DHCP server [my NoDeny Wiki]

Ця сторінка доступна тільки для перегляду. Ви можете продивитися вихідний текст, але не можете змінювати його. Якщо ви вважаєте, що це не вірно, зверніться до адміністратора.
{{tag>Juniper }}


===== DHCP server =====

Глобальні налаштування DHCP сервера
<code>
set system services dhcp-local-server pool-match-order external-authority
set system services dhcp-local-server pool-match-order ip-address-first
set system services dhcp-local-server no-stale-timer-refresh
set system services dhcp-local-server stale-timer 30
</code>

====  QinQ DHCP server ====
Наступний блок це власне налаштування DHCP сервера. Рекомендую зразу записувати різні кейси в окремі групи - так легше розуміти
<code>
set system services dhcp-local-server group IPOE_QINQ authentication password PROVIDER
set system services dhcp-local-server group IPOE_QINQ authentication username-include delimiter "|"
set system services dhcp-local-server group IPOE_QINQ authentication username-include user-prefix IPOE_QINQ
set system services dhcp-local-server group IPOE_QINQ authentication username-include mac-address
set system services dhcp-local-server group IPOE_QINQ authentication username-include vlan-tags
set system services dhcp-local-server group IPOE_QINQ reconfigure clear-on-abort
set system services dhcp-local-server group IPOE_QINQ reconfigure attempts 5
set system services dhcp-local-server group IPOE_QINQ reconfigure timeout 5
set system services dhcp-local-server group IPOE_QINQ reconfigure token mx960_0
set system services dhcp-local-server group IPOE_QINQ overrides client-discover-match incoming-interface
set system services dhcp-local-server group IPOE_QINQ dynamic-profile dhcp-profile
set system services dhcp-local-server group IPOE_QINQ access-profile IPOE_QINQ
set system services dhcp-local-server group IPOE_QINQ interface ae1.0
</code>
в даному блоці є 3 змінні без яких нічого не запрацює:
  * dynamic-profile dhcp-profile
  * access-profile IPOE_QINQ
  * interface ae1.0
їх треба описати

==== dynamic-profile dhcp-profile ====
<code>
set dynamic-profiles dhcp-profile routing-instances "$junos-routing-instance" interface "$junos-interface-name"
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" actual-transit-statistics
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" no-traps
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" proxy-arp
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" targeted-distribution
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" family inet demux-source $junos-subscriber-ip-address
set dynamic-profiles dhcp-profile interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"
</code>

==== access-profile IPOE_QINQ ====
<code>
set access profile IPOE_QINQ accounting-order radius
set access profile IPOE_QINQ authentication-order radius
set access profile IPOE_QINQ domain-name-server 10.10.10.5
set access profile IPOE_QINQ domain-name-server 10.10.10.6
set access profile IPOE_QINQ radius authentication-server 10.10.10.7
set access profile IPOE_QINQ radius accounting-server 10.10.10.7
set access profile IPOE_QINQ radius options calling-station-id-delimiter *
set access profile IPOE_QINQ radius options calling-station-id-format mac-address
set access profile IPOE_QINQ radius options calling-station-id-format stacked-vlan
set access profile IPOE_QINQ radius options calling-station-id-format vlan
set access profile IPOE_QINQ radius options accounting-session-id-format decimal
set access profile IPOE_QINQ radius options client-authentication-algorithm round-robin
set access profile IPOE_QINQ radius options client-accounting-algorithm round-robin
set access profile IPOE_QINQ accounting order radius
set access profile IPOE_QINQ accounting immediate-update
set access profile IPOE_QINQ accounting coa-immediate-update
set access profile IPOE_QINQ accounting address-change-immediate-update
set access profile IPOE_QINQ accounting update-interval 10
set access profile IPOE_QINQ accounting statistics volume-time
set access profile IPOE_QINQ accounting wait-for-acct-on-ack
set access profile IPOE_QINQ accounting send-acct-status-on-config-change
</code>

<code>
set access radius-server 10.10.10.7 port 1812
set access radius-server 10.10.10.7 accounting-port 1813
set access radius-server 10.10.10.7 dynamic-request-port 3799
set access radius-server 10.10.10.7 secret "superhardpass:)"
set access radius-server 10.10.10.7 retry 3
set access radius-server 10.10.10.7 accounting-retry 3
set access radius-server 10.10.10.7 max-outstanding-requests 2000
set access radius-server 10.10.10.7 source-address **.**.***.2
</code>

Всі пули іп адрес, які можуть бути видані абоненту потрібно описати наступним чином
<code>
set access address-assignment pool cvlan10_128-17 family inet network 10.10.128.0/17
set access address-assignment pool cvlan10_128-17 family inet range ip low 10.10.128.11
set access address-assignment pool cvlan10_128-17 family inet range ip high 10.10.255.254
set access address-assignment pool cvlan10_128-17 family inet dhcp-attributes maximum-lease-time 10000
set access address-assignment pool cvlan10_128-17 family inet dhcp-attributes grace-period 100
set access address-assignment pool cvlan10_128-17 family inet dhcp-attributes router 10.10.128.2
### access address-assignment pool cvlan10_128-17 family inet dhcp-attributes option 43 hex-string 010400000002

set interfaces lo0 unit 0 family inet address 10.10.128.2/32
</code>
перші 10 іп з кожного пулу я резервую для майбутніх БРАСів. В мене використовується QinQ технологія, тому немає сенсу робити пули меншими - описую весь пул за раз.

<code>
set interfaces ae1 description ae1
set interfaces ae1 flexible-vlan-tagging
set interfaces ae1 auto-configure stacked-vlan-ranges dynamic-profile Auto-VLAN-Stacked-Demux accept dhcp-v4
### interfaces ae1 auto-configure stacked-vlan-ranges dynamic-profile Auto-VLAN-Stacked-Demux accept pppoe
set interfaces ae1 auto-configure stacked-vlan-ranges dynamic-profile Auto-VLAN-Stacked-Demux ranges 501-515,any
set interfaces ae1 auto-configure remove-when-no-subscribers
set interfaces ae1 mtu 9216
set interfaces ae1 encapsulation flexible-ethernet-services
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
</code>

<code>
set dynamic-profiles Auto-VLAN-Stacked-Demux routing-instances "$junos-routing-instance" interface "$junos-interface-name"
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" no-traps
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" proxy-arp
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" vlan-tags outer "$junos-stacked-vlan-id"
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" vlan-tags inner "$junos-vlan-id"
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-interface-ifd-name"
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family inet mac-validate strict
set dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"
### dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family pppoe access-concentrator PPPoE-Server
### dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family pppoe duplicate-protection
### dynamic-profiles Auto-VLAN-Stacked-Demux interfaces demux0 unit "$junos-interface-unit" family pppoe dynamic-profile PP0
</code>
### - не хороша ідея на одному влані тримати і pppoe і dhcp абонів - dual-access на роутерах вам почнуть снитись в страшних снах



===== DHCP_SVLAN =====

<code>
set access profile RADIUS_SVLAN accounting-order radius
set access profile RADIUS_SVLAN authentication-order radius
set access profile RADIUS_SVLAN radius authentication-server 172.20.20.1
set access profile RADIUS_SVLAN radius accounting-server 172.20.20.1
set access profile RADIUS_SVLAN radius options calling-station-id-delimiter *
set access profile RADIUS_SVLAN radius options calling-station-id-format mac-address
set access profile RADIUS_SVLAN radius options calling-station-id-format stacked-vlan
set access profile RADIUS_SVLAN radius options calling-station-id-format vlan
set access profile RADIUS_SVLAN radius options accounting-session-id-format decimal
set access profile RADIUS_SVLAN radius options client-authentication-algorithm round-robin
set access profile RADIUS_SVLAN radius options client-accounting-algorithm round-robin
set access profile RADIUS_SVLAN accounting order radius
set access profile RADIUS_SVLAN accounting immediate-update
set access profile RADIUS_SVLAN accounting coa-immediate-update
set access profile RADIUS_SVLAN accounting address-change-immediate-update
set access profile RADIUS_SVLAN accounting update-interval 10
set access profile RADIUS_SVLAN accounting statistics volume-time
set access profile RADIUS_SVLAN accounting wait-for-acct-on-ack
set access profile RADIUS_SVLAN accounting send-acct-status-on-config-change
</code>

<code>
set dynamic-profiles CLIENTS_SVLAN routing-instances "$junos-routing-instance" interface "$junos-interface-name"
set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" actual-transit-statistics
set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" no-traps
set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" proxy-arp
set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" demux-options underlying-interface "$junos-underlying-interface"
### dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" targeted-distribution
set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" family inet demux-source $junos-subscriber-ip-address
set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address "$junos-loopback-interface"
set dynamic-profiles CLIENTS_SVLAN interfaces demux0 unit "$junos-interface-unit" family inet unnumbered-address preferred-source-address $junos-preferred-source-address
</code>
<code>
set system services dhcp-local-server pool-match-order external-authority
set system services dhcp-local-server pool-match-order ip-address-first
set system services dhcp-local-server group DHCP_SVLAN authentication password IPoE-Pool
set system services dhcp-local-server group DHCP_SVLAN authentication username-include delimiter "|"
set system services dhcp-local-server group DHCP_SVLAN authentication username-include user-prefix IPOE_SVLAN
set system services dhcp-local-server group DHCP_SVLAN authentication username-include mac-address
set system services dhcp-local-server group DHCP_SVLAN authentication username-include vlan-tags
set system services dhcp-local-server group DHCP_SVLAN reconfigure clear-on-abort
set system services dhcp-local-server group DHCP_SVLAN reconfigure attempts 5
set system services dhcp-local-server group DHCP_SVLAN reconfigure timeout 5
set system services dhcp-local-server group DHCP_SVLAN reconfigure token mx104_0
### system services dhcp-local-server group DHCP_SVLAN overrides client-discover-match incoming-interface
set system services dhcp-local-server group DHCP_SVLAN dynamic-profile CLIENTS_SVLAN
set system services dhcp-local-server group DHCP_SVLAN access-profile RADIUS_SVLAN
set system services dhcp-local-server group DHCP_SVLAN interface demux0.802
set system services dhcp-local-server no-stale-timer-refresh
set system services dhcp-local-server stale-timer 30
</code>