Local user database
A local user database (LUDB) is a data source that is used to look up subscriber management and DHCP client data for a specific device or a set of devices.
A LUDB can be accessed for the following applications (see LUDB subscriber management applications, LUDB DHCP server application, and LUDB DHCPv6 relay application):
- (1) subscriber session authentication – to provide full or partial Enhanced Subscriber Management (ESM) data needed to instantiate the subscriber session
- (2) fallback for an unavailable RADIUS authentication or Diameter Gx server – provided during subscriber session authentication
- (3) DHCP server – for example, to assign a fixed IPv4 address to an end-user device, or to insert client-specific DHCP options
- (4) DHCPv6 relay on IES or VPRN interfaces – insert DHCP options upstream to the DHCPv6 server or downstream to the DHCPv6 client
LUDB configuration and operation
A LUDB lookup function matches input parameters provided by the application to host identification fields of LUDB entries, and returns a set of configured output parameters. This process is common to all LUDB applications.
LUDB entries are called “hosts” and are organized in two sections:
- IPOE – contains the host entries for IPoE subscriber sessions and DHCP clients
- PPP – contains the host entries for PPPoE subscriber sessions
Per section, match criteria and masks determine which input parameters provided by the application are used for the lookup.
A LUDB host entry contains the host identification fields that match the entry and output parameters that are returned to the application upon a match. One LUDB host entry can map to one or multiple devices, for example, all devices connected to a specific VLAN or interface.
Supported match criteria and output parameters are a function of the LUDB application and are described in Subscriber session authentication in LUDB and LUDB lookup for DHCP server leases.
The following figure shows the LUDB lookup function with a simplified example for a subscriber session authentication.
Where:
- (1) A LUDB lookup is requested for an IPoE subscriber session authentication with MAC address and SAP as input parameters.
- (2) SAP is the only match criterion configured. The MAC address is ignored for the LUDB lookup.
- (3) A mask is configured for the SAP match criterion that strips the VLAN-tag from the SAP.
- (4) The LUDB lookup uses the masked SAP value as input and matches the corresponding identification field of entry 1. The LUDB returns an SLA-profile string, a SUB-profile string, and a Gi address as output parameters to the application.
The following figure shows the configuration structure of a LUDB.
MD-CLI
```
[ex:/configure subscriber-mgmt]
A:admin@node-2# info
    local-user-db "ludb-1" {
        admin-state enable
        ipoe {
            match-list [circuit-id]
            mask type circuit-id {
                suffix {
                    string "|*"
                }
            }
            host "olt-1" {
                admin-state enable
                host-identification {
                    circuit-id {
                        ascii-string "pe1|1000|group-int-1-1"
                    }
                }
                authentication {
                    radius-auth-policy "radius-auth-1"
                }
                identification {
                    sla-profile-string "sla-profile-1"
                    sub-profile-string "sub-profile-1"
                }
                ipv4 {
                    address {
                        pool {
                            primary "pool-pe1-ipv4-1"
                        }
                    }
                }
                ipv6 {
                    address-pool "pool-pe1-ipv6_ia_na-1"
                    delegated-prefix-pool "pool-pe1-ipv6_ia_pd-1"
                }
            }
            host "default" {
                admin-state enable
                authentication {
                    radius-auth-policy "radius-auth-1"
                }
            }
        }
        ppp {
            match-list [user-name]
            host "csp.com" {
                admin-state enable
                host-identification {
                    user-name {
                        name "csp.com"
                        format domain-only
                    }
                }
                authentication {
                    radius-auth-policy "radius-auth-1"
                }
                ppp-policy-parameters {
                    keepalive {
                        hold-up-multiplier 2
                        interval 15
                    }
                }
            }
            host "default" {
                admin-state enable
                authentication {
                    radius-auth-policy "radius-auth-1"
                }
            }
        }
    }
```
classic CLI
```
A:node-2>config>subscr-mgmt# info
----------------------------------------------
    local-user-db "ludb-1" create
        ipoe
            match-list circuit-id
            mask type circuit-id suffix-string "|*"
            host "olt-1" create
                host-identification
                    circuit-id string "pe1|1000|group-int-1-1"
                exit
                address pool "pool-pe1-ipv4-1"
                auth-policy "radius-auth-1"
                identification-strings 254 create
                    sla-profile-string "sla-profile-1"
                    sub-profile-string "sub-profile-1"
                exit
                ipv6-wan-address-pool "pool-pe1-ipv6_ia_na-1"
                ipv6-delegated-prefix-pool "pool-pe1-ipv6_ia_pd-1"
                no shutdown
            exit
            host "default" create
                auth-policy "radius-auth-1"
                no shutdown
            exit
        exit
        ppp
            match-list username
            host "csp.com" create
                host-identification
                    username "csp.com" domain-only
                exit
                auth-policy "radius-auth-1"
                ppp-policy-parameters
                    keepalive 15 hold-up-multiplier 2
                exit
                no shutdown
            exit
            host "default" create
                auth-policy "radius-auth-1"
                no shutdown
            exit
        exit
        no shutdown
    exit
----------------------------------------------
```
For detailed LUDB configuration steps, see DHCPv6 server leases.
Creating LUDBs
A LUDB is identified by a unique name, up to 32 characters. Multiple LUDBs can be created for different applications. The LUDB must be administratively enabled to be operational.
Configuring match criteria: match list and masks
The match criteria configured in a user-ordered match-list determine which of the input parameters provided by the application are considered for matching in the host identification fields of a LUDB host entry. Input parameters provided by the application that are not on the match list are ignored.
For some match criteria, an optional mask can be applied to the input parameter before searching for a matching LUDB host entry. Masking is prefix- or suffix-based, or a combination of both. A prefix or suffix string, or a prefix or suffix length, can be specified. The following table summarizes masking examples. In the third example, a combination of both prefix and suffix string masks is used.
Match criterion | Input parameter | Masks | Input parameter after masking |
---|---|---|---|
remote-id | 87654321-BSAN-1 | prefix length 9 | BSAN-1 |
circuit-id | BSAN-2\|1\|100\|1/2/1 | suffix length 12 | BSAN-2 |
user-name | all@domain-1.com | prefix string “*@” suffix string “.com” | domain-1 |
Different match criteria and masks for IPoE and PPP subscriber sessions can be configured simultaneously in a LUDB. At minimum, one criterion must be configured in the match list when LUDB host entries are created. The configuration of masks is optional.
For IPoE, from the available match criteria, up to four can be defined in the match-list: circuit-id, derived-id, dual-stack-remote-id, duid-en, duid-ll-llt, encap-tag-range, encap-tag-separate-range, ip, mac, option60, remote-id, sap-id, service-id, string, and system-id.
For PPP, from the available match criteria, up to three can be defined in the match-list: circuit-id, derived-id, encap-tag-range, encap-tag-separate-range, mac, remote-id, sap-id, service-name, and user-name.
The match criteria and masks that apply for a specific LUDB application are described in Subscriber session authentication in LUDB and LUDB lookup for DHCP server leases.
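The masking rules in this section, as an added Python example that is not part of the original page and is not Nokia code. The `Mask` class and the `apply_mask` and `lookup_key` functions are hypothetical names, and the wildcard handling (the `*` removes the shortest possible run of characters) is an assumption chosen to agree with the table and with the `"|*"` suffix mask in the configuration above.

```python
# Added illustration: a model of LUDB input-parameter masking (not SR OS code).
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Mask:
    """Mask for one match criterion: per side, either a length or a string."""
    prefix_length: int = 0
    suffix_length: int = 0
    prefix_string: Optional[str] = None   # for example "*@"
    suffix_string: Optional[str] = None   # for example ".com" or "|*"


def _strip_prefix(value: str, pattern: str) -> str:
    if pattern.startswith("*"):
        # ASSUMPTION: "*" consumes the shortest run of leading characters, so
        # everything up to and including the first literal is removed.
        literal = pattern[1:]
        idx = value.find(literal) if literal else -1
        return value[idx + len(literal):] if idx >= 0 else value
    return value[len(pattern):] if value.startswith(pattern) else value


def _strip_suffix(value: str, pattern: str) -> str:
    if pattern.endswith("*"):
        # ASSUMPTION: shortest trailing run, that is, cut at the last literal.
        literal = pattern[:-1]
        idx = value.rfind(literal) if literal else -1
        return value[:idx] if idx >= 0 else value
    if pattern and value.endswith(pattern):
        return value[:-len(pattern)]
    return value


def apply_mask(value: str, mask: Mask) -> str:
    """Return the input parameter as it is used for the lookup."""
    if mask.prefix_string is not None:
        value = _strip_prefix(value, mask.prefix_string)
    elif mask.prefix_length:
        value = value[mask.prefix_length:]
    if mask.suffix_string is not None:
        value = _strip_suffix(value, mask.suffix_string)
    elif mask.suffix_length:
        value = value[:max(len(value) - mask.suffix_length, 0)]
    return value


def lookup_key(match_list: List[str], masks: Dict[str, Mask],
               params: Dict[str, str]) -> Dict[str, str]:
    """Keep only parameters on the match-list, masked, in match-list order."""
    key = {}
    for criterion in match_list:
        if criterion in params:
            key[criterion] = apply_mask(params[criterion],
                                        masks.get(criterion, Mask()))
    return key


if __name__ == "__main__":
    # The three rows of the masking table.
    print(apply_mask("87654321-BSAN-1", Mask(prefix_length=9)))
    print(apply_mask("BSAN-2|1|100|1/2/1", Mask(suffix_length=12)))
    print(apply_mask("all@domain-1.com",
                     Mask(prefix_string="*@", suffix_string=".com")))
    # Constructed input: a circuit-id with an extra "|100" field, looked up
    # with match-list [circuit-id] and suffix mask "|*"; the MAC is ignored.
    print(lookup_key(["circuit-id"],
                     {"circuit-id": Mask(suffix_string="|*")},
                     {"mac": "00:00:5e:00:53:01",
                      "circuit-id": "pe1|1000|group-int-1-1|100"}))
```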
LUDB host entries
A host entry belongs to either the IPoE or the PPP section of a LUDB and is identified by a name of up to 32 characters that must be unique within the section.
A host entry contains two sets of parameters:
- host-identification fields used for matching input parameters during a LUDB lookup
  For IPoE, the host-identification fields are: circuit-id, derived-id, duid-en, duid-ll-llt, encap-tag-range, encap-tag-separate-range, ip-prefix, mac, option60, remote-id, sap-id, service-id, string, and system-id.
  For PPP, the host-identification fields are: circuit-id, derived-id, encap-tag-range, encap-tag-separate-range, mac, remote-id, sap-id, service-name, and user-name.
- output parameters returned to the application upon a successful lookup
  The output parameters of the lookup process include identification strings for subscriber session instantiation, DHCP options, IP address information, MSAP parameters, and so on.
Optionally, a default host with the name default can be configured as a wildcard in case the lookup fails to find a matching entry. Host identification fields should not be configured for the default host, as it is a match-all entry. If host identification fields are configured, the default host entry becomes a regular non-default host entry.
Host identification fields and output parameters that apply for a specific LUDB application are described in Subscriber session authentication in LUDB and LUDB lookup for DHCP server leases.
LUDB host entry validation
When a LUDB host entry is administratively enabled, the system uses the following validation criteria, before adding the entry to the lookup database:
- A non-default host entry must have at least one host-identification field defined.
- A non-default host entry with none of its host identification fields in common with the match-list is added to the list of unmatched hosts with “no match” as the reason.
- A non-default host entry is added to the lookup database when at least one of the defined host identification fields is in common with the match-list, even when some of the host identification fields are not on the match-list.
- Two or more non-default host entries with the same host identification definitions are duplicates. Only one host entry is added to the lookup database. Duplicates are added to the list of unmatched hosts with “duplicate” as the reason.
Use the following commands to display the list of unmatched hosts.
show subscriber-mgmt local-user-db ppp-unmatched-hosts
show subscriber-mgmt local-user-db ipoe-unmatched-hosts
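The validation rules above can be applied offline to a planned configuration to see which entries would land on the unmatched list, and would therefore leave their clients to the default host. This is an added Python example, not part of the original page and not Nokia code; `validate_hosts` and its result fields are hypothetical names, the host data is constructed, and it assumes the first of several duplicates is the one kept and that an entry without identification fields is rejected.

```python
# Added illustration: offline model of LUDB host entry validation (not SR OS code).
from typing import Dict, List, NamedTuple, Tuple

HostId = Dict[str, str]          # host-identification field -> configured value


class ValidationResult(NamedTuple):
    lookup_db: List[str]               # entries usable for lookups
    unmatched: List[Tuple[str, str]]   # (host name, reason)
    rejected: List[str]                # non-default entries with no identification
    has_default: bool                  # a match-all "default" host exists


def validate_hosts(match_list: List[str],
                   hosts: List[Tuple[str, HostId]]) -> ValidationResult:
    on_list = set(match_list)
    lookup_db: List[str] = []
    unmatched: List[Tuple[str, str]] = []
    rejected: List[str] = []
    seen = set()
    has_default = False

    for name, ident in hosts:
        if not ident:
            # Only the host named "default" may omit identification fields.
            if name == "default":
                has_default = True
            else:
                rejected.append(name)
            continue
        # A host named "default" that has identification fields falls through
        # here and is handled as a regular, non-default entry.
        if not on_list.intersection(ident):
            unmatched.append((name, "no match"))
            continue
        fingerprint = frozenset(ident.items())
        if fingerprint in seen:
            # ASSUMPTION: the first entry with this definition is the one kept.
            unmatched.append((name, "duplicate"))
            continue
        seen.add(fingerprint)
        lookup_db.append(name)

    return ValidationResult(lookup_db, unmatched, rejected, has_default)


# Constructed sample: IPoE section with match-list [mac].
SAMPLE_MATCH_LIST = ["mac"]
SAMPLE_HOSTS = [
    ("ipoe-x", {"mac": "00:00:5e:00:53:01"}),
    ("ipoe-y", {"circuit-id": "cid-1"}),                      # not on match-list
    ("ipoe-z", {"mac": "00:00:5e:00:53:02", "circuit-id": "cid-1"}),
    ("ipoe-x-copy", {"mac": "00:00:5e:00:53:01"}),            # same as ipoe-x
    ("empty", {}),
    ("default", {}),
]

if __name__ == "__main__":
    result = validate_hosts(SAMPLE_MATCH_LIST, SAMPLE_HOSTS)
    print("lookup database:", result.lookup_db)
    for host, reason in result.unmatched:
        print(f"unmatched: {host} ({reason})")
    print("rejected:", result.rejected)
    print("default host present:", result.has_default)
```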
LUDB lookups
The following rules apply while scanning through a LUDB in search of a single matching entry:
- Only criteria on the match-list are considered.
  For example, assume a client for which a MAC address, a circuit-id, and a remote-id are provided as input parameters. If the match-list only contains the MAC address as criterion, the circuit-id and the remote-id input parameters are ignored. Only the MAC address is used to find a matching host entry.
- The order of criteria on the match-list is important.
  The match-list is a user-ordered list, and the criteria are processed left to right.
- As many of the host-identification fields as possible must be matched, while still obeying the first item in this list.
  Only the optionally masked parameters from the match list are verified.
- The default host is excluded from the scan. It is used as a fallback when scanning through a LUDB yields no result.
The rules, as shown in the preceding figure, are described as follows:
- (A) Matching is based on the MAC-address only – When client-a with mac-1 connects, host entry ipoe-x is matched.
- (B) Matching is based on the MAC-address, circuit-id, and remote-id, in this sequence – As client-b enters with mac-1, cid-1, and rid-1, the match-list is scanned and matched left to right, so host ipoe-z is matched.
- (C) Matching is based on the MAC-address only – Even though client-c connects with mac-1, cid-1, and rid-1, the system ignores the circuit-id and the remote-id, so the matching host is ipoe-x. Host ipoe-y is never matched using the defined match-list because it is on the unmatched host list.
- (D) Matching is based on the MAC-address and the circuit-id, in this sequence – Client-d connects with mac-1 and cid-2, but because the system scans the match-list left to right, the MAC address takes priority over the circuit-id. The matching host is ipoe-x.
The host-matching rules, as shown in the preceding figure, are described as follows:
- (E) For the top part, matching is based on MAC address and the circuit-id, in this sequence – When client-e connects (mac-1, cid-1, and rid-1), the system scans ludb-5-1 and matches host ipoe-x.
- (E) For the bottom part, matching is based on the circuit-id first, then the MAC address – When client-e connects (mac-1, cid-1, and rid-1), the system scans ludb-5-2 and matches host ipoe-y.
- (F) Matching is based on MAC address and the circuit-id, in this sequence – When client-f-1 (mac-1) connects, the matching host is ipoe-x because only the MAC address is provided and checked. When client-f-2 (cid-1) connects, the matching host is ipoe-y because only the circuit-id is provided and checked. When client-f-3 (mac-1, cid-1) connects, the matching host is ipoe-z.
- (G) Matching is based on the MAC address only – When client-g with mac-2 connects, host default is matched because there is no explicit entry matching mac-2.
As shown in the preceding examples, the system only checks parameters provided by the client in the sequence defined by the match-list. Other parameters are not checked.
Using the LUDB for specific applications
A LUDB, on its own, is not functional. The LUDB must be associated with the intended application. The following tables provide an overview of the LUDB applications and the configuration to associate an LUDB with the application.
Application | LUDB association (MD-CLI) |
---|---|
Subscriber management authentication IPoE session | configure service vpls capture-sap ipoe-session user-db |
 | configure service ies subscriber-interface group-interface ipoe-session user-db |
 | configure service vprn subscriber-interface group-interface ipoe-session user-db |
Subscriber management authentication PPPoE session | configure service vpls capture-sap pppoe user-db |
 | configure service ies subscriber-interface group-interface pppoe user-db |
 | configure service vprn subscriber-interface group-interface pppoe user-db |
Subscriber management authentication L2TP LNS PPPoE session | configure router l2tp group lns ppp user-db |
 | configure router l2tp group tunnel lns ppp user-db |
 | configure service vprn l2tp group lns ppp user-db |
 | configure service vprn l2tp group tunnel lns ppp user-db |
Subscriber management authentication GTP session | configure subscriber-mgmt gtp apn-policy apn user-db |
Subscriber management authentication DHCPv4 host | configure service vpls capture-sap dhcp user-db |
 | configure service ies subscriber-interface group-interface ipv4 dhcp user-db |
 | configure service vprn subscriber-interface group-interface ipv4 dhcp user-db |
Subscriber management authentication DHCPv6 host | configure service vpls capture-sap dhcp6 user-db |
 | configure service ies subscriber-interface group-interface ipv6 dhcp6 user-db |
 | configure service vprn subscriber-interface group-interface ipv6 dhcp6 user-db |
Subscriber management authentication Router-Solicit host | configure service vpls capture-sap router-solicit user-db |
 | configure service ies subscriber-interface group-interface ipv6 router-solicit user-db |
 | configure service vprn subscriber-interface group-interface ipv6 router-solicit user-db |
DHCP server | configure router dhcp-server dhcpv4 user-db |
 | configure service vprn dhcp-server dhcpv4 user-db |
 | configure router dhcp-server dhcpv6 user-db |
 | configure service vprn dhcp-server dhcpv6 user-db |
RADIUS server fallback | configure subscriber-mgmt radius-authentication-policy fallback action user-db |
Web authentication protocol (WPP) | configure service ies subscriber-interface group-interface wpp user-db |
 | configure service vprn subscriber-interface group-interface wpp user-db |
DHCPv6 relay on regular interfaces: DHCP option insertion | configure service ies interface ipv6 dhcp6 relay user-db |
 | configure service vprn interface ipv6 dhcp6 relay user-db |
Application | LUDB association (classic CLI) |
---|---|
Subscriber management authentication IPoE session | configure service vpls sap ipoe-session user-db |
 | configure service ies subscriber-interface group-interface ipoe-session user-db |
 | configure service vprn subscriber-interface group-interface ipoe-session user-db |
Subscriber management authentication PPPoE session | configure service vpls sap pppoe-user-db |
 | configure service ies subscriber-interface group-interface pppoe user-db |
 | configure service vprn subscriber-interface group-interface pppoe user-db |
Subscriber management authentication L2TP LNS PPPoE session | configure router l2tp group ppp user-db |
 | configure router l2tp group tunnel ppp user-db |
 | configure service vprn l2tp group ppp user-db |
 | configure service vprn l2tp group tunnel ppp user-db |
Subscriber management authentication GTP session | configure subscriber-mgmt gtp apn-policy apn user-db |
Subscriber management authentication DHCPv4 host | configure service vpls sap dhcp-user-db |
 | configure service ies subscriber-interface group-interface dhcp user-db |
 | configure service vprn subscriber-interface group-interface dhcp user-db |
Subscriber management authentication DHCPv6 host | configure service vpls sap dhcp6-user-db |
 | configure service ies subscriber-interface group-interface ipv6 dhcp6 user-db |
 | configure service vprn subscriber-interface group-interface ipv6 dhcp6 user-db |
Subscriber management authentication Router-Solicit host | configure service vpls sap rtr-solicit-user-db |
 | configure service ies subscriber-interface group-interface ipv6 router-solicit user-db |
 | configure service vprn subscriber-interface group-interface ipv6 router-solicit user-db |
DHCP server | configure router dhcp local-dhcp-server user-db |
 | configure service vprn dhcp local-dhcp-server user-db |
 | configure router dhcp6 local-dhcp-server user-db |
 | configure service vprn dhcp6 local-dhcp-server user-db |
RADIUS server fallback | configure subscriber-mgmt authentication-policy fallback-action user-db |
Web authentication protocol (WPP) | configure service ies subscriber-interface group-interface wpp user-db |
 | configure service vprn subscriber-interface group-interface wpp user-db |
DHCPv6 relay on regular interfaces: DHCP option insertion | configure service ies interface ipv6 dhcp6-relay user-db |
 | configure service vprn interface ipv6 dhcp6-relay user-db |
Configuration notes and LUDB troubleshooting
The following sections describe VLAN range matching and LUDB troubleshooting commands.
VLAN range matching
The following rules are used for VLAN range matching:
- configure the encap-tag-range match criteria in the match-list. Configure the start and end tags for the VLAN range in the host-identification fields.
- the start-tag must be lower than the end-tag
- a match-all (asterisk) must be present in both the start-tag and the end-tag; for example:
  - *.10 - *.100 — the outer tag is ignored
  - 201.* - 299.* — the inner tag is ignored
- the encapsulation type for start-tag and end-tag must be the same
- overlapping ranges (while on the same port) are not allowed
Operational and troubleshooting commands
The following tools command manually triggers a host lookup in a LUDB, which is useful to commission, troubleshoot, and verify the configured database without using an external client.
tools perform subscriber-mgmt local-user-db ipoe host-lookup
tools perform subscriber-mgmt local-user-db ppp host-lookup
The following command shows the available LUDBs in the system, including the administrative state and host count. The host count equals the total number of configured IPoE and PPP host entries, regardless of their administrative state. When specifying a LUDB name, the detailed output also includes the IPoE and PPP match and mask types.
show subscriber-mgmt local-user-db
To display all host entries in a specific LUDB, use the following command.
show subscriber-mgmt local-user-db ipoe-all-hosts
show subscriber-mgmt local-user-db ppp-all-hosts
To include the details of a specific LUDB host entry, use the following command.
show subscriber-mgmt local-user-db ipoe-host
show subscriber-mgmt local-user-db ppp-host
To list duplicates and host entries that are not matched in a LUDB, use the following commands.
show subscriber-mgmt local-user-db ipoe-unmatched-hosts
show subscriber-mgmt local-user-db ppp-unmatched-hosts
To find the places where a specific LUDB is applied, use the following command.
show subscriber-mgmt local-user-db association
To enable debugging for all LUDB lookups or for failed LUDB lookups, use the following command.
debug subscriber-mgmt local-user-db detail {all | failed}
Subscriber session authentication in LUDB
See "Local User Database for the Enhanced Subscriber Management" in 7450 ESS, 7750 SR, and 7950 XRS Advanced Configuration Guides Part III for more information about subscriber session authentication in LUDB.
PPPoE authentication configuration examples
In PPPoE access scenarios without an access node, or with access nodes that do not insert the PPPoE vendor-specific tags Circuit ID or Remote ID, the user may be required to configure this information in the LUDB so that the Circuit ID and Remote ID access loop information tags can be picked up in the pre-authentication phase and used for RADIUS authentication and for reporting in RADIUS accounting messages.
The following is an example of a PPPoE access scenario.
MD-CLI
```
[ex:/configure subscriber-mgmt]
A:admin@node-2# info
    local-user-db "ludb-1" {
        ppp {
            match-list [user-name]
            host "host-1" {
                admin-state enable
                host-identification {
                    user-name {
                        name "cpe-1@domain1.com"
                    }
                }
                authentication {
                    radius-auth-policy "auth-policy-1"
                }
                access-loop-information {
                    circuit-id {
                        ascii-string "LUDB inserted circuit-id"
                    }
                    remote-id {
                        ascii-string "LUDB inserted remote-id"
                    }
                }
                password {
                    ignore
                }
            }
        }
    }
```
classic CLI
```
A:node-2>config>subscr-mgmt# info
----------------------------------------------
    local-user-db "ludb-1" create
        ppp
            match-list username
            host "host-1" create
                access-loop-information
                    circuit-id string "LUDB inserted circuit-id"
                    remote-id string "LUDB inserted remote-id"
                exit
                host-identification
                    username "cpe-1@domain1.com"
                exit
                auth-policy "auth-policy-1"
                password ignore
                no shutdown
            exit
        exit
    exit
----------------------------------------------
```
With PPPoE, when the system accesses a LUDB during a discovery phase, a matched host could return a second LUDB via a user database configuration under the LUDB host context. This second database is accessed again during the PAP or CHAP phase.
The following is an example of a PPPoE access scenario with second LUDB.
PPPoE access scenario with second LUDB (MD-CLI)
```
[ex:/configure subscriber-mgmt]
A:admin@node-2# info
    local-user-db "chap-db" {
        admin-state enable
        ppp {
            match-list [derived-id user-name]
            host "testuser" {
                admin-state enable
                host-identification {
                    derived-id "testuser"
                    user-name {
                        name "testuser"
                    }
                }
                identification {
                    sla-profile-string "sla-2"
                }
                password {
                    chap "cYhRmQYW0kLW3s0LrtEnBjWlAwFa/1Kx" hash2
                }
            }
        }
    }
    local-user-db "padi-db" {
        admin-state enable
        ppp {
            match-list [derived-id]
            host "testuser" {
                admin-state enable
                host-identification {
                    derived-id "testuser"
                }
                authentication {
                    user-db "chap-db"
                }
                msap-defaults {
                    service 500
                    group-interface {
                        name "g1"
                    }
                }
            }
        }
    }
```
PPPoE access scenario with second LUDB (classic CLI)
```
A:node-2>config>subscr-mgmt# info
----------------------------------------------
    local-user-db "chap-db" create
        ppp
            match-list derived-id username
            host "testuser" create
                host-identification
                    derived-id "testuser"
                    username "testuser"
                exit
                password chap "cYhRmQYW0kLW3s0LrtEnBjWlAwFa/1Kx" hash2
                identification-strings 254 create
                    sla-profile-string "sla-2"
                exit
                no shutdown
            exit
        exit
        no shutdown
    exit
    local-user-db "padi-db" create
        ppp
            match-list derived-id
            host "testuser" create
                host-identification
                    derived-id "testuser"
                exit
                msap-defaults
                    group-interface "g1"
                    service 500
                exit
                user-db "chap-db"
                no shutdown
            exit
        exit
        no shutdown
    exit
----------------------------------------------
```
LUDB lookup for DHCP server leases
The following sections describe DHCPv4 and DHCPv6 server leases.
DHCPv4 server leases
See "Local User Database for DHCPv4 Server" in 7450 ESS, 7750 SR, and 7950 XRS Advanced Configuration Guides Part III for more information about LUDB lookup for DHCPv4 server leases.
DHCPv6 server leases
Assigning a LUDB to a DHCPv6 server allows the server to insert DHCPv6 options for a specific DHCPv6 client or a group of DHCPv6 clients identified by the match criteria in the LUDB.
A local DHCPv6 server can be used for IPoE users and for PPP users. The LUDB lookup for the DHCPv6 server application is always performed in the IPoE section. The DHCPv6 client messages are encapsulated as follows:
- For IPoE clients, the DHCPv6 client messages received by the DHCPv6 server are encapsulated in Relay-Forward messages by an optional Lightweight DHCPv6 Relay Agent (LDRA) and a DHCPv6 relay agent.
- For PPPoE clients, the DHCPv6 client messages received by the DHCPv6 server are encapsulated in Relay-Forward messages by a DHCPv6 relay agent after PPPoE de-encapsulation.
The DHCPv6 server can be in the same router as the DHCPv6 relay agent, but that is not a requirement.
LUDB input parameters and match criteria
The following IPoE input command options (host identification fields) and match criteria are supported when accessing an LUDB from a DHCPv6 server.
Match Criteria | Input Parameter | Host Identification |
---|---|---|
circuit-id (support for prefix and suffix string and length mask) | interface ID field of DHCPv6 option INTERFACE_ID (18) in the inner Relay-Forward message | circuit-id as ASCII string or hexadecimal string |
remote-id (support for prefix and suffix string and length mask) | Concatenation of enterprise number and remote ID fields of DHCPv6 option REMOTE_ID (37) in the inner Relay-Forward message | remote-id as ASCII string or hexadecimal string |
dual-stack-remote-id (support for prefix and suffix string and length mask) | remote ID field of DHCPv6 option REMOTE_ID (37) in the inner Relay-Forward message. The enterprise number field is ignored. | remote-id as ASCII string or hexadecimal string |
duid-en (support for prefix and suffix length mask) | Concatenation of enterprise number and identifier fields of DHCPv6 option CLIENTID (1) with DUID type = 2 (assigned by vendor based on enterprise number) in the DHCPv6 client message | duid-en as hexadecimal string |
duid-ll-llt (support for prefix and suffix length mask: number of MAC address bits to exclude from the match) | link layer address field of DHCPv6 option CLIENTID (1) with DUID type = 3 (based on link-layer address) or DUID type = 1 (based on link-layer address plus time) and hardware type = 1 (Ethernet) in the DHCPv6 client message. For DUID type = 1, the time field is ignored | duid-ll-llt as non-zero unicast MAC address |
The LUDB lookup process can match up to four IPoE match-criteria, as defined by the IPoE match-list. Match criteria not listed in the previous table are ignored for a LUDB host lookup for a DHCPv6 server application.
The default host is matched when no host is found based on configured host-identification parameters.
LUDB output parameters
The LUDB associated with the DHCPv6 server can provide the options listed in the following table and these options are then inserted in the DHCPv6 server message sent to the client.
DHCPv6 option | | Format |
---|---|---|
boot-file-url | boot-file-url field of DHCPv6 option BOOTFILE_URL (59) | ASCII string (maximum length 127 characters) |
boot-file-param | concatenation of param-len n and parameter n fields of DHCPv6 option BOOTFILE_PARAM (60) | Hexadecimal string (maximum length 127 bytes) |
dns-server | DNS recursive name server fields of DHCPv6 option DNS_SERVERS (23) | Up to four IPv6 addresses or hex-string of exact 16, 32, 48, or 64 bytes in length |
When the same DHCPv6 option is configured in both the LUDB associated with a DHCPv6 server and in the DHCPv6 server, the option obtained from an LUDB host lookup has precedence over the same option configured in the DHCPv6 server.
Parameters and options configured in the host entry definition and not listed in the previous table are silently ignored for a LUDB host lookup for a DHCPv6 server application.
Configuration example
This section provides LUDB configuration examples.
Associate a LUDB with a DHCPv6 server (MD-CLI)
```
[ex:/configure router "Base" dhcp-server]
A:admin@node-2# info
    dhcpv6 "dhcpv6-s1" {
        user-db "ludb-1"
    }
```
Associate a LUDB with a DHCPv6 server (classic CLI)
```
A:node-2>config>router>dhcp6# info
----------------------------------------------
    local-dhcp-server "dhcpv6-s1" create
        shutdown
        user-db "ludb-1"
    exit
----------------------------------------------
```
LUDB configuration (MD-CLI)
```
[ex:/configure subscriber-mgmt]
A:admin@node-2# info
    local-user-db "ludb-1" {
        admin-state enable
        ipoe {
            match-list [duid-ll-llt duid-en]
            mask type duid-ll-llt {
                suffix {
                    length 8
                }
            }
            host "default" {
                admin-state enable
                ipv6 {
                    option boot-file-url {
                        ascii-string "http://10.1.1.1:80/ztp/default.py"
                    }
                }
            }
            host "group-1" {
                admin-state enable
                host-identification {
                    duid-ll-llt 00:00:5e:00:53:00
                }
                ipv6 {
                    option boot-file-url {
                        ascii-string "http://10.1.1.1:80/ztp/group-1.py"
                    }
                }
            }
        }
    }
```
LUDB configuration (classic CLI)
```
A:node-2>config>subscr-mgmt# info
----------------------------------------------
    local-user-db "ludb-1" create
        ipoe
            match-list duid-ll-llt duid-en
            mask type duid-ll-llt suffix-length 8
            host "default" create
                options6
                    boot-file-url "http://10.1.1.1:80/ztp/default.py"
                exit
                no shutdown
            exit
            host "group-1" create
                host-identification
                    duid-ll-llt 00:00:5e:00:53:00
                exit
                options6
                    boot-file-url "http://10.1.1.1:80/ztp/group-1.py"
                exit
                no shutdown
            exit
        exit
        no shutdown
    exit
----------------------------------------------
```
The following actions occur when DHCPv6 server “dhcpv6-s1” performs a lookup in the LUDB “ludb-1”:
- DHCPv6 clients with Client ID option (1) DUID type equal to 1 or 3, hardware-type equal to 1 (Ethernet), and hardware address in the range 00:00:5e:00:53:00 through 00:00:5e:00:53:FF match host “group-1”. DHCPv6 option 59 BOOTFILE_URL with URL “http://10.1.1.1:80/ztp/group-1.py” is added to the DHCPv6 server message.
  The hardware address range match is achieved with a duid-ll-llt suffix length mask of 8 bits. The last 8 bits of the hardware address are masked (set to zero) when performing the lookup. The corresponding host-identification duid-ll-llt value must be configured with the last 8 bits equal to zero.
- All other DHCPv6 clients match the “default” host, and DHCPv6 option 59 BOOTFILE_URL with URL “http://10.1.1.1:80/ztp/default.py” is added to the DHCPv6 server message.
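The lookup just described, as an added Python example that is not part of the original page and is not Nokia code. It models only the duid-ll-llt criterion of “ludb-1” (no host in the example uses duid-en); the function names are hypothetical, the DUID byte strings used to exercise it are constructed, and the DUID layouts follow RFC 8415.

```python
# Added illustration: duid-ll-llt lookup with an 8-bit suffix mask (not SR OS code).
import struct
from typing import Dict, List, Optional, Tuple

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3      # DUID types (RFC 8415)
HW_ETHERNET = 1

SUFFIX_MASK_BITS = 8                      # mask type duid-ll-llt suffix length 8
# host name -> (host-identification duid-ll-llt, boot-file-url), from the page
HOSTS: Dict[str, Tuple[str, str]] = {
    "group-1": ("00:00:5e:00:53:00", "http://10.1.1.1:80/ztp/group-1.py"),
}
DEFAULT_URL = "http://10.1.1.1:80/ztp/default.py"


def parse_mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def duid_link_layer_address(duid: bytes) -> Optional[bytes]:
    """Return the Ethernet address of a DUID-LLT or DUID-LL, else None."""
    if len(duid) < 4:
        return None
    duid_type, hw_type = struct.unpack("!HH", duid[:4])
    if duid_type == DUID_LLT:
        lladdr = duid[8:]                 # skip type, hw type and 4-byte time
    elif duid_type == DUID_LL:
        lladdr = duid[4:]                 # skip type and hw type
    else:
        return None                       # DUID-EN and others: not this criterion
    if hw_type != HW_ETHERNET or len(lladdr) != 6:
        return None
    return lladdr


def mask_suffix_bits(mac: bytes, bits: int) -> bytes:
    """Set the last `bits` bits of the address to zero."""
    value = int.from_bytes(mac, "big")
    return ((value >> bits) << bits).to_bytes(6, "big")


def unreachable_hosts(hosts: Dict[str, Tuple[str, str]], bits: int) -> List[str]:
    """Hosts whose configured address has non-zero masked bits never match."""
    return [name for name, (mac, _url) in hosts.items()
            if mask_suffix_bits(parse_mac(mac), bits) != parse_mac(mac)]


def lookup_boot_file_url(duid: bytes) -> Tuple[str, str]:
    """Return (matched host, BOOTFILE_URL) for the DUID in the CLIENTID option."""
    mac = duid_link_layer_address(duid)
    if mac is not None:
        masked = mask_suffix_bits(mac, SUFFIX_MASK_BITS)
        for name, (host_mac, url) in HOSTS.items():
            if parse_mac(host_mac) == masked:
                return name, url
    return "default", DEFAULT_URL         # fallback when the scan finds nothing


if __name__ == "__main__":
    # Constructed DUIDs: LL in range, LLT in range, LL out of range, EN.
    samples = [
        bytes.fromhex("00030001" "00005e00532a"),
        bytes.fromhex("00010001" "2b3c4d5e" "00005e0053ff"),
        bytes.fromhex("00030001" "00005e005401"),
        bytes.fromhex("0002" "00000000" "0102030405"),
    ]
    for duid in samples:
        print(duid.hex(), "->", lookup_boot_file_url(duid))
    print("never-matching host entries:", unreachable_hosts(HOSTS, SUFFIX_MASK_BITS))
```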
LUDB lookup for DHCPv6 relay on IES or VPRN interfaces
A DHCPv6 relay can be configured with a LUDB on IES and VPRN IP interfaces (that is, not subscriber interfaces). The LUDB can insert options in the DHCPv6 message to the server (to-server-options) or to the client (to-client-options). The IES or VPRN interface must have lease-populate enabled and there should be no other Relay Agent between the DHCPv6 client and the DHCPv6 Relay when using the IPv6 to-server-options in the associated LUDB. To enable lease-populate, use the following commands:
- MD-CLI
  configure service ies interface ipv6 dhcp6 relay lease-populate
  configure service vprn interface ipv6 dhcp6 relay lease-populate
- classic CLI
  configure service ies interface ipv6 dhcp6-relay lease-populate
  configure service vprn interface ipv6 dhcp6-relay lease-populate
See DHCPv6 to server option for more information.