DHCP Implementation Guide - 0.1


Application Note

JUNOS DHCP Implementation Guide

Contents
1. Introduction
2. Overview
3. Configuration
  3.1. Licensing
  3.2. DHCP Local Server
  3.3. DHCP Relay
  3.4. RADIUS Configuration
  3.5. Interface Configuration
    3.5.1. Static Subscriber Interfaces
    3.5.2. Dynamic Subscriber Interfaces
  3.6. Dynamic Profiles & COS for DHCP Subscriber
  3.7. DHCP Layer 3 Wholesale Network
4. References
5. About Juniper Networks

© Juniper Networks, Inc. 1



1. Introduction
This implementation guide covers the configuration and use of Dynamic Host Configuration Protocol in a subscriber
access network on the MX series of Juniper Networks Edge Routers. Subscriber management is the process by which a
network identifies a subscriber and applies the appropriate service levels and privileges.

A subscriber access environment can include various components, including subscriber access technologies and
authentication protocols. The subscriber access technologies include Dynamic Host Configuration Protocol (DHCP) and
Point-to-Point Protocol (PPP). The subscriber authentication protocols include the RADIUS server.

A subscriber service is based on the combination of a defined dynamic profile and attributes configured through
authentication. Dynamic profiles can include dynamic firewall filters, class-of-service (CoS) settings and Internet Group
Management Protocol (IGMP) settings that define access limits for subscribers and the scope of a service granted to the
subscriber once access is obtained.

This document walks through how the MX Broadband Services Router is configured for subscriber management. It first
gives a brief technology and protocol overview. Then, it walks through the configuration steps including licenses, static
and dynamic interfaces, DHCP local server, DHCP relay, AAA and RADIUS, address assignment and access profiles. It also
provides an implementation example with detailed topology and configurations.

2. Overview
Configuring DHCP Subscriber Access on the MX is a lengthy topic with many variations and options. This document
highlights the major steps required and presents a few scenarios.

Major steps:

1. Ensure Licensing
2. Configure DHCP Local server or DHCP Relay
3. Configure RADIUS and server options
4. Configure Interfaces – Static & Dynamic
5. Configure a Basic Dynamic Profile
6. Configure COS
7. Example: DHCP Layer 3 Wholesale Network


Figure 1: DHCP Subscriber Access Environment

3. Configuration

3.1. Licensing
To enable certain features for JUNOS Subscriber access, licenses must be purchased and applied to the router.
Below is an example of installing a 4k Subscriber Scaling license:

lab@MX480> request system license add terminal


[Type ^D at a new line to end input,
enter blank line between each license key]
E000185416 aeaqeb abcdef okd5wl ycwobu cde54f 3ww6zb xoarhs afg5jk oqkg7k tv5d6f
lzxr5r offxcs odrwip cs7i
E000185416: successfully added
add license complete (no errors)

lab@MX480> show system license

License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  subscriber-accounting                 1            0           1    invalid
  subscriber-address-assignment         1            0           1    invalid
  scale-subscriber                      0         4000           0    permanent
  scale-l2tp                            0         1000           0    permanent
  scale-mobile-ip                       0         1000           0    permanent

Licenses installed:
  License identifier: E000185416
  License version: 2
  Features:
    scale-subscriber-4k - Subscriber Tier 1K - 4K
      permanent

MX subscriber access, scaling, service management and secure policy licenses can be found in KB13408:
http://kb.juniper.net/index?page=content&id=KB13408

3.2. DHCP Local Server


The MX router can be configured to function as an extended DHCP local server which provides an IP address and
other configuration information in response to a client request. The extended DHCP local server enhances traditional
DHCP server operation in which the client address pool and client configuration information reside on the DHCP
server. With the extended DHCP local server, the client address and configuration information reside in centralized
address-assignment pools, which are managed independently of the DHCP local server and which can be shared by
different client applications.

The following example creates a server group dhcp_group1, and enables the DHCP local server on interface
ge-0/0/1.0 within the group.

[edit system services]
dhcp-local-server {
    group dhcp_group1 {
        interface ge-0/0/1.0;
    }
    pool-match-order {
        ip-address-first;
        option-82;
    }
}

[edit access]
address-assignment {
    pool isp1 {
        family inet {
            network 192.168.0.0/16;
            range southeast {
                low 192.168.102.2;
                high 192.168.102.254;
            }
            range northeast {
                low 192.168.119.2;
                high 192.168.119.250;
            }
            host svale6.boston.net {
                hardware-address 90:00:00:01:00:01;
                ip-address 192.168.44.12;
            }
            dhcp-attributes {
                maximum-lease-time 18000;
                domain-name test.com;
                name-server {
                    8.8.8.8;
                }
                router {
                    192.168.44.44;
                    192.168.44.45;
                }
            }
        }
    }
}

NOTE: Further details can be found here:
http://www.juniper.net/techpubs/en_US/junos11.1/information-products/pathway-pages/subscriber-access/dhcp/subscriber-management-dhcp-local.html#configuration

3.3. DHCP Relay


The router can be configured to function as a DHCP relay agent which forwards DHCP request and reply packets
between a DHCP client and a DHCP server.

An active server group allows configuration of a common set of parameters to a named group of DHCP server
addresses. Group specific options include:

- active-server-group
- authentication
- dynamic-profile
- interface
- overrides
- relay-option-60 (DHCP vendor class identifier)
- relay-option-82

By default the gateway IP address (giaddr) field in packets is forwarded between a DHCP client and DHCP server.
This field can be overwritten with the gateway of the DHCP relay agent before forwarding to the DHCP server.

[edit forwarding-options]
dhcp-relay {
    server-group {
        isp1 {
            192.168.2.1;
            192.168.2.2;
        }
    }
    active-server-group isp1;
    overrides {
        always-write-giaddr;
        always-write-option-82;
        layer2-unicast-replies;
    }
    group clients_a {
        interface ge-0/0/1.0;
    }
}

NOTE: Further details can be found here:
http://www.juniper.net/techpubs/en_US/junos11.1/information-products/pathway-pages/subscriber-access/dhcp/subscriber-management-dhcp-relay.html#configuration
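
The effect of the always-write-giaddr and always-write-option-82 overrides on a client packet, as an added Python model (not Juniper code and not part of the original guide). It assumes the relay inserts option 82 with a circuit ID; the relay address 192.168.2.254, the circuit ID value and the sample packet are constructed for illustration.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
GIADDR = slice(24, 28)        # position of giaddr inside the BOOTP header
OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255

def parse_options(raw):
    """Decode DHCP options into an ordered list of (code, value) pairs."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated DHCP option")
        opts.append((raw[i], raw[i + 2:i + 2 + raw[i + 1]]))
        i += 2 + raw[i + 1]
    return opts

def split_packet(pkt):
    """Return (mutable BOOTP header, option list) or raise if this is not DHCP."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    return bytearray(pkt[:236]), parse_options(pkt[240:])

def build_packet(header, opts):
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts)
    return bytes(header) + MAGIC + body + bytes([OPT_END])

def relay_to_server(pkt, relay_ip, circuit, always_write_giaddr, always_write_option_82):
    """Model of the rewrite applied before a client packet is forwarded to the server."""
    header, opts = split_packet(pkt)
    if always_write_giaddr or header[GIADDR] == bytes(4):
        header[GIADDR] = ipaddress.IPv4Address(relay_ip).packed
    present = any(code == OPT_RELAY_INFO for code, _ in opts)
    if always_write_option_82 or not present:
        # Clear whatever arrived, then insert sub-option 1 (Agent Circuit ID).
        opts = [(c, v) for c, v in opts if c != OPT_RELAY_INFO]
        opts.append((OPT_RELAY_INFO, bytes([1, len(circuit)]) + circuit))
    return build_packet(header, opts)

def giaddr(pkt):
    return str(ipaddress.IPv4Address(bytes(split_packet(pkt)[0][GIADDR])))

def circuit_id(pkt):
    """Agent Circuit ID from the first option 82 in the packet, or None."""
    for code, val in split_packet(pkt)[1]:
        if code == OPT_RELAY_INFO and len(val) >= 2 and val[0] == 1:
            return val[2:2 + val[1]]
    return None

# Constructed sample: a DISCOVER that reaches the subscriber port with giaddr and
# option 82 already filled in by the client side.
_hdr = bytearray(236)
_hdr[0:4] = bytes([1, 1, 6, 0])                  # BOOTREQUEST, Ethernet, hlen 6, hops 0
_hdr[GIADDR] = ipaddress.IPv4Address("10.66.66.1").packed
SAMPLE = build_packet(_hdr, [(53, b"\x01"), (OPT_RELAY_INFO, b"\x01\x07forged1")])

if __name__ == "__main__":
    for on in (False, True):
        out = relay_to_server(SAMPLE, "192.168.2.254", b"ge-0/0/1.0", on, on)
        print(f"overrides={on}: giaddr={giaddr(out)} circuit-id={circuit_id(out)}")
```

With the overrides off, the server sees the values the packet arrived with; with them on, it sees only what the relay wrote, which is what pool selection and subscriber identification should be based on.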

3.4. RADIUS Configuration


One or more RADIUS authentication servers can be configured for subscriber access management and accounting.

[edit access]
radius-server {
    192.168.1.250 {
        port 1812;
        accounting-port 1813;
        retry 3;
        secret "&tIUEI*7688+";
        source-address 192.168.1.100;
        timeout 45;
    }
    192.168.1.251 {
        port 1812;
        accounting-port 1813;
        retry 3;
        secret "&Dyu*UY(877+";
        source-address 192.168.1.100;
        timeout 30;
    }
}
profile isp-1 {
    radius {
        authentication-server 192.168.1.251;
        accounting-server 192.168.1.250;
    }
}

NOTE: Further details can be found here:
http://www.juniper.net/techpubs/en_US/junos11.1/topics/example/aaa-subscriber-access-radius-authentication-accounting.html

3.5. Interface Configuration


3.5.1. Static Subscriber Interfaces
Subscribers can be configured to be identified either statically or dynamically. To identify subscribers statically,
you can reference a static VLAN interface in a dynamic profile.

1. Configure the static VLAN interface and enable VLAN tagging.

[edit interfaces]
ge-5/0/0 {
    vlan-tagging;
}

2. Configure the units and assign the VLAN IDs.

[edit interfaces ge-5/0/0]
unit 1 {
    proxy-arp;
    vlan-id 1;
    family inet {
        unnumbered-address lo0.0 preferred-source-address 192.1.1.1;
    }
}
unit 2 {
    proxy-arp;
    vlan-id 2;
    family inet {
        unnumbered-address lo0.0 preferred-source-address 192.1.1.1;
    }
}

3. Associate the static subscriber interface in a dynamic profile.

Subscribers can also be configured by creating sets of IP demux interfaces that are not referenced in a dynamic
profile. IP demultiplexing (demux) interfaces are logical interfaces that share a common, underlying logical
interface. IP demux interfaces can be used to identify specific subscribers or to separate individual circuits.

To configure a group of static IP demux interfaces:

1. Configure the interface set.


interfaces {
    interface-set demux-set {
        interface demux0 {
            unit 0;
            unit 1;
        }
    }
}

2. Define the units of the interface set.


demux0 {
    unit 0 {
        demux-options {
            underlying-interface ge-2/0/1.1;
        }
        family inet {
            demux-source {
                1.1.1.0/24;
            }
            address 1.1.1.1/24;
        }
    }
    unit 1 {
        demux-options {
            underlying-interface ge-2/0/1.1;
        }
        family inet {
            demux-source {
                1.1.2.0/24;
            }
            address 1.1.2.1/24;
        }
    }
}

3.5.2. Dynamic Subscriber Interfaces


To identify subscribers dynamically, you create variables for demux interfaces that are dynamically created by
DHCP when subscribers log in.

A basic profile must contain a profile name and have both an interface variable name (such as
$junos-interface-ifd-name) included at the [edit dynamic-profiles profile-name interfaces] hierarchy level and a
logical interface variable name (such as $junos-underlying-interface-unit or $junos-interface-unit) at the
[edit dynamic-profiles profile-name interfaces variable-interface-name unit] hierarchy level.

To configure subscribers on dynamic IP demux interfaces:

1. Configure the static VLAN as the underlying interface.


interfaces {
    ge-0/3/0 {
        vlan-tagging;
        unit 0 {
            vlan-id 0;
            demux-source inet;
            family inet {
                unnumbered-address lo0.0;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 90.1.1.1/24;
            }
        }
    }
}

2. Configure the creation of demux interfaces in the dynamic profile.

dynamic-profiles {
    subscriber-profile {
        interfaces {
            demux0 {
                "$junos-interface-ifd-name" {
                    unit "$junos-interface-unit" {
                        demux-options {
                            underlying-interface "$junos-underlying-interface";
                        }
                        family inet {
                            demux-source {
                                $junos-subscriber-ip-address;
                            }
                            filter {
                                input ingressFilter;
                                output egressFilter;
                            }
                            mac-validate loose;
                        }
                    }
                }
            }
        }
    }
}

3.6. Dynamic Profiles & COS for DHCP Subscriber


Dynamic profiles consist of a set of parameters which are defined in a template manner to define dynamic access and
services for broadband subscribers. Subscribers can be identified statically or dynamically for use with dynamic
profiles. For identification of static subscribers, a static VLAN interface is referenced in a dynamic profile. For dynamic
subscribers, variables are created for demux interfaces that are dynamically created when subscribers log in.

The following example uses dynamic profiles to assign DHCP subscribers to tiered service levels:

http://www.juniper.net/techpubs/en_US/junos11.1/topics/example/subscriber-management-tiered-service.html

Excerpted from the above link:

The profile contains three services:

Gold—Subscribers that pay for this service are allocated 10M bandwidth for data, voice, and video services.

Silver—Subscribers that pay for this service are allocated 5M bandwidth for data, voice, and video services.

Bronze—Subscribers that pay for this service are allocated 1M bandwidth for the data service only.

Each subscriber is allocated a VLAN that is created statically. Subscribers log in using DHCP and authenticate using RADIUS. The
subscribers can migrate from one service to another when they change subscriptions.

To configure a profile for a tiered service:

1. Configure the VLAN interfaces associated with each subscriber. Enable hierarchical scheduling for the
interface.

interfaces {
    ge-2/0/0 {
        description subscribers;
        hierarchical-scheduler;
        stacked-vlan-tagging;
        unit 1 {
            vlan-tags outer 100 inner 100;
            family inet {
                unnumbered-address lo0.0 preferred-source-address 100.0.0.1;
            }
        }
        unit 2 {
            vlan-tags outer 101 inner 101;
            family inet {
                unnumbered-address lo0.0 preferred-source-address 100.0.0.1;
            }
        }
        unit 3 {
            vlan-tags outer 102 inner 102;
            family inet {
                unnumbered-address lo0.0 preferred-source-address 100.0.0.1;
            }
        }
    }
}

2. Configure the static CoS parameters.

In this example, each offering (video, voice, and data) is assigned a queue, and each service (Gold, Silver, and
Bronze) is assigned a scheduler.

class-of-service {
    forwarding-classes {
        queue 0 data;
        queue 1 voice;
        queue 3 video;
    }
    scheduler-maps {
        bronze_service_smap {
            forwarding-class data scheduler data_sch;
        }
        silver_service_smap {
            forwarding-class data scheduler data_sch;
            forwarding-class voice scheduler silver_voice_sch;
            forwarding-class video scheduler silver_video_sch;
        }
        gold_service_smap {
            forwarding-class data scheduler data_sch;
            forwarding-class voice scheduler gold_voice_sch;
            forwarding-class video scheduler gold_video_sch;
        }
    }
    schedulers {
        data_sch {
            transmit-rate percent 20;
            buffer-size remainder;
            priority low;
        }
        silver_voice_sch {
            transmit-rate percent 30;
            buffer-size remainder;
            priority high;
        }
        silver_video_sch {
            transmit-rate percent 30;
            buffer-size remainder;
            priority medium;
        }
        gold_voice_sch {
            transmit-rate percent 40;
            buffer-size remainder;
            priority high;
        }
        gold_video_sch {
            transmit-rate percent 40;
            buffer-size remainder;
            priority medium;
        }
    }
}

3. Configure the dynamic profile for the service.

The scheduler maps configured for each service are referenced in the dynamic profile.

dynamic-profiles {
    subscriber_profile {
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-underlying-interface-unit" {
                    family inet;
                }
            }
        }
        class-of-service {
            traffic-control-profiles {
                subscriber_tcp {
                    scheduler-map $smap;
                    shaping-rate $shaping-rate;
                    guaranteed-rate $guaranteed-rate;
                    delay-buffer-rate $delay-buffer-rate;
                }
            }
            interfaces {
                "$junos-interface-ifd-name" {
                    unit "$junos-underlying-interface-unit" {
                        output-traffic-control-profile subscriber_tcp;
                    }
                }
            }
        }
    }
}
4. Configure access for the subscribers.


The DHCP relay agent forwards DHCP request and reply packets between a DHCP client and a DHCP server.
You use DHCP relay to obtain configuration parameters, including an IP address, for subscribers. In this example,
one DHCP server, address 100.20.42.1, can be used by subscribers.

The DHCP relay configuration is attached to an active server group named service_provider_group.

The subscribers are grouped together within subscriber_group, which identifies characteristics such as
authentication, username info, and the associated interfaces for the group members. In this example, it also
identifies the active server group and the dynamic interface that is used by the subscribers in the group.

forwarding-options {
    dhcp-relay {
        server-group {
            service_provider_group {
                100.20.42.1;
            }
        }
        group subscriber_group {
            active-server-group service_provider_group;
            dynamic-profile subscriber_profile;
            interface ge-2/0/0.1;
            interface ge-2/0/0.2;
            interface ge-2/0/0.3;
        }
    }
}

3.7. DHCP Layer 3 Wholesale Network


Layer 3 Wholesale refers to the partitioning of an access network from an access network provider (wholesaler) into separately
manageable and accountable subscriber segments for resale by retail network service providers.

NOTE: This section is excerpted from the JUNOS Broadband Subscriber Management Solutions Guide. Full details are provided
over multiple chapters here:
http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topic-collections/subscriber-mgmt-solutions/broadband-subscriber-mgmt-solutions.pdf

dynamic-profiles {
    Wholesaler_Profile {
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet {
                        demux-source {
                            $junos-subscriber-ip-address;
                        }
                        filter {
                            input "$junos-input-filter";
                        }
                        unnumbered-address "$junos-loopback-interface" preferred-source-address $junos-preferred-source-address;
                    }
                }
            }
        }
    }
}

dynamic-profiles {
    Subscriber_Profile_Retailer1 {
        routing-instances {
            "$junos-routing-instance" {
                interface "$junos-interface-name";
            }
        }
        interfaces {
            demux0 {
                unit "$junos-interface-unit" {
                    demux-options {
                        underlying-interface "$junos-underlying-interface";
                    }
                    family inet {
                        demux-source {
                            "$junos-subscriber-ip-address";
                        }
                        unnumbered-address "$junos-loopback-interface" preferred-source-address "$junos-preferred-source-address";
                    }
                }
            }
        }
    }
}

forwarding-options {
    dhcp-relay {
        traceoptions {
            file size 1g;
            inactive: flag all;
        }
        authentication {
            password psswd;
            username-include {
                user-prefix WholesaleNetwork;
            }
        }
        dynamic-profile Wholesaler_Profile;
        overrides {
            always-write-giaddr;
            always-write-option-82;
            layer2-unicast-replies;
            trust-option-82;
            client-discover-match;
        }
        server-group {
            Wholesaler-Server-Group {
                192.168.100.1;
            }
        }
        active-server-group Wholesaler-Server-Group;
        group Wholesaler-Group {
            authentication {
                password psswd;
                username-include {
                    user-prefix WholesaleNetwork;
                }
            }
            interface ge-2/3/0.1;
        }
        group Retailer1-Group {
            authentication {
                password psswd1;
                username-include {
                    user-prefix WholesaleNetwork_Retailer1;
                }
            }
            interface ge-2/3/0.2;
        }
        group Retailer2-Group {
            authentication {
                password psswd2;
                username-include {
                    user-prefix WholesaleNetwork_Retailer2;
                }
            }
            interface ge-2/3/0.3;
        }
    }
}

routing-instances {
    Retailer_Instance1 {
        instance-type vrf;
        access-profile Retailer_Access1;
        interface ge-11/1/9.10;
        interface ge-11/1/10.100;
        interface lo0.1;
        route-distinguisher 1:1;
        forwarding-options {
            dhcp-relay {
                authentication {
                    password psswd1;
                    username-include {
                        user-prefix WholesaleNetwork_Retailer1;
                    }
                }
                dynamic-profile Subscriber_Profile_Retailer1;
                overrides {
                    always-write-giaddr;
                    always-write-option-82;
                    layer2-unicast-replies;
                    trust-option-82;
                    client-discover-match;
                }
                server-group {
                    Retailer1-Server-Group {
                        10.10.100.1;
                    }
                }
                active-server-group Retailer1-Server-Group;
                group Retailer1-Group {
                    authentication {
                        password psswd1;
                        username-include {
                            user-prefix WholesaleNetwork_Retailer1;
                        }
                    }
                    dynamic-profile Subscriber_Profile_Retailer1;
                    overrides {
                        always-write-giaddr;
                        trust-option-82;
                        client-discover-match;
                    }
                    interface ge-2/3/0.2;
                }
            }
        }
    }
    Retailer_Instance2 {
        instance-type vrf;
        access-profile Retailer_Access2;
        interface ge-7/1/9.10;
        interface ge-7/1/9.100;
        interface lo0.2;
        route-distinguisher 2:2;
        forwarding-options {
            dhcp-relay {
                authentication {
                    password psswd2;
                    username-include {
                        user-prefix WholesaleNetwork_Retailer2;
                    }
                }
                dynamic-profile Subscriber_Profile_Retailer2;
                overrides {
                    always-write-giaddr;
                    trust-option-82;
                    client-discover-match;
                }
                server-group {
                    Retailer2-Group {
                        10.20.200.1;
                    }
                }
                active-server-group Retailer2-Group;
                group Retailer2-Group {
                    authentication {
                        password psswd2;
                        username-include {
                            user-prefix WholesaleNetwork_Retailer2;
                        }
                    }
                    dynamic-profile Subscriber_Profile_Retailer2;
                    overrides {
                        always-write-giaddr;
                        trust-option-82;
                        client-discover-match;
                    }
                    interface ge-2/3/0.3;
                }
            }
        }
    }
}
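
In the wholesale configuration above, each DHCP relay group carries its own user-prefix in the username sent for authentication, so a prefix copied from one retailer's group into another's blurs the segments that are meant to stay separately accountable. The following pre-commit check is an added example (not part of the Juniper guide): a small Python parser for curly-brace Junos configuration that reports prefixes shared between groups and groups whose prefix differs between hierarchy levels. The function names and the sample configuration, which contains one deliberate copy-paste slip, are constructed for illustration.

```python
import re
from collections import defaultdict

def parse_junos(text):
    """Parse curly-brace Junos configuration into nested dicts (leaf statements map to None)."""
    root = {}
    stack, words = [root], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            if len(stack) == 1 or words:
                raise ValueError("unbalanced braces")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unbalanced braces")
    return root

def leaf(node, keyword):
    """Value of a 'keyword value;' statement directly under node, or None."""
    return next((s.split(" ", 1)[1] for s in node if s.startswith(keyword + " ")), None)

def relay_groups(tree, path=""):
    """Yield (hierarchy, group, user_prefix) for each group under any dhcp-relay stanza."""
    for key, child in tree.items():
        if not isinstance(child, dict):
            continue
        if key == "dhcp-relay":
            for name, body in child.items():
                if name.startswith("group ") and isinstance(body, dict):
                    auth = body.get("authentication") or {}
                    include = auth.get("username-include") or {}
                    yield path, name[6:], leaf(include, "user-prefix") or "<none>"
        yield from relay_groups(child, f"{path}/{key}")

def audit_prefixes(text):
    """Findings: prefixes shared by several groups, and groups seen with several prefixes."""
    by_prefix, by_group = defaultdict(set), defaultdict(set)
    for _, group, prefix in relay_groups(parse_junos(text)):
        by_prefix[prefix].add(group)
        by_group[group].add(prefix)
    findings = [("shared-prefix", p, sorted(g)) for p, g in by_prefix.items() if len(g) > 1]
    findings += [("inconsistent-group", g, sorted(p)) for g, p in by_group.items() if len(p) > 1]
    return sorted(findings)

# Constructed sample: Retailer2-Group reuses Retailer1's prefix at the top level.
SAMPLE = """
forwarding-options { dhcp-relay {
  group Wholesaler-Group { authentication { username-include { user-prefix WholesaleNetwork; } } }
  group Retailer1-Group { authentication { username-include { user-prefix WholesaleNetwork_Retailer1; } } }
  group Retailer2-Group { authentication { username-include { user-prefix WholesaleNetwork_Retailer1; } } }
} }
routing-instances { Retailer_Instance2 { forwarding-options { dhcp-relay {
  group Retailer2-Group { authentication { username-include { user-prefix WholesaleNetwork_Retailer2; } } }
} } } }
"""

if __name__ == "__main__":
    print(*audit_prefixes(SAMPLE), sep="\n")
```

Because the parser rejects unbalanced braces, the same script also catches a stanza that lost a closing brace when it was pasted between documents.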

4. References
http://www.juniper.net/techpubs/en_US/junos11.1/information-products/topic-collections/subscriber-mgmt-solutions/broadband-subscriber-mgmt-solutions.pdf


5. About Juniper Networks


Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network
infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and
applications over a single network. This fuels high-performance businesses. Additional information can be found at
www.juniper.net.
