Cisco Nexus 1000V Security Configuration Guide, Release 4.0(4)SV1(2)
Configuring DHCP Snooping


This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping, and includes the following sections:

Information About DHCP Snooping

Prerequisites for DHCP Snooping

Guidelines and Limitations

Configuring DHCP Snooping

Verifying DHCP Snooping Configuration

Monitoring DHCP Snooping

Example Configuration for DHCP Snooping

Default Settings

Additional References

Feature History for DHCP Snooping

Information About DHCP Snooping

DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers by doing the following:

Validates DHCP messages received from untrusted sources and filters out invalid response messages from DHCP servers.

Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Dynamic ARP inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database. For more information about these features, see Chapter 13, "Configuring Dynamic ARP Inspection" and Chapter 14, "Configuring IP Source Guard."

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.

This section includes the following topics:

Trusted and Untrusted Sources

DHCP Snooping Binding Database

Trusted and Untrusted Sources

DHCP snooping identifies ports as trusted or untrusted. When the feature is enabled, all vEthernet ports are untrusted by default, and all Ethernet ports (uplinks), port channels, and the special vEthernet ports used by other features (such as VSD) for their operation are trusted. You can configure whether DHCP snooping trusts a given traffic source.

In an enterprise network, a trusted source is a device that is under your administrative control. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.

In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.

In the Cisco Nexus 1000V, you indicate that a source is trusted by configuring the trust state of its connecting interface. Uplink ports, as defined with the uplink capability on port profiles, are trusted and cannot be configured to be untrusted. This restriction prevents the uplink from being shut down for not conforming to rate limits or DHCP responses.

You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network, or if the DHCP server runs in a VM attached to that vEthernet interface. You usually do not configure host port interfaces as trusted.


Note For DHCP snooping to function properly, all DHCP servers must be connected to the device through trusted interfaces.


DHCP Snooping Binding Database

Using information extracted from intercepted DHCP messages, DHCP snooping dynamically builds and maintains a database on each VEM. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.


Note The DHCP snooping binding database is also referred to as the DHCP snooping binding table.


DHCP snooping updates the database when the device receives specific DHCP messages. For example, the feature adds an entry to the database when the device receives a DHCPACK message from the server. The feature removes the entry from the database when the IP address lease expires or when the device receives a DHCPRELEASE or DHCPDECLINE from the DHCP client or a DHCPNAK from the DHCP server.

Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

You can remove dynamically added entries from the binding database by using the clear ip dhcp snooping binding command. For more information, see the "Clearing the DHCP Snooping Binding Database" section.
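The following Python model is an added illustration of the rules described in the two sections above and of the MAC address verification described later in this chapter; it is not part of the Cisco Nexus 1000V software or of this guide. It builds constructed DHCP packets, drops server messages (DHCPOFFER, DHCPACK, DHCPNAK) that arrive on an untrusted port, checks the frame source MAC against the chaddr field on untrusted ports, populates the binding table from a DHCPACK seen on a trusted port, and removes entries on DHCPRELEASE, DHCPDECLINE, DHCPNAK or lease expiry. The port and VLAN names, the MAC and IP addresses, the packet builder, and the choice to record as the binding's interface the untrusted port on which the client's DISCOVER/REQUEST arrived are assumptions of this model, not documented Nexus 1000V behaviour.

```python
"""Toy DHCP snooping engine: trust, binding table and MAC verification (illustration)."""
import struct

DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}
MAGIC = b"\x63\x82\x53\x63"

def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0", lease=0):
    """Constructed sample packet: minimal BOOTP header + option 53 (+ option 51)."""
    op = 2 if msg_type in SERVER_MSGS else 1
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)           # op .. flags
    hdr += b"\0" * 4 + bytes(map(int, yiaddr.split("."))) + b"\0" * 8  # ciaddr .. giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0")     # chaddr
    hdr += b"\0" * 192 + MAGIC                                          # sname, file, cookie
    opts = bytes([53, 1, msg_type])
    if lease:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + opts + b"\xff"

def parse_dhcp(pkt):
    """Return (msg_type, client MAC, yiaddr, lease seconds), or None if malformed."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    mac = ":".join(f"{b:02x}" for b in pkt[28:34])
    yiaddr = ".".join(str(b) for b in pkt[16:20])
    msg_type, lease, i = None, 0, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                              # pad option
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            return None                              # truncated option
        code, length = pkt[i], pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = data[0]
        elif code == 51 and length == 4:
            lease = struct.unpack("!I", data)[0]
        i += 2 + length
    return None if msg_type is None else (msg_type, mac, yiaddr, lease)

class DhcpSnooper:
    def __init__(self, vlans, trusted_ports, verify_mac=True):
        self.vlans = set(vlans)            # ip dhcp snooping vlan ...
        self.trusted = set(trusted_ports)  # ip dhcp snooping trust
        self.verify_mac = verify_mac       # ip dhcp snooping verify mac-address
        self.bindings = {}                 # (vlan, mac) -> (ip, port, lease expiry)
        self.pending = {}                  # (vlan, mac) -> untrusted port the client asked from

    def process(self, port, vlan, src_mac, pkt, now=0.0):
        """Return 'FORWARD' or 'DROP:<reason>' for one DHCP packet, updating the table."""
        if vlan not in self.vlans:
            return "FORWARD"               # VLAN not snooped: no inspection at all
        parsed = parse_dhcp(pkt)
        if parsed is None:
            return "DROP:malformed"
        msg_type, chaddr, yiaddr, lease = parsed
        key = (vlan, chaddr)
        if port in self.trusted:
            # Model assumption: a binding records the untrusted port the client's
            # DISCOVER/REQUEST came from, so clients behind trusted ports get no entry.
            if msg_type == ACK and key in self.pending:
                self.bindings[key] = (yiaddr, self.pending.pop(key), now + lease)
            elif msg_type == NAK:
                self.bindings.pop(key, None)
            return "FORWARD"
        if msg_type in SERVER_MSGS:
            return "DROP:server-message-on-untrusted-port"   # rogue server or spoofed reply
        if self.verify_mac and src_mac.lower() != chaddr:
            return "DROP:chaddr-mismatch"                    # MAC address verification
        if msg_type in (RELEASE, DECLINE):
            b = self.bindings.get(key)
            if b is not None and b[1] != port:
                return "DROP:binding-port-mismatch"          # releasing someone else's lease
            self.bindings.pop(key, None)
            return "FORWARD"
        self.pending[key] = port
        return "FORWARD"

    def expire(self, now):
        """Remove bindings whose lease has ended."""
        for key in [k for k, b in self.bindings.items() if b[2] <= now]:
            del self.bindings[key]

def demo():
    """One lease on VLAN 100 plus attacks from Veth7; names and addresses are constructed."""
    s = DhcpSnooper(vlans={100}, trusted_ports={"Eth3/1"})
    client, rogue, server = "00:50:56:aa:bb:01", "00:50:56:de:ad:02", "00:00:0c:11:22:33"
    verdicts = [
        s.process("Veth3", 100, client, build_dhcp(DISCOVER, client), now=0),
        s.process("Veth7", 100, rogue, build_dhcp(OFFER, client, "10.0.0.99", 3600), now=1),
        s.process("Eth3/1", 100, server, build_dhcp(ACK, client, "10.0.0.50", 3600), now=2),
        s.process("Veth7", 100, rogue, build_dhcp(RELEASE, client), now=3),   # chaddr spoofed
        s.process("Veth7", 100, client, build_dhcp(RELEASE, client), now=4),  # MAC also spoofed
    ]
    table = {k: b[:2] for k, b in s.bindings.items()}
    s.expire(now=3700)                     # the 3600 s lease granted at t=2 has ended
    return verdicts, table, len(s.bindings)
```

In the demo, the rogue OFFER from a VM port and both forged RELEASE attempts are dropped, the binding learned from the trusted port records the client's own port, and the entry disappears once the lease has run out. Note that a packet on a VLAN without DHCP snooping is forwarded untouched, which is why the feature must be enabled on every VLAN that carries untrusted hosts.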

High Availability

The DHCP snooping binding table and all database entries created on the VEM are exported to the VSM and are persistent across VSM reboots.

Prerequisites for DHCP Snooping

DHCP snooping has the following prerequisites:

You must be familiar with DHCP to configure DHCP snooping.

Guidelines and Limitations

DHCP snooping has the following configuration guidelines and limitations:

A DHCP snooping database is stored on each VEM and can contain up to 1024 bindings.

For seamless DHCP snooping, Virtual Service Domain (VSD) service VM ports are trusted ports by default. If you configure these ports as untrusted, this setting is ignored.

If the VSM uses the VEM for connectivity (that is, the VSM has its VSM AIPC, management, and inband ports on a particular VEM), these virtual Ethernet interfaces must be configured as trusted interfaces.

If DHCP snooping is enabled on a device upstream from the Cisco Nexus 1000V, the interfaces on that device that connect to the Cisco Nexus 1000V must be configured as trusted there.

Configuring DHCP Snooping

This section includes the following topics:

Minimum DHCP Snooping Configuration

Enabling or Disabling DHCP Snooping Globally

Enabling or Disabling DHCP Snooping on a VLAN

Enabling or Disabling DHCP Snooping MAC Address Verification

Configuring an Interface as Trusted or Untrusted

Configuring the Rate Limit for DHCP Packets

Enabling or Disabling DHCP Error-Disabled Detection

Enabling or Disabling DHCP Error-Disabled Recovery

Clearing the DHCP Snooping Binding Database

Verifying DHCP Snooping Configuration

Minimum DHCP Snooping Configuration

The minimum configuration for DHCP snooping is as follows:


Step 1 Enable DHCP snooping globally. For more information, see the "Enabling or Disabling DHCP Snooping Globally" section.

Step 2 Enable DHCP snooping on at least one VLAN. For more information, see the "Enabling or Disabling DHCP Snooping on a VLAN" section.

By default, DHCP snooping is disabled on all VLANs.

Step 3 Ensure that the DHCP server is connected to the device using a trusted interface. For more information, see the "Configuring an Interface as Trusted or Untrusted" section.


Enabling or Disabling DHCP Snooping Globally

Use this procedure to globally enable or disable the DHCP snooping.

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You are logged in to the CLI in EXEC mode.

By default, DHCP snooping is globally disabled.

If DHCP snooping is globally disabled, all DHCP snooping stops: no bindings are learned, and DHCP messages are forwarded without being validated or filtered.

If you configure DHCP snooping and then globally disable it, the remaining configuration is preserved.

SUMMARY STEPS

1. config t

2. [no] ip dhcp snooping

3. show running-config dhcp

4. copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t


Example:

n1000v# config t

n1000v(config)#

Enters global configuration mode.

Step 2 

[no] ip dhcp snooping


Example:

n1000v(config)# ip dhcp snooping

Enables DHCP snooping globally. The no option disables DHCP snooping but preserves an existing DHCP snooping configuration.

Step 3 

show running-config dhcp


Example:

n1000v(config)# show running-config dhcp

Shows the DHCP snooping configuration.

Step 4 

copy running-config startup-config


Example:

n1000v(config)# copy running-config startup-config

(Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.

Enabling or Disabling DHCP Snooping on a VLAN

Use this procedure to enable or disable DHCP snooping on one or more VLANs.

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You are logged in to the CLI in EXEC mode.

By default, DHCP snooping is disabled on all VLANs.

SUMMARY STEPS

1. config t

2. [no] ip dhcp snooping vlan vlan-list

3. show running-config dhcp

4. copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t


Example:

n1000v# config t

n1000v(config)#

Enters global configuration mode.

Step 2 

[no] ip dhcp snooping vlan vlan-list


Example:

n1000v(config)# ip dhcp snooping vlan 100,200,250-252

Enables DHCP snooping on the VLANs specified by vlan-list. The no option disables DHCP snooping on the VLANs specified.

Step 3 

show running-config dhcp


Example:

n1000v(config)# show running-config dhcp

Shows the DHCP snooping configuration.

Step 4 

copy running-config startup-config


Example:

n1000v(config)# copy running-config startup-config

(Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.

Enabling or Disabling DHCP Snooping MAC Address Verification

Use this procedure to enable or disable DHCP snooping MAC address verification. If the device receives a DHCP packet on an untrusted interface and the source MAC address of the frame does not match the client hardware address (chaddr) carried in the DHCP message, address verification causes the device to drop the packet. This prevents a host from requesting or releasing leases on behalf of another host's MAC address.

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You are logged in to the CLI in EXEC mode.

MAC address verification is enabled by default.

SUMMARY STEPS

1. config t

2. [no] ip dhcp snooping verify mac-address

3. show running-config dhcp

4. copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t


Example:

n1000v# config t

n1000v(config)#

Enters global configuration mode.

Step 2 

[no] ip dhcp snooping verify mac-address


Example:

n1000v(config)# ip dhcp snooping verify mac-address

Enables DHCP snooping MAC address verification. The no option disables MAC address verification.

Step 3 

show running-config dhcp


Example:

n1000v(config)# show running-config dhcp

Shows the DHCP snooping configuration.

Step 4 

copy running-config startup-config


Example:

n1000v(config)# copy running-config startup-config

(Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.

Configuring an Interface as Trusted or Untrusted

Use this procedure to configure whether a virtual interface is a trusted or untrusted source of DHCP messages. You can configure DHCP trust on the following:

Layer 2 vEthernet interfaces

Port Profiles for Layer 2 vEthernet interfaces

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You are logged in to the CLI in EXEC mode.

By default, vEthernet interfaces are untrusted. The only exception is the special vEthernet ports used by other features, such as VSD, which are trusted.

Ensure that the vEthernet interface is configured as a Layer 2 interface.

For seamless operation of DHCP snooping, DAI, and IP Source Guard, Virtual Service Domain (VSD) service VM ports are trusted ports by default. If you configure these ports as untrusted, this setting is ignored.

SUMMARY STEPS

1. config t

2. interface vethernet interface-number | port-profile profilename

3. [no] ip dhcp snooping trust

4. show running-config dhcp

5. copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t


Example:

n1000v# config t

n1000v(config)#

Enters global configuration mode.

Step 2 

interface vethernet interface-number


Example:

n1000v(config)# interface vethernet 3

n1000v(config-if)#

Enters interface configuration mode, where interface-number is the vEthernet interface that you want to configure as trusted or untrusted for DHCP snooping.

port-profile profilename


Example:

n1000v(config)# port-profile vm-data

n1000v(config-port-prof)#

Enters port profile configuration mode for the specified port profile, where profilename is a unique name of up to 80 characters.

Step 3 

[no] ip dhcp snooping trust


Example:

n1000v(config-if)# ip dhcp snooping trust

Configures the interface as a trusted interface for DHCP snooping. The no option configures the port as an untrusted interface.

Step 4 

show running-config dhcp


Example:

n1000v(config-if)# show running-config dhcp

Shows the DHCP snooping configuration.

Step 5 

copy running-config startup-config


Example:

n1000v(config-if)# copy running-config startup-config

(Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.

Configuring the Rate Limit for DHCP Packets

Use this procedure to configure a rate limit for DHCP packets received on each port.

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You are logged in to the CLI in EXEC mode.

Ports on which DHCP packets arrive faster than the rate limit you configure here are placed in the error-disabled state.

SUMMARY STEPS

1. config t

2. interface vethernet interface-number | port-profile profilename

3. [no] ip dhcp snooping limit rate rate

4. show running-config dhcp

5. copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t


Example:

n1000v# config t

n1000v(config)#

Enters global configuration mode.

Step 2 

interface vethernet interface-number


Example:

n1000v(config)# interface vethernet 3

n1000v(config-if)#

Enters interface configuration mode, where interface-number is the vEthernet interface on which you want to rate-limit DHCP packets.

port-profile profilename


Example:

n1000v(config)# port-profile vm-data

n1000v(config-port-prof)#

Enters port profile configuration mode for the specified port profile, where profilename is a unique name of up to 80 characters.

Step 3 

[no] ip dhcp snooping limit rate rate


Example:

n1000v(config-if)# ip dhcp snooping limit rate 30

Sets the maximum rate, in packets per second, at which DHCP packets are accepted on the interface (or on each interface that inherits the port profile). The no option removes the rate limit.

Step 4 

show running-config dhcp


Example:

n1000v(config-if)# show running-config dhcp

Shows the DHCP snooping configuration.

Step 5 

copy running-config startup-config


Example:

n1000v(config-if)# copy running-config startup-config

(Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.

Enabling or Disabling DHCP Error-Disabled Detection

Use this procedure to enable or disable error-disabled detection for ports exceeding the DHCP rate limit.

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You are logged in to the CLI in EXEC mode.

Ports that exceed the configured rate limit are put into an errdisable state.

You must enter the shutdown command and then the no shutdown command to recover an interface manually from the error-disabled state.

SUMMARY STEPS

1. config t

2. [no] errdisable detect cause dhcp-rate-limit

3. show running-config dhcp

4. copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t


Example:

n1000v# config t

n1000v(config)#

Enters global configuration mode.

Step 2 

[no] errdisable detect cause dhcp-rate-limit


Example:

n1000v(config)# errdisable detect cause dhcp-rate-limit

Enables DHCP error-disabled detection. The no option disables DHCP error-disabled detection.

Step 3 

show running-config dhcp


Example:

n1000v(config)# show running-config dhcp

Shows the DHCP snooping configuration.

Step 4 

copy running-config startup-config


Example:

n1000v(config)# copy running-config startup-config

(Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.

Enabling or Disabling DHCP Error-Disabled Recovery

Use this procedure to enable or disable error-disabled recovery for ports exceeding the DHCP rate limit.

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You are logged in to the CLI in EXEC mode.

Ports that exceed the configured rate limit are put into an errdisable state.

You must enter the shutdown command and then the no shutdown command to recover an interface manually from the error-disabled state.

SUMMARY STEPS

1. config t

2. [no] errdisable recovery cause dhcp-rate-limit

3. errdisable recovery interval timer-interval

4. show running-config dhcp

5. copy running-config startup-config

DETAILED STEPS

 
Command
Purpose

Step 1 

config t


Example:

n1000v# config t

n1000v(config)#

Enters global configuration mode.

Step 2 

[no] errdisable recovery cause dhcp-rate-limit


Example:

n1000v(config)# errdisable recovery cause dhcp-rate-limit

Enables automatic recovery of ports that were error-disabled for exceeding the DHCP rate limit. The no option disables DHCP error-disabled recovery.

Step 3 

errdisable recovery interval timer-interval


Example:

n1000v(config)# errdisable recovery interval 30

Sets the DHCP error-disabled recovery interval, where timer-interval is the number of seconds (30-65535).

Step 4 

show running-config dhcp


Example:

n1000v(config)# show running-config dhcp

Shows the DHCP snooping configuration.

Step 5 

copy running-config startup-config


Example:

n1000v(config)# copy running-config startup-config

(Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
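The following Python model is an added illustration of how the rate limit, error-disabled detection and error-disabled recovery configured in the three preceding procedures interact; it is not the Cisco Nexus 1000V implementation and is not code from this guide. It counts DHCP packets per port, error-disables a port whose packets exceed the configured rate, and either releases the port after the recovery interval or waits for a manual shutdown / no shutdown. The one-second sliding window used to measure the rate, the behaviour when detection is disabled (excess packets dropped while the port stays up), and the port names and timings are assumptions of this model.

```python
"""Toy model of the DHCP packet rate limit and its error-disable / recovery handling
(illustration only; not the Cisco Nexus 1000V implementation)."""
from collections import deque


class DhcpRateGuard:
    def __init__(self, limit_pps, detect=True, recovery=False, recovery_interval=300):
        self.limit = limit_pps             # ip dhcp snooping limit rate <rate>
        self.detect = detect               # errdisable detect cause dhcp-rate-limit
        self.recovery = recovery           # errdisable recovery cause dhcp-rate-limit
        self.interval = recovery_interval  # errdisable recovery interval <seconds>
        self.window = {}                   # port -> arrival times within the last second
        self.errdisabled = {}              # port -> time the port was error-disabled

    def offer(self, port, now):
        """Account one DHCP packet seen on port at time now (seconds).
        Returns 'ACCEPT', 'DROP' or 'ERRDISABLE' (for the packet that tripped the limit)."""
        self._auto_recover(now)
        if port in self.errdisabled:
            return "DROP"                  # an error-disabled port passes nothing
        q = self.window.setdefault(port, deque())
        q.append(now)
        while q and q[0] <= now - 1.0:     # one-second sliding window (model assumption)
            q.popleft()
        if len(q) <= self.limit:
            return "ACCEPT"
        if self.detect:
            self.errdisabled[port] = now
            q.clear()
            return "ERRDISABLE"
        return "DROP"                      # detection off: excess dropped, port stays up (assumption)

    def _auto_recover(self, now):
        if not self.recovery:
            return                         # without recovery only shutdown / no shutdown helps
        for port, since in list(self.errdisabled.items()):
            if now - since >= self.interval:
                del self.errdisabled[port]

    def shutdown_no_shutdown(self, port):
        """Manual recovery, i.e. 'shutdown' followed by 'no shutdown' on the interface."""
        self.errdisabled.pop(port, None)
        self.window.pop(port, None)


def demo():
    """Flood Veth3 at 100 pps while Veth5 sends 10 pps; names and timings are constructed."""
    g = DhcpRateGuard(limit_pps=30, detect=True, recovery=True, recovery_interval=30)
    flood = [g.offer("Veth3", i * 0.01) for i in range(31)]   # 31 packets in 0.3 s
    quiet = [g.offer("Veth5", i * 0.1) for i in range(10)]    # 10 pps, well under the limit
    return {
        "flood_accepted": flood.count("ACCEPT"),
        "flood_tripped_at_packet": flood.index("ERRDISABLE") + 1,
        "quiet_all_accepted": all(v == "ACCEPT" for v in quiet),
        "while_errdisabled": g.offer("Veth3", 1.0),
        "after_recovery_interval": g.offer("Veth3", 30.5),
    }
```

The demo shows why the rate limit belongs on host-facing ports only: the flooding port is shut on its 31st packet within a second while the neighbouring port is unaffected, and the port comes back on its own only because recovery is enabled with a 30-second interval. With recovery disabled, the same guard keeps dropping until shutdown_no_shutdown is called, mirroring the manual shutdown / no shutdown step in the procedures above.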

Clearing the DHCP Snooping Binding Database

Use this procedure to remove all entries from the DHCP snooping binding database.

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

You are logged in to the CLI in EXEC mode.

SUMMARY STEPS

1. clear ip dhcp snooping binding

2. show ip dhcp snooping binding

DETAILED STEPS

 
Command
Purpose

Step 1 

clear ip dhcp snooping binding


Example:

n1000v# clear ip dhcp snooping binding

Clears dynamically added entries from the DHCP snooping binding database.

Step 2 

show ip dhcp snooping binding


Example:

n1000v# show ip dhcp snooping binding

Displays the DHCP snooping binding database.

Verifying DHCP Snooping Configuration

To display DHCP snooping configuration information, use the following commands:

Command
Purpose

show running-config dhcp

Displays the DHCP snooping configuration.

show ip dhcp snooping

Displays general information about DHCP snooping.

show ip dhcp snooping binding

Displays the DHCP snooping binding database.


For detailed information about the fields in the output from these commands, see the Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(2).

Monitoring DHCP Snooping

Use the show ip dhcp snooping statistics command to display DHCP snooping statistics. For detailed information about the fields in the output from this command, see the Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(2).

Example Configuration for DHCP Snooping

This example shows how to enable DHCP snooping on two VLANs, with vEthernet interface 5 trusted because the DHCP server is connected to that interface:

ip dhcp snooping

interface vethernet 5
  ip dhcp snooping trust
ip dhcp snooping vlan 1
ip dhcp snooping vlan 50

Default Settings

Table 12-1 lists the defaults for DHCP snooping.

Table 12-1 Default DHCP Snooping Parameters 

Parameter                                   Default
DHCP snooping globally enabled              No
DHCP snooping on a VLAN                     Disabled
DHCP snooping MAC address verification      Enabled
DHCP snooping trust                         Trusted for Ethernet (uplink) interfaces, port channels, and the special vEthernet interfaces used by features such as VSD; untrusted for all other vEthernet interfaces


Additional References

For additional information related to implementing DHCP snooping, see the following sections:

Related Documents

Standards

Related Documents  

Related Topic
Document Title

IP Source Guard

Cisco Nexus 1000V Security Configuration Guide, Release 4.0(4)SV1(2), Chapter 14, "Configuring IP Source Guard"

Dynamic ARP Inspection

Cisco Nexus 1000V Security Configuration Guide, Release 4.0(4)SV1(2), Chapter 13, "Configuring Dynamic ARP Inspection"

DHCP snooping commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(2)


 

Standards

Standards
Title

RFC 2131

Dynamic Host Configuration Protocol (http://tools.ietf.org/html/rfc2131)


Feature History for DHCP Snooping

Table 12-2 lists the release history for this feature.

Table 12-2 Feature History for DHCP Snooping 

Feature Name
Releases
Feature Information

DHCP snooping

4.0(4)SV1(2)

This feature was introduced.