WAN and LAN Addressing Using DHCPv6 IA_NA and DHCPv6 Prefix Delegation
Using DHCPv6 IA_NA with DHCPv6 Prefix Delegation Overview
You can use DHCPv6 IA_NA to assign a global IPv6 address to the CPE WAN link and DHCPv6 prefix delegation to provide prefixes for use on the subscriber LAN. DHCPv6 IA_NA and DHCPv6 prefix delegation are done in a single DHCPv6 session. If the CPE sends both the IA_NA and IA_PD options in the same DHCPv6 Solicit message, the BNG returns both a single IPv6/128 address and an IPv6 prefix.
When at least one address is successfully allocated, the router creates a subscriber entry and binds the entry to the assigned address. If both addresses are successfully allocated, the router creates a single subscriber entry and binds both addresses to that entry.
- Lease Times and Session Timeouts for DHCPv6 IA_NA and DHCPv6 Prefix Delegation
- Behavior When CPE Sends Separate Renew Requests for IA_NA and IA_PD Address Types
Lease Times and Session Timeouts for DHCPv6 IA_NA and DHCPv6 Prefix Delegation
When you use DHCPv6 IA_NA together with DHCPv6 prefix delegation, note the following about session timeouts and lease times:
A session timeout from AAA has the highest precedence and overrides local pool lease times.
For DHCPv6 local server, the minimum lease time associated with an address pool takes precedence over pools with longer lease times. For example, if a CPE obtains an IA_NA address from a pool with a lease time of 3600, and a prefix from a pool with a lease time of 7200, the lease time returned in the Reply message from the BNG is 3600.
If AAA does not return a session timeout and the address pool does not have a configured lease time, the default setting of 86,400 (one day) is used.
Behavior When CPE Sends Separate Renew Requests for IA_NA and IA_PD Address Types
In some networks, the DHCPv6 client CPE device does both of the following:
Initiates negotiation for both the IA_NA and IA_PD address types in a single solicit message.
Sends separate lease renew requests for the IA_NA and the IA_PD and the renew requests are received back-to-back.
Starting in Junos OS Release 17.2R3, 17.4R2, 18.1R3, 18.2R2, and 18.3R1, the jdhcpd process extends the lease for both address types in this situation.
When the reply is received for the first renew request, if a renew request is pending for the second address type, the client stays in the renewing state, the lease is extended for the first IA, and the client entry is updated.
When the reply is received for the second renew request, the lease is extended for the second IA and the client entry is updated again.
In earlier releases, the behavior is different for this situation:
The client transitions to the bound state instead of staying in the renewing state. The lease is extended for the first IA and the client entry is updated.
When the reply is received for the second renew request, the lease is not renewed for the second address type and the reply is forwarded to the client. Consequently, when that lease ages out, the binding for that address type is cleared, the access route is removed, and subsequent traffic is dropped for that address or address prefix.
For dual-stacked clients over the same session (PPP over L2TP LNS, DHCP, or IPoE), enhanced subscriber management does not support configurations where both of the following are true:
The CPE sends separate DHCPv6 solicit messages for the IA_NA and the IA_PD.
The solicit messages specify a type 2 or type 3 DUID (link-layer address).
As a workaround, you must configure the CPE to send a single solicit message for both IA_NA and IA_PD when the other configuration elements are present.
See Also
DHCPv6 Options in a DHCPv6 Multiple Address Environment
In a DHCPv6 environment, DHCPv6 clients can use a single DHCPv6 Solicit message to request multiple addresses (for example, IA_NA address, IA_PD address, or both), as well as the DNS server address (DHCPv6 attribute 23). When a client requests multiple addresses, DHCPv6 uses the following guidelines to determine how options are returned to the client.
DNS server address—Whenever a client requests an IA_PD address (either alone or with an IA_NA address) and also requests a DNS server address, DHCPv6 returns a DNS address only when one is specified in the IA_PD pool. If the IA_PD pool does not include a DNS address, DHCPv6 ignores any DNS address configured in the IA_NA pool.
If the client requests an IA_NA address (but not an IA_PD address) and also a DNS server address, DHCPv6 returns a DNS address if one is configured in the IA_NA pool.
Lease time—DHCPv6 returns the shortest value of the lease times configured in the IA_NA pool, the IA_PD pool, and
authd. DHCPv6 uses this value to set the lifetimes and the Renew and Rebind timers.
By default, DHCPv6 local server returns the DNS server address as a global DHCPv6 option. You can override the current default behavior if you want DHCPv6 to return the DNS server address at the suboption level.
See Also
Methods for Obtaining Addresses for Both DHCPv6 Prefix Delegation and DHCPv6 IA_NA
You can set up the BNG to select global IPv6 addresses to be delegated to the requesting router in one the following ways:
An external source such as a AAA RADIUS server or a DHCP server using the DHCPv6 relay agent.
Dynamic assignment from a local pool of prefixes or global IPv6 addresses that is configured on the BNG
Address assignment for prefix delegation and IA_NA are independent. For example, you can use AAA RADIUS for DHCPv6 IA_NA, and use a local pool for prefix delegation.
- Address Pools for DHCPv6 Prefix Delegation and DHCPv6 IA_NA
- Using a AAA RADIUS Server to Obtain IPv6 Addresses and Prefixes
- Junos OS Predefined Variable for Multiple DHCPv6 Address Assignment
Address Pools for DHCPv6 Prefix Delegation and DHCPv6 IA_NA
You need two separate address pools for prefix delegation and IA_NA. The pool used for IA_NA contains /128 addresses, and the pool for prefix delegation contains /56 or /48 addresses.
You can specify the name of a delegated pool to use for prefix delegation, which means that you do not need to use AAA to obtain the pool name. In this configuration, if you have also specified a pool match order, the specified delegated pool takes precedence.
You can configure pool attributes so that the IA_NA pool and the prefix delegation pool can specify different SIP servers for DNS addresses. DHCPv6 options that the BNG returns to the CPE are based on the pool from which the addresses were allocated. These options that are returned are based on the DHCPv6 Option Request option (ORO), which can be configured globally or within the IA_NA and IA_PD request.
Using a AAA RADIUS Server to Obtain IPv6 Addresses and Prefixes
When the BNG needs to obtain a global IPv6 address for the CPE WAN link and a DHCPv6 prefix, it uses the values in one of the following RADIUS attributes:
Framed-IPv6-Prefix—The attribute contains a global IPv6 address and a prefix. A prefix length of 128 is associated with the global IPv6 address. Prefix lengths less than 128 are associated with prefixes.
Framed-IPv6-Pool—The attribute contains the name of an address-assignment pool configured on the BNG, from which the BNG can select a global IPv6 address or an IPv6 prefix to send to the CPE.
Both attributes are sent from the RADIUS server to the BNG in RADIUS Access-Accept messages.
Junos OS Predefined Variable for Multiple DHCPv6 Address Assignment
To configure dynamic DHCPv6 address assignment for both DHCPv6
IA_NA and DHCPv6 prefix delegation, use the $junos-subscriber-ipv6-multi-address predefined variable In your dynamic profile. You use this variable
in place of the $junos-subscriber-ipv6-address variable,
which supports a single IPv6 address or prefix. The $junos-subscriber-ipv6-multi-address variable is applied as a demultiplexing source address, and is expanded
to include both the host and prefix addresses.
You include the $junos-subscriber-ipv6-multi-address variable at the [edit dynamic-profile profile-name interfaces interface-name unit logical-unit-number family inet6 demux-source] hierarchy level.
See Also
Multiple DHCPv6 IA_NA and IA_PD Requests per Client Interface
DHCPv6 relay agent supports multiple IA_NA and IA_PD requests
within a single DHCPv6 Solicit message. The requests can be any combination
of IA_NA and IA_PD addresses, up to a maximum of eight requests. As
part of the multiple IA request support, each address lease is assigned
its own lease time expiration, independent of the other leases. The
use of independent lease timers ensures that when one lease is torn
down, the other active leases are maintained. You can use the show dhcpv6 relay binding and show dhcpv6 relay binding
detail commands to display the status of the individual lease
times.
The DHCPv6 support for multiple IA requests enables you to use prefix delegation to designate blocks of addresses, as described in RFC 3633, IPv6 Prefix Options for DHCPv6. For example, you might want to delegate multiple address blocks to a customer premises equipment (CPE) router as a means to simplify flow classification and service monetization in your IPv6 environment.
Example: Configuring a Dual Stack That Uses DHCPv6 IA_NA and DHCPv6 Prefix Delegation over PPPoE
Requirements
This example uses the following hardware and software components:
MX Series 5G Universal Routing Platform
Junos OS Release 11.4 or later
Overview
This design uses DHCPv6 IA_NA and DHCPv6 prefix delegation in your subscriber access network as follows:
The access network is PPPoE.
DHCPv6 IA_NA is used to assign a global IPv6 address on the WAN link. The address comes from a local pool that is specified using AAA RADIUS.
DHCPv6 prefix delegation is used for subscriber LAN addressing. It used a delegated prefix from a local pool that is specified using AAA RADIUS.
DHCPv4 is used for subscriber LAN addressing.
DHCPv6 subscriber sessions are layered over an underlying PPPoE subscriber session.
Topology
Table 1 describes the configuration components used in this example.
Configuration Component |
Component Name |
Purpose |
|---|---|---|
Dynamic Profile |
pppoe-subscriber-profile |
Profile that creates a PPPoE logical interface when the subscriber logs in. |
Interfaces |
ge-0/2/5 |
Interface used for communication with the RADIUS server. |
ge-0/3/0 |
Underlying Ethernet interface. |
|
demux0 |
VLAN demux interface that runs over the underlying Ethernet interface. |
|
lo0 |
Loopback interface for use in the access network. The loopback interface is automatically used for unnumbered interfaces. |
|
Address-Assignment Pools |
pool v4-pool |
Pool that provides IPv4 addresses for the subscriber LAN. |
pool v6-ia-na-pool |
Pool that provides a global IPv6 address to the CPE WAN link. |
|
pool v6-pd-pool |
Pool that provides a pool of prefixes that are delegated to the CPE and used for assigning IPv6 global addresses on the subscriber LAN. |
Configuration
- CLI Quick Configuration
- Configuring a DHCPv6 Local Server for DHCPv6 over PPPoE
- Configuring a Dynamic Profile for the PPPoE Logical Interface
- Configuring a Loopback Interface
- Configuring a VLAN Demux Interface over an Ethernet Underlying Interface
- Configuring an Interface for Communication with RADIUS Server
- Specifying the BNG IP Address
- Configuring RADIUS Server Access
- Configuring RADIUS Server Access Profile
- Configuring Local Address-Assignment Pools
CLI Quick Configuration
The following is the complete configuration for this example:
dynamic-profiles {
pppoe-subscriber-profile {
routing-instances {
"$junos-routing-instance" {
interface "$junos-interface-name";
}
}
interfaces {
pp0 {
unit "$junos-interface-unit" {
ppp-options {
chap;
pap;
}
pppoe-options {
underlying-interface "$junos-underlying-interface";
server;
}
keepalives interval 30;
family inet {
unnumbered-address "$junos-loopback-interface";
}
family inet6 {
unnumbered-address "$junos-loopback-interface";
}
}
}
}
}
}
system {
services {
dhcp-local-server {
dhcpv6 {
group v6-ppp-subscriber {
interface pp0.0;
}
}
}
}
}
interfaces {
ge-0/2/5 {
gigether-options {
no-auto-negotiation;
}
unit 0 {
family inet {
address 203.0.113.99/32;
}
}
}
ge-0/3/0 {
hierarchical-scheduler maximum-hierarchy-levels 2;
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 1;
}
demux0 {
unit 1 {
proxy-arp;
vlan-tags outer 1 inner 1;
demux-options {
underlying-interface ge-0/3/0;
}
family pppoe {
duplicate-protection;
dynamic-profile pppoe-subscriber-profile;
}
}
}
lo0 {
unit 0 {
family inet {
address 203.0.113.1/32 {
primary;
preferred;
}
}
family inet6 {
address 2001:db8:0::1/128 {
primary;
preferred;
}
}
}
}
}
routing-options {
router-id 203.0.113.0;
}
access {
radius-server {
203.0.113.99 {
secret "$ABC123$ABC123$ABC123"; ## SECRET-DATA
timeout 45;
retry 4;
source-address 203.0.113.1;
}
}
profile Access-Profile {
authentication-order radius;
radius {
authentication-server 203.0.113.99;
accounting-server 203.0.113.99;
}
accounting {
order [ radius none ];
update-interval 120;
statistics volume-time;
}
}
address-assignment {
pool v4-pool {
family inet {
network 203.0.113.161/32;
range v4-range-0 {
low 203.0.113.161;
high 203.0.113.255;
}
dhcp-attributes {
maximum-lease-time 99999;
}
}
}
pool v6-ia-na-pool {
family inet6 {
prefix 2001:db8:1000:0000::/64;
range v6-range-0 {
low 2001:db8:1000::1/128;
high 2001:db8:1000::ffff:ffff/128;
}
}
}
pool v6-pd-pool {
family inet6 {
prefix 2001:db8:2012::/48;
range v6-pd prefix-length 64;
}
}
}
address-protection;
}
Configuring a DHCPv6 Local Server for DHCPv6 over PPPoE
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
edit system services dhcp-local-server dhcpv6 edit group v6-ppp-subscriber set interface pp0.0
Step-by-Step Procedure
To layer DHCPv6 above the PPPoE IPv6 family (inet6), associate DHCPv6 with the PPPoE interfaces by adding the PPPoE interfaces to the DHCPv6 local server configuration. Because this example uses a dynamic PPPoE interface, we are using the pp0.0 (PPPoE) logical interface as a wildcard to indicate that a DHCPv6 binding can be made on top of a PPPoE interface.
To configure a DHCPv6 local server:
Access the DHCPv6 local server configuration.
[edit] user@host# edit system services dhcp-local-server dhcpv6
Create a group for dynamic PPPoE interfaces and assign a name.
The group feature groups a set of interfaces and then applies a common DHCP configuration to the named interface group.
[edit system services dhcp-local-server dhcpv6] user@host# edit group v6-ppp-subscriber
Add an interface for dynamic PPPoE logical interfaces.
[edit system services dhcp-local-server dhcpv6 group v6-ppp-subscriber] user@host# set interface pp0.0
Results
From configuration mode, confirm your configuration
by entering the show command.
[edit]
user@host# show
system {
services {
dhcp-local-server {
dhcpv6 {
group v6-ppp-subscriber {
interface pp0.0;
}
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Configuring a Dynamic Profile for the PPPoE Logical Interface
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
edit dynamic-profiles pppoe-subscriber-profile edit routing-instances $junos-routing-instance set interface $junos-interface-name exit edit interfaces pp0 unit $junos-interface-unit set family inet unnumbered-address "$junos-loopback-interface" set family inet6 unnumbered-address "$junos-loopback-interface" set pppoe-options underlying-interface "$junos-underlying-interface" set pppoe-options server set ppp-options pap set ppp-options chap set keepalives interval 30
Step-by-Step Procedure
Create a dynamic profile for the PPPoE logical interface. This dynamic profile supports both IPv4 and IPv6 sessions on the same logical interface.
To configure the dynamic profile:
Create and name the dynamic profile.
[edit] user@host# edit dynamic-profiles pppoe-subscriber-profile
Add a routing instance to the profile.
[edit dynamic-profiles pppoe-subscriber-profile] user@host# edit routing-instances $junos-routing-instance user@host# set interface $junos-interface-name
Configure a PPPoE logical interface (pp0) that is used to create logical PPPoE interfaces for the IPv4 and IPv6 subscribers.
[edit dynamic-profiles pppoe-subscriber-profile] user@host# edit interfaces pp0
Specify
$junos-interface-unitas the predefined variable to represent the logical unit number for thepp0interface. The variable is dynamically replaced with the actual unit number supplied by the network when the subscriber logs in.[edit dynamic-profiles pppoe-subscriber-profile interfaces pp0] user@host# edit unit $junos-interface-unit
Specify
$junos-underlying-interfaceas the predefined variable to represent the name of the underlying Ethernet interface on which the router creates the dynamic PPPoE logical interface. The variable is dynamically replaced with the actual name of the underlying interface supplied by the network when the subscriber logs in.[edit dynamic-profiles pppoe-subscriber-profile interfaces pp0 unit "$junos-interface-unit"] user@host# set pppoe-options underlying-interface $junos-underlying-interface
Configure the router to act as a PPPoE server when a PPPoE logical interface is dynamically created.
[edit dynamic-profiles pppoe-subscriber-profile interfaces pp0 unit "$junos-interface-unit"] user@host# set pppoe-options server
Configure the IPv4 family for the pp0 interface. Specify the unnumbered address to dynamically create loopback interfaces. Because the example uses routing instances, assign the predefined variable
$junos-loopback-interface.[edit dynamic-profiles pppoe-subscriber-profile interfaces pp0 unit "$junos-interface-unit"] user@host# set family inet unnumbered-address $junos-loopback-interface
Configure the IPv6 family for the pp0 interface. Specify the unnumbered address to dynamically create loopback interfaces. Because the example uses routing instances without router advertisement, assign the predefined variable
$junos-loopback-interface.[edit dynamic-profiles pppoe-subscriber-profile interfaces pp0 unit "$junos-interface-unit"] user@host# set family inet6 unnumbered-address $junos-loopback-interface
Configure one or more PPP authentication protocols for the pp0 interface.
[edit dynamic-profiles pppoe-subscriber-profile interfaces pp0 unit "$junos-interface-unit"] user@host# set ppp-options chap user@host# set ppp-options pap
Enable keepalives and set an interval for keepalives. We recommend an interval of 30 seconds.
[edit dynamic-profiles pppoe-subscriber-profile interfaces pp0 unit "$junos-interface-unit"] user@host# set keepalives interval 30
Results
From configuration mode, confirm your configuration
by entering the show command.
[edit dynamic-profiles pppoe-subscriber-profile]
user@host# show
routing-instances {
"$junos-routing-instance" {
interface "$junos-interface-name";
}
}
interfaces {
pp0 {
unit "$junos-interface-unit" {
ppp-options {
chap;
pap;
}
pppoe-options {
underlying-interface "$junos-underlying-interface";
server;
}
keepalives interval 30;
family inet {
unnumbered-address "$junos-loopback-interface";
}
family inet6 {
unnumbered-address "$junos-loopback-interface";
}
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Configuring a Loopback Interface
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
edit interfaces lo0 set unit 0 family inet address 203.0.113.1/32 primary set unit 0 family inet address 203.0.113.1/32 preferred set unit 0 family inet6 address 2001:db8:0::1/128 primary set unit 0 family inet6 address 2001:db8:0::1/128 preferred
Step-by-Step Procedure
To configure a loopback interface:
Create the loopback interface and specify a unit number.
[edit] user@host# edit interfaces lo0 unit 0
Configure the interface for IPv4.
[edit interfaces lo0 unit 0] user@host# set family inet address 203.0.113.1/32 primary preferred
Configure the interface for IPv6.
[edit interfaces lo0 unit 0] user@host# set family inet6 address 2001:db8:0::1/128 primary preferred
Results
From configuration mode, confirm your configuration
by entering the show command.
[edit interfaces lo0]
user@host# show
unit 0 {
family inet {
address 203.0.113.1/32 {
primary;
preferred;
}
}
family inet6 {
address 2001:db8:0::1/128 {
primary;
preferred;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Configuring a VLAN Demux Interface over an Ethernet Underlying Interface
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
edit interfaces set ge-0/3/0 hierarchical-scheduler maximum-hierarchy-levels 2 set ge-0/3/0 flexible-vlan-tagging set ge-0/3/0 encapsulation flexible-ethernet-services exit edit interfaces demux0 unit 1 set vlan-tags outer 1 set vlan-tags inner 1 set demux-options underlying-interface ge-0/3/0 set family pppoe dynamic-profile pppoe-subscriber-profile set family pppoe duplicate-protection set proxy-arp
Step-by-Step Procedure
To configure a VLAN demux interface over an Ethernet underlying interface:
Configure the underlying Ethernet interface.
[edit] user@host# edit interfaces ge-0/3/0 user@host# set flexible-vlan-tagging user@host# set encapsulation flexible-ethernet-services user@host# set hierarchical-scheduler maximum-hierarchy-levels 2
Create the VLAN demux interface, and specify a unit number.
[edit] user@host# edit interfaces demux0 unit 1
Configure the VLAN tags.
[edit interfaces demux0 unit 1] user@host# set vlan-tags outer 1 inner 1
Specify the underlying Ethernet interface.
[edit interfaces demux0 unit 1] user@host# set demux-options underlying-interface ge-0/3/0
Specify the dynamic profile.
[edit interfaces demux0 unit 1] user@host# set family pppoe dynamic-profile pppoe-subscriber-profile
Prevent multiple PPPoE sessions from being created for the same PPPoE subscriber on the same VLAN interface.
[edit interfaces demux0 unit 1] user@host# set family pppoe duplicate-protection
(Optional) Specify that you want the demux interface to use Proxy ARP.
[edit interfaces demux0 unit 1] user@host# set proxy-arp
Results
From configuration mode, confirm your configuration
by entering the show command.
[edit interfaces]
user@host# show
ge-0/3/0 {
hierarchical-scheduler maximum-hierarchy-levels 2;
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
}
demux0 {
unit 1 {
proxy-arp;
vlan-tags outer 1 inner 1;
demux-options {
underlying-interface ge-0/3/0;
}
family pppoe {
duplicate-protection;
dynamic-profile pppoe-subscriber-profile;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Configuring an Interface for Communication with RADIUS Server
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
edit interfaces ge-0/2/5 set unit 0 family inet address 203.0.113.99 set gigether-options no-auto-negotiation
Step-by-Step Procedure
To configure the interface:
Create the interface, specify a unit number, and configure the address.
[edit] user@host# edit interfaces ge-0/2/5
Configure the interface for IPv4 and specify the address.
[edit interfaces ge-0/2/5] user@host# set unit 0 family inet address 203.0.113.99
Specify that Gigabit Ethernet options are not automatically negotiated.
[edit interfaces ge-0/2/5] user@host# set gigether-options no-auto-negotiation
Results
From configuration mode, confirm your configuration
by entering the show command.
[edit interfaces ge-0/2/5]
user@host# show
gigether-options {
no-auto-negotiation;
}
unit 0 {
family inet {
address 203.0.113.99/32;
}
}
If you are done configuring the device, enter commit from configuration mode.
Specifying the BNG IP Address
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
edit routing-options set router-id 203.0.113.0
We strongly recommend that you configure the BNG IP address, thereby avoiding unpredictable behavior if the interface address on a loopback interface changes.
Step-by-Step Procedure
To configure the IP address of the BNG:
Access the routing-options configuration.
[edit] user@host# edit routing-options
Specify the IP address or the BNG.
[edit routing-options] user@host# set router-id 203.0.113.0
Results
From configuration mode, confirm your configuration
by entering the show command.
[edit routing-options] user@host# show router-id 203.0.113.0;
If you are done configuring the device, enter commit from configuration mode.
Configuring RADIUS Server Access
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
edit access radius-server 203.0.113.99 set secret "$ABC123$ABC123$ABC123" set timeout 45 set retry 4 set source-address 203.0.113.1
Step-by-Step Procedure
To configure RADIUS servers:
Create a RADIUS server configuration, and specify the address of the server.
[edit] user@host# edit access radius-server 203.0.113.99
Configure the required secret (password) for the server. Secrets enclosed in quotation marks can contain spaces.
[edit access radius-server 203.0.113.99] user@host# set secret "$ABC123$ABC123$ABC123"
Configure the source address that the BNG uses when it sends RADIUS requests to the RADIUS server.
[edit access radius-server 203.0.113.99] user@host# set source address 203.0.113.1
(Optional) Configure the number of times that the router attempts to contact a RADIUS accounting server. You can configure the router to retry from 1 through 16 times. The default setting is 3 retry attempts.
[edit access radius-server 203.0.113.99] user@host# set retry 4
(Optional) Configure the length of time that the local router or switch waits to receive a response from a RADIUS server. By default, the router or switch waits 3 seconds. You can configure the timeout to be from 1 through 90 seconds.
[edit access radius-server 203.0.113.99] user@host# set timeout 45
Results
From configuration mode, confirm your configuration
by entering the show command.
[edit access]
user@host# show
radius-server {
203.0.113.99 {
secret "$ABC123$ABC123$ABC123"; ## SECRET-DATA
timeout 45;
retry 4;
source-address 203.0.113.1;
}
}
If you are done configuring the device, enter commit from configuration mode.
Configuring RADIUS Server Access Profile
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
edit access profile Access-Profile set authentication-order radius set radius authentication-server 203.0.113.99 set radius accounting-server 203.0.113.99 set accounting order radius set accounting order none set accounting update-interval 120 set accounting statistics volume-time
Step-by-Step Procedure
To configure a RADIUS server access profile:
Create a RADIUS server access profile.
[edit] user@host# edit access profile Access-Profile
Specify the order in which authentication methods are used.
[edit access profile Access-Profile] user@host# set authentication-order radius
Specify the address of the RADIUS server used for authentication and the server used for accounting.
[edit access profile Access-Profile] user@host# set radius authentication-server 203.0.113.99 user@host# set radius accounting-server 203.0.113.99
Configure RADIUS accounting values for the access profile.
[edit access profile Access-Profile] user@host# set accounting order [ radius none ] user@host# set accounting update-interval 120 user@host# set accounting statistics volume-time
Results
From configuration mode, confirm your configuration
by entering the show command.
[edit access]
user@host# show
profile Access-Profile {
authentication-order radius;
radius {
authentication-server 203.0.113.99;
accounting-server 203.0.113.99;
}
accounting {
order [ radius none ];
update-interval 120;
statistics volume-time;
}
}
If you are done configuring the device, enter commit from configuration mode.
Configuring Local Address-Assignment Pools
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
and then copy and paste the commands into the CLI at the [edit] hierarchy level.
edit access address-assignment set pool v4-pool family inet network 203.0.113.161/32 set pool v4-pool family inet range v4-range-0 low 203.0.113.161 set pool v4-pool family inet range v4-range-0 high 203.0.113.255 set pool v4-pool family inet dhcp-attributes maximum-lease-time 99999 set pool v6-ia-na-pool family inet6 prefix 2001:db8:1000:0000::/64 set pool v6-ia-na-pool family inet6 range v6-range-0 low 2001:db8:1000::1/128 set pool v6-ia-na-pool family inet6 range v6-range-0 high 2001:db8:1000::ffff:ffff/128 set pool v6-pd-pool family inet6 prefix 2001:db8:2012::/48 set pool v6-pd-pool family inet6 range v6-pd prefix-length 64
Step-by-Step Procedure
Configure three address-assignment pools for DHCPv4, DHCPv6 IA_NA, and DHCPv6 prefix delegation.
To configure the address-assignment pools:
Configure the address-assignment pool for DHCPv4.
[edit] user@host# edit access address-assignment pool v4-pool user@host# edit family inet user@host# set network 203.0.113.161 user@host# set range v4-range-0 low 203.0.113.161 user@host# set range v4-range-0 high 203.0.113.255 user@host# set dhcp-attributes maximum-lease-time 99999
Configure the address-assignment pool for DHCPv6 IA_NA.
[edit] user@host# edit access address-assignment pool v6-ia-na-pool user@host# edit family inet6 user@host# set prefix 2001:db8:1000:0000::/64 user@host# set range v6-range-0 low 2001:db8:1000::1/128 user@host# set range v6-range-0 high 2001:db8:1000::ffff:ffff/128
Configure the address-assignment pool for DHCPv6 prefix delegation.
[edit] user@host# edit access address-assignment pool v6-pd-pool user@host# edit family inet6 user@host# set prefix 2001:db8:2012::/48 user@host# set range v6-pd prefix-length 64
(Optional) Enable duplicate prefix protection.
[edit access] user@host# set address-protection
Results
From configuration mode, confirm your configuration
by entering the show command.
[edit access]
user@host# show
address-assignment {
pool v4-pool {
family inet {
network 203.0.113.161/32;
range v4-range-0 {
low 203.0.113.161;
high 203.0.113.255;
}
dhcp-attributes {
maximum-lease-time 99999;
}
}
}
pool v6-ia-na-pool {
family inet6 {
prefix prefix 2001:db8:1000:0000::/64 ;
range v6-range-0 {
low 2001:db8:1000::1/128;
high 2001:db8:1000::ffff:ffff/128;
}
}
}
pool v6-pd-pool {
family inet6 {
prefix 2001:db8:2012::/48;
range v6-pd prefix-length 64;
}
}
}
address-protection;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying Active Subscriber Sessions
- Verifying Both IPv4 and IPv6 Address in Correct Routing Instance
- Verifying Dynamic Subscriber Sessions
- Verifying DHCPv6 Address Pools Used for DHCPv6 Prefix Delegation
- Verifying DHCPv6 Address Bindings
- Verifying PPP Options Negotiated with the Remote Peer
Verifying Active Subscriber Sessions
Purpose
Verify active subscriber sessions.
Action
From operational mode, enter the show subscribers
summary command.
user@host>show subscribers summary Subscribers by State Active: 2 Total: 2 Subscribers by Client Type DHCP: 1 PPPoE: 1 Total: 2
Meaning
The fields under Subscribers by State show
the number of active subscribers.
The fields under Subscribers by Client Type show
the number of active DHCP and PPPoE subscriber sessions.
Verifying Both IPv4 and IPv6 Address in Correct Routing Instance
Purpose
Verify that the subscriber has both an IPv4 and IPv6 address and is placed in the correct routing instance.
Action
From operational mode, enter the show subscribers command.
user@host>show subscribers Interface IP Address/VLAN ID User Name LS:RI pp0.1073741825 203.0.113.162 SBRSTATICUSER default:default pp0.1073741825 2001:db8:1000::1 default:default
Meaning
The Interface field shows that two subscriber
sessions are running on the same interface. The IP Address field shows that one session is assigned an IPv4 address, and the
second session is assigned an IPv6 address by DHCPv6 IA_NA.
The LS:RI field shows that the subscriber is placed
in the correct routing instance and that traffic can be sent and received.
Verifying Dynamic Subscriber Sessions
Purpose
Verify dynamic PPPoE and DHCPv6 subscriber sessions. In this example configuration the DHCPv6 subscriber session should be layered over the underlying PPPoE subscriber session.
Action
From operational mode, enter the show subscribers
detail command.
user@host>show subscribers detail Type: PPPoE User Name: SBRSTATICUSER IP Address: 203.0.113.162 IP Netmask: 255.0.0.0 Logical System: default Routing Instance: default Interface: pp0.1073741825 Interface type: Dynamic Dynamic Profile Name: pppoe-subscriber-profile MAC Address: 00:00:5E:00:53:01 State: Active Radius Accounting ID: 2 Session ID: 2 Login Time: 2011-12-08 09:11:41 PST Type: DHCP IPv6 Address: 2001:db8:1000::1 Logical System: default Routing Instance: default Interface: pp0.1073741825 Interface type: Static MAC Address: 00:00:5E:00:53:31 State: Active Radius Accounting ID: 3 Session ID: 3 Underlying Session ID: 2 Login Time: 2011-12-08 09:12:11 PST DHCP Options: len 42 00 08 00 02 0b b8 00 01 00 0a 00 03 00 01 00 01 02 00 00 01 00 06 00 02 00 03 00 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00
Meaning
When a subscriber has logged in and started both an IPv4 and an IPv6 session, the output shows the active underlying PPPoE session and the active DHCPv6 session.
The Session ID field for the PPPoE session is 2.
The Underlying Session ID for the DHCP session is 2, which
shows that the PPPoE session is the underlying session.
Verifying DHCPv6 Address Pools Used for DHCPv6 Prefix Delegation
Purpose
Verify the delegated address pool used for DHCPv6 prefix delegation and the length of the IPv6 prefix that was delegated to the CPE.
Action
From operational mode, enter the show subscribers
extensive command.
user@host>show subscribers extensive Type: PPPoE User Name: SBRSTATICUSER IP Address: 203.0.113.162 IP Netmask: 255.0.0.0 Logical System: default Routing Instance: default Interface: pp0.1073741825 Interface type: Dynamic Dynamic Profile Name: pppoe-subscriber-profile MAC Address: 00:00:5E:00:53:31 State: Active Radius Accounting ID: 2 Session ID: 2 Login Time: 2011-12-08 09:11:41 PST IPv6 Delegated Address Pool: v6-na-pool Type: DHCP IPv6 Address: 2001:db8:1000::1 Logical System: default Routing Instance: default Interface: pp0.1073741825 Interface type: Static MAC Address: 00:00:5E:00:53:31 State: Active Radius Accounting ID: 3 Session ID: 3 Underlying Session ID: 2 Login Time: 2011-12-08 09:12:11 PST DHCP Options: len 42 00 08 00 02 0b b8 00 01 00 0a 00 03 00 01 00 01 02 00 00 01 00 06 00 02 00 03 00 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 IPv6 Delegated Address Pool: v6-na-pool IPv6 Delegated Network Prefix Length: 64
Meaning
The IPv6 Delegated Address Pool field shows
the name of the pool that DHCPv6 used to assign the IPv6 address for
this subscriber session.
Verifying DHCPv6 Address Bindings
Purpose
Display the address bindings in the client table on the DHCPv6 local server.
Action
From operational mode, enter the show dhcpv6 server
binding detail command.
user@host>show dhcpv6 server binding detail
Session Id: 580547
Client IPv6 Address: 2001:db8:1000::4/128
Client DUID: LL0x1-00:01:02:00:00:01
State: BOUND(DHCPV6_LOCAL_SERVER_STATE_BOUN
D)
Lease Expires: 2012-01-05 07:06:04 PST
Lease Expires in: 82943 seconds
Lease Start: 2012-01-04 07:06:04 PST
Last Packet Received: 2012-01-04 07:06:04 PST
Incoming Client Interface: pp0.1073926645
Server Ip Address: 0.0.0.0
Client Pool Name: v6-na-pool-0
Client Id Length: 10
Client Id: /0x00030001/0x00010200/0x0001
Meaning
The Client IPv6 Address field shows the /128 address that was assigned to the CPE WAN link using DHCPv6 IA_NA.
The Client Pool Name field shows the name of the address pool that was used to assign the Client IPv6 Address.
Verifying PPP Options Negotiated with the Remote Peer
Purpose
Verify PPP options negotiated with the remote peer.
Action
From operational mode, enter the show ppp interface interface extensive command.
user@host>show ppp interface pp0.1073741825 extensive
Session pp0.1073926645, Type: PPP, Phase: Network
LCP
State: Opened
Last started: 2012-01-04 07:05:33 PST
Last completed: 2012-01-04 07:05:33 PST
Negotiated options:
Authentication protocol: pap, Magic number: 191301485, Local MRU: 1492,
Peer MRU: 65531
Authentication: PAP
State: Grant
Last started: 2012-01-04 07:05:33 PST
Last completed: 2012-01-04 07:05:33 PST
IPCP
State: Opened
Last started: 2012-01-04 07:05:34 PST
Last completed: 2012-01-04 07:05:34 PST
Negotiated options:
Local address: 203.0.113.1, Remote address: 203.0.113.162
IPV6CP
State: Opened
Last started: 2012-01-04 07:05:34 PST
Last completed: 2012-01-04 07:05:34 PST
Negotiated options:
Local interface identifier: 2a0:a50f:fc71:e049,
Remote interface identifier: 201:2ff:fe00:1
Meaning
The output shows the PPP options that were negotiated with the remote peer.
Under IPCP, the Negotiated options field shows the
IPv4 local and remote addresses that were negotiated by IPCP.
Under IPV6CP, the Negotiated options field shows
the IPv6 local and remote interface identifier that were negotiated
by IPv6CP.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.