Multiple client IPs in dynamic stacked VLANs+RADIUS+DHCPD environment

‎09-12-2013 01:25 PM

I am having an issue that I think may be "as designed", but I am hoping to confirm.  I thought I would check here first and then engage J-TAC if need be.


Having followed the Day One book for Subscriber Management, I have arrived at a config that works well.  I'm using ISC DHCPD and FreeRADIUS with the daloRADIUS front end.  I am using the Option 82 agent.remote-id from our Calix system as the username our MX480 sends to RADIUS.  There are tagged VSAs involved for setting shaping and ingress policing.  Everything is working nicely, including using CoAs to set new shaping/policing parameters.  The idea is that I want to empower our CSRs to assign new bandwidth packages to subscribers without having to have our techs rebuild VLAN-IFs on our Calix gear.


Here is where I run into trouble.  While I do not plan to assign more than one IP to each subscriber, I've noticed that even without any limit set on the number of leases per client, a second client on an ONT cannot get an IP.  The RADIUS auth is successful and the external DHCP server offers an IP (which the MX480 happily passes to the client), but when dhclient requests that IP, it gets a NACK from the MX480.


The one thing that stands out when this happens is that jdhcpd logs the following:


Sep 12 12:30:02.128865 [ERROR][default:default][RLY][INET][ge-0/0/4.1073866931][SID=3453717] proflib_cb_handler: Profile Addition NACK (FAILED) - res 7, Errored daemon "cosd", msg "Invalid configuration", retry "FALSE"


In this case, ge-0/0/4.1073866931 is the subinterface created for the first client, while 3453717 is the session-id for the client who gets the NACK. (first client has a different session ID)


My suspicion is that this is part and parcel of dynamic VLANs on the platform.  i.e., that I cannot have two DHCP clients associated with the same dynamic VLAN client interface.  Can anyone confirm?
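An added example, not part of the original post: a small parser for jdhcpd lines in the format quoted above, grouping failed profile additions by dynamic VLAN interface so that refused session IDs can be matched to the subinterface they landed on. Only the first sample line comes from the post; the other sample lines (including the layout of the unrelated line) and all function names are constructed for this example.

```python
import re
from collections import defaultdict

# Field layout taken from the jdhcpd line quoted in the post above.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ [\d:.]+) '
    r'\[(?P<level>\w+)\]\[(?P<ctx>[^\]]+)\]\[(?P<role>\w+)\]\[(?P<family>\w+)\]'
    r'\[(?P<ifl>[^\]]+)\]\[SID=(?P<sid>\d+)\] '
    r'proflib_cb_handler: Profile Addition NACK \(FAILED\) - '
    r'res (?P<res>\d+), Errored daemon "(?P<daemon>[^"]+)", '
    r'msg "(?P<msg>[^"]*)", retry "(?P<retry>\w+)"'
)

# First line is from the post; the other two are constructed for this example.
SAMPLE = """\
Sep 12 12:30:02.128865 [ERROR][default:default][RLY][INET][ge-0/0/4.1073866931][SID=3453717] proflib_cb_handler: Profile Addition NACK (FAILED) - res 7, Errored daemon "cosd", msg "Invalid configuration", retry "FALSE"
Sep 12 12:31:10.000001 [ERROR][default:default][RLY][INET][ge-0/0/4.1073866931][SID=3453720] proflib_cb_handler: Profile Addition NACK (FAILED) - res 7, Errored daemon "cosd", msg "Invalid configuration", retry "FALSE"
Sep 12 12:31:11.000002 [INFO][default:default][RLY][INET][ge-0/0/4.1073866940][SID=3453721] some unrelated message
"""

def profile_nacks(text):
    """Return {interface: [(sid, daemon, msg), ...]} for failed profile adds."""
    failures = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not Profile Addition NACKs are skipped
            failures[m["ifl"]].append((int(m["sid"]), m["daemon"], m["msg"]))
    return dict(failures)

def repeated_failures(text):
    """Interfaces on which more than one distinct session was refused."""
    result = {}
    for ifl, rows in profile_nacks(text).items():
        sids = sorted({sid for sid, _, _ in rows})
        if len(sids) > 1:
            result[ifl] = sids
    return result

if __name__ == "__main__":
    for ifl, rows in profile_nacks(SAMPLE).items():
        for sid, daemon, msg in rows:
            print(f"{ifl} SID={sid} rejected by {daemon}: {msg}")
```
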


Re: Multiple client IPs in dynamic stacked VLANs+RADIUS+DHCPD environment

‎09-18-2013 09:38 AM

It sounds to me like your request is being rejected because the examples in all the Juniper guides use the IP address as the demux source, so when the new request comes in it's not on the same demux interface as it's trying to use a different IP.


The first part of the Day One guide, "The Customer VLAN Model," appears to do what you're looking for (identify subscribers by VLAN instead of IP address), but of course it doesn't use external authentication, so you'd have to hack that in yourself.


You also might try identifying subscribers based on agent-circuit-id:

As long as all the DHCP requests from a "customer" come in with the same agent-circuit-id, the box hopefully would consider them as being on the same demux interface.  I'm not certain about that, so check with your SE or JTAC, but that's my best guess.


Also with IPv6, there is a different demux option; you can use $junos-subscriber-ipv6-multi-address:

Unfortunately this is only supported for DHCPv6 subscriber management.


Hope that helps.  Let us know how it turns out...


Re: Multiple client IPs in dynamic stacked VLANs+RADIUS+DHCPD environment

‎09-18-2013 03:11 PM

The customer VLAN model actually identifies subscribers by stacked VLANs and IP address.  There is a dynamic profile for autoconfiguration of the VLANs and another for IP assignment and shaping/policing.  So, the same interface will actually appear twice per subscriber:


ge-0/0/4.1073911292 0x8100.401 0x8100.1001 default:default
ge-0/0/4.1073911292 nnn.nnn.nnn.nnn Ont:N42-1-1-4-3-OntEth1-1 default:default


ACI-based dynamic VLANs sound promising.  I will look into how to work that into my configuration.


Thank you.