remote-id-mismatch (DHCP Local Server and DHCP Relay Agent)
Syntax
remote-id-mismatch disconnect;
Hierarchy Level
[edit forwarding-options dhcp-relay]
[edit forwarding-options dhcp-relay dhcpv6]
[edit forwarding-options dhcp-relay group group-name]
[edit forwarding-options dhcp-relay dhcpv6 group group-name]
[edit logical-systems logical-system-name ...]
[edit logical-systems logical-system-name routing-instances routing-instance-name...]
[edit routing-instances routing-instance-name ...]
[edit system services dhcp-local-server]
[edit system services dhcp-local-server dhcpv6]
[edit system services dhcp-local-server group group-name]
[edit system services dhcp-local-server dhcpv6 group group-name]
Description
Configure the DHCP local server or DHCP relay agent
to detect a mismatch in the Agent Remote ID value to trigger a new
connection request. Information about a subscriber’s service
plan is encoded in the Agent Remote ID, which is conveyed in option
82, suboption 2, for DHCPv4 clients and in option 37 for DHCPv6 clients.
When a subscriber session is activated, the Agent Remote ID value
for the authorized service plan is stored in the session database.
When you configure remote-id-mismatch, the DHCP local server
and relay agent inspect incoming renew and rebind messages and compare
the Agent Remote ID in the message against the initial value that
DHCP stored in the database. When the DHCP local server discovers a mismatch
between the stored value and the value in the message, the DHCP local
server sends a NAK to the client and tears down the client binding.
If the client is a DHCPv6 client, because DHCPv6 does not support
an explicit NAK message, the local server sends a reply packet with
lifetime set to 0 to signify a logical NAK.
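The comparison described above can be modeled for DHCPv4 as follows. This is an added example, not Junos code: it extracts option 82, suboption 2, from a constructed options field and compares it with a stored value. The function names, the sample Remote ID strings and the handling of a message that carries no Agent Remote ID are assumptions of the example.

```python
"""Model of the Agent Remote ID comparison (added example, not Junos code)."""

RELAY_AGENT_INFO = 82   # DHCPv4 option 82
REMOTE_ID = 2           # suboption 2, Agent Remote ID
PAD, END = 0, 255       # pad and end codes, valid only at the top level

def tlvs(data, pad_end=False):
    """Yield (code, value) pairs from a code/length/value byte string."""
    i = 0
    while i < len(data):
        code = data[i]
        if pad_end and code == END:
            return
        if pad_end and code == PAD:
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        length = data[i + 1]
        yield code, data[i + 2:i + 2 + length]
        i += 2 + length

def agent_remote_id(options):
    """Return option 82 suboption 2 from a DHCPv4 options field, or None."""
    for code, value in tlvs(options, pad_end=True):
        if code == RELAY_AGENT_INFO:
            for sub, subval in tlvs(value):
                if sub == REMOTE_ID:
                    return subval
    return None

def check_renew(stored, options):
    """Compare the renew/rebind Remote ID with the session database value."""
    seen = agent_remote_id(options)
    if seen is None:
        return "no-remote-id"   # assumption: the page does not cover this case
    return "ack" if seen == stored else "nak-and-teardown"

def tlv(code, value):
    """Encode one code/length/value element."""
    return bytes([code, len(value)]) + value

def sample_request(remote_id):
    """Constructed sample: DHCPREQUEST (option 53 = 3) carrying option 82."""
    relay = tlv(1, b"ge-0/0/1.100") + tlv(REMOTE_ID, remote_id)
    return tlv(53, b"\x03") + tlv(RELAY_AGENT_INFO, relay) + bytes([END])

if __name__ == "__main__":
    for rid in (b"plan-gold", b"plan-silver"):
        print(rid, check_renew(b"plan-gold", sample_request(rid)))
```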
When the DHCP relay agent discovers the mismatch, it sends a NAK
or logical NAK (for DHCPv6) to the DHCP client. The relay agent cannot
tear down the binding itself, so it sends a release message to the
local server, causing the local server to tear down the binding. For
this to happen, you must configure the send-release-on-delete
statement on the DHCP relay agent; otherwise it will not send
the release message to the local server. In that case, the local server
retains the client entry in the database until it times out or the
IP address is used for a different binding.
The remote-id-mismatch functionality overrides
the default DHCP relay agent bind-on-request behavior. By default,
when a stray DHCP request is received, that is, one for which there
is an entry in the local server database but not in the relay agent
database, a complete binding is automatically made with the relay
agent and the local server.
The DHCP client initiates renegotiation when it receives the NAK. The changed Agent Remote ID value is conveyed as part of the request, enabling the new service plan to be submitted for authorization.
The remote-id-mismatch statement is typically used
in an environment that uses local authorization instead of RADIUS
authorization.
You cannot configure both the remote-id-mismatch statement and the
reauthenticate statement at the global level,
[edit system services dhcp-local-server].
However, DHCP precedence rules do permit you to configure both statements
when they are at different levels. For example, you can configure
reauthenticate at the global level and remote-id-mismatch for
DHCPv6 at the [edit system services dhcp-local-server dhcpv6]
hierarchy level or for a specific group at the
[edit system services dhcp-local-server group name] hierarchy
level, and so on.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 16.1.