Cisco Network Registrar User's Guide, 6.2
20 - Policies and Options

Configuring Policies and Options



This chapter describes how to set up DHCP policies and options. Before clients can use DHCP for address assignment, you must add at least one scope (dynamic address pool) to the server.

Configuring DHCP Policies

Every DHCP server must have one or more policies defined for it. Policies define lease duration, gateway routers, and other configuration parameters, in what are called DHCP options. Policies are especially useful if you have multiple scopes, because you need only define a policy once and apply it to the multiple scopes.

You can define named policies with specific option definitions or you can use system defaults. This section describes how to configure a policy both ways.

Types of Policies

There are three types of policies—system default, named, and embedded policies:

System default (system_default_policy)—Provides a single location for setting default values on certain options for all scopes. Use the system default policy to define standard DHCP options that have common values for all clients on all the networks that the DHCP server supports. You can modify the system default options and their values. If you delete a system default policy, it reappears using its original list of options and their system-defined values (see Table 20-1). These options are visible when using policy name listOptions in the CLI.

Table 20-1 System Default Policy Option Values

System Default Option          Predefined Value
all-subnets-local              False
arp-cache-timeout              60 seconds
broadcast-address              255.255.255.255
default-ip-ttl                 64
default-tcp-ttl                64
dhcp-lease-time                604800 seconds (7d)
ieee802.3-encapsulation        False
interface-mtu                  576 bytes
mask-supplier                  False
max-dgram-reassembly           576 bytes
non-local-source-routing       False
path-mtu-aging-timeout         6000 seconds
path-mtu-plateau-tables        68, 296, 508, 1006, 1492, 2002, 4352, 8166, 17914, 32000
perform-mask-discovery         False
router-discovery               True
router-solicitation-address    224.0.0.2
tcp-keepalive-garbage          False
tcp-keepalive-interval         0 seconds
trailer-encapsulation          False


Named—Policies you explicitly define by name. Named policies are usually named after their associated scope or client grouping. For example, they might be assigned options that are unique to a subnet, such as for its routers, and then be assigned to the appropriate scope.

Network Registrar includes a policy named default when you install the DHCP server. The server assigns this policy to newly created scopes. You cannot delete this default policy.

Embedded—A policy embedded in (and limited to) a named scope, client, or client-class. An embedded policy is implicitly created (or removed) when you add (or remove) the corresponding object, such as a scope. Embedded policy options have no default values and are initially undefined.

Options Reply Processing

To eliminate any conflicting option values that are set at these various levels, the Network Registrar DHCP server uses a local priority method. It adopts the more locally defined option values first, ignores the ones defined on a more global level, and includes any default ones not otherwise defined. Before returning option values to a DHCPv4 client, the server prioritizes the option values in this order:

1. Client embedded policy.

2. Client assigned policy.

3. Client-class embedded policy.

4. Client-class assigned policy.

5. Scope embedded policy for clients, or address block embedded policy for subnets.

6. Scope assigned policy for clients (or default policy if a named policy is not applied to the scope), or address block assigned policy for subnets.

7. Any remaining unfulfilled options in the system_default_policy.


Note: DHCPv6 policy prioritization is different from DHCPv4. See the "DHCPv6 Policy Hierarchy" section on page 25-6.


The server then searches the policies, in order, for these BOOTP and DHCP attribute values and returns the first occurrence of these values in its reply packet:

packet-siaddr returned in the siaddr packet field

packet-file-name returned in the file field

packet-server-name returned in the sname field
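
The search order above can be modelled to audit which policy level supplies each value a DHCPv4 client receives, and which configured values are silently overridden. This is an added example, not Cisco code; the level names, the functions resolve and shadowed, and the SAMPLE values are constructed for illustration, and the caller is assumed to pass the default policy as "scope assigned" when no named policy is applied to the scope.

```python
# Added example: models the DHCPv4 reply-processing order described in this
# section. Not Network Registrar code; names and sample values are constructed.

# Search order, most local first, as listed in the section.
PRIORITY = [
    "client embedded",
    "client assigned",
    "client-class embedded",
    "client-class assigned",
    "scope embedded",
    "scope assigned",          # or the default policy if none is applied
    "system_default_policy",
]


def resolve(policies):
    """Return {name: (value, level)} for options and packet-* attributes.

    `policies` maps a level name from PRIORITY to a dict of settings.
    Levels that do not apply to the client can be omitted.
    """
    unknown = set(policies) - set(PRIORITY)
    if unknown:
        raise ValueError(f"unknown policy level(s): {sorted(unknown)}")
    effective = {}
    for level in PRIORITY:
        for name, value in policies.get(level, {}).items():
            # First occurrence wins; more global values are ignored.
            effective.setdefault(name, (value, level))
    return effective


def shadowed(policies):
    """List (name, losing_level, losing_value, winning_level) tuples.

    Each tuple is a configured value that never reaches the client
    because a more local policy sets the same name.
    """
    effective = resolve(policies)
    hidden = []
    for level in PRIORITY:
        for name, value in policies.get(level, {}).items():
            winning_level = effective[name][1]
            if winning_level != level:
                hidden.append((name, level, value, winning_level))
    return hidden


# Constructed sample configuration (addresses from the documentation range).
SAMPLE = {
    "system_default_policy": {"dhcp-lease-time": 604800, "interface-mtu": 576},
    "scope assigned": {
        "dhcp-lease-time": 86400,
        "packet-siaddr": "192.0.2.10",
        "packet-file-name": "boot/pxe.0",
    },
    "client-class embedded": {"packet-siaddr": "192.0.2.99"},
    "client embedded": {"dhcp-lease-time": 3600},
}

if __name__ == "__main__":
    for name, (value, level) in sorted(resolve(SAMPLE).items()):
        print(f"{name:18} {value!s:12} from {level}")
    for name, level, value, winner in shadowed(SAMPLE):
        print(f"overridden: {name}={value} at {level} (winner: {winner})")
```

Reviewing the shadowed list is a quick way to spot a client-class or client embedded policy that replaces the boot server (packet-siaddr) or boot file (packet-file-name) set at the scope level.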

Creating and Applying DHCP Policies

This section describes how to create a policy at the DHCP server level and then allow a specific scope or scopes to reference it. A policy can consist of a:

Name—Not case sensitive and must be unique.

Permanent lease option—A permanent lease never expires.

Lease time—How long a client can use an assigned lease before having to renew the lease with the DHCP server (not available for an embedded policy). The default lease time for both system default and default policies is seven days (604800 seconds). A policy contains two lease times—the client lease time and the server lease time:

Client lease time—Determines how long the client believes its lease is valid.

Server lease time—Determines how long the server considers the lease valid. Note that the server lease time is independent of the lease's grace period. The server does not allocate the lease to another client until after the lease time and grace period expire.


Caution: Although Network Registrar supports the use of two lease times for special situations, Cisco Systems generally recommends that you not use the server-lease-time attribute.

You can establish these two different lease times if you want to retain information about clients' DNS names and yet have them renew their leases frequently. When you use a single lease time and it expires, the server no longer keeps that client's DNS name. However, if you use a short client lease time and a longer server lease time, then the client information is retained even after the client's lease expires.

Lease grace period—Time period after the lease expires that it is unavailable for reassignment (not available for an embedded policy).

DHCP options values—See Appendix B, "DHCP Options" for the supported option types.


Step 1 In the local cluster Web UI, click DHCP, then Policies to open the List DHCP Policies page (see Figure 20-1).

Step 2 Two policies are initially listed: default and system_default_policy (you cannot delete these). To add an additional policy, click Add Policy to open the Add DHCP Policy page (see Figure 20-2; note that if DHCPv6 is enabled, the DHCPv6 options also appear on this page).

Step 3 Give the policy a unique name. (The name and the values for the offer timeout and grace period are required.)

In the CLI, use policy name create to create the policy.

Step 4 Either accept the offer timeout and grace period defaults or set them differently.

Step 5 See the "Setting DHCP Option Values for Policies" section for adding options.

Figure 20-1 List DHCP Policies Page (Local)

Figure 20-2 Add DHCP Policy Page (Local)

Step 6 Click Add Policy to add the policy. In the CLI:

Use policy set attribute to set the lease options (in this example, the lease grace period).

To set permanent leases for the policy, use policy name enable permanent-leases.

To set specific option values on the policy, use policy name setOption.

To set vendor-specific options on the policy, see the "Setting Custom and Vendor-Specific DHCP Option Definitions" section.

To set the policy's lease time, use policy name setLeaseTime.

To confirm, use policy name listOptions or policy name getOption.

To set the subnet mask, use a combination of policy name setOption subnet-mask and dhcp enable get-subnet-mask-from-policy.

To remove the subnet mask from the policy, either unset the attribute or disable it.

Step 7 Reload the DHCP server.


Cloning a Policy

In the CLI, you can clone a policy from an existing one by using policy clone-name create clone=policy, and then make adjustments to the clone. For example:

nrcmd> policy cloned-policy create clone=example-policy-1 offer-timeout=4m 

Setting DHCP Option Values for Policies

DHCP options automatically supply DHCP clients with configuration parameters, such as domain, nameserver, and subnet router addresses (see the "Creating DHCP Option Definition Sets and Option Definitions" section).

You can view, set, unset, and edit individual option values. When you set an option value, the DHCP server replaces any existing value or creates a new one, as needed for the given option name. Network Registrar DHCP options are grouped into categories to aid you in identifying options that you must set in various usage contexts (Table B-10 on page B-13 describes the categories). You can also create custom options (see the "Setting Custom and Vendor-Specific DHCP Option Definitions" section).


Step 1 In the local cluster Web UI, create a policy, as described in the "Creating and Applying DHCP Policies" section.

Step 2 Add DHCP options to the policy by clicking their numbers and names in the Number drop-down list. The choices indicate the datatype of the option value.

Step 3 Add the appropriate option value in the Value field. The Web UI does error checking based on the value entered. For example, to add the lease time for the policy, click the [51] dhcp-lease-time (unsigned time) option in the Number drop-down list, then add a lease time value in the Value field.

Step 4 Click Add Option for each option. You must supply a value or you cannot add the option.

Step 5 Click Add Policy to add the policy. In the CLI:

To view option values, use policy name getOption and policy name listOptions.

To set option values, use policy name setOption option. When you set an option value, the DHCP server replaces any existing value or creates a new one, as needed, for the given option name.

To unset option values, use policy name unsetOption.


Editing Embedded Policies

You can edit the embedded policy for a scope, scope template, client, and client-class. You can set attributes for the embedded policy, such as offer timeout, grace period, and server lease time. You can also add DHCP options for the embedded policy.


Step 1 In the local cluster Web UI, click DHCP, then one of the following: Scopes, Scope Templates, Clients, Client-Classes, Prefixes, or Links.

Step 2 Click the name of a scope, template, client, client-class, prefix, or link to open the Edit page for that object.

Step 3 Click Edit Embedded Policy under the Embedded Policy section of the page. This opens the Edit DHCP Embedded Policy page for the object (see Figure 20-3 for a partial view of a client-class embedded policy page).

Figure 20-3 Edit DHCP Embedded Policy Page (Local)

Step 4 Click one of the Modify buttons.

In the CLI, use commands such as client-class-policy client-class-name set attribute.


Note: You must click Modify... on the next page that comes up to implement the embedded policy changes.



Creating DHCP Option Definition Sets and Option Definitions

DHCP options configure a DHCP client with such important properties as lease times and router addresses. You can configure option values on policies. Numerous RFCs describe the various DHCP options, beginning with RFC 2132. Option definitions are used in the Web UI and CLI to control formatting of option values in policies. Options are available for the DHCPv4 and DHCPv6 address spaces and come in two kinds:

Standard or RFC-defined options.

Custom and vendor-specific options that you can define.

Standard Option Definition Sets

Network Registrar provides two standard option definition sets, dhcp-config and dhcp6-config, for DHCPv4 and DHCPv6 option definitions, respectively. These sets are visible in the local cluster Web UI when you click DHCP, then Options, to open the List DHCP Option Definition Sets page (see Figure 20-4). Click the name of the standard option definition set to add option definitions on the Edit DHCP Option Definition Sets page.

Figure 20-4 List DHCP Option Definition Sets Page (Local)

Adding Standard DHCP Option Definitions

You can set the standard RFC-defined options that are available across the industry for these objects:

DHCPv4 and DHCPv6 policies

Embedded policies for:

DHCPv4 scopes and scope templates

DHCPv4 and DHCPv6 clients

DHCPv4 and DHCPv6 client-classes (see Figure 20-3)

DHCPv6 prefixes

DHCPv6 links

The full list of predefined DHCP options is included in Appendix B, "DHCP Options."

The regular DHCP options are predefined by their own option sets in Network Registrar, one for DHCPv4 and one for DHCPv6. To access the regular DHCP options:


Step 1 In the Web UI, click DHCP, then Options.

Step 2 On the List DHCP Option Definition Sets page, click the dhcp-config or dhcp6-config link.

Step 3 On the Edit DHCP Option Definition Set page, click Add/Edit Option Definitions.

Step 4 View the predefined options on the List DHCP Option Definitions page. These are the options you would normally include in policies, and you would set their values there. You can expand some options to show their suboptions. (Note that the CLI allows only one level of option definition.)

Step 5 To edit an option (not advised), click its name in the table. On the Edit DHCP Option Definition page, you can modify the name, add a description, and change the type and repeat value (whether more than one instance of the option is allowed or required), then click Modify Option Definition.

Step 6 To add an option definition to the standard option set on the List DHCP Option Definitions page, click Add Option Definition. On the Add DHCP Option Definition page, give the option an ID (number), name, description, type, and repeat value, then click Add Option Definition. (Note that you cannot enter an option definition for an option number or name that already exists.)

Step 7 On the List DHCP Option Definitions page, click Modify Option Definition Set (or Return). In the CLI:

To view the entire list of standard DHCP options, use option dhcp-config list or dhcp6-option list, or option {id | name} option-set show to view a specific option definition. For example:

nrcmd> option dhcp-config list 
nrcmd> option subnet-mask dhcp-config show 

To add an option to an option set, use option id option-set create name type. You cannot add an option for an option ID (number) or name that already exists. Note that any options created under the standard option sets are also created under a custom option set. You cannot add a suboption to an option using the CLI; you must use the Web UI to do this. For example:

nrcmd> option 222 dhcp-config create example-option AT_STRING 

To modify a standard option, use option {id | name} set attribute=value.


Caution: Be careful in modifying the standard options (or adding suboptions) arbitrarily, because options have far-ranging effects as embedded in policies and other objects. You cannot delete the standard option sets, dhcp-config and dhcp6-config.


Setting Custom and Vendor-Specific DHCP Option Definitions

You can send custom and vendor-specific option data to accommodate DHCP clients that request them. In previous Network Registrar releases, setting vendor options was available in the CLI by using vendor-option name create, together with setting option data types by using option-datatype name create and option-datatype name defineField. In Network Registrar 6.2, you can now create custom and option sets using the Web UI or option-set name create in the CLI, and create custom or vendor-specific options in the Web UI or option id option-set-name create in the CLI.

There are three main steps to configuring custom or vendor-specific options for a client:

1. Create the option definition set.

2. Create the custom or vendor-specific option and define it.

3. Set the option inside a policy.

To create option definition sets and custom options, you must be an administrator assigned the dhcp-management subrole of the regional cluster cfg-admin role, or the server-management subrole of the local cluster dhcp-admin role.

Adding Vendor Option Definition Sets

To add a vendor option to a policy, and assign or edit its value:


Step 1 In the Web UI, click DHCP, then Options.

Step 2 On the List DHCP Option Definition Sets page, view the existing DHCPv4 and DHCPv6 options, then click Add Option Definition Set (see Figure 20-4).

Step 3 On the Add DHCP Option Definition Set page (see Figure 20-5), provide a name for the option definition set, then choose DHCPv4 or DHCPv6 from the drop-down list.

Figure 20-5 Add DHCP Option Definition Set Page (Local)

Step 4 Enter either a vendor option string or vendor option enterprise ID. These are required.


Note: The DHCP server uses only the vendor options v-i-vendor-info (option 125 for DHCPv4) or vendor-options (option 17 for DHCPv6) configured on policies to process the new vendor options based on enterprise ID values. The server ignores any other configured vendor options with an enterprise ID.


Step 5 Click Add Option Definition Set.

In the CLI, use option-set name create dhcp-type [vendor-option-string=value | vendor-option-enterprise-id=value] to create a DHCP option set. The dhcp-type is either 8-bit or 16-bit. For example, to create an option set with the name myoptionset, used for DHCPv6 with a vendor option string of ve-string, enter:

nrcmd> option-set myoptionset create 16-bit vendor-option-string=ve-string 


Creating Custom Option Definitions

To create custom option definitions, click the dhcp-config or dhcp6-config option definition sets on the List DHCP Option Definition Sets page (see Figure 20-4). Then proceed with the steps in the "Adding Standard DHCP Option Definitions" section.

Creating Vendor Option Definitions


Step 1 Click Add/Edit Option Definitions on the Add DHCP Option Definition Set or Edit DHCP Option Definition Set page. This opens the List DHCP Option Definitions page.

Step 2 Click Add Option Definition. This opens the Add DHCP Option Definition page (see Figure 20-6).

Figure 20-6 Edit DHCP Option Definition Set Page (Local)

Step 3 Enter the ID number of the option, along with its name and a description.

Step 4 Choose the data type and repeat count from the drop-down list (or enter an absolute repeat count in the next field), then click Add Option Definition.

In the Web UI, custom option definitions are marked with an asterisk for the option set.


Tip: Avoid mapping numbers to options that DHCP or BOOTP already uses. For a list of preassigned numbers, see Appendix B, "DHCP Options." The option number should be the one the client requests.


In the CLI, use option id option-set create name type. For example:

nrcmd> option 200 myoptionset create option-200 vendor-option-string=ve-string 
nrcmd> save 

Use custom-option name [show] to show an option's values, and custom-option list to show all the custom options, or list just the names. Use custom-option name get to show individual properties of the custom option. You can also unset a custom option.

In the CLI, option-set dhcp-custom list (or listnames) lists just the custom option definitions.


Editing and Removing Vendor Option Definitions

You can edit or remove vendor options. After you edit (or add options to) an option definition set, be sure to click Modify Option Definition Set in the Web UI.

In the CLI, use custom-option name set to change the option type (opttype) or description (desc). To change a custom option's number, you must delete the option and recreate it with the new number. Use custom-option name delete to delete an option. After you delete a custom option, also unset it from all policies that include it by using policy name unsetOption.


Caution: Changing custom option properties or deleting the option altogether can have unexpected side effects on policies. If you delete a custom option, also remove it from the policies that include it. Changing an option value in policies changes the way they are displayed, so you do not need to modify the policy value unless you want the policy to return a differently formatted option value.

Option Definition Data Types

The data type values that you can use appear in the following table (not in any particular order):

AT_INT8      AT_IPADDR     AT-RDNSNAME       AT_VENDOR-CLASS
AT_SINT8     AT_STRING     AT_INTI           AT_VENDOR_NOLEN
AT_SHORT     AT_NSTRING    AT_SINTI          AT_ZEROSIZE
AT_SSHORT    AT_BOOL       AT_SHRTI          AT_DATE
AT_INT       AT_DNSNAME    AT_SSHRTI         AT_BLOB
AT_SINT      AT_IP6ADDR    AT_VENDOR-OPTS    AT_MACADDR
AT_TIME      AT_STIME

You can view these types in the CLI by using option listtypes.

To set the repeat count in the CLI, set the repeat-count attribute to one of the following, or enter an absolute number:

ZERO_OR_MORE

ONE_OR_MORE

EVEN_NUMBER

Again, you need to specify the option set for the option. For example:

nrcmd> option 200 ex-opt-def-set set repeat-count=ZERO_OR_MORE 
nrcmd> save 

Adding Suboptions

You can set a suboption for the option by clicking Add Suboption Definition on the Edit DHCP Option Definition page. This opens the Add DHCP Option Definition page (see Figure 20-4), where you can add the same values as for an option. The suboption you create is associated with its parent option. There can be three levels of suboptions. You can add suboptions only through the Web UI, not the CLI.

Suboption formats can be packed or type/length/value (TLV):

A suboption with a zero ID value represents packed data with an implicit data type. The option value is the only data in the packet. DHCPv6 options are virtually all defined with packed data. There are no markers for type or length and the layout of the data is inherent in the option definition.

A suboption with a value of 1 through 255 (or 65535) represents TLV data (that includes a type, length, and value). The data in the packet has the type and length preceding the value. In most cases, you will not be mixing packed with TLV suboptions for the same option.
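
The two layouts can be contrasted with a small decoder that refuses malformed input, which matters because suboption data arrives from the network. This is an added example, not Cisco code; parse_tlv, parse_packed, is_well_formed and the sample bytes are constructed, it assumes the length field is the same width as the ID field (one byte for IDs 1 through 255, two bytes in network byte order for IDs up to 65535), and it treats ID 0 inside TLV data as an error.

```python
# Added example: decoders for the packed and TLV suboption layouts described
# above. Not Network Registrar code; sample data below is constructed.
import struct


class SuboptionError(ValueError):
    """Raised when suboption data does not match the declared format."""


def parse_tlv(data, id_width=1):
    """Split TLV suboption data into a list of (suboption_id, value_bytes).

    id_width=1: one-byte type and length (IDs 1-255).
    id_width=2: two-byte type and length, network byte order (IDs 1-65535).
    """
    if id_width not in (1, 2):
        raise ValueError("id_width must be 1 or 2")
    header = struct.Struct("!BB" if id_width == 1 else "!HH")
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < header.size:
            raise SuboptionError(f"truncated header at offset {pos}")
        sub_id, length = header.unpack_from(data, pos)
        if sub_id == 0:
            raise SuboptionError(f"ID 0 at offset {pos}: reserved for packed data")
        pos += header.size
        remaining = len(data) - pos
        if length > remaining:
            # Never read past the option: a lying length field is the
            # classic way a TLV parser gets pushed out of bounds.
            raise SuboptionError(
                f"suboption {sub_id} claims {length} bytes, {remaining} remain")
        out.append((sub_id, bytes(data[pos:pos + length])))
        pos += length
    return out


def parse_packed(data, layout):
    """Decode packed data: no type or length markers in the packet.

    `layout` is a list of (field_name, struct_format) pairs taken from the
    option definition; each format must yield one value (e.g. "4s", "H").
    """
    fmt = struct.Struct("!" + "".join(f for _, f in layout))
    if len(data) != fmt.size:
        raise SuboptionError(
            f"packed data is {len(data)} bytes, definition needs {fmt.size}")
    return dict(zip((name for name, _ in layout), fmt.unpack(data)))


def is_well_formed(data, id_width=1):
    """True if `data` parses cleanly as TLV with the given ID width."""
    try:
        parse_tlv(data, id_width)
        return True
    except SuboptionError:
        return False


# Constructed samples.
TLV_V4 = bytes([1, 4, 192, 0, 2, 1, 2, 3]) + b"abc"     # two 8-bit suboptions
TLV_V6 = struct.pack("!HH", 300, 2) + b"\x00\x50"       # one 16-bit suboption
TRUNCATED = bytes([1, 4, 192, 0])                       # length 4, 2 bytes sent
PACKED = bytes([192, 0, 2, 1]) + b"\x00\x50"            # address + port, no markers

if __name__ == "__main__":
    print(parse_tlv(TLV_V4))
    print(parse_tlv(TLV_V6, id_width=2))
    print(parse_packed(PACKED, [("server", "4s"), ("port", "H")]))
    print(is_well_formed(TRUNCATED))
```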

Importing and Exporting Option Definition Sets

Importing and exporting option definition sets is a way to copy them between servers. In the CLI, you can import and export option sets by using import option-set file and export option-set name file. For example, to import an option set for Preboot Execution Environment (PXE) clients, modify and import a sample file located in the /examples/dhcp directory:

nrcmd> import option-set /examples/dhcp/OptionSetPXE.txt 

Some of the guidelines for the file format include:

The version string in the file must match the version for the import utility.

The utility imports just the first option definition set found in the file.

Delimit objects using curly brackets ({ }), attributes using parentheses (( )), and lists of objects in attributes using square brackets ([ ]). Delimit string value attributes using quotes (" ").

Using some care, you can also edit the text file to make minor modifications to an option definition set. Network Registrar provides two sample option definition set text files in the examples/dhcp directory, OptionSetJumpStart.txt and OptionSetPXE.txt:

OptionSetJumpStart.txt—Edit the vendor-option-string to match the dhcp-class-identifier (option 60) that your JumpStart clients are sending.

OptionSetPXE.txt—Edit the vendor-option-string to match the dhcp-class-identifier (option 60) that your Pre-boot Execution Environment (PXE) clients are sending.

Setting Option Values for Policies

You can set DHCPv4 or DHCPv6 options on a policy. In the Web UI, go to the List DHCP Policies page and click a policy to edit it. On the Edit DHCP Policy page:

To associate a standard DHCPv4 option with the policy, choose it from the DHCPv4 Options drop-down list, then set a value for the option. Click Add Option.

To associate a standard DHCPv6 option with the policy, choose it from the DHCPv6 Options drop-down list, then set a value for the option. Click Add Option.

To associate a custom or vendor-specific DHCPv6 option with the policy, choose an option definition set in the DHCPv4 Vendor Options drop-down list and click Select. The page changes to show the drop-down list that includes the option; choose it, then click Add Option.

Click Modify Policy.

In the CLI, use one of these commands:

nrcmd> policy name setOption {name | id} value 
nrcmd> policy name setV6Option {name | id} value 
nrcmd> policy name setVendorOption {name | id} option-set-name value 
nrcmd> policy name setV6VendorOption {name | id} option-set-name value 

To list the options in the policy, use one of these commands:

nrcmd> policy name listOptions 
nrcmd> policy name listV6Options 
nrcmd> policy name listVendorOptions 
nrcmd> policy name listV6VendorOptions 

Option Definition Example Usage

Here are some example implementations for DHCP option definitions:

Create an option in the standard dhcp-config or dhcp6-config option sets—This is possible if there is no existing option by that name or ID already in the option set. The new option is identified by an asterisk (*) after its name. You can delete this type of option; you cannot delete or overwrite any standard option.

Configure an option on a policy while another user is editing the option definition—Log out of the session and log back in to get the new option definition.