Cisco CNS Network Registrar User's Guide, 5.5
Configuring Clients and Client-Classes

Table Of Contents

Configuring Clients and Client-Classes

Client-Class Process

Setting Up Client-Class on the Server

Enabling Client-Class Processing

Defining Scope Selection Tags

Defining Client-Classes and Setting Their Properties

Setting Client-Class Scope Selection Criteria

Associating a Selection Tag With a Scope

Configuring an Embedded Policy for the Client-Class

Setting Client Properties

Adding and Editing a Client

Configuring an Embedded Policy for a Client

Setting Windows 2000 Client Properties

Settings in the Windows 2000 Client

Settings in the DHCP Server

Providing Provisional Addresses to Unknown Clients

Moving a Client to Another Subnet

Skipping Client Entries for Client-Classing

Limiting Client Authentication

Setting Client Caching Parameters

Troubleshooting Client-Class


Configuring Clients and Client-Classes


You can use Network Registrar's client or client-class facility to provide differentiated services to users across a common network. You can group clients based on administrative criteria, and then ensure that each group receives the appropriate class of service.

If you do not enable client-class processing, the Network Registrar DHCP server provides client leases based solely on their network location.

Table 10-1 lists the client-class configuration topics and the sections to go to for more information.

Table 10-1 Client-Class Configuration Topics

| If you want to... | Go to the... |
|---|---|
| Know more about why you would configure client-classes for Network Registrar servers | "Client-Class Quality of Service" section |
| Enable client-class processing on a DHCP server | "Enabling Client-Class Processing" section |
| Add, list, or delete scope selection tags | "Defining Scope Selection Tags" section |
| Add, edit, or remove client-classes | "Defining Client-Classes and Setting Their Properties" section |
| Set the client-class scope selection criteria | "Setting Client-Class Scope Selection Criteria" section |
| Associate a client-class selection tag with a scope | "Associating a Selection Tag With a Scope" section |
| Configure an embedded client-class policy | "Configuring an Embedded Policy for the Client-Class" section |
| Add and edit a client | "Adding and Editing a Client" section |
| Set Windows 2000 client properties | "Setting Windows 2000 Client Properties" section |
| Provide provisional addresses to unknown clients | "Providing Provisional Addresses to Unknown Clients" section |
| Move a client to another subnet | "Moving a Client to Another Subnet" section |
| Troubleshoot client-class | "Troubleshooting Client-Class" section |


Client-Class Process

You can enable or disable client-class processing for the DHCP server and apply a set of properties to groups of clients. With client-class processing enabled, the DHCP server assigns the client to an address from a matching scope. The server acts according to the client and client-class data in each packet. To configure client-class:

1. Enable client-class processing for the DHCP server.

2. Define scope selection tags for the server.

3. Define client-classes that include or exclude those scope selection tags.

4. Apply the selection tags to specific scopes.

5. Assign clients to these classes.

Setting Up Client-Class on the Server

Setting up client-classes involves enabling client-class processing on the DHCP server, creating scope selection tags, and creating the client-classes themselves.

Enabling Client-Class Processing

The first step is to enable client-class processing for the DHCP server and its scopes.

Using the CLI

Use the dhcp enable client-class command to enable client-class processing.

nrcmd> dhcp enable client-class 
100 Ok
client-class=enabled

Using the GUI

In the Server Manager window, double-click the DHCP server. In the DHCP Server Properties dialog box, click the Scope Selection Tags tab (Figure 10-1). Check the "Enable client-class processing" box. There are initially no scope selection tags defined.

Figure 10-1 Scope Selection Tags Tab (DHCP Server Properties Dialog Box)

Defining Scope Selection Tags

The next step is to define a list of scope selection tags for the DHCP server. The tag names are case-insensitive, so that tagPC is the same as TAGpc. When the DHCP server configures itself, it checks the tags defined for a scope "network" (the aggregation of all scopes related to a subnet). This includes all scopes that share a common network number, subnet mask, and primary scope. When the DHCP server reads a client entry, it checks its scope selection inclusion and exclusion criteria against the selection tags defined for the scopes. You may notice performance degradations with a large number of selection tags defined.

If you delete a selection tag, Network Registrar removes it from the selection tag list, but does not remove it from any existing scope, client, or client-class configuration.

Using the CLI

Use the scope-selection-tag name create command to create each scope selection tag. Then, reload the DHCP server and use the scope-selection-tag list command to list all the tags.

nrcmd> scope-selection-tag tagCableModem create 
nrcmd> dhcp reload 
nrcmd> scope-selection-tag list 

Use the dhcp set log-settings command to debug selection tags, particularly the client-criteria-processing and unknown-criteria settings.

nrcmd> dhcp set log-settings=client-criteria-processing,unknown-criteria 

To delete a scope selection tag, use the scope-selection-tag name delete command.

nrcmd> scope-selection-tag tagCableModem delete 

Using the GUI


Step 1 On the Scope Selection Tags tab of the DHCP Server Properties dialog box (Figure 10-1), enter a name in the field at the bottom of the dialog box. To identify it as a tag, it is best to prefix it accordingly; for example, tagCableModemUnprov. Click Clear to clear the field, if necessary.

Step 2 Click Add. The name appears under "<none>" in the table in the middle of the dialog box. (Using the GUI, you can only add selection tags; you cannot delete them.)

Step 3 Add more tags in the same way. If you change your mind about your entries, click Cancel.

Step 4 Click OK.

Step 5 Reload the DHCP server.


Defining Client-Classes and Setting Their Properties

The next step is to define the client-classes themselves. Again, you do this on the server level.

Using the CLI


Step 1 Use the client-class name create command to create a client-class. The name should clearly identify its intent. It is case-insensitive, so that classPC is the same as Classpc.

nrcmd> client-class CableModem create 

Step 2 Use the client-class name set command to set the properties of the clients in the client-class. You can specify the hostname each client should adopt. This can be an absolute, valid DNS value to override that included in the DHCP client request, or can be any of those described in Step 4 of the "Using the GUI" section. To do this, use the client-class name set host-name command. You can also get any property value and unset any optional property.

nrcmd> client-class CableModem set host-name=@use-macaddress 
nrcmd> client-class CableModem get host-name 
nrcmd> client-class CableModem unset host-name 

Step 3 Also, set the appropriate policy to associate with, and the action to perform for, the client-class. For a description of the possible actions to perform, see the "Providing Provisional Addresses to Unknown Clients" section. Use the appropriate command for each of these settings.

nrcmd> client-class CableModem set policy-name=policyCableModem 
nrcmd> client-class CableModem set action=one-shot 

If you do not want to choose an action on a global level, you can choose to include or exclude scope selection tags that you defined in the "Defining Scope Selection Tags" section. To do this, see the "Setting Client-Class Scope Selection Criteria" section.

Step 4 You can set for a client-class all of the other attributes you can for a client, such as the domain name, authenticate-until property, and the user-defined string. See the "Setting Client Properties" section for details.

Use the client-class name [show] command to show the properties for a particular client-class. You can also list the properties for all the client-classes created, or list just their names.

nrcmd> client-class CableModem 
nrcmd> client-class list 
nrcmd> client-class listnames 

Step 5 To delete the client-class, use the client-class name delete command.

nrcmd> client-class UnwantedClass delete 

Step 6 To debug client-class problems, use the dhcp set log-settings=client-criteria-processing command.


Using the GUI


Step 1 In the DHCP Server Properties dialog box for the appropriate server, click the Client-Classes tab (Figure 10-2).

Figure 10-2 Client-Classes Tab (DHCP Server Properties Dialog Box)

Step 2 Click Add to open the Add Client-Class dialog box (Figure 10-3).

Figure 10-3 Add Client-Class Dialog Box (from DHCP Client-Classes Tab)

Step 3 Enter a name in the Client-Class field that clearly identifies its intent, such as CableModem. Client-class names are case-insensitive, so that classPC is the same as ClassPC.

Step 4 In the Host Name field, enter a hostname or choose one of the predefined names:

If you enter a hostname, dynamic DNS updating must be in effect. See "Configuring Dynamic DNS Update." Also, enter in the adjoining Domain Name field the domain name of the DNS zone to use when performing DNS updates.

@host-name-option—The server uses whatever hostname option the client sent.

@no-host-name-option—The server ignores the hostname sent by the client. If DNS name generation is in effect, a generated name is used, if so set up for dynamic DNS updating. See the appropriate step of the "Configuring Dynamic DNS for a Scope" section.

@use-macaddress—The server synthesizes a hostname from the client's MAC address. For example, if a client's MAC address is 1-6-00-d0-ba-d3-bd-3b, the synthesized hostname would be x1-6-00-d0-ba-d3-bd-3b.

<Not Specified>—Leaves the hostname unspecified.

Step 5 In the Policy Name field, choose the DHCP policy that is appropriate for the client-class, such as policyCableModem. To leave the policy name unspecified, choose <Not Specified>.

Step 6 In the Action field, choose an action performed on a global level for the client-class:

exclude—The server ignores all communication with the client.

one-shot—Offers an address only once to the client, without renewing or re-offering any lease. This action allocates provisional addresses when you want unknown clients to have only short leases. See the "Providing Provisional Addresses to Unknown Clients" section.

<Not Specified>—Leaves the action unspecified.

Step 7 If you do not want to choose an action on a global level, you can choose to include or exclude scope selection tags that you defined in the previous section. See the "Setting Client-Class Scope Selection Criteria" section.

Step 8 Enter a comment or keyword in the "User Defined String" field. You can use this to index, sort, or search for the client-classes.

Step 9 Click Apply to continue adding client-classes in the same way, or OK to finish.

To remove a client-class from the DHCP Server Properties dialog box, choose it, then click Remove.


Setting Client-Class Scope Selection Criteria

If you omit a general action to perform on a client-class, you can specify which scope selection tags to include or exclude. See Step 6 in the "Defining Client-Classes and Setting Their Properties" section. If a scope has a selection tag assigned to it and the client-class assigns an:

Inclusion tag, the client can get an address from that scope.

Exclusion tag, the client will not get any address from that scope.

For example, assume three scopes, A, B, and C, with the following attributes: A/red, B/blue, C/blue,green. If a client-class specifies inclusion of red, the client gets an address from scope A. Inclusion of blue gives the client an address from either scope B or C. Inclusion of blue and exclusion of green gives the client an address from scope B only.

Using the CLI

Use the client-class name set selection-criteria command to set the inclusion criteria and the client-class name set selection-criteria-excluded command to set the exclusion criteria. Avoid setting conflicting inclusion and exclusion criteria. Ensure that they are mutually exclusive.

nrcmd> client-class CableModem set selection-criteria=tagPC 
       selection-criteria-excluded=tagUnprovPC 

Using the GUI


Step 1 In the Add Client-Class (or Edit Client-Class) dialog box, click Edit Criteria. This opens the Edit Scope Selection Criteria dialog box (Figure 10-4).

Figure 10-4 Edit Scope Selection Criteria Dialog Box (DHCP Server Properties Client-Classes Tab)

Step 2 Check the boxes for the scope selection tags that you want included and excluded in this client-class. (You cannot choose the same tags for both.)

Step 3 Click OK.


Associating a Selection Tag With a Scope

The next step is to associate the appropriate scope selection tags with the scope, which must be under the server you configured in the "Setting Up Client-Class on the Server" section.

Using the CLI

Use the scope name set selection-tags command to associate existing selection tags (created in the "Defining Client-Classes and Setting Their Properties" section) with a scope.

nrcmd> scope scopeUnprovPC set selection-tags=tagCableModemUnprov 
nrcmd> dhcp reload 

Using the GUI


Step 1 In the Server Manager window, double-click the scope.

Step 2 Click the Selection Tags tab (Figure 10-5).

Figure 10-5 Selection Tags Tab (Scope Properties Dialog Box)

Step 3 Click Edit Tags. This opens the Choose Scope Selection Tags dialog box.

Step 4 Check the boxes for one or more of the scope selection tags defined for the server.

Step 5 Click OK.

Step 6 Click OK in the Scope Properties dialog box.

Step 7 Reload the DHCP server.

Step 8 Repeat these steps for each additional scope.
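
The inclusion and exclusion rules in "Setting Client-Class Scope Selection Criteria", and the fact that deleting a selection tag leaves it in existing scope and client-class configurations, can be checked offline before a reload. The following Python is an added example, not part of the original guide or of Network Registrar; parse, eligible_scopes and audit are hypothetical names. It assumes one command per line, comma-separated tag lists, and that a scope qualifies when it carries every included tag and none of the excluded ones.

```python
# Added example (not Network Registrar code): audit scope selection criteria.
# Constructed nrcmd input in the command forms shown on this page; the scope
# names, tag names and subnets are sample values, not a real configuration.
SAMPLE = """\
nrcmd> scope-selection-tag red create
nrcmd> scope-selection-tag blue create
nrcmd> scope-selection-tag green create
nrcmd> scope-selection-tag tagOld create
nrcmd> scope A create 192.168.1.0 255.255.255.0 selection-tags=red
nrcmd> scope B create 192.168.2.0 255.255.255.0 selection-tags=Blue
nrcmd> scope C create 192.168.3.0 255.255.255.0 selection-tags=blue,green
nrcmd> scope D create 192.168.4.0 255.255.255.0
nrcmd> scope D set selection-tags=tagOld
nrcmd> scope-selection-tag tagOld delete
nrcmd> client-class OnlyRed create selection-criteria=red
nrcmd> client-class AnyBlue create selection-criteria=BLUE
nrcmd> client-class BlueNotGreen create
nrcmd> client-class BlueNotGreen set selection-criteria=blue selection-criteria-excluded=green
nrcmd> client-class Broken create selection-criteria=blue selection-criteria-excluded=blue
nrcmd> dhcp reload
"""


def tag_set(value):
    """Split a tag list and fold case, since tag names are case-insensitive."""
    # Assumption: multiple tags are written as a comma-separated list.
    return frozenset(t.strip().lower() for t in value.split(",") if t.strip())


def parse(text):
    """Build {tags, scopes, classes} from create/set/delete command lines."""
    cfg = {"tags": set(), "scopes": {}, "classes": {}}
    for line in text.splitlines():
        words = line.replace("nrcmd>", "").split()
        if len(words) < 3:
            continue  # e.g. "dhcp reload" carries no object name
        obj, name, verb = words[:3]
        attrs = dict(w.split("=", 1) for w in words[3:] if "=" in w)
        if obj == "scope-selection-tag":
            if verb == "create":
                cfg["tags"].add(name.lower())
            elif verb == "delete":
                # Only the tag list changes; references elsewhere remain.
                cfg["tags"].discard(name.lower())
        elif obj == "scope" and verb in ("create", "set"):
            cfg["scopes"].setdefault(name, frozenset())
            if "selection-tags" in attrs:
                cfg["scopes"][name] = tag_set(attrs["selection-tags"])
        elif obj == "client-class" and verb in ("create", "set"):
            cls = cfg["classes"].setdefault(
                name, {"include": frozenset(), "exclude": frozenset()})
            if "selection-criteria" in attrs:
                cls["include"] = tag_set(attrs["selection-criteria"])
            if "selection-criteria-excluded" in attrs:
                cls["exclude"] = tag_set(attrs["selection-criteria-excluded"])
    return cfg


def eligible_scopes(cfg, class_name):
    """Scopes a client-class may draw from under the assumed matching rule."""
    cls = cfg["classes"][class_name]
    return sorted(
        scope for scope, scope_tags in cfg["scopes"].items()
        if cls["include"] <= scope_tags and not (cls["exclude"] & scope_tags))


def audit(cfg):
    """Return (finding, object name, tags) tuples worth fixing before reload."""
    findings = []
    for name, cls in sorted(cfg["classes"].items()):
        both = cls["include"] & cls["exclude"]
        if both:  # criteria must be mutually exclusive
            findings.append(("conflict", name, sorted(both)))
        unknown = (cls["include"] | cls["exclude"]) - cfg["tags"]
        if unknown:
            findings.append(("undefined-tag", name, sorted(unknown)))
        if not eligible_scopes(cfg, name):
            findings.append(("no-scope", name, []))
    for name, scope_tags in sorted(cfg["scopes"].items()):
        unknown = scope_tags - cfg["tags"]
        if unknown:  # e.g. the tag was deleted after being applied
            findings.append(("undefined-tag", name, sorted(unknown)))
    return findings


if __name__ == "__main__":
    config = parse(SAMPLE)
    for cls_name in sorted(config["classes"]):
        print(cls_name, "->", eligible_scopes(config, cls_name))
    for finding in audit(config):
        print(finding)
```

Scopes A, B and C in the sample reproduce the red/blue/green example above; scope D and the Broken client-class show a dangling tag and conflicting criteria.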


Configuring an Embedded Policy for the Client-Class

Network Registrar automatically creates an embedded policy for each client-class. The embedded policy has no properties or DHCP options associated with it until you enable or add them. This is similar to an embedded policy you can configure for a scope, as described in the "Configuring an Embedded Policy for the Scope" section.

Using the CLI

Use the client-class-policy command in the CLI, using the client-class name as the policy name.


Step 1 See if there are any embedded property values already set for a client-class.

nrcmd> client-class-policy CableModem 

Step 2 Enable or disable an attribute.

nrcmd> client-class-policy CableModem enable allow-lease-time-override 

Step 3 Get, set, and unset client-class attributes. Deleting a client-class policy unsets all its properties.

nrcmd> client-class-policy CableModem get server-lease-time 
nrcmd> client-class-policy CableModem set server-lease-time=2880 
nrcmd> client-class-policy CableModem unset server-lease-time 
nrcmd> client-class-policy CableModem delete 

Step 4 List, get, set, and unset DHCP options. You can also set, unset, and list vendor options. For vendor options, see the "Supporting Vendor-Specific DHCP Options" section.

nrcmd> client-class-policy CableModem listOptions 
nrcmd> client-class-policy CableModem getOption routers 
nrcmd> client-class-policy CableModem setOption routers 192.168.40.1 
nrcmd> client-class-policy CableModem unsetOption routers 

Step 5 If necessary, set the lease time for the embedded client-class. Verify by listing the options.

nrcmd> client-class-policy CableModem setLeaseTime 86400 
nrcmd> client-class-policy CableModem listOptions 
100 Ok
<51>dhcp-lease-time: 86400 


Setting Client Properties

You can set the properties of individual DHCP clients. These properties include the client's participating client-class, its associated policy, the action to perform, and the inclusion and exclusion criteria for scope selection tags.

Adding and Editing a Client

A client inherits the properties from its client-class, which you may choose to override or supplement by specifying different ones for the client.

Using the CLI


Step 1 Use the client name create command to create a client. Specify the name by MAC address, using the prefix, if necessary. You can also create a client named default that does not have a specific client configuration. For example, you can have this client always use its MAC address for its hostname.

nrcmd> client 1,6,00:d0:ba:d3:bd:3b create 
nrcmd> client default create host-name=@use-macaddress 

Step 2 Use the client name set command to set the client properties. These properties need not be set in any particular order, but the following steps give some suggestions and provide a basic process.

Step 3 Set the host-name attribute to @no-host-name-option to provide provisional addresses to unknown clients. See the "Providing Provisional Addresses to Unknown Clients" section.

nrcmd> client 1,6,00:d0:ba:d3:bd:3b set client-class-name=CableModem 
       host-name=@no-host-name-option 

Step 4 Set the domain name of the zone to use when performing dynamic DNS updates.

nrcmd> client 1,6,00:d0:ba:d3:bd:3b set domain-name=example.com. 

Step 5 Set the policy and action for the client. With the exclude action, the server ignores all communication from this client (no packets are shown); with the one-shot action, the server does not renew or re-offer a lease to this client.

nrcmd> client 1,6,00:d0:ba:d3:bd:3b set policy-name=policyCableModem action=exclude 

Step 6 Set the scope selection tags, as defined with the scope-selection-tag tag create command, that you want included or excluded for a client.

nrcmd> client 1,6,00:d0:ba:d3:bd:3b set selection-criteria=tagCableModem 
       selection-criteria-excluded=tagCableModemUnprov 

Step 7 Choose the number of time units (seconds, minutes, hours, days, weeks), or UNIX style date (such as Mar 24 12:00:00 2002) to indicate when the authentication expires, or use forever.

nrcmd> client 1,6,00:d0:ba:d3:bd:3b set authenticate-until=+100d 

Step 8 You can also unset any of the optional client options.

nrcmd> client 1,6,00:d0:ba:d3:bd:3b unset authenticate-until 

Step 9 Use the client name [show] command to display properties of a specific client. Use the client list command to display properties for all the clients, or the client listnames command to list just the names.

nrcmd> client 1,6,00:d0:ba:d3:bd:3b 
nrcmd> client list 
nrcmd> client listnames 

Step 10 Use the client name delete command to delete a client.

nrcmd> client 1,6,00:d0:ba:d3:bd:3b delete 


Using the GUI


Step 1 In the DHCP Server Properties dialog box, click the Clients tab (Figure 10-6).

Figure 10-6 Clients Tab (DHCP Server Properties Dialog Box)

Step 2 Click Add to open the Add Client dialog box (Figure 10-7).

Figure 10-7 Add Client Dialog Box (DHCP Server Properties Clients Tab)

Step 3 The dialog box is similar to the one used for adding and editing client-classes (Figure 10-3). The difference is the additional "MAC address" and "Authenticate Until" fields:

MAC address—You can omit the 1,6 prefix, but you must enter the full MAC address.

Client-Class—Choose from the existing client-classes, or click New and create a new client-class.

Host Name—Choose a predefined name or enter a new name. For a description of the predefined names, see the "Defining Client-Classes and Setting Their Properties" section.

Domain Name—Domain name of the zone to use when performing DNS updates.

Policy Name—Choose an existing policy or <Not Specified>.

Action—Exclude causes the server to ignore all communication from this client. One-shot prevents the server from renewing or re-offering any lease to this client.

Scope Selection Criteria—If necessary, click Edit Criteria to define the tags that you want included or excluded. See the "Setting Client-Class Scope Selection Criteria" section.

Authenticate Until—Choose the predefined authentication method ("forever") or enter the number of time units (seconds, minutes, hours, days, weeks), or UNIX-style date, such as Mar 24 12:00:00 2002, to indicate when the authentication expires. Note that seconds are optional.

User Defined String—Comment or keyword.

Step 4 Click OK to finish or Apply to continue adding clients.

To edit a client, double-click the client in the DHCP Server Properties dialog box.

To remove a client, choose it in the DHCP Server Properties dialog box, then click Remove.


Configuring an Embedded Policy for a Client

Network Registrar automatically creates an embedded policy for each client. The embedded policy has no properties or DHCP options associated with it until you enable or add them. This is similar to an embedded policy you can configure for a scope, as described in the "Configuring an Embedded Policy for the Scope" section.

Using the CLI

Use the client-policy command in the CLI. Note that you use the client MAC address (or default) as the client policy name.


Step 1 See if there is an embedded policy for the client and what its properties are using the client-policy name show command.

Step 2 Show or get the value of any attributes.

nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b show 
nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b get server-lease-time 

Step 3 Enable or disable an attribute using the client-policy name enable, or client-policy name disable, command.

nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b enable allow-lease-time-override 

Step 4 Set attributes. You can unset any optional ones. Deleting the client policy unsets all its properties.

nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b set server-lease-time=2880 
nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b unset server-lease-time 
nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b delete 

Step 5 You can also list, get, set, and unset any DHCP options, set or unset vendor options, and get and set the lease time for the embedded policy. For vendor options, see the "Supporting Vendor-Specific DHCP Options" section.

nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b listOptions 
nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b getOption routers 
nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b setOption routers 192.168.40.1 
nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b unsetOption routers 
nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b setVendorOption dev1 sub_8 boot_server_type 2 
nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b unsetVendorOption dev1 sub_8 boot_server_type 
nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b getOption dhcp-lease-time 
nrcmd> client-policy 1,6,00:d0:ba:d3:bd:3b setLeaseTime 228800 


Setting Windows 2000 Client Properties

Windows 2000 clients support class-based provisioning. You can set certain properties in the CLI that relate to client-class processing. These are:

Looking up the client entry to determine the default client for client-class processing.

Mapping the user class ID to the client-class or scope selection tag.

Whether to append the class ID to the scope selection tag name.

Settings in the Windows 2000 Client

On the Windows 2000 client host, use the ipconfig /setclassid command to set the class ID. If you plan to map this client ID to a client-class or selection tag, it must have the same name. Then confirm by using the ipconfig /showclassid command.

DOS> ipconfig /setclassid adapter engineering 
DOS> ipconfig /showclassid adapter 

Settings in the DHCP Server

You must also set Windows 2000 client properties in the DHCP server.

Using the CLI

Use the dhcp set command attributes to set the Windows 2000 client properties for the server. If you set the skip-client-lookup attribute to true (the default is false), the DHCP server skips the client entry for client-class processing. See the "Skipping Client Entries for Client-Classing" section. Use one of the map-user-class-id attribute settings:

0—Ignore the user class ID (the default)

1—Map the user class ID to the scope-selection tag

2—Map the user class ID to the client-class

If you map the user class ID to the scope-selection tag (value=1), you can also append it to the selection name by enabling the append-user-class-id-to-selection-tag attribute. With the class ID set in the client configuration example in the "Settings in the Windows 2000 Client" section, the selection tag in this example would become "tagPCengineering."

nrcmd> dhcp enable skip-client-lookup 
nrcmd> dhcp set map-user-class-id=1 
nrcmd> dhcp enable append-user-class-id-to-selection-tag 
nrcmd> dhcp reload 

Providing Provisional Addresses to Unknown Clients

The DHCP server can allocate provisional addresses to unknown clients for a short time on a one-shot basis. The server gives an address to the unknown client only as long as its lease period (which should be set short) and ignores all the client's requests during the grace period and until the address is re-allocated to another client. You can thus configure the grace period to offer the unknown client an extended time in which to register with an authority and become known.

Using the CLI

Use the policy unknown create grace-period=extended-time, and client default create policy-name=unknown action=one-shot commands to give provisional addresses to unknown clients.

nrcmd> policy unknown create grace-period=5d 
nrcmd> client default create policy-name=unknown action=one-shot 
nrcmd> dhcp reload 

Using the GUI


Step 1 Open the Add (Edit) Client dialog box. See the "Adding and Editing a Client" section.

Step 2 Enter the word default in the MAC address field.

Step 3 You have two options:

If you have a client-class that handles one-shot leases, choose it from the Client-Class field. Then, choose one-shot in the Action field.

To exclude access to all unknown clients, choose exclude in the Action field.

Step 4 Click OK.

Step 5 Reload the DHCP server.


Moving a Client to Another Subnet

If you move a DHCP client to another subnet, you need to reboot the machine when it arrives on the new subnet or explicitly release and re-acquire a lease using the Windows ipconfig /release and ipconfig /renew utilities.

Skipping Client Entries for Client-Classing

Using the CLI

Use the dhcp enable skip-client-lookup command in the CLI to have the DHCP server skip looking up client entries for client-class processing.

nrcmd> dhcp enable skip-client-lookup 

Limiting Client Authentication

By default, client entries get unlimited authentication. Using the authenticate-until attribute, you can limit authenticating a client entry by specifying an expiration time.

When a client entry is no longer authenticated, the DHCP server uses the unauthenticated-client-class-name attribute value for the name of the client-class entry to use in answering this DHCP request. If this attribute is not set, or if there is no client-class entry in it, the DHCP server ignores the request and does not provide the client an address. The following are the valid authentication values:

+num unit—Time in the future, where num is a decimal number and unit is s, m, h, d, or w for seconds, minutes, hours, days or weeks, respectively. For example, "+3w" is three weeks in the future.

date—Month, day, 24-hour, and 2-or-4-digit-year. For example: "Jun 30 20:00:00 2002." Enter the time that is local to the nrcmd process. If the server runs in another time zone, disregard the time zone and use local time instead.

forever—Does not expire the authentication for this client.

Using the CLI

The following steps give an example of using the authenticate-until attribute to distinguish between clients that are authenticated and those that are not authenticated. After the authentication expires and the client requests another address, the DHCP server assigns the client an address from the unauthenticated scope's range.


Step 1 Create two scope-selection tags to tie the authenticated and unauthenticated client to a scope.

nrcmd> scope-selection-tag AuthSelectionTag create 
nrcmd> scope-selection-tag UnauthSelectionTag create 

Step 2 Create an authenticated and an unauthenticated client-class. Set the selection criteria for each as appropriate.

nrcmd> client-class AuthClientClass create selection-criteria=AuthSelectionTag 
nrcmd> client-class UnauthClientClass create selection-criteria=UnauthSelectionTag 

Step 3 Create the client and include the authenticate-until expiration time. Set the client-class-name and unauthenticated-client-class-name attributes as appropriate.

nrcmd> client 01:02:03:04:05:06 create authenticate-until=+10m 
       client-class-name=AuthClientClass 
       unauthenticated-client-class-name=UnauthClientClass 

Step 4 Create the authenticated and unauthenticated scopes, define their address ranges, and tie them to their respective scope-selection tags.

nrcmd> scope AuthScope create 192.168.2.0 255.255.255.0 selection-tags=AuthSelectionTag 
nrcmd> scope AuthScope addRange 192.168.2.1 192.168.2.50 
nrcmd> scope UnauthScope create 192.168.2.0 255.255.255.0 
       selection-tags=UnauthSelectionTag 
nrcmd> scope UnauthScope addRange 192.168.2.51 192.168.2.100 

Step 5 Enable client-class processing for the server.

nrcmd> dhcp set client-class=enabled 

Step 6 Set the destination and receive ports. You must set the session visibility to 3. Reset the visibility to 5 after using the commands.

nrcmd> session set visibility=3 
nrcmd> dhcp-interface default set dhcp-port=506 client-port=5067 
nrcmd> session set visibility=5 

Step 7 Reload the server.

nrcmd> dhcp reload 
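
The authenticate-until value formats and the fallback to unauthenticated-client-class-name described in this section can be modeled to find client entries that will stop receiving addresses once their authentication lapses. The following Python is an added example, not part of the original guide or of Network Registrar; expiry, decide and lapse_report are hypothetical names and the second client and all timestamps are constructed. It assumes "+num unit" is counted from the time the value was entered, that authentication lapses at the expiry instant, and that 2-digit years follow the POSIX pivot.

```python
# Added example (not Network Registrar code): authenticate-until evaluation.
import re
from datetime import datetime, timedelta

UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
RELATIVE = re.compile(r"^\+(\d+)\s*([smhdw])$")
ABSOLUTE = re.compile(
    r"^([A-Za-z]{3})\s+(\d{1,2})\s+(\d{1,2}):(\d{2})(?::(\d{2}))?\s+(\d{4}|\d{2})$")


def expiry(value, set_at):
    """Return when authentication lapses, or None if it never does.

    value  -- authenticate-until text, or None when the attribute is unset
    set_at -- local time the value was entered (base for "+num unit")
    """
    if value is None or value.strip().lower() == "forever":
        return None  # unset entries get unlimited authentication
    value = value.strip()
    rel = RELATIVE.match(value)
    if rel:
        return set_at + timedelta(**{UNITS[rel.group(2)]: int(rel.group(1))})
    m = ABSOLUTE.match(value)
    if m and m.group(1).lower() in MONTHS:
        mon, day, hour, minute, sec, year = m.groups()
        year = int(year)
        if year < 100:  # assumption: POSIX pivot for 2-digit years
            year += 2000 if year < 69 else 1900
        # Seconds are optional in the date form.
        return datetime(year, MONTHS.index(mon.lower()) + 1, int(day),
                        int(hour), int(minute), int(sec or 0))
    # Reject anything else instead of silently treating it as "forever".
    raise ValueError(f"not a valid authenticate-until value: {value!r}")


def decide(client, defined_classes, now):
    """Return (state, client_class) for a request arriving at `now`."""
    lapses = expiry(client.get("authenticate-until"), client["set-at"])
    if lapses is None or now < lapses:  # assumption: lapsed once now >= expiry
        return ("authenticated", client.get("client-class-name"))
    fallback = client.get("unauthenticated-client-class-name")
    known = {c.lower() for c in defined_classes}  # names are case-insensitive
    if fallback and fallback.lower() in known:
        return ("unauthenticated", fallback)
    return ("ignored", None)  # no usable fallback: the client gets no address


def lapse_report(clients, defined_classes, now):
    """List (mac, state, class) for every client whose authentication lapsed."""
    report = []
    for mac, client in sorted(clients.items()):
        state, cls = decide(client, defined_classes, now)
        if state != "authenticated":
            report.append((mac, state, cls))
    return report


# Constructed sample: the first client mirrors Step 3 above; the second client
# and every timestamp are made up for illustration.
T0 = datetime(2002, 3, 24, 12, 0, 0)
CLASSES = {"AuthClientClass", "UnauthClientClass"}
CLIENTS = {
    "01:02:03:04:05:06": {
        "set-at": T0, "authenticate-until": "+10m",
        "client-class-name": "AuthClientClass",
        "unauthenticated-client-class-name": "UnauthClientClass"},
    "01:02:03:04:05:07": {
        "set-at": T0, "authenticate-until": "Mar 24 12:05:00 2002",
        "client-class-name": "AuthClientClass"},
}

if __name__ == "__main__":
    for minutes in (3, 6, 10):
        when = T0 + timedelta(minutes=minutes)
        print(when.time(), lapse_report(CLIENTS, CLASSES, when))
```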


Setting Client Caching Parameters

A client's initial request for an address from a DHCP server often goes through a DHCPDISCOVER-DHCPOFFER-DHCPREQUEST cycle. This process requires the DHCP server to consult the database twice for client data per request. If the client caching parameters are set, the DHCP server caches client data in memory so that it only needs to consult the database once. Client caching can provide a noticeable performance improvement in systems that store client information in LDAP.

You can adjust the maximum cache count and TTL parameters based on the expected rate of client requests. If you expect an onslaught of requests, you might want to increase the cache count, up to a limit based on your available memory. If you expect a longer request cycle, you might want to increase the TTL. The aim is to have the server consult the client cache once during the request cycle.

Using the CLI

You can set the limit on the number of entries the server keeps in the client cache using the dhcp set client-cache-count command. By default, the maximum number to cache is 1000 clients.

nrcmd> dhcp set client-cache-count=2000 

The client cache is usually valid for only ten seconds, called the cache time to live (TTL). After the TTL expires, the server reads the client information right from the database. You can adjust this TTL using the dhcp set client-cache-ttl command.

nrcmd> dhcp set client-cache-ttl=20 

When the client cache count reaches the specified maximum, the server cannot cache any more clients until the TTL expires, after which it reads from the database and begins caching again.
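
The effect of client-cache-count and client-cache-ttl on database load during a burst of requests can be estimated with a small model. The following Python is an added example, not part of the original guide or of Network Registrar; handshake_events and db_reads are hypothetical names, and the model assumes one client lookup per DHCPDISCOVER and per DHCPREQUEST, with entries dropped when their TTL expires and no new entries cached while the cache is full.

```python
# Added example (not Network Registrar code): simplified client cache model.

def handshake_events(n_clients, request_delay):
    """Lookups for n_clients that all send DHCPDISCOVER at t=0 and
    DHCPREQUEST request_delay seconds later, returned in time order."""
    discovers = [(0, client) for client in range(n_clients)]
    requests = [(request_delay, client) for client in range(n_clients)]
    return discovers + requests


def db_reads(events, cache_count=1000, ttl=10):
    """Return (database reads, cache hits) for time-ordered (time, client)
    lookups. Defaults are the values this section gives: 1000 entries, 10 s."""
    cache = {}  # client -> time at which the cached entry expires
    reads = hits = 0
    for now, client in events:
        # Drop entries whose TTL has run out, which frees room in the cache.
        for stale in [c for c, expires in cache.items() if expires <= now]:
            del cache[stale]
        if client in cache:
            hits += 1
            continue
        reads += 1  # miss: the server consults the database
        if len(cache) < cache_count:
            cache[client] = now + ttl
        # else: cache is full, so this client's data is not cached
    return reads, hits


if __name__ == "__main__":
    burst = handshake_events(1500, request_delay=2)
    print("count=1000 ttl=10:", db_reads(burst, 1000, 10))
    print("count=2000 ttl=10:", db_reads(burst, 2000, 10))
    slow = handshake_events(1500, request_delay=15)
    print("slow cycle ttl=10:", db_reads(slow, 2000, 10))
    print("slow cycle ttl=20:", db_reads(slow, 2000, 20))
```

In the constructed burst of 1500 clients, the default cache count leaves 500 clients to be read from the database twice, and a request cycle longer than the TTL removes the benefit of the cache entirely.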

Troubleshooting Client-Class

To troubleshoot client-class, enable the following logging using the dhcp set log-settings= command, then reload the DHCP server:

client-detail—Logs a single line at the end of every client-class client lookup operation. This line shows all the data found for the client as well as the data that was found in the client's client-class.

client-criteria-processing—Logs a message whenever the server examines a scope to find an available lease or to determine if a lease is still acceptable for a client that already has one.

ldap-query-detail—Logs messages whenever the DHCP server initiates a lease state entry creation to an LDAP server, receives a response from an LDAP server, or retrieves a result or error message from an LDAP server.

If the problem could be related to your LDAP server, also enable the LDAP can-query setting.

These logs will help answer the following questions:

Is the server reading the client entry from the expected database?

The server can read the client entry from LDAP or MCD (the Network Registrar internal database). The client-detail log shows you from where the server is reading the client entry.

Is client-class enabled?

If client-class is enabled, but you are getting unexpected results, verify the database that your Network Registrar server is reading. Is it reading from LDAP or MCD? The ldap-query-detail log tells you if it is reading from LDAP. If not, enable the DHCP use-ldap-client-data property.


Note: Using LDAP requires configuring the LDAP server for queries. Set the LDAP can-query attribute to true. You also must configure the DHCP server to use LDAP for queries.


Is the server providing clients the right data, but you are seeing the wrong results from that data (for example, clients are not receiving the expected IP addresses)?

Verify the explicit relationships on your network. The client-criteria-processing log shows from what scopes the server is getting addresses. If it is not getting them from the expected scopes, explicit relationships might be incorrectly defined. A scope that you thought was a secondary scope might not be defined that way.

Did you set the include and exclude for scope selection tags properly?

If you define a series of scope selection tags to include, a scope's tags must match those of the client. If you define a series to exclude, a scope must have none of these tags defined so that the client can get configuration parameters from it. Avoid complex inclusion and exclusion scenarios as you begin working with selection tags.