest"
exit
address use-gi
no shutdown
exit
host "malicious@internet.com"
host-identification
circuit-id string "group-if"
username "internet@test.com"
exit
no shutdown
exit
exit
no shutdown
exit
...
----------------------------------------------
*A:ALA-60>config>subscr-mgmt#

The following is an access example:

  1. john@internet.com: GI is used to find a subnet and a free address will be allocated form that subnet. Identification strings are returned in Option 122.
  2. anybody@internet.com: pool_1 will be used to find a free IP address.
  3. malicious@internet.com: no address is defined. This user will not get an IP address.

The following is an example of associating a local user database to PPPoE for authentication for the 7750 SR.

A:pe5>config>service>vprn#
----------------------------------------------
subscriber-interface "tomylinux" create
address 10.2.2.2/16
group-interface "grp_pppoe3" create
pppoe
e "pppoe"
exit
exit
----------------------------------------------
A:pe5>config>service>vprn#

The following is an example of associating a local user database to a local DHCP server.

A:pe7>config>router>dhcp#
----------------------------------------------
local-dhcp-server my_server
description "my dhcp server"
user-db "data base 1"
...
exit
----------------------------------------------
A:pe7>config>router>dhcp#

In PPPoE access scenarios without access node or with access nodes that do not insert PPPoE vendor specific tags "Circuit-ID" and/or "Remote-ID", it may be required to configure this information in the local user database so that they can be picked up in pre-authentication phase and used for RADIUS authentication and reporting in RADIUS accounting messages. For example:

config>subscr-mgmt
local-user-db "ludb-1" create
ppp
match-list username
host "host-1" create
access-loop-information
circuit-id string "LUDB inserted circuit-id"
remote-id string "LUDB inserted remote-id"
exit
host-identification
username "cpe-1@domain1.com"
exit
auth-policy "auth-policy-1"
password ignore
no shutdown
exit
exit

In the case of PPPoE, when the system accesses a LUDB during a discovery phase, a matched host could return a second LUDB via a “user-db” configuration under the LUDB host context. This second database will be accessed again during the PAP/CHAP phase. The following is an example:

 local-user-db "padi-db" create
            ppp
                match-list derived-id 
                host "testuser" create
                    host-identification
                        derived-id "testuser"
                    exit
                    msap-defaults
                        group-interface "g1"
                        service 500
                    exit
                    user-db "chap-db"
                    no shutdown
                exit
            exit
            no shutdown
        exit
        local-user-db "chap-db" create
            ppp
                match-list derived-id username 
                host "testuser" create
                    host-identification
                        derived-id "testuser"
                        username "testuser"
                    exit
                    password chap "cYhRmQYWOkLW3s0LrtEnBjWlAwFa/1Kx" hash2
                    identification-strings 254 create
                        sla-profile-string "sla-2"
                    exit
                    no shutdown
                exit
            exit
            no shutdown
        exit