Re: [j-nsp] MX BNG with both local server and dhcp relay
I didn't have any v6-specific issues with DHCP relay in Junos 21.4. If you're going to rely on option-82, consider to turn on proxy mode. Without it Junos didn't update Circuit-ID in RENEW packets sent unicast from clients to DHCP server. Although it could be fixed in last releases, worth to check. Kind regards, Andrey Dave Bell писал(а) 2023-01-13 04:10: Thanks Andrey, Yes, I believe you are correct. You can't switch from using local DHCP server in the global routing table to DHCP relay once authenticated in a different VRF. I can split my services onto different interfaces coming into the BNG, though since you need to decapsulate them first, they end up on the same demux interface anyway. I analysed a lot of traceoptions and packet captures. My relay didn't receive a single packet, and the logs indicated that it was not looking for DHCP configuration in my VRF that has forwarding configured. I think my only option is to move everything over to DHCP forwarding in all cases, though this seems quite flaky for v6... Regards, Dave ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX BNG with both local server and dhcp relay
Thanks Andrey, Yes, I believe you are correct. You can't switch from using local DHCP server in the global routing table to DHCP relay once authenticated in a different VRF. I can split my services onto different interfaces coming into the BNG, though since you need to decapsulate them first, they end up on the same demux interface anyway. I analysed a lot of traceoptions and packet captures. My relay didn't receive a single packet, and the logs indicated that it was not looking for DHCP configuration in my VRF that has forwarding configured. I think my only option is to move everything over to DHCP forwarding in all cases, though this seems quite flaky for v6... Regards, Dave On Tue, 10 Jan 2023 at 15:13, Andrey Kostin wrote: > Hi Dave, > > Don't have experience with your specific case, just a common sense > speculation. When you configure local dhcp server it usually specifies a > template interface, like demux0.0, pp0.0, psX.0. Probably in your case a > conflict happens when junos tries to enable both server and relay on the > same subscriber interface. Maybe if you could dynamically enable dhcp > server or relay for a particular subscriber interface it could solve the > issue. Regarding interface separation, I'm not sure if it's possible to > have more than one demux or pp interface, I believe only demux0 is > supported. With ps interfaces you however can have many of them and if > you can aggregate subscribers to pseudowires by service, you could > enable dhcp server or relay depending on psX interface. However, > pseudowires might be not needed and excessive for your design. > Did you try to analyze DHCP and AAA traceoptions and capture DHCP > packets, BTW? > > Kind regards, > Andrey > > Dave Bell via juniper-nsp писал(а) 2023-01-05 08:50: > > Hi, > > > > I'm having issues with DHCP relay on a Juniper MX BNG, and was > > wondering if > > anyone had an insight on what may be the cause of my issue. > > > > I've got subscribers terminating on the MX, authenticated by RADIUS, > > and > > then placed into a VRF to get services. In the vast majority of cases > > the > > IP addressing information is passed back by RADIUS, and so I'm using > > the > > local DHCP server on the MX to deal with that side of things. > > > > In one instance I require the use of an external DHCP server. I've got > > the > > RADIUS server providing an Access-Accept for this subscriber, and also > > returning the correct VRF in which to terminate the subscriber. I've > > also > > tried passing back the external DHCP server via RADIUS. > > > > In the VRF, I've got the DHCP relay configured, and there is > > reachability > > to the appropriate server > > > > The MX however seems reluctant to actually forward DHCP requests to > > this > > server. From the logging, I can see that the appropriate attributes are > > received and correctly decoded. The session gets relocated into the > > correct > > routing instance, but then it tries to look for a local DHCP server. > > > > I have the feeling that my issues are due to trying to use both the > > local > > DHCP server and DHCP relay depending on the subscriber scenario. If I > > change the global configuration of DHCP from local server to DHCP > > relay, my > > configuration works as expected though with the detriment of the > > scenario > > where the attributes returned via RADIUS no longer work due to it not > > being > > able to find a DHCP relay. > > > > Since the MX decides how to authenticate the subscriber based on where > > the > > demux interface is configured, I think ideally I would need to create a > > different demux interface for these type of subscribers that I can then > > set > > to be DHCP forwarded, thought I don't seem to be able to convince the > > router to do that yet. > > > > Has anyone come across this, and found a workable solution? > > > > Regards, > > Dave > > ___ > > juniper-nsp mailing list juniper-nsp@puck.nether.net > > https://puck.nether.net/mailman/listinfo/juniper-nsp > > ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] MX BNG with both local server and dhcp relay
Hi Dave, Don't have experience with your specific case, just a common sense speculation. When you configure local dhcp server it usually specifies a template interface, like demux0.0, pp0.0, psX.0. Probably in your case a conflict happens when junos tries to enable both server and relay on the same subscriber interface. Maybe if you could dynamically enable dhcp server or relay for a particular subscriber interface it could solve the issue. Regarding interface separation, I'm not sure if it's possible to have more than one demux or pp interface, I believe only demux0 is supported. With ps interfaces you however can have many of them and if you can aggregate subscribers to pseudowires by service, you could enable dhcp server or relay depending on psX interface. However, pseudowires might be not needed and excessive for your design. Did you try to analyze DHCP and AAA traceoptions and capture DHCP packets, BTW? Kind regards, Andrey Dave Bell via juniper-nsp писал(а) 2023-01-05 08:50: Hi, I'm having issues with DHCP relay on a Juniper MX BNG, and was wondering if anyone had an insight on what may be the cause of my issue. I've got subscribers terminating on the MX, authenticated by RADIUS, and then placed into a VRF to get services. In the vast majority of cases the IP addressing information is passed back by RADIUS, and so I'm using the local DHCP server on the MX to deal with that side of things. In one instance I require the use of an external DHCP server. I've got the RADIUS server providing an Access-Accept for this subscriber, and also returning the correct VRF in which to terminate the subscriber. I've also tried passing back the external DHCP server via RADIUS. In the VRF, I've got the DHCP relay configured, and there is reachability to the appropriate server The MX however seems reluctant to actually forward DHCP requests to this server. From the logging, I can see that the appropriate attributes are received and correctly decoded. The session gets relocated into the correct routing instance, but then it tries to look for a local DHCP server. I have the feeling that my issues are due to trying to use both the local DHCP server and DHCP relay depending on the subscriber scenario. If I change the global configuration of DHCP from local server to DHCP relay, my configuration works as expected though with the detriment of the scenario where the attributes returned via RADIUS no longer work due to it not being able to find a DHCP relay. Since the MX decides how to authenticate the subscriber based on where the demux interface is configured, I think ideally I would need to create a different demux interface for these type of subscribers that I can then set to be DHCP forwarded, thought I don't seem to be able to convince the router to do that yet. Has anyone come across this, and found a workable solution? Regards, Dave ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] MX BNG with both local server and dhcp relay
Hi, I'm having issues with DHCP relay on a Juniper MX BNG, and was wondering if anyone had an insight on what may be the cause of my issue. I've got subscribers terminating on the MX, authenticated by RADIUS, and then placed into a VRF to get services. In the vast majority of cases the IP addressing information is passed back by RADIUS, and so I'm using the local DHCP server on the MX to deal with that side of things. In one instance I require the use of an external DHCP server. I've got the RADIUS server providing an Access-Accept for this subscriber, and also returning the correct VRF in which to terminate the subscriber. I've also tried passing back the external DHCP server via RADIUS. In the VRF, I've got the DHCP relay configured, and there is reachability to the appropriate server The MX however seems reluctant to actually forward DHCP requests to this server. From the logging, I can see that the appropriate attributes are received and correctly decoded. The session gets relocated into the correct routing instance, but then it tries to look for a local DHCP server. I have the feeling that my issues are due to trying to use both the local DHCP server and DHCP relay depending on the subscriber scenario. If I change the global configuration of DHCP from local server to DHCP relay, my configuration works as expected though with the detriment of the scenario where the attributes returned via RADIUS no longer work due to it not being able to find a DHCP relay. Since the MX decides how to authenticate the subscriber based on where the demux interface is configured, I think ideally I would need to create a different demux interface for these type of subscribers that I can then set to be DHCP forwarded, thought I don't seem to be able to convince the router to do that yet. Has anyone come across this, and found a workable solution? Regards, Dave ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
