Configuring DHCP Relay Option 82 and LDRA

This topic covers the following information in regard to DHCP Relay Option 82 and LDRA:

  • Overview
  • Configuration process and guidelines
  • Pre-defined Circuit and Remote ID formats
  • Custom Circuit and Remote ID formats
  • Configuration procedures
    • To enable DHCP Option 82/LDRA at the system level
    • To configure Access Identifier Profiles
    • To enable DHCP Option 82/LDRA at the VLAN level

Option 82/LDRA: Overview

The DHCPv4 Layer 2 Relay Agent (Option 82) and the Lightweight DHCPv6 Relay Agent (LDRA) add information identifying the access circuit to DHCP requests that are relayed to a DHCP server, so that the server can tie each request to the physical port it arrived on rather than to anything the client itself asserts. See RFC 3046 (Option 82), RFC 6221 (LDRA), RFC 3315 (DHCPv6 Interface-ID option), and RFC 4649 (DHCPv6 Remote-ID option) for more information.

Note: The E7 OS system implementing LDRA performs a link-layer bridging (i.e., non-routing) function. LDRA resides on the same IPv6 link as the client and a DHCPv6 Relay Agent or server, and is functionally the equivalent of the Layer 2 DHCP Relay Agent for DHCPv4 operation. If configuration requirements are met, both IPv4 and IPv6 are supported for data services simultaneously.

The two sub-options of Option 82 are defined in RFC 3046:

  • Agent Circuit-ID (intended for circuits terminated by the system hosting the Relay agent)
  • Agent Remote-ID (intended to identify the remote host end of a circuit)

The two LDRA options are the DHCPv6 relay agent options defined in RFC 3315 (Interface-ID) and RFC 4649 (Remote-ID):

  • Agent Interface-ID (equivalent to the Option 82 Circuit-ID sub-option in DHCPv4)
  • Agent Remote-ID (equivalent to the Option 82 Remote-ID sub-option in DHCPv4)

    The LDRA sub-options are derived from the DHCP Option 82 Circuit-ID and Remote-ID sub-options using the same format.

Trusted and untrusted interfaces

For the operation of Option 82/LDRA, there is a distinction between “Trusted” and “Untrusted” Ethernet interfaces:

  • Untrusted interfaces are snooped for client DHCP traffic.
  • Trusted interfaces are snooped for DHCP server traffic.

    Note: All E7 GPON ONT Ethernet ports are implicitly Untrusted and the “Trusted” attribute cannot be configured.

DHCP message handling upstream and downstream

When Option 82/LDRA is enabled, upstream (client-to-server) DHCP messages are captured at "Untrusted" interfaces, Relay Agent identification information is inserted, and the messages are sent to the DHCP server. For inserting identifying information, the following options and capabilities are provided by the E7 OS system:

  • Pre-defined Circuit and Remote ID formats (Calix-format, Calix-format-2, or TR-101-format)
  • Custom Circuit and Remote ID formats
  • Up to 20 pairs of Circuit and Remote ID formats may be saved as Access Identifier Profiles
  • Unique Access Identifier Profiles per VLAN for both GPON and Ethernet/xDSL

    Note: For complete details on the Circuit and Remote ID formats that may be used, see Pre-defined Circuit and Remote ID formats and Custom Circuit and Remote ID formats, below.

When Option 82/LDRA is enabled, downstream (server-to-client) DHCP packets are captured and examined on "Trusted" uplink interfaces:

  • If a session match is found for an interface, the Option 82/LDRA information is removed and the packet is delivered to the Ethernet, xDSL, or ONT Ethernet port interface where the lease request originated.
  • If a session match is not found, the DHCP packet will be forwarded unchanged on either the port for which the MAC is learned, or on all "Trusted" interfaces belonging to the VLAN (in case of broadcast DHCP packets).

Packets received on Untrusted interfaces that already carry DHCP Relay Agent information are handled according to the system-level Option 82 policy (see To enable DHCP Option 82/LDRA at the system level, below): they are either dropped or have the existing information overwritten with the identification the system inserts. Either way, the identification the DHCP server receives comes from the access node, not from the client.
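The upstream and downstream handling described above, as an added Python example (not Calix E7 code). It builds minimal DHCPv4 messages, inserts Option 82 with sub-options 1 and 2 on an Untrusted port, applies the drop/overwrite policy to a client that already carries Option 82, and strips the option from the server's reply before delivering it to the originating port. The port names, identifier strings, sample client MAC and transaction ID are constructed; dropping server messages that arrive on an Untrusted port is an assumption about DHCP snooping behaviour that the text does not state.

```python
"""Layer 2 relay-agent handling of DHCPv4 Option 82 (RFC 3046), following the
upstream/downstream rules in the text above.  Added example, not Calix E7 code:
port names, identifier strings, the sample client and the treatment of server
messages arriving on Untrusted ports are constructed or assumed here."""
import struct

OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_PAD, OPT_END = 53, 82, 0, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY, DHCPDISCOVER, DHCPOFFER = 1, 2, 1, 2

def parse_tlv(data, dhcp_options=True):
    """Decode code/length/value triples into [(code, value)]; DHCP options honour PAD and END."""
    out, i = [], 0
    while i < len(data) and not (dhcp_options and data[i] == OPT_END):
        if dhcp_options and data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        out.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return out

def build_tlv(items):
    return b"".join(bytes([c, len(v)]) + v for c, v in items)

def assemble(hdr, opts):
    return hdr + MAGIC_COOKIE + build_tlv(opts) + bytes([OPT_END])

def build_dhcp(op, msg_type, xid, chaddr, extra=()):
    """Minimal DHCP message: 236-byte BOOTP header, magic cookie, options, END."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return assemble(hdr, [(OPT_MSG_TYPE, bytes([msg_type])), *extra])

def split_dhcp(packet):
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    return packet[:236], parse_tlv(packet[240:])

def session_key(hdr):
    return struct.unpack("!I", hdr[4:8])[0], hdr[28:34]     # (xid, chaddr); chaddr is at offset 28

def encode_option82(circuit_id, remote_id):
    """Sub-option 1 (Circuit-ID) followed by sub-option 2 (Remote-ID); no END byte."""
    return build_tlv([(SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)])

def decode_option82(value):
    return dict(parse_tlv(value, dhcp_options=False))

class RelayAgent:
    """One service VLAN; `identifiers` maps each Untrusted subscriber port to the
    (Circuit-ID, Remote-ID) pair its Access Identifier Profile produces."""
    def __init__(self, trusted_ports, identifiers, policy="drop"):
        assert policy in ("drop", "overwrite")           # the system-level Option 82 policy
        self.trusted, self.identifiers, self.policy = set(trusted_ports), identifiers, policy
        self.sessions = {}                                # (xid, chaddr) -> originating port

    def upstream(self, port, packet):
        """Client-to-server message: the packet to forward to the server, or None if dropped."""
        if port in self.trusted:
            return packet                                 # uplink traffic is not identified
        hdr, opts = split_dhcp(packet)
        if hdr[0] != BOOTREQUEST:
            return None                                   # assumption: server replies from a subscriber port are dropped
        if any(code == OPT_RELAY_AGENT for code, _ in opts):
            if self.policy == "drop":
                return None                               # client asserted a circuit identity of its own
            opts = [o for o in opts if o[0] != OPT_RELAY_AGENT]   # "overwrite": discard it, re-tag below
        self.sessions[session_key(hdr)] = port
        opts.append((OPT_RELAY_AGENT, encode_option82(*self.identifiers[port])))  # last option before END
        return assemble(hdr, opts)

    def downstream(self, port, packet):
        """Server-to-client message on a Trusted uplink: (originating port, packet without
        Option 82) for a known session, or (None, packet) meaning bridge it unchanged."""
        if port not in self.trusted:
            return None, None                             # assumption: rogue server on an Untrusted port
        hdr, opts = split_dhcp(packet)
        egress = self.sessions.get(session_key(hdr))
        if egress is None:
            return None, packet
        return egress, assemble(hdr, [o for o in opts if o[0] != OPT_RELAY_AGENT])

# Constructed sample: one GPON ONT Ethernet port (Untrusted) and one uplink (Trusted).
UPLINK, SUB = "eth 1/1/x1", "ont 1/1/1/5 eth1"
IDENTIFIERS = {SUB: (b"E7-1 eth 1/1/1/5/1:100", b"CXNK00123456")}   # calix-format / FSAN serial
CLIENT_MAC, XID = bytes.fromhex("0011223344ff"), 0x3903F326

def demo(policy="drop"):
    """An honest DISCOVER, a spoofed DISCOVER and the server's OFFER, run through the agent."""
    agent = RelayAgent({UPLINK}, IDENTIFIERS, policy)
    out = agent.upstream(SUB, build_dhcp(BOOTREQUEST, DHCPDISCOVER, XID, CLIENT_MAC))
    honest = decode_option82(dict(split_dhcp(out)[1])[OPT_RELAY_AGENT])
    forged = encode_option82(b"E7-1 eth 1/1/1/9/1:100", b"CXNK00999999")    # another subscriber's circuit
    spoof = agent.upstream(SUB, build_dhcp(BOOTREQUEST, DHCPDISCOVER, XID + 1, CLIENT_MAC, [(OPT_RELAY_AGENT, forged)]))
    offer = build_dhcp(BOOTREPLY, DHCPOFFER, XID, CLIENT_MAC, [(OPT_RELAY_AGENT, encode_option82(*IDENTIFIERS[SUB]))])
    egress, delivered = agent.downstream(UPLINK, offer)
    spoof_cid = None if spoof is None else decode_option82(dict(split_dhcp(spoof)[1])[OPT_RELAY_AGENT])[SUBOPT_CIRCUIT_ID]
    return {"circuit_id": honest[SUBOPT_CIRCUIT_ID], "remote_id": honest[SUBOPT_REMOTE_ID],
            "spoof_dropped": spoof is None, "spoof_circuit_id": spoof_cid, "offer_egress": egress,
            "offer_keeps_opt82": any(c == OPT_RELAY_AGENT for c, _ in split_dhcp(delivered)[1])}
```

demo("drop") and demo("overwrite") return the Option 82 values the server would see. Under both policies the forged Circuit-ID never reaches the server, which is the property the feature depends on: the identity is attached by the access node, not by the client, and the OFFER is delivered only to the port that started the transaction.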

DHCP snooping

An important requirement for the operation of Option 82/LDRA is that DHCP Snoop or Proxy be enabled on the service VLAN. Both modes enable DHCP snooping, which tracks all DHCP activity on a VLAN and maintains a table of the DHCPv4 and DHCPv6 leases granted. You can retrieve the table of granted leases via any of the management interfaces; it may be searched or filtered by VLAN ID, IP address, MAC address, and ONT port.

Neighbor Discovery Protocol (NDP) flood control is enabled automatically with LDRA when DHCP Option 82 insertion is enabled. NDP flood control prunes Neighbor Discovery messages so that only IP hosts discover the access router. To provide visibility into NDP flood control processing, the E-Series provides counters (packets forwarded and discarded, per packet type) and access to the cached NDP entries. This information can be accessed via the CLI, EWI, and CMS.

Option 82/LDRA: Configuration process

The following configuration process must be followed for Option 82/LDRA to operate:

  • Enable Option 82/LDRA at the system level
  • Configure the Ethernet uplink interface as trusted
  • If applicable, configure subscriber Ethernet interfaces as untrusted
  • Configure Access Identifier Profiles as required, doing any of the following:
    • Use the two system default profiles as-is
    • Edit one or both of the system default profiles
    • Create and save unique profiles (up to 18, for a total of 20 including the two system default profiles)

      Note: Circuit and Remote ID formats must be selected during the configuration of Access Identifier Profiles. For complete details, see Pre-defined Circuit and Remote ID formats and Custom Circuit and Remote ID formats, below.

  • On the S-VLAN
    • Enable Option 82

      Note: If Option 82 is disabled at the system level, enabling it at the VLAN level will not have any effect. The Option 82 enable/disable control at the VLAN level is only effective if Option 82 is enabled at the system level.

    • Enable DHCP Snoop/Proxy
    • Select Access Identifier Profiles for Ethernet/xDSL and GPON subscribers

      Note: A profile must be selected for both Ethernet/xDSL and GPON subscribers, even if only one type of subscriber is served by the VLAN. In this case, any profile may be used for the subscriber type that is not present, or a "null" profile (with Circuit ID and Remote ID = None) may be created and used for this purpose.

  • Use the following VLAN service model when adding data subscribers:
    • (For Option 82) Any VLAN service model
    • (For LDRA) Only the N:1 VLAN service model

      Note: IPv4 and IPv6 are supported simultaneously on the same VLAN using the N:1 VLAN service model.

Option 82/LDRA: Configuration guidelines

The following rules and guidelines apply to Option 82 and LDRA:

  • DHCP Snoop/Proxy and Option 82/LDRA are not supported on the Management VLAN.
  • Ethernet interfaces used for LAG or ERPS links cannot be set to "Untrusted."
  • Up to 32,000 DHCP leases can be stored in the system database.
  • For all E7 OS systems, the DHCP lease database persists during reboot and reset.
  • For E7 OS systems with line cards (E7-2 and E7-20), the DHCP lease database also persists during card replacements:
    • DHCP leases are stored on the local card and controller card, and the standby controller syncs databases with the active controller.
    • For leases to persist across card replacements, the cards must be of the exact same type. (For example, leases will be lost if going from VDSLr1 to VDSLr2 cards, or from GPON-4 to GPON-8 cards.)

The following rules and guidelines apply to LDRA only:

  • LDRA cannot be enabled independently from Option 82.
  • LDRA is automatically enabled on any VLAN with DHCP Snoop/Proxy enabled.
  • LDRA is supported for data services on VLAN per Service models only.
  • IPv6 residential gateways (RGs) are required for the VLAN per Service data model.
  • Access interfaces support IPv6 transparency only (no LDRA or NDP flood control) for TLAN point-to-point, TLAN multi-point, and VLAN-per-port topologies.
  • E-Series access interfaces support LDRA, but are not expected to be subscriber-facing.
  • Edge interfaces do not support LDRA on received RELAY-FORWARD and RELAY-REPLY messages.
  • Tag actions can be applied to untagged or single-tagged subscriber traffic processed by LDRA, including:
    • GPON ONT / ETHERNET / VDSL subscriber untagged with tag action: Add Tag
    • GPON ONT / ETHERNET / VDSL subscriber single tagged with tag action: Change Tag
    • GPON ONT / ETHERNET / VDSL subscriber single tagged with VLAN membership
    • GPON ONT subscriber untagged with tag action: Add 2 Tags
  • Security features not supported for IPv6 traffic include: MAC FF, IP Source Verification, and static IPv6 host entries.

Option 82/LDRA: Pre-defined Circuit and Remote ID formats

When configuring Access Identifier Profiles, a number of options are available for specifying the format of the Circuit and Remote ID information inserted for Option 82. First of all, you can select the following pre-defined formats for content insertion:

  • Ethernet and xDSL ports:
    • Circuit-ID options:
      • Calix-format: <system-ID> eth <shelf>/<slot>/<port>:<Vlan-Id>[-<Vlan-Id>]
      • TR-101-format: <system-ID> <iftype> <shelf>/<slot>/<tr101port>:<cetag>[-<tag-Id>]
        • The TR-101 iftype should be either “eth” or “atm” (must be all lower case).
        • The TR-101 cetag is one of three formats:
          • :vpi.vci for DSL lines/groups that are trained in ATM mode (tagged or untagged)
          • :ce-vlan-id for tagged subscribers that are either PTM DSL lines/groups or ONT
          • Null (nothing inserted) for untagged subscribers that are either PTM DSL lines/groups or ONT
      • Calix-format-2: <system-ID>:<shelf>/<slot>/<port>

        Note: If the xDSL port is a member of a bonded link group, the port within the xDSL bonded link group with the lowest port value will be selected to fill the <port> field in the Circuit-ID string.

    • Remote-ID options:
      • Subscriber ID of the port on which the DHCP lease request is received. The first 64 characters of the Subscriber ID text field are inserted.
      • none (no content is inserted)
  • GPON ONT Ethernet ports:
    • Circuit ID options:
      • Calix-format: <system-ID> eth <shelf>/<slot>/<port>/<OntID>/<Ontport>:<Vlan-Id>[-<Vlan-Id>]
      • TR-101-format: <system-ID> eth <shelf>/<slot>/<port>/<OntID>/<Ontport>:<cetag>[-<tag-Id>]
      • Calix-format-2: <system-ID>:<shelf>/<slot>/<port>/<OntID>/<Ontport>/
    • Remote-ID options:
      • ONT MAC ID. For DOCSIS provisioning, so that the ONT MAC is presented to the DHCP server to validate that the subscriber CPE is connected to a valid ONT virtual Cable Modem (vCM). See the Calix Open Link Cable vCMTS Command-Line Interface (CLI) Reference Guide and Calix Open Link Cable vCMTS SNMP Management Guide for more information.
      • ONT FSAN serial number, which is the default, specified in the "gpon-system-default" profile.
      • Subscriber ID of the port on which the DHCP lease request is received. For ONT VoIP hosts, the subscriber ID of the ONT is used. In both cases, the first 64 characters of the Subscriber ID text field are inserted.
      • none (no content is inserted)

        Note: The default Calix format will have a defining letter for the port (x,g,v,etc) followed by the port number. The TR101 format will have a defining letter for the port followed by the port number, except for the VDSL ports which will be only the port number (no leading letter 'v').

Option 82/LDRA: Custom Circuit and Remote ID formats

You can also create custom formats for content insertion by selecting the “user” format option and using the tags in the following table. Per custom format created, these tags may be used in any order and combined with text strings/characters up to a maximum of 63 characters (for the entire custom format string).

Tag (Name): Description

  • %systemid (SystemID): String of maximum 20 characters defining the globally unique ID of the system. It is provisioned by the administrator of the platform. The system default is an empty string "".
  • %iftype (IfType): Three characters automatically derived from the interface: atm for ADSL(2+), eth for all others.
  • %rack (Node/Rack): A number defined by the administrator identifying the Node/Rack number of the device. The default value is 1. (Always 1 for Calix systems.)
  • %chassis (Shelf): A number specified by the administrator identifying which shelf this is within a Node/Rack. The default value is 1.
  • %slot (Slot): Slot number where the interface is located. It is derived by the system.
  • %port (Port): Port number of this interface.
  • %ontid (ONT): (GPON only) Number of the ONT. The number is locally defined.
  • %ontport (ONT Port): (GPON only) ONT Ethernet port on which the DHCP packet was received (the <Ontport> field of the pre-defined GPON formats).
  • %cetag (CE tag): The customer-edge tag as used by the TR-101 format, including the leading colon: ":vpi.vci" for ATM-trained DSL lines/groups, ":ce-vlan-id" for tagged PTM DSL or ONT subscribers, and nothing for untagged PTM DSL or ONT subscribers.
  • %vlan (VLAN ID): Valid VLAN number, identifying the VLAN sub-interface on which the DHCP packet was received.
  • %desc (DESC): 31-character, free-format string associated with the interface on which the DHCP packet arrived.
  • %sn (SN): (GPON only) FSAN serial number of the adjacent device.
  • %mac (DMAC): (GPON only) MAC address of the device sending the DHCP request (most often a CPE).
  • %ontslot (ONTSlot): The default value is 1. (Always 1 for Calix systems.)
  • %calixport (Calix-format Port): The port in Calix-defined format. It absorbs the different format per interface type:
    • For GPON, it is equivalent to "%port/%ontid/%ontport".
    • For VDSL and Ethernet, it is equivalent to "%port".
    • For ADSL, it is equivalent to "%port".
  • %tr101port (TR101-format Port): The port in TR-101-defined format. Since TR-101 only defines the format for non-GPON interfaces, for GPON interfaces the TR-101-defined format falls back to the Calix-defined format.
  • %% (%): Inserts a literal '%' character.

For reference, the following custom format strings correspond to the pre-defined formats that are currently available.

Pre-defined format: equivalent tag strings

  • calix-format
    • Ethernet/xDSL: %systemid Eth %chassis/%slot/%port:%vlan
    • GPON: %systemid Eth %chassis/%slot/%port/%ontid/%ontport:%vlan
    • Either (using calixport): %systemid Eth %chassis/%slot/%calixport:%vlan
  • tr101-format
    • Ethernet/xDSL: %systemid %iftype %chassis/%slot/%tr101port%cetag
    • GPON: %systemid %iftype %chassis/%slot/%tr101port%cetag (if used for GPON, falls back to calix-format)
    • Either (using calixport): %systemid %iftype %chassis/%slot/%calixport%cetag
  • calix-format-2
    • Ethernet/xDSL: %systemid:%chassis/%slot/%port
    • GPON: %systemid:%chassis/%slot/%port/%ontid/%ontport
    • Either (using calixport): %systemid:%chassis/%slot/%calixport
  • subscriber-id format: %desc
  • fsan-serial-number format: %sn
  • mac-addr format: %mac
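Expansion of the custom tag strings above, as an added Python example (not Calix E7 code), so that the exact Circuit-ID or Remote-ID a DHCP server will receive can be checked before a profile is deployed and matched in server-side policy. From the page: the tag names, the %% escape, the 63-character limit on the whole format string, the %iftype and %cetag rules, and the GPON fallback of %tr101port. Assumed here: the Interface record and its field names, the per-type port letters x/g/v taken from the note on the pre-defined formats (the letter 'a' for ADSL is a guess), that %port by itself is the bare port number while %calixport and %tr101port carry the letter, and the sample interfaces.

```python
"""Renders the custom Circuit/Remote ID tag strings described above for a given
interface.  Added example, not Calix E7 code.  The Interface record, the port
letters (x/g/v from the page's note, 'a' for ADSL assumed), the reading that
%port is the bare number, and the sample interfaces are assumptions."""
import re
from dataclasses import dataclass

MAX_FORMAT_LEN = 63                          # limit on the entire custom format string
PORT_LETTER = {"ethernet": "x", "gpon": "g", "vdsl": "v", "adsl": "a"}   # 'a' is assumed

@dataclass
class Interface:
    system_id: str
    kind: str                 # "ethernet", "vdsl", "adsl" or "gpon"
    slot: int
    port: int
    vlan: int
    tagged: bool = False      # subscriber frames carry a customer VLAN tag
    desc: str = ""            # free-format string associated with the interface
    ont_id: int = 0           # GPON only
    ont_port: int = 0         # GPON only: ONT Ethernet port
    serial: str = ""          # GPON only: ONT FSAN serial number
    mac: str = ""             # MAC address of the requesting device
    vpi: int = 0              # ADSL (ATM-trained) only
    vci: int = 0
    rack: int = 1
    chassis: int = 1
    ont_slot: int = 1

def iftype(itf):
    return "atm" if itf.kind == "adsl" else "eth"

def cetag(itf):
    """':vpi.vci' when ATM-trained, ':ce-vlan-id' when tagged, nothing when untagged."""
    if itf.kind == "adsl":
        return f":{itf.vpi}.{itf.vci}"
    return f":{itf.vlan}" if itf.tagged else ""

def calixport(itf):
    """Type-specific port: letter + number, with /ontid/ontport appended for GPON."""
    p = PORT_LETTER[itf.kind] + str(itf.port)
    return f"{p}/{itf.ont_id}/{itf.ont_port}" if itf.kind == "gpon" else p

def tr101port(itf):
    """As calixport, except VDSL ports carry no leading letter; GPON falls back to calixport."""
    return str(itf.port) if itf.kind == "vdsl" else calixport(itf)

TAGS = {
    "%systemid": lambda i: i.system_id, "%iftype": iftype,
    "%rack": lambda i: str(i.rack), "%chassis": lambda i: str(i.chassis),
    "%slot": lambda i: str(i.slot), "%port": lambda i: str(i.port),
    "%ontid": lambda i: str(i.ont_id), "%ontport": lambda i: str(i.ont_port),
    "%ontslot": lambda i: str(i.ont_slot), "%cetag": cetag,
    "%vlan": lambda i: str(i.vlan), "%desc": lambda i: i.desc[:31],
    "%sn": lambda i: i.serial, "%mac": lambda i: i.mac,
    "%calixport": calixport, "%tr101port": tr101port,
}
# Longest tag first so a tag that is a prefix of another can never shadow it; %% escapes '%'.
TAG_RE = re.compile("|".join(map(re.escape, sorted(TAGS, key=len, reverse=True))) + "|%%")

def expand(fmt, itf):
    """Render a custom format string for one interface; unknown %words are left literal."""
    if len(fmt) > MAX_FORMAT_LEN:
        raise ValueError(f"format string is {len(fmt)} characters, maximum is {MAX_FORMAT_LEN}")
    return TAG_RE.sub(lambda m: "%" if m.group() == "%%" else TAGS[m.group()](itf), fmt)

# Tag-string equivalents of the pre-defined formats, as listed above.
PREDEFINED = {
    "calix-format": "%systemid Eth %chassis/%slot/%calixport:%vlan",
    "tr101-format": "%systemid %iftype %chassis/%slot/%tr101port%cetag",
    "calix-format-2": "%systemid:%chassis/%slot/%calixport",
    "subscriber-id": "%desc", "fsan-serial-number": "%sn", "mac-addr": "%mac",
}

# Constructed sample interfaces: a tagged GE subscriber, an untagged VDSL line and a GPON ONT port.
ETH = Interface("E7-LAB", "ethernet", slot=1, port=3, vlan=100, tagged=True, desc="sub-0001")
VDSL = Interface("E7-LAB", "vdsl", slot=3, port=7, vlan=100)
GPON = Interface("E7-LAB", "gpon", slot=2, port=1, vlan=100, ont_id=5, ont_port=1,
                 serial="CXNK00123456", mac="00:11:22:33:44:ff")
```

expand(PREDEFINED["tr101-format"], VDSL) yields "E7-LAB eth 1/3/7": no port letter and no cetag for an untagged PTM line, whereas the same format on the tagged GE port yields "E7-LAB eth 1/1/x3:100". A format longer than 63 characters is rejected before any expansion, matching the configuration limit, and an unrecognised %word is passed through unchanged so a typo in a profile shows up verbatim in the server's log rather than silently disappearing.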

Option 82/LDRA: Configuration procedures

The following steps of the configuration process are described in detail below:

  • To enable DHCP Option 82/LDRA at the system level
  • To configure Access Identifier Profiles
    • Configure system default profiles
    • Create custom profiles
  • To enable DHCP Option 82/LDRA at the VLAN level

To enable DHCP Option 82/LDRA at the system level

  1. On the Navigation Tree, select the node.
  2. In the work area, click DHCP > Provisioning to open the DHCP Configuration form.
  3. Select the Option 82/LDRA Enabled checkbox to enable this feature.
  4. In the Option 82 Policy list, select whether ingress packets that already carry Option 82 are dropped or have their Option 82 information overwritten.
  5. In the toolbar, click Apply.
  6. To specify the Remote-ID or Circuit-ID attributes on the global option 82 profile for E-Series networks, use the procedure shown below.

Related CLI commands:

set dhcp-cfg option-82 [enabled|disabled]

set dhcp-cfg option-82-policy [drop|overwrite]

To configure system default Access Identifier Profiles

  1. On the Navigation Tree, select the node.
  2. In the work area, click Profiles > Access Identifier to view the table of Access Identifier Profiles.
  3. Double-click the name of the profile that you want to configure:
    • eth-system-default is used for xDSL and GE ports.
    • gpon-system-default is used for GPON ONT ports.
  4. Select the desired Circuit ID format. Recommended selections are:
    • calix-format
    • tr101-format
    • calix-format-2
    • user, and enter a custom tag string

      Note: For complete details, see Custom Circuit and Remote ID formats, above.

    • none
  5. Select the desired Remote ID format. Recommended selections are:
    • subscriber-id
    • fsan-serial-number (GPON only)
    • mac-addr (GPON only)
    • user, and enter a custom tag string

      Note: For complete details, see Custom Circuit and Remote ID formats, above.

    • none
  6. In the toolbar, click Apply.

For CLI:

set access-identifier-profile <eth-system-default|gpon-system-default> circuit-id [<user defined format string>|calix-format|calix-format-2|fsan-serial-number|mac-addr|subscriber-id|tr101-format|none]

set access-identifier-profile <eth-system-default|gpon-system-default> remote-id [<user defined format string>|calix-format|calix-format-2|fsan-serial-number|mac-addr|subscriber-id|tr101-format|none]

To create custom Access Identifier Profiles

  1. On the Navigation Tree, select the node.
  2. In the work area, click Profiles > Access Identifier to view the table of Access Identifier Profiles.
  3. Click Create to open the Create Access Identifier Profile dialog box.
  4. Enter a profile name.
  5. Select the desired Circuit ID format. Recommended selections are:
    • calix-format
    • tr101-format
    • calix-format-2
    • user, and enter a custom tag string

      Note: For complete details, see Custom Circuit and Remote ID formats, above.

    • none
  6. Select the desired Remote ID format. Recommended selections are:
    • subscriber-id
    • fsan-serial-number (GPON only)
    • mac-addr (GPON only)
    • user, and enter a custom tag string

      Note: For complete details, see Custom Circuit and Remote ID formats, above.

    • none
  7. Click Create.

For CLI:

set access-identifier-profile <name> circuit-id [<user defined format string>|calix-format|calix-format-2|fsan-serial-number|mac-addr|subscriber-id|tr101-format|none]

set access-identifier-profile <name> remote-id [<user defined format string>|calix-format|calix-format-2|fsan-serial-number|mac-addr|subscriber-id|tr101-format|none]

To enable DHCP Option 82/LDRA at the VLAN level

  1. On the Navigation Tree, select the VLAN level.
  2. Click on the desired VLAN to view/edit its parameters.
  3. Ensure that the following parameter values are selected:
    • DHCP Mode = Snoop/Proxy
    • Option 82 = selected (checked)

      Note: If Option 82 is disabled at the system level, enabling it at the VLAN level will not have any effect. The Option 82 enable/disable control at the VLAN level is only effective if Option 82 is enabled at the system level.

    • Access Identifier Profile for Ethernet = <correct profile name for Ethernet/xDSL subscribers>
    • Access Identifier Profile for GPON = <correct profile name for GPON subscribers>

      Note: A profile must be selected for both Ethernet/xDSL and GPON subscribers, even if only one type of subscriber is served by the VLAN. In this case, any profile may be used for the subscriber type that is not present, or a "null" profile (with Circuit ID and Remote ID = None) may be created and used for this purpose.

  4. If any changes were made, click Apply.