3.5. Configuring DHCP with CLI

This section provides information to configure DHCP using the command line interface.

3.5.1. Enabling DHCP Snooping

DHCP snooping is the process of copying DHCP packets and using the contained information for internal purposes. The BSA and BSR can use the snooped DHCP information to build anti-spoofing filters, populate the ARP table, send ARP replies, and so on.

For VPLS, DHCP snooping must be explicitly enabled (using the snoop command) on the SAP or SDP where DHCP messages ingress the VPLS instance. It is recommended to enable snooping on both the interface to the DHCP server (to snoop ACK messages) and the interface to the subscriber (to snoop RELEASE messages).

For IES and VPRN IP interfaces (VPRN is supported on the 7750 SR only), lease populate enables DHCP snooping for the subnets defined under the IP interface. The number of allowed simultaneous DHCP sessions on a SAP or interface can be limited using the lease-populate command with the parameter number-of-entries specified. Enabling lease-populate and snoop commands is effectively enabling “standard subscriber management”.

The following output displays an example of a partial BSA configuration with DHCP snooping enabled in a service:

*A:ALA-48>config>service# info
----------------------------------------------
...
        vpls 600 customer 701 create
            sap 1/1/4:100 split-horizon-group "DSL-group2" create
                description "SAP towards subscriber"
                dhcp
                    lease-populate 1
                    option
                        action replace
                        circuit-id
                        no remote-id
                    exit
                    no shutdown
                exit
            exit
            mesh-sdp 2:800 create
                dhcp
                    snoop
                exit
            exit
            no shutdown
        exit
...
----------------------------------------------
*A:ALA-48>config>service#

3.5.2. Configuring Local User Database Parameters

A local user database defines a collection of host entries. There are two types of hosts: PPP and IPoE. A local user database can be used to:

  1. Authenticate PPP clients. For this, only the host entries configured in the ppp CLI context are matched.
  2. Authenticate IPoE hosts (DHCPv4, DHCPv6 IA-NA/IA-PD, SLAAC). The host entries configured in the ipoe CLI context are matched.
  3. Perform authentication and address management for the local DHCPv4 server. For this, both PPP and IPoE sections can be used depending on the client type indicated by a vendor-specific sub-option inside Option 82 of the DHCPv4 message.

Each host can be identified by a set of values. However, at any point in time only four of these values are considered for IPoE as defined by the ipoe match-list option and only three are considered for PPP as defined in the ppp match-list option.

When trying to find a matching host entry, attempts are made to match as many items as possible. If several hosts match an incoming IPoE packet, the one with most match criteria is taken.

One host entry can map to several physical clients. For example, when the circuit ID is masked so that only the interface identifier remains, the host entry applies to all clients on that interface.

IPoE host identification includes:

  1. Circuit ID — this field also matches the DHCPv6 interface-id field
  2. MAC address
  3. Remote ID — matches on the remote-id sub-option in option 82 for DHCPv4 clients and on the remote-id option (including enterprise-id field) for DHCPv6 clients
  4. Option 60 from the DHCPv4 message — only the first 32 bytes are compared
  5. SAP ID
  6. Service ID
  7. String from vendor-specific sub-option of Option 82
  8. System ID
  9. derived-id — a string provided via a DHCP Python script
  10. dual-stack-remote-id — matches on the remote-id sub-option in option 82 for DHCPv4 clients and on the remote-id field in the remote-id option (without enterprise-id) for DHCPv6 clients
  11. encap-tag-range — matches on VLAN tag ranges
  12. IP — matches on the source IPv4/IPv6 address of a data-trigger packet

PPP host identification includes:

  1. Circuit ID
  2. MAC address
  3. Remote ID
  4. User name, either complete user name, domain part only, or host part only
  5. Derived ID — a string provided by Python script

When a host cannot be inserted in the lookup database, it is placed in an unmatched-hosts list. This can occur due to:

  1. Another host with the same host-identification exists. Only the host-identification that is specified in the match-list is considered.
  2. A host has no host-identification specified in the match-list.

When used for PPPoE-authentication, the fields are used as follows:

  1. password — Verifies the PPPoE user password. This is mandatory. If no password is required then it must be explicitly set to ignore.
  2. address:
    1. no address — No address information. The address must be obtained by other means, either RADIUS or DHCP server.
    2. gi-address — No meaning in this context. The address must be obtained by other means, either RADIUS or DHCP server.
    3. use-pool-from-client — No meaning in this context. The address must be obtained by other means, either RADIUS or DHCP server.
    4. pool-name — The address must be obtained by other means, either RADIUS or a DHCP server. When a DHCP server is used, this pool name is included in Option 82 vendor-specific sub-option.
    5. ip-address — This IP address is offered to the client.
  3. Identification-strings — Returns the strings used for enhanced subscriber management (ESM).
  4. Options — Only the DNS server and NBNS server options are used; others are ignored.

When used from the DHCP server, the following applies:

  1. password — Not used.
  2. address — Defines how the address must be allocated for this host.
    1. no address — The host is not allowed. The clients mapping to this host do not get an IP address.
    2. gi-address — Finds the matching subnet and an IP address is taken from that subnet.
    3. pool-name — A free IP address is taken from that pool.
    4. ip-address — This address is offered to the client.
    5. use-pool-from-client — Use the poolname in the Option 82 vendor-specific sub-option. If no poolname is provided there, falls back to the DHCP server default (none or use-gi-address).
  3. identification-strings — The operator can specify subscriber management strings and in which option the strings are sent back in dhcp-offer and dhcp-ack messages.
  4. options — The operator defines which options specific to this host should be sent back in the dhcp-offer and dhcp-ack messages. The options defined here override options defined on the pool-level and subnet-level inside the local DHCP server.

The circuit ID from PPPoE or from Option 82 in IPoE messages can be masked in following ways:

  1. prefix-length — Drop a fixed number of bytes at the beginning of the circuit-id.
  2. suffix-length — Drop a fixed number of bytes at the end of the circuit-id.
  3. prefix-string — The matching string is dropped from the beginning of the circuit-id. The matching string can contain wildcards (*). For example: incoming circuit-id mybox|3|my_interface|1/1/1:22 masked with *|*| leaves my_interface|1/1/1:22.
  4. suffix-string — The matching string is dropped at the end of the circuit-id. For example: incoming circuit-id mybox|3|my_interface|1/1/1:22 masked with |* results in mybox|3|my_interface.

The following is an example of a local user database used for PPPoE authentication:

*A:ALA-48>config>subscr-mgmt# info
----------------------------------------------
...
        local-user-db "pppoe user db"
            description "pppoe authentication data base"
            ppp
                match-list username circuit-id
                mask prefix-string "*|*|" suffix-string "|*"
                host "john" create
                    host-identification
                        username "john" no-domain
                    exit
                    password pap "23T8yPoe0w1R.BPGHB98i0qhJf7ZlZGCtXBKGnjrIrA" hash2
                    no shutdown
                exit
                host "test.com" create
                    host-identification
                        username "test.com" domain-only
                    exit
                    password ignore
                    no shutdown       
                exit
                host "john@test.com" create
                    host-identification
                        username "john@test.com"
                    exit
                    password pap "23T8yPoe0w0Tlf1yCb4hskknvTYLqA2avvBB567g3eQ" hash2
                    identification-strings 122 create
                        subscriber-id "john@test.com"
                        sla-profile-string "sla prof1"
                        sub-profile-string "subscr profile 1"
                        ancp-string "ancp string"
                        inter-dest-id "inter dest"
                    exit
                    no shutdown
                exit
                host "john@test.com on interface group-if" create
                    host-identification
                        circuit-id string "group-if"
                        username "john@test.com"
                    exit
                    password pap "23T8yPoe0w1R.BPGHB98i0qhJf7ZlZGCtXBKGnjrIrA" hash2
                    address 10.1.2.3
                    no shutdown
                exit
            exit        
            no shutdown
        exit
...
----------------------------------------------
*A:ALA-48>config>subscr-mgmt# 
 

The following are some examples when a user tries to set up PPPoE:

  1. john@test.com tries to set up PPPoE with circuit-id pe_23|3|group-if|1/1/1: after masking, the circuit-id is group-if, so host john@test.com on interface group-if matches, the PAP password is checked and the IP address 10.1.2.3 is given to PPPoE to use for this host.
  2. john@test.com (on another interface): host john@test.com matches, the PAP password is checked, and identification strings are returned to PPPoE.
  3. nokie@test.com: host test.com matches, no password check, the user is allowed.
  4. john@nokie.com: host john matches and the password is checked.
  5. anybody@anydomain: does not match and is not allowed.

The following is an example of a local user database used for DHCP server for IPoE clients:

*A:ALA-50>config>subscr-mgmt# info
----------------------------------------------
...
        local-user-db "dhcp server user db"
            description "dhcp server user data base"
            ipoe
                match-list circuit-id mac 
                mask prefix-string "*|*|" suffix-string "|*"
                host "mac 3 on interface" create
                    host-identification
                        circuit-id string "group-if"
                        mac 00:00:00:00:00:03
                    exit
                    address 10.0.0.1
                    no shutdown
                exit
                host "maskedCircId" create
                    host-identification
                        circuit-id string "group-if"
                    exit
                    address pool "pool 1"
                    identification-strings 122 create
                        subscriber-id "subscriber 1234"
                        sla-profile-string "sla prof 1"
                        sub-profile-string "sub prof 1"
                        ancp-string "ancpstring"
                        inter-dest-id "inter dest id 123"
                    exit
                    options
                        netbios-name-server 1.2.3.4
                        lease-time min 2
                    exit
                    no shutdown
                exit
            exit
            no shutdown
        exit
...
----------------------------------------------
*A:ALA-50>config>subscr-mgmt# 
 

The following is an access example:

  1. MAC 00:00:00:00:00:03 on circuit-id pe5|3|group-if|1/1/1: host mac 3 on interface is matched and address 10.0.0.1 is offered to the IPoE client.
  2. Another MAC on circuit-id pe5|3|group-if|2/2/2: host maskedCircId is matched and an address is taken from "pool 1" (defined in the DHCP server). The identification-strings are copied to Option 122 in the dhcp-offer and dhcp-ack messages. The options defined here are also copied into the dhcp-offer and dhcp-ack messages.
  3. The circuit-id pe5|3|other_group_if|1/1/3: no host is matched. The client only gets an IP address if use-gi-address is configured at the DHCP server level and the gi-address matches a subnet.
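The following block is an added example, not Nokia SR OS code: a model of local user database host matching as described above, serving both the PPPoE authentication example and the DHCP server IPoE example. It implements circuit-id masking with prefix-string and suffix-string masks containing "*" wildcards (the shortest match is dropped, which reproduces the page's mybox|3|my_interface|1/1/1:22 results), then picks the host whose host-identification matches the most match-list criteria. The host tables are transcribed from the two example databases. One assumption is labelled in the code: a complete username is weighted above a host-only or domain-only username match, which the page implies by its examples but does not state.

```python
# Added example (not Nokia SR OS code): model of local-user-db host lookup.
# Assumptions: a string mask that does not match leaves the circuit-id
# unchanged, and a full username match outranks a no-domain / domain-only
# match (the page only states that the entry with most criteria wins).
import re
from dataclasses import dataclass
from typing import Optional


def _wild_to_regex(mask):
    # "*" matches the shortest run of any characters; everything else is literal
    return ".*?".join(re.escape(part) for part in mask.split("*"))


def mask_circuit_id(cid, prefix_length=0, suffix_length=0,
                    prefix_string=None, suffix_string=None):
    """Apply the four mask forms from the text, lengths first, then strings."""
    cid = cid[prefix_length:max(0, len(cid) - suffix_length)]
    if prefix_string:
        m = re.match(_wild_to_regex(prefix_string), cid)
        cid = cid[m.end():] if m else cid
    if suffix_string:
        # reverse string and mask so the shortest match is anchored at the end
        rev_mask = "*".join(p[::-1] for p in reversed(suffix_string.split("*")))
        m = re.match(_wild_to_regex(rev_mask), cid[::-1])
        cid = cid[::-1][m.end():][::-1] if m else cid
    return cid


@dataclass
class Host:
    name: str
    ident: dict                     # criterion -> expected value
    address: Optional[str] = None   # None models "no address"


def _score(key, expected, actual):
    """0 when the criterion does not match, otherwise its weight."""
    if key != "username":
        return 1 if actual == expected else 0
    value, mode = expected          # mode: full | no-domain | domain-only
    host, _, domain = (actual or "").partition("@")
    matched = {"full": actual == value, "no-domain": host == value,
               "domain-only": domain == value}[mode]
    return (2 if mode == "full" else 1) if matched else 0   # assumption


def lookup(hosts, match_list, packet):
    """Return the host with the highest total score, or None.  Only criteria
    named in the match-list count, a host must match all it specifies, and
    hosts with no match-list criteria are skipped (the unmatched-hosts list)."""
    best, best_score = None, 0
    for h in hosts:
        crit = {k: v for k, v in h.ident.items() if k in match_list}
        if not crit:
            continue
        scores = [_score(k, v, packet.get(k)) for k, v in crit.items()]
        if all(scores) and sum(scores) > best_score:
            best, best_score = h, sum(scores)
    return best


MASK = dict(prefix_string="*|*|", suffix_string="|*")   # mask used by both databases

PPP_HOSTS = [   # local-user-db "pppoe user db", match-list username circuit-id
    Host("john", {"username": ("john", "no-domain")}),
    Host("test.com", {"username": ("test.com", "domain-only")}),
    Host("john@test.com", {"username": ("john@test.com", "full")}),
    Host("john@test.com on interface group-if",
         {"circuit-id": "group-if", "username": ("john@test.com", "full")},
         address="10.1.2.3"),
]

IPOE_HOSTS = [  # local-user-db "dhcp server user db", match-list circuit-id mac
    Host("mac 3 on interface",
         {"circuit-id": "group-if", "mac": "00:00:00:00:00:03"}, address="10.0.0.1"),
    Host("maskedCircId", {"circuit-id": "group-if"}, address="pool 1"),
]


def ppp_auth(username, circuit_id):
    """PPPoE lookup; returns (host name, address) or None when not allowed."""
    packet = {"username": username, "circuit-id": mask_circuit_id(circuit_id, **MASK)}
    h = lookup(PPP_HOSTS, ("username", "circuit-id"), packet)
    return (h.name, h.address) if h else None


def ipoe_access(circuit_id, mac):
    """DHCP-server lookup; returns (host name, address source) or None."""
    packet = {"circuit-id": mask_circuit_id(circuit_id, **MASK), "mac": mac}
    h = lookup(IPOE_HOSTS, ("circuit-id", "mac"), packet)
    return (h.name, h.address) if h else None
```

Because the match is driven by the masked circuit-id, whatever the access node (or, if the SAP does not replace it, the subscriber) puts in Option 82 decides which host entry, and therefore which address and profiles, a client receives; the mask should be chosen so that only the trusted part of the circuit-id survives.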

The following is an example of a local user database used for a DHCP server, only for PPPoE clients:

If PPPoE does not obtain an IP address from RADIUS or from the local user database used for authentication, the internal DHCP client is used to contact a DHCP server, which can be in the same node or in another node. These requests are identified by inserting the Option 82 client-id sub-option in the dhcp-discover and dhcp-request messages. When the DHCP server receives such a request and has a user database associated with it, the PPPoE section of that database is consulted.

*A:ALA-60>config>subscr-mgmt# info
----------------------------------------------
...
        local-user-db "pppoe user db"
            description "pppoe authentication data base"
            ppp
                match-list username
                host "internet.be" create
                    host-identification
                        username "internet.com" domain-only
                    exit
                    address pool "pool_1"
                    no shutdown       
                exit
                host "john@internet.com" create
                    host-identification
                        username "john@internet.com"
                    exit
                    identification-strings 122 create
                        subscriber-id "john@test.com"
                        sla-profile-string "sla prof1"
                        sub-profile-string "subscr profile 1"
                        ancp-string "ancp string"
                        inter-dest-id "inter dest"
                    exit
                    address gi-address
                    no shutdown
                exit
                host "malicious@internet.com" create
                    host-identification
                        circuit-id string "group-if"
                        username "malicious@internet.com"
                    exit
                    no shutdown
                exit
            exit        
            no shutdown
        exit
...
----------------------------------------------
*A:ALA-60>config>subscr-mgmt# 
 

The following is an access example:

  1. john@internet.com: the gi-address is used to find a subnet and a free address is allocated from that subnet. Identification strings are returned in Option 122.
  2. anybody@internet.com: pool_1 is used to find a free IP address.
  3. malicious@internet.com: no address is defined. This user does not get an IP address.

The following is an example of associating a local user database to PPPoE for authentication for the 7750 SR.

A:pe5>config>service>vprn#
----------------------------------------------
            subscriber-interface "tomylinux" create
               address 10.2.2.2/16
               group-interface "grp_pppoe3" create 
                   pppoe 
                       user-db "pppoe"
                   exit 
               exit 
----------------------------------------------
A:pe5>config>service>vprn#
 

The following is an example of associating a local user database to a local DHCP server.

A:pe7>config>router>dhcp# 
----------------------------------------------
                local-dhcp-server my_server
                    description "my dhcp server"
                    user-db "data base 1"
                        ...     
                exit 
----------------------------------------------
A:pe7>config>router>dhcp# 

In PPPoE access scenarios without an access node, or with access nodes that do not insert the PPPoE vendor-specific tags Circuit-ID and Remote-ID, it may be required to configure this information in the local user database so that it can be picked up in the pre-authentication phase, used for RADIUS authentication and reported in RADIUS accounting messages. For example:

config>subscr-mgmt
 
        local-user-db "ludb-1" create
            ppp
                match-list username
                host "host-1" create
                    access-loop-information
                        circuit-id string "LUDB inserted circuit-id"
                        remote-id string "LUDB inserted remote-id"
                    exit
                    host-identification
                        username "cpe-1@domain1.com"
                    exit
                    auth-policy "auth-policy-1"
                    password ignore   
                    no shutdown
                exit
            exit

With PPPoE, when the system accesses a LUDB during a discovery phase, a matched host could return a second LUDB via a user-db configuration under the LUDB host context. This second database is accessed again during the PAP/CHAP phase. The following is an example:

        local-user-db "padi-db" create
            ppp
                match-list derived-id 
                host "testuser" create
                    host-identification
                        derived-id "testuser"
                    exit
                    msap-defaults
                        group-interface "g1"
                        service 500
                    exit
                    user-db "chap-db"
                    no shutdown
                exit
            exit
            no shutdown
        exit
        local-user-db "chap-db" create
            ppp
                match-list derived-id username 
                host "testuser" create
                    host-identification
                        derived-id "testuser"
                        username "testuser"
                    exit
                    password chap "cYhRmQYWOkLW3s0LrtEnBjWlAwFa/1Kx" hash2
                    identification-strings 254 create
                        sla-profile-string "sla-2"
                    exit
                    no shutdown
                exit
            exit
            no shutdown
        exit

3.5.3. Configuring Option 82 Handling

Option 82, the Relay Agent Information option, is a field in DHCP messages used to identify the subscriber. The Option 82 field can already be filled in when a DHCP message is received at the router, or it can be empty. If the field is empty, the router should add identifying information (circuit ID, remote ID or both). If the field is not empty, the router can decide to replace it.

The following output displays an example of a partial BSA configuration with Option 82 adding on a VPLS service. Snooping must be enabled explicitly on a SAP.

A:ALA-1>config>service>vpls#
----------------------------------------------
            no shutdown
            description "Default tls description for service id 1"
            sap 1/1/11 split-horizon-group "2dslam" create
                dhcp
                    no description
                    snoop
                    no lease-populate
                    option
                        action replace
                        circuit-id ascii-tuple
                        no remote-id
                    exit
                    no shutdown
                exit
            exit
----------------------------------------------
A:ALA-1>config>service>vpls#
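The following block is an added example, not Nokia SR OS code: it encodes and parses the DHCPv4 Relay Agent Information option (Option 82, sub-option 1 circuit-id and sub-option 2 remote-id as defined in RFC 3046) and applies the add-or-replace decision described above. The circuit-id strings and option bytes are constructed for the example; "keep" as the alternative to "replace" is an assumption, since the page only shows action replace.

```python
# Added example (not Nokia SR OS code): DHCPv4 Option 82 encode/parse and the
# add-or-replace decision.  Sample values are constructed; the "keep" action
# is an assumption (the page only shows "action replace").
import struct

OPT_RELAY_AGENT = 82
SUB_CIRCUIT_ID = 1   # RFC 3046 sub-option codes
SUB_REMOTE_ID = 2


def encode_option82(circuit_id=None, remote_id=None):
    """Return the option TLV: code, length, then one TLV per sub-option."""
    body = b""
    for code, value in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        if value is None:
            continue
        data = value.encode() if isinstance(value, str) else bytes(value)
        if not 1 <= len(data) <= 255:
            raise ValueError("sub-option %d must be 1..255 bytes" % code)
        body += struct.pack("BB", code, len(data)) + data
    if len(body) > 255:
        raise ValueError("option 82 body exceeds 255 bytes")
    return struct.pack("BB", OPT_RELAY_AGENT, len(body)) + body


def parse_option82(tlv):
    """Return {sub-option code: bytes}.  Every length is checked against the
    buffer before use: the option arrives from the access side and must not be
    trusted to be well formed."""
    if len(tlv) < 2 or tlv[0] != OPT_RELAY_AGENT or tlv[1] != len(tlv) - 2:
        raise ValueError("not a well-formed option 82")
    subs, i = {}, 2
    while i < len(tlv):
        if i + 2 > len(tlv):
            raise ValueError("truncated sub-option header")
        code, length = tlv[i], tlv[i + 1]
        if i + 2 + length > len(tlv):
            raise ValueError("sub-option %d overruns the option" % code)
        if code in subs:
            raise ValueError("duplicate sub-option %d" % code)
        subs[code] = tlv[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def is_well_formed(tlv):
    try:
        parse_option82(tlv)
        return True
    except ValueError:
        return False


def relay_option82(existing, action, circuit_id, remote_id=None):
    """Decide what leaves the router.  An empty option is always filled in with
    the router's own identification; a present option is overwritten under
    "replace" or passed through unchanged under "keep"."""
    if not existing:
        return encode_option82(circuit_id, remote_id)
    parse_option82(existing)          # reject malformed input before forwarding it
    if action == "replace":
        return encode_option82(circuit_id, remote_id)
    if action == "keep":
        return existing
    raise ValueError("unknown action %r" % action)
```

With the SAP above configured for action replace and no remote-id, relay_option82(existing, "replace", cid) models the outcome: a circuit-id supplied by the subscriber is discarded and the router's own value is inserted. That matters because the local user database matches on the circuit-id; a subscriber-facing SAP that keeps a client-supplied Option 82 would let the client select its own host entry.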

3.5.4. Enabling DHCP Relay

Lease populate and DHCP relay are separate features; they do not both need to be enabled at the same time. DHCP relay can be performed without populating lease tables.

The following example displays DHCP relay configured on an IES interface:

A:ALA-48>config>service>ies>if# info
----------------------------------------------
                address 10.10.42.41/24
                local-proxy-arp
                proxy-arp
                    policy-statement "ProxyARP"
                exit
                sap 1/1/7:0 create
                    anti-spoof ip
                exit
                arp-populate
                dhcp
                    description "relay_ISP1"
                    server 10.200.10.10 10.200.10.20
                    lease-populate 1
                    no shutdown
                exit
----------------------------------------------
A:ALA-48>config>service>ies>if#