Routing

 Greetings!

Im trying to deploy dhcp-local-server on mx204(21.4R3-S3.4) in vrf but it doesnt work.

I have an access profile with radius which is set in dhcp-local-server.

Dhcp-local-server is configured in vrf.

Subscriber interfaces are raised through auto-configure with a stacked-vlan triggered by dhcp discover packet,

but things don't go any further. There is no radius requests from MX to radius server.

I tried to define an routing-instance in radius-server(and separate interface linked to radius server), tried DO NOT define routing-instance but with source address of loopback of vrf(hello rib-groups)

Tried to make a separate RI for radius only and define this RI in profile... but RADIUS requests are not sent.

In all these attempt radius server was reachable from configured source address.

What i missing? How to make dhcp server work in vrf with RADIUS?

some config..

show access profile TH-DHCPaccounting-order radius;authentication-order radius;radius {    authentication-server 10.133.252.253;    accounting-server [ 10.133.252.253 10.133.252.231 ];}session-options {    client-idle-timeout 1440;}radius-server {    10.133.252.253 {        port 1812;        accounting-port 1813;        secret "secret; ## SECRET-DATA        timeout 20;        retry 5;        source-address 10.132.255.203; // loopback ip    }....
show routing-instances vrf-cus-th system services dhcp-local-server dhcpv6 {    group th-dhcp6 {        overrides {            dual-stack th-ds;        }        interface ae0.0;        interface demux0.0;    }}pool-match-order {    external-authority;}authentication {    username-include {        delimiter "@";        domain-name th;        mac-address;    }}access-profile TH-DHCP;short-cycle-protection lockout-min-time 4 lockout-max-time 16;group th-dhcp {    overrides {        dual-stack th-ds;    }    interface ae0.0;    interface demux0.0;}dual-stack-group th-ds {                    access-profile TH-DHCP;    dynamic-profile DProf-dhcp-ds;    classification-key {        mac-address;    }    protocol-master inet;}no-stale-timer-refresh;stale-timer 12;show dynamic-profiles DProf-dhcp-ds routing-instances {    "$junos-routing-instance" {        interface "$junos-interface-name";    }}interfaces {    demux0 {        description DHCP;        unit "$junos-interface-unit" {            actual-transit-statistics;            no-traps;            proxy-arp restricted;            demux-options {                underlying-interface "$junos-underlying-interface";            }            family inet {                demux-source {                    $junos-subscriber-ip-address;                }                unnumbered-address "$junos-loopback-interface" preferred-source-address "$junos-preferred-source-address";            }            family inet6 {                demux-source {                    "$junos-subscriber-ipv6-address";                }                unnumbered-address "$junos-loopback-interface";            }        }    }}protocols {    router-advertisement {        interface "$junos-interface-name" {            managed-configuration;            other-stateful-configuration;            link-mtu;            prefix $junos-ipv6-ndra-prefix {                valid-lifetime 3600;                on-link;                preferred-lifetime 3600;            }        }    }}

 Greetings!

Im trying to deploy dhcp-local-server on mx204(21.4R3-S3.4) in vrf but it doesnt work.

I have an access profile with radius which is set in dhcp-local-server.

Dhcp-local-server is configured in vrf.

Subscriber interfaces are raised through auto-configure with a stacked-vlan triggered by dhcp discover packet,

but things don't go any further. There is no radius requests from MX to radius server.

I tried to define an routing-instance in radius-server(and separate interface linked to radius server), tried DO NOT define routing-instance but with source address of loopback of vrf(hello rib-groups)

Tried to make a separate RI for radius only and define this RI in profile... but RADIUS requests are not sent.

In all these attempt radius server was reachable from configured source address.

What i missing? How to make dhcp server work in vrf with RADIUS?

some config..

show access profile TH-DHCPaccounting-order radius;authentication-order radius;radius {    authentication-server 10.133.252.253;    accounting-server [ 10.133.252.253 10.133.252.231 ];}session-options {    client-idle-timeout 1440;}radius-server {    10.133.252.253 {        port 1812;        accounting-port 1813;        secret "secret; ## SECRET-DATA        timeout 20;        retry 5;        source-address 10.132.255.203; // loopback ip    }....
show routing-instances vrf-cus-th system services dhcp-local-server dhcpv6 {    group th-dhcp6 {        overrides {            dual-stack th-ds;        }        interface ae0.0;        interface demux0.0;    }}pool-match-order {    external-authority;}authentication {    username-include {        delimiter "@";        domain-name th;        mac-address;    }}access-profile TH-DHCP;short-cycle-protection lockout-min-time 4 lockout-max-time 16;group th-dhcp {    overrides {        dual-stack th-ds;    }    interface ae0.0;    interface demux0.0;}dual-stack-group th-ds {                    access-profile TH-DHCP;    dynamic-profile DProf-dhcp-ds;    classification-key {        mac-address;    }    protocol-master inet;}no-stale-timer-refresh;stale-timer 12;show dynamic-profiles DProf-dhcp-ds routing-instances {    "$junos-routing-instance" {        interface "$junos-interface-name";    }}interfaces {    demux0 {        description DHCP;        unit "$junos-interface-unit" {            actual-transit-statistics;            no-traps;            proxy-arp restricted;            demux-options {                underlying-interface "$junos-underlying-interface";            }            family inet {                demux-source {                    $junos-subscriber-ip-address;                }                unnumbered-address "$junos-loopback-interface" preferred-source-address "$junos-preferred-source-address";            }            family inet6 {                demux-source {                    "$junos-subscriber-ipv6-address";                }                unnumbered-address "$junos-loopback-interface";            }        }    }}protocols {    router-advertisement {        interface "$junos-interface-name" {            managed-configuration;            other-stateful-configuration;            link-mtu;            prefix $junos-ipv6-ndra-prefix {                valid-lifetime 3600;                on-link;                preferred-lifetime 3600;            }        }    }}

Do you have a dhcp-local-server configured in the default routing instance?

You will need one there to accept the initial DHCP request and kick off the RADIUS Authentication process. 

The radius reply can then supply the routing instance information etc. 

 Greetings!

Im trying to deploy dhcp-local-server on mx204(21.4R3-S3.4) in vrf but it doesnt work.

I have an access profile with radius which is set in dhcp-local-server.

Dhcp-local-server is configured in vrf.

Subscriber interfaces are raised through auto-configure with a stacked-vlan triggered by dhcp discover packet,

but things don't go any further. There is no radius requests from MX to radius server.

I tried to define an routing-instance in radius-server(and separate interface linked to radius server), tried DO NOT define routing-instance but with source address of loopback of vrf(hello rib-groups)

Tried to make a separate RI for radius only and define this RI in profile... but RADIUS requests are not sent.

In all these attempt radius server was reachable from configured source address.

What i missing? How to make dhcp server work in vrf with RADIUS?

some config..

show access profile TH-DHCPaccounting-order radius;authentication-order radius;radius {    authentication-server 10.133.252.253;    accounting-server [ 10.133.252.253 10.133.252.231 ];}session-options {    client-idle-timeout 1440;}radius-server {    10.133.252.253 {        port 1812;        accounting-port 1813;        secret "secret; ## SECRET-DATA        timeout 20;        retry 5;        source-address 10.132.255.203; // loopback ip    }....
show routing-instances vrf-cus-th system services dhcp-local-server dhcpv6 {    group th-dhcp6 {        overrides {            dual-stack th-ds;        }        interface ae0.0;        interface demux0.0;    }}pool-match-order {    external-authority;}authentication {    username-include {        delimiter "@";        domain-name th;        mac-address;    }}access-profile TH-DHCP;short-cycle-protection lockout-min-time 4 lockout-max-time 16;group th-dhcp {    overrides {        dual-stack th-ds;    }    interface ae0.0;    interface demux0.0;}dual-stack-group th-ds {                    access-profile TH-DHCP;    dynamic-profile DProf-dhcp-ds;    classification-key {        mac-address;    }    protocol-master inet;}no-stale-timer-refresh;stale-timer 12;show dynamic-profiles DProf-dhcp-ds routing-instances {    "$junos-routing-instance" {        interface "$junos-interface-name";    }}interfaces {    demux0 {        description DHCP;        unit "$junos-interface-unit" {            actual-transit-statistics;            no-traps;            proxy-arp restricted;            demux-options {                underlying-interface "$junos-underlying-interface";            }            family inet {                demux-source {                    $junos-subscriber-ip-address;                }                unnumbered-address "$junos-loopback-interface" preferred-source-address "$junos-preferred-source-address";            }            family inet6 {                demux-source {                    "$junos-subscriber-ipv6-address";                }                unnumbered-address "$junos-loopback-interface";            }        }    }}protocols {    router-advertisement {        interface "$junos-interface-name" {            managed-configuration;            other-stateful-configuration;            link-mtu;            prefix $junos-ipv6-ndra-prefix {                valid-lifetime 3600;                on-link;                preferred-lifetime 3600;            }        }    }}

already, yes

Thanks. Its was not too obviously for me

And now i wonder what is minimum configuration must be in every routing-instance

Do you have a dhcp-local-server configured in the default routing instance?

You will need one there to accept the initial DHCP request and kick off the RADIUS Authentication process. 

The radius reply can then supply the routing instance information etc. 

 Greetings!

Im trying to deploy dhcp-local-server on mx204(21.4R3-S3.4) in vrf but it doesnt work.

I have an access profile with radius which is set in dhcp-local-server.

Dhcp-local-server is configured in vrf.

Subscriber interfaces are raised through auto-configure with a stacked-vlan triggered by dhcp discover packet,

but things don't go any further. There is no radius requests from MX to radius server.

I tried to define an routing-instance in radius-server(and separate interface linked to radius server), tried DO NOT define routing-instance but with source address of loopback of vrf(hello rib-groups)

Tried to make a separate RI for radius only and define this RI in profile... but RADIUS requests are not sent.

In all these attempt radius server was reachable from configured source address.

What i missing? How to make dhcp server work in vrf with RADIUS?

some config..

show access profile TH-DHCPaccounting-order radius;authentication-order radius;radius {    authentication-server 10.133.252.253;    accounting-server [ 10.133.252.253 10.133.252.231 ];}session-options {    client-idle-timeout 1440;}radius-server {    10.133.252.253 {        port 1812;        accounting-port 1813;        secret "secret; ## SECRET-DATA        timeout 20;        retry 5;        source-address 10.132.255.203; // loopback ip    }....
show routing-instances vrf-cus-th system services dhcp-local-server dhcpv6 {    group th-dhcp6 {        overrides {            dual-stack th-ds;        }        interface ae0.0;        interface demux0.0;    }}pool-match-order {    external-authority;}authentication {    username-include {        delimiter "@";        domain-name th;        mac-address;    }}access-profile TH-DHCP;short-cycle-protection lockout-min-time 4 lockout-max-time 16;group th-dhcp {    overrides {        dual-stack th-ds;    }    interface ae0.0;    interface demux0.0;}dual-stack-group th-ds {                    access-profile TH-DHCP;    dynamic-profile DProf-dhcp-ds;    classification-key {        mac-address;    }    protocol-master inet;}no-stale-timer-refresh;stale-timer 12;show dynamic-profiles DProf-dhcp-ds routing-instances {    "$junos-routing-instance" {        interface "$junos-interface-name";    }}interfaces {    demux0 {        description DHCP;        unit "$junos-interface-unit" {            actual-transit-statistics;            no-traps;            proxy-arp restricted;            demux-options {                underlying-interface "$junos-underlying-interface";            }            family inet {                demux-source {                    $junos-subscriber-ip-address;                }                unnumbered-address "$junos-loopback-interface" preferred-source-address "$junos-preferred-source-address";            }            family inet6 {                demux-source {                    "$junos-subscriber-ipv6-address";                }                unnumbered-address "$junos-loopback-interface";            }        }    }}protocols {    router-advertisement {        interface "$junos-interface-name" {            managed-configuration;            other-stateful-configuration;            link-mtu;            prefix $junos-ipv6-ndra-prefix {                valid-lifetime 3600;                on-link;                preferred-lifetime 3600;            }        }    }}

You may already have it, since you didn't share that part of the config. But the main difference I have is the address pool must be within the routing instance. 

bng-4> show configuration routing-instances CGNAT access   
address-assignment {
    pool CGNAT {
        family inet {
            network 100.110.0.0/16;
            range CPE {
                low 100.110.0.2;
                high 100.110.255.254;
            }
            dhcp-attributes {
                domain-name example.com.au;
                router {
                    100.110.0.1;
                }
            }
        }
    }
}

already, yes

Thanks. Its was not too obviously for me

And now i wonder what is minimum configuration must be in every routing-instance

Do you have a dhcp-local-server configured in the default routing instance?

You will need one there to accept the initial DHCP request and kick off the RADIUS Authentication process. 

The radius reply can then supply the routing instance information etc. 

 Greetings!

Im trying to deploy dhcp-local-server on mx204(21.4R3-S3.4) in vrf but it doesnt work.

I have an access profile with radius which is set in dhcp-local-server.

Dhcp-local-server is configured in vrf.

Subscriber interfaces are raised through auto-configure with a stacked-vlan triggered by dhcp discover packet,

but things don't go any further. There is no radius requests from MX to radius server.

I tried to define an routing-instance in radius-server(and separate interface linked to radius server), tried DO NOT define routing-instance but with source address of loopback of vrf(hello rib-groups)

Tried to make a separate RI for radius only and define this RI in profile... but RADIUS requests are not sent.

In all these attempt radius server was reachable from configured source address.

What i missing? How to make dhcp server work in vrf with RADIUS?

some config..

show access profile TH-DHCPaccounting-order radius;authentication-order radius;radius {    authentication-server 10.133.252.253;    accounting-server [ 10.133.252.253 10.133.252.231 ];}session-options {    client-idle-timeout 1440;}radius-server {    10.133.252.253 {        port 1812;        accounting-port 1813;        secret "secret; ## SECRET-DATA        timeout 20;        retry 5;        source-address 10.132.255.203; // loopback ip    }....
show routing-instances vrf-cus-th system services dhcp-local-server dhcpv6 {    group th-dhcp6 {        overrides {            dual-stack th-ds;        }        interface ae0.0;        interface demux0.0;    }}pool-match-order {    external-authority;}authentication {    username-include {        delimiter "@";        domain-name th;        mac-address;    }}access-profile TH-DHCP;short-cycle-protection lockout-min-time 4 lockout-max-time 16;group th-dhcp {    overrides {        dual-stack th-ds;    }    interface ae0.0;    interface demux0.0;}dual-stack-group th-ds {                    access-profile TH-DHCP;    dynamic-profile DProf-dhcp-ds;    classification-key {        mac-address;    }    protocol-master inet;}no-stale-timer-refresh;stale-timer 12;show dynamic-profiles DProf-dhcp-ds routing-instances {    "$junos-routing-instance" {        interface "$junos-interface-name";    }}interfaces {    demux0 {        description DHCP;        unit "$junos-interface-unit" {            actual-transit-statistics;            no-traps;            proxy-arp restricted;            demux-options {                underlying-interface "$junos-underlying-interface";            }            family inet {                demux-source {                    $junos-subscriber-ip-address;                }                unnumbered-address "$junos-loopback-interface" preferred-source-address "$junos-preferred-source-address";            }            family inet6 {                demux-source {                    "$junos-subscriber-ipv6-address";                }                unnumbered-address "$junos-loopback-interface";            }        }    }}protocols {    router-advertisement {        interface "$junos-interface-name" {            managed-configuration;            other-stateful-configuration;            link-mtu;            prefix $junos-ipv6-ndra-prefix {                valid-lifetime 3600;                on-link;                preferred-lifetime 3600;            }        }    }}