Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 5.x
Configuring DHCP

This chapter describes how to configure the Dynamic Host Configuration Protocol (DHCP) on a Cisco NX-OS device.

Information About DHCP Snooping

DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:

  • Validates DHCP messages received from untrusted sources and filters out invalid messages.
  • Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
  • Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

DHCP snooping can be enabled globally and on a per-VLAN basis. By default, the feature is disabled globally and on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.

Trusted and Untrusted Sources

You can configure whether DHCP snooping trusts traffic sources. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.

In an enterprise network, a trusted source is a device that is under your administrative control. These devices include the switches, routers, and servers in the network. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.

In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.

In the Cisco NX-OS device, you indicate that a source is trusted by configuring the trust state of its connecting interface.

The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.


Note
For DHCP snooping to function properly, all DHCP servers must be connected to the device through trusted interfaces.

DHCP Snooping Binding Database

Using information extracted from intercepted DHCP messages, DHCP snooping dynamically builds and maintains a database. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.


Note
The DHCP snooping binding database is also referred to as the DHCP snooping binding table.

DHCP snooping updates the database when the device receives specific DHCP messages. For example, the feature adds an entry to the database when the device receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the device receives a DHCPRELEASE message from the host.

Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

Dynamic ARP inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.

You can remove entries from the binding database by using the clear ip dhcp snooping binding command.

DHCP Snooping in a vPC Environment

A virtual port channel (vPC) allows two Cisco NX-OS switches to appear as a single logical port channel to a third device. The third device can be a switch, server, or any other networking device that supports port channels.

In a typical vPC environment, DHCP requests can reach one vPC peer switch and the responses can reach the other vPC peer switch, resulting in a partial DHCP (IP-MAC) binding entry in one switch and no binding entry in the other switch. As a result, DHCP snooping and associated features such as dynamic ARP inspection (DAI) and IP Source Guard are disrupted. Beginning with Cisco NX-OS Release 5.1, this issue is addressed by using Cisco Fabric Service over Ethernet (CFSoE) distribution to ensure that all DHCP packets (requests and responses) appear on both switches, which helps in creating and maintaining the same binding entry on both switches for all clients behind the vPC link.

CFSoE distribution also allows only one switch to forward the DHCP requests and responses on the vPC link. In non-vPC environments, both switches forward the DHCP packets.

Synchronizing DHCP Snooping Binding Entries

The dynamic DHCP binding entries should be synchronized in the following scenarios:

  • When the remote vPC is online, all the binding entries for that vPC link should be synchronized with the peer.
  • When DHCP snooping is enabled on the peer switch, the dynamic binding entries for all vPC links should be synchronized with the peer.

Packet Validation

The device validates DHCP packets received on the untrusted interfaces of VLANs that have DHCP snooping enabled. The device forwards the DHCP packet unless any of the following conditions occur (in which case, the packet is dropped):

  • The device receives a DHCP response packet (such as a DHCPACK, DHCPNAK, or DHCPOFFER packet) on an untrusted interface.
  • The device receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
  • The device receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.

In addition, you can enable strict validation of DHCP packets, which checks the options field of DHCP packets, including the “magic cookie” value in the first four bytes of the options field. By default, strict validation is disabled. When you enable it, by using the ip dhcp packet strict-validation command, if DHCP snooping processes a packet that has an invalid options field, it drops the packet.
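
The validation rules above, worked through in an added example (illustrative Python, not Cisco code): a minimal DHCP packet builder, the drop/forward decision for packets arriving on untrusted interfaces, and the binding-table update on DHCPACK and DHCPRELEASE. Interface names, MAC addresses and the lease address are constructed; the packet layout assumes the standard BOOTP offsets.

```python
"""DHCP snooping packet validation and binding-table upkeep, following the
Packet Validation and Binding Database sections. Added illustrative example,
not Cisco code. Assumes the standard BOOTP layout: op at byte 0, chaddr at
bytes 28..43, magic cookie at bytes 236..239, TLV options after it."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
# DHCP message type values (option 53) from RFC 2132.
DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE = 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {DHCPOFFER, DHCPACK, DHCPNAK}


def build_dhcp(op, chaddr, msg_type, cookie=MAGIC_COOKIE):
    """Construct a minimal DHCP packet (constructed test input, not a capture)."""
    head = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 24   # op, htype, hlen, hops .. giaddr
    head += chaddr + b"\x00" * 10                              # 16-byte chaddr field
    head += b"\x00" * 192                                      # sname + file
    return head + cookie + bytes([53, 1, msg_type, 255])       # option 53, then END


def message_type(pkt):
    """Option 53 value, or None when the options field is missing or malformed."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                                        # PAD
            i += 1
            continue
        if i + 1 >= len(pkt):
            return None
        code, length = pkt[i], pkt[i + 1]
        if code == 53 and length == 1 and i + 2 < len(pkt):
            return pkt[i + 2]
        i += 2 + length
    return None


def snoop_verdict(pkt, src_mac, ingress_if, vlan, trusted_ifs, bindings,
                  verify_mac=True, strict=False):
    """Return ("forward", reason) or ("drop", reason) for one DHCP packet.
    trusted_ifs: interfaces configured with ip dhcp snooping trust.
    bindings:    {(chaddr, vlan): (client_if, leased_ip)} learned from DHCPACKs.
    verify_mac / strict: the MAC verification and strict-validation toggles."""
    if ingress_if in trusted_ifs:
        return "forward", "trusted interface, not validated"
    if strict and pkt[236:240] != MAGIC_COOKIE:
        return "drop", "strict validation: bad magic cookie in options field"
    chaddr = pkt[28:34]
    msg = message_type(pkt)
    if pkt[0] == BOOTREPLY or msg in SERVER_MESSAGES:
        return "drop", "server response received on untrusted interface"
    if verify_mac and src_mac != chaddr:
        return "drop", "source MAC does not match DHCP client hardware address"
    if msg in (DHCPRELEASE, DHCPDECLINE):
        bound = bindings.get((chaddr, vlan))
        if bound is not None and bound[0] != ingress_if:
            return "drop", "release/decline received on an interface other than the bound one"
    return "forward", "passed validation"


def update_bindings(bindings, pkt, client_if, vlan, leased_ip):
    """Add an entry when a DHCPACK is seen, remove it on DHCPRELEASE."""
    chaddr, msg = pkt[28:34], message_type(pkt)
    if msg == DHCPACK:
        bindings[(chaddr, vlan)] = (client_if, leased_ip)
    elif msg == DHCPRELEASE:
        bindings.pop((chaddr, vlan), None)
    return bindings


def demo():
    """Walk a constructed exchange through the validator; returns the verdicts."""
    client = b"\x00\x11\x22\x33\x44\x55"                  # constructed client MAC
    server = b"\x00\xaa\xbb\xcc\xdd\xee"                  # constructed server MAC
    rogue = b"\x00\x99\x88\x77\x66\x55"                   # constructed spoofing host
    trusted, bindings, verdicts = {"Ethernet2/1"}, {}, []
    req = build_dhcp(BOOTREQUEST, client, DHCPREQUEST)
    offer = build_dhcp(BOOTREPLY, client, DHCPOFFER)
    ack = build_dhcp(BOOTREPLY, client, DHCPACK)
    release = build_dhcp(BOOTREQUEST, client, DHCPRELEASE)
    bad_cookie = build_dhcp(BOOTREQUEST, client, DHCPREQUEST, cookie=b"\x00" * 4)
    # 1. Client request on an untrusted host port: forwarded.
    verdicts.append(snoop_verdict(req, client, "Ethernet2/5", 100, trusted, bindings)[0])
    # 2. OFFER arriving on a host port (rogue server): dropped.
    verdicts.append(snoop_verdict(offer, rogue, "Ethernet2/5", 100, trusted, bindings)[0])
    # 3. ACK from the real server on the trusted port: forwarded, binding learned.
    verdicts.append(snoop_verdict(ack, server, "Ethernet2/1", 100, trusted, bindings)[0])
    update_bindings(bindings, ack, "Ethernet2/5", 100, "10.0.100.20")
    # 4. RELEASE for that binding from a different port: dropped.
    verdicts.append(snoop_verdict(release, client, "Ethernet2/7", 100, trusted, bindings)[0])
    # 5. Request whose source MAC disagrees with chaddr: dropped (verification on by default).
    verdicts.append(snoop_verdict(req, rogue, "Ethernet2/5", 100, trusted, bindings)[0])
    # 6. Malformed options field: dropped only when strict validation is enabled.
    verdicts.append(snoop_verdict(bad_cookie, client, "Ethernet2/5", 100, trusted, bindings, strict=True)[0])
    verdicts.append(snoop_verdict(bad_cookie, client, "Ethernet2/5", 100, trusted, bindings)[0])
    return verdicts
```

Case 6 shows why the default matters: without strict validation a request with a bad magic cookie is still forwarded because only the three base checks apply.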

DHCP Snooping Option 82 Data Insertion

DHCP can centrally manage the IP address assignments for a large number of subscribers. When you enable Option 82, the device identifies a subscriber device that connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can connect to the same port on the access device and are uniquely identified.

When you enable Option 82 on the Cisco NX-OS device, the following sequence of events occurs:

  1. The host (DHCP client) generates a DHCP request and broadcasts it on the network.
  2. When the Cisco NX-OS device receives the DHCP request, it adds the Option 82 information in the packet. The Option 82 information contains the device MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption). For hosts behind the port channel, the circuit ID is filled with the if_index of the port channel.

     Note
     For vPC peer switches, the remote ID suboption contains the vPC switch MAC address, which is unique in both switches. This MAC address is computed with the vPC domain ID. The Option 82 information is inserted at the switch where the DHCP request is first received before it is forwarded to the other vPC peer switch.

  3. The device forwards the DHCP request that includes the Option 82 field to the DHCP server.
  4. The DHCP server receives the packet. If the server is Option 82 capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server echoes the Option 82 field in the DHCP reply.
  5. The DHCP server sends the reply to the Cisco NX-OS device. The Cisco NX-OS device verifies that it originally inserted the Option 82 data by inspecting the remote ID and possibly the circuit ID fields. The Cisco NX-OS device removes the Option 82 field and forwards the packet to the interface that connects to the DHCP client that sent the DHCP request.

If the previously described sequence of events occurs, the following values do not change:

  • Circuit ID suboption fields
    • Suboption type
    • Length of the suboption type
    • Circuit ID type
    • Length of the circuit ID type
  • Remote ID suboption fields
    • Suboption type
    • Length of the suboption type
    • Remote ID type
    • Length of the remote ID type

Figure 1. Suboption Packet Formats.

This figure shows the packet formats for the remote ID suboption and the circuit ID suboption. The Cisco NX-OS device uses the packet formats when you globally enable DHCP snooping and when you enable Option 82 data insertion and removal. For the circuit ID suboption, the module field is the slot number of the module.
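
The circuit ID and remote ID suboptions, encoded and decoded in an added example (illustrative Python, not Cisco code). Because the figure is not reproduced, the byte layout is assumed: suboption 1 carries an inner type 0 plus the 4-byte vlan-mod-port value, suboption 2 an inner type 0 plus the 6-byte device MAC; the insert-then-verify-and-strip round trip follows steps 2 and 5 above, and the device MAC used is constructed.

```python
"""Option 82 circuit ID / remote ID suboptions in the vlan-mod-port layout,
with the insert-on-request and verify-and-strip-on-reply round trip the
device performs. Added illustrative example, not Cisco code.
Assumed byte layout (the figure is not reproduced here): suboption 1 = circuit
ID, inner type 0, inner length 4 = VLAN (2 bytes), module, port; suboption 2 =
remote ID, inner type 0, inner length 6 = device MAC. Suboption codes 1 and 2
are the RFC 3046 values."""
import struct

OPT_RELAY_AGENT_INFO, OPT_PAD, OPT_END = 82, 0, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def circuit_id(vlan, module, port):
    """Suboption type, length, circuit ID type, length, then vlan-mod-port."""
    inner = struct.pack("!HBB", vlan, module, port)
    return bytes([SUB_CIRCUIT_ID, len(inner) + 2, 0, len(inner)]) + inner


def remote_id(mac):
    """Suboption type, length, remote ID type, length, then the device MAC."""
    return bytes([SUB_REMOTE_ID, len(mac) + 2, 0, len(mac)]) + mac


def build_option82(vlan, module, port, mac):
    payload = circuit_id(vlan, module, port) + remote_id(mac)
    return bytes([OPT_RELAY_AGENT_INFO, len(payload)]) + payload


def parse_option82(payload):
    """Decode suboptions into {"circuit_id": (vlan, module, port), "remote_id": mac}."""
    out, i = {}, 0
    while i + 2 <= len(payload):
        code, length = payload[i], payload[i + 1]
        body = payload[i + 2:i + 2 + length]
        if len(body) != length or length < 2:
            raise ValueError("truncated or malformed suboption")
        inner = body[2:2 + body[1]]                  # skip inner type, take inner length
        if code == SUB_CIRCUIT_ID and len(inner) == 4:
            out["circuit_id"] = struct.unpack("!HBB", inner)
        elif code == SUB_REMOTE_ID:
            out["remote_id"] = inner
        i += 2 + length
    return out


def find_option(options, code):
    """Return (start, end) of the first option with this code, or None."""
    i = 0
    while i + 1 < len(options) and options[i] != OPT_END:
        if options[i] == OPT_PAD:
            i += 1
            continue
        length = options[i + 1]
        if options[i] == code:
            return i, i + 2 + length
        i += 2 + length
    return None


def insert_option82(options, opt82):
    """Add Option 82 before END on a request; a request that already carries
    Option 82 is forwarded unchanged, as the relay agent note describes."""
    if find_option(options, OPT_RELAY_AGENT_INFO) is not None:
        return options
    end = options.index(OPT_END)
    return options[:end] + opt82 + options[end:]


def strip_option82_if_ours(options, device_mac):
    """On a reply, compare the echoed remote ID with our MAC and strip Option 82
    only when we inserted it. Returns (options, was_ours)."""
    span = find_option(options, OPT_RELAY_AGENT_INFO)
    if span is None:
        return options, False
    start, end = span
    info = parse_option82(options[start + 2:end])
    if info.get("remote_id") != device_mac:
        return options, False
    return options[:start] + options[end:], True


def round_trip(vlan, module, port, device_mac):
    """Constructed request/reply exchange: returns (echoed circuit ID, was_ours, cleaned reply options)."""
    request_opts = bytes([53, 1, 3, OPT_END])                # DHCPREQUEST, END
    relayed = insert_option82(request_opts, build_option82(vlan, module, port, device_mac))
    start, end = find_option(relayed, OPT_RELAY_AGENT_INFO)
    echoed = relayed[start:end]                               # server echoes Option 82 back
    reply_opts = bytes([53, 1, 5]) + echoed + bytes([OPT_END])   # DHCPACK + Option 82 + END
    info = parse_option82(echoed[2:])
    cleaned, ours = strip_option82_if_ours(reply_opts, device_mac)
    return info["circuit_id"], ours, cleaned
```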



Information About the DHCP Relay Agent

DHCP Relay Agent

You can configure the device to run a DHCP relay agent, which forwards DHCP packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface. The relay agent sets the gateway address (giaddr field of the DHCP packet) and, if configured, adds the relay agent information option (Option 82) in the packet and forwards it to the DHCP server. The reply from the server is forwarded back to the client after removing Option 82.

After you enable Option 82, the device uses the binary ifindex format by default. If needed, you can change the Option 82 setting to use an encoded string format instead.


Note
When the device relays a DHCP request that already includes Option 82 information, the device forwards the request with the original Option 82 information without altering it.

DHCP Relay Agent Option 82

You can enable the device to insert and remove Option 82 information on DHCP packets that are forwarded by the relay agent.

Figure 2. DHCP Relay Agent in a Metropolitan Ethernet Network.

This figure shows an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the device at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.



When you enable Option 82 for the DHCP relay agent on the Cisco NX-OS device, the following sequence of events occurs:

  1. The host (DHCP client) generates a DHCP request and broadcasts it on the network.
  2. When the Cisco NX-OS device receives the DHCP request, it adds the Option 82 information in the packet. The Option 82 information contains the device MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption). In DHCP relay, the circuit ID is filled with the if_index of the SVI or Layer 3 interface on which DHCP relay is configured.

     Note
     For vPC peer switches, the remote ID suboption contains the vPC switch MAC address, which is unique in both switches. This MAC address is computed with the vPC domain ID. The Option 82 information is inserted at the switch where the DHCP request is first received before it is forwarded to the other vPC peer switch.

  3. The device adds the IP address of the relay agent to the DHCP packet.
  4. The device forwards the DHCP request that includes the Option 82 field to the DHCP server.
  5. The DHCP server receives the packet. If the server is Option 82 capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server echoes the Option 82 field in the DHCP reply.
  6. The DHCP server unicasts the reply to the Cisco NX-OS device if the request was relayed to the server by the device. The Cisco NX-OS device verifies that it originally inserted the Option 82 data by inspecting the remote ID and possibly the circuit ID fields. The Cisco NX-OS device removes the Option 82 field and forwards the packet to the interface that connects to the DHCP client that sent the DHCP request.

VRF Support for the DHCP Relay Agent

You can configure the DHCP relay agent to forward DHCP broadcast messages from clients in a virtual routing and forwarding (VRF) instance to DHCP servers in a different VRF. By using a single DHCP server to provide DHCP support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF. For general information about VRFs, see the Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide.

Enabling VRF support for the DHCP relay agent requires that you enable Option 82 for the DHCP relay agent.

If a DHCP request arrives on an interface that you have configured with a DHCP relay address and VRF information, and the address of the DHCP server belongs to a network on an interface that is a member of a different VRF, the device inserts Option 82 information in the request and forwards it to the DHCP server in the server VRF. The Option 82 information includes the following:

  • VPN identifier: Name of the VRF that the interface that receives the DHCP request is a member of.
  • Link selection: Subnet address of the interface that receives the DHCP request. When DHCP smart relay is enabled, the link selection is filled with the subnet of the active giaddr.
  • Server identifier override: IP address of the interface that receives the DHCP request. When DHCP smart relay is enabled, the server identifier is filled with the active giaddr.

Note
The DHCP server must support the VPN identifier, link selection, and server identifier override options.

When the device receives the DHCP response message, it strips off the Option 82 information and forwards the response to the DHCP client in the client VRF.

DHCP Smart Relay Agent

When the DHCP relay agent receives broadcast DHCP request packets from a host, it sets giaddr to the primary address of the inbound interface and forwards the packets to the server. The server allocates IP addresses from the giaddr subnet pool until the pool is exhausted and ignores further requests.

Beginning with Cisco NX-OS Release 5.2, you can configure the DHCP smart relay agent to allocate IP addresses from the secondary IP address subnet pool if the first subnet pool is exhausted or the server ignores further requests. This enhancement is useful if the number of hosts is greater than the number of IP addresses in the pool or if multiple subnets are configured on an interface using secondary addresses.

Virtualization Support for DHCP

The following information applies to DHCP used in virtual device contexts (VDCs):

  • DHCP snooping binding databases are unique per VDC. Bindings in one VDC do not affect DHCP snooping in other VDCs.
  • The system does not limit the binding database size on a per-VDC basis.
  • The DHCP smart relay agent can be configured independently in default and nondefault VDCs.

Licensing Requirements for DHCP

This table shows the licensing requirements for DHCP.

Product: Cisco NX-OS

License Requirement: DHCP requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Prerequisites for DHCP

DHCP has the following prerequisite:

  • You should be familiar with DHCP before you configure DHCP snooping or the DHCP relay agent.

Guidelines and Limitations for DHCP

DHCP has the following configuration guidelines and limitations:

  • The DHCP snooping database can store 2000 bindings.
  • For DHCP relay, you can configure up to 16 DHCP server addresses on an interface.
  • If you use DHCP relay where DHCP clients and servers are in different VRFs, use only one DHCP server within a VRF.
  • Before globally enabling DHCP snooping on the device, make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled.
  • DHCP snooping should not be followed by DHCP relay in the network.
  • If a VLAN ACL (VACL) is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts. When both DHCP snooping and DHCP relay are enabled on a VLAN and the SVI of that VLAN, DHCP relay takes precedence.
  • If an ingress router ACL is configured on a Layer 3 interface that you are configuring with a DHCP server address, ensure that the router ACL permits DHCP traffic between DHCP servers and DHCP hosts.
  • Access-control list (ACL) statistics are not supported if the DHCP snooping feature is enabled.
  • Make sure that the DHCP configuration is synchronized across the switches in a vPC link. Otherwise, a run-time error can occur, resulting in dropped packets.
  • Beginning with Cisco NX-OS Release 5.1, DHCP snooping is supported with FabricPath. Follow these guidelines when enabling DHCP snooping in a FabricPath network:
    • DHCP snooping should be enabled on CE-FabricPath boundary switches.
    • DHCP snooping should be enabled on all access layer switches to secure the network at the access layer itself.
    • DHCP snooping does not learn any binding entries on ports in FabricPath mode, because DHCP snooping is expected to be enabled on all access layer switches. As a result, when DAI is enabled, ARP packets received on FabricPath ports are allowed.
    • IPSG cannot be enabled on ports in FabricPath mode.

    Note
    For more information on FabricPath, see the Cisco Nexus 7000 Series NX-OS FabricPath Configuration Guide.

  • DHCP smart relay and DHCP subnet broadcast support are limited to the first 100 IP addresses of the interface on which they are enabled.
  • You must configure a helper address on the interface in order to use DHCP smart relay and DHCP subnet broadcast support.
  • A maximum of 10,000 clients can use DHCP smart relay at any given time.
  • In a vPC environment with DHCP smart relay enabled, the subnet of the primary and secondary addresses of an interface should be the same on both Cisco NX-OS devices.

Default Settings for DHCP

This table lists the default settings for DHCP parameters.

Table 1 Default DHCP Parameters

Parameter                                           Default
DHCP feature                                        Disabled
DHCP snooping                                       Disabled
DHCP snooping on VLANs                              Disabled
DHCP snooping MAC address verification              Enabled
DHCP snooping Option 82 support                     Disabled
DHCP snooping trust                                 Untrusted
DHCP relay agent                                    Enabled
DHCP Option 82 for relay agent                      Disabled
Subnet broadcast support for the DHCP relay agent   Disabled
DHCP smart relay agent                              Disabled
DHCP server IP address                              None

Configuring DHCP

Minimum DHCP Configuration

Step 1   Enable the DHCP feature.
         When the DHCP feature is disabled, you cannot configure DHCP snooping.

Step 2   Enable DHCP snooping globally.

Step 3   Enable DHCP snooping on at least one VLAN.
         By default, DHCP snooping is disabled on all VLANs.

Step 4   Ensure that the DHCP server is connected to the device using a trusted interface.

Step 5   (Optional) If DHCP servers and clients are in different VRFs, do the following:
         1. Enable Option 82 for the DHCP relay agent.
         2. Enable VRF support for the DHCP relay agent.

Step 6   (Optional) Configure an interface with the IP address of the DHCP server.

Enabling or Disabling the DHCP Feature

You can enable or disable the DHCP feature on the device. By default, DHCP is disabled.

When the DHCP feature is disabled, you cannot configure DHCP snooping, the DHCP relay agent, or any of the features that depend on DHCP, such as dynamic ARP inspection and IP Source Guard. In addition, all DHCP, dynamic ARP inspection, and IP Source Guard configuration is removed from the device.

SUMMARY STEPS

  1. config t
  2. [no] feature dhcp
  3. (Optional) show running-config dhcp
  4. (Optional) copy running-config startup-config

DETAILED STEPS

Step 1   config t

         Example:
         switch# config t
         switch(config)#

         Enters global configuration mode.

Step 2   [no] feature dhcp

         Example:
         switch(config)# feature dhcp

         Enables the DHCP feature. The no option disables the DHCP feature and erases all DHCP configuration.

Step 3   (Optional) show running-config dhcp

         Example:
         switch(config)# show running-config dhcp

         Displays the DHCP configuration.

Step 4   (Optional) copy running-config startup-config

         Example:
         switch(config)# copy running-config startup-config

         Copies the running configuration to the startup configuration.

Enabling or Disabling DHCP Snooping Globally

You can enable or disable DHCP snooping globally on the device.

Before You Begin

Ensure that you have enabled the DHCP feature.

SUMMARY STEPS

  1. config t
  2. [no] ip dhcp snooping
  3. (Optional) show running-config dhcp
  4. (Optional) copy running-config startup-config

DETAILED STEPS

Step 1   config t

         Example:
         switch# config t
         switch(config)#

         Enters global configuration mode.

Step 2   [no] ip dhcp snooping

         Example:
         switch(config)# ip dhcp snooping

         Enables DHCP snooping globally. The no option disables DHCP snooping.

Step 3   (Optional) show running-config dhcp

         Example:
         switch(config)# show running-config dhcp

         Displays the DHCP configuration.

Step 4   (Optional) copy running-config startup-config

         Example:
         switch(config)# copy running-config startup-config

         Copies the running configuration to the startup configuration.

Enabling or Disabling DHCP Snooping on a VLAN

You can enable or disable DHCP snooping on one or more VLANs. By default, DHCP snooping is disabled on all VLANs.

Before You Begin

Ensure that the DHCP feature is enabled.

Note
If a VACL is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts.

SUMMARY STEPS

  1. config t
  2. [no] ip dhcp snooping vlan vlan-list
  3. (Optional) show running-config dhcp
  4. (Optional) copy running-config startup-config

DETAILED STEPS

Step 1   config t

         Example:
         switch# config t
         switch(config)#

         Enters global configuration mode.

Step 2   [no] ip dhcp snooping vlan vlan-list

         Example:
         switch(config)# ip dhcp snooping vlan 100,200,250-252

         Enables DHCP snooping on the VLANs specified by vlan-list. The no option disables DHCP snooping on the VLANs specified.

Step 3   (Optional) show running-config dhcp

         Example:
         switch(config)# show running-config dhcp

         Displays the DHCP configuration.

Step 4   (Optional) copy running-config startup-config

         Example:
         switch(config)# copy running-config startup-config

         Copies the running configuration to the startup configuration.

Enabling or Disabling DHCP Snooping MAC Address Verification

You can enable or disable DHCP snooping MAC address verification. If the device receives a packet on an untrusted interface and the source MAC address and the DHCP client hardware address do not match, address verification causes the device to drop the packet. MAC address verification is enabled by default.

Before You Begin

Ensure that the DHCP feature is enabled.

SUMMARY STEPS

  1. config t
  2. [no] ip dhcp snooping verify mac-address
  3. (Optional) show running-config dhcp
  4. (Optional) copy running-config startup-config

DETAILED STEPS

Step 1   config t

         Example:
         switch# config t
         switch(config)#

         Enters global configuration mode.

Step 2   [no] ip dhcp snooping verify mac-address

         Example:
         switch(config)# ip dhcp snooping verify mac-address

         Enables DHCP snooping MAC address verification. The no option disables MAC address verification.

Step 3   (Optional) show running-config dhcp

         Example:
         switch(config)# show running-config dhcp

         Displays the DHCP configuration.

Step 4   (Optional) copy running-config startup-config

         Example:
         switch(config)# copy running-config startup-config

         Copies the running configuration to the startup configuration.

Enabling or Disabling Option 82 Data Insertion and Removal

You can enable or disable the insertion and removal of Option 82 information for DHCP packets forwarded without the use of the DHCP relay agent. By default, the device does not include Option 82 information in DHCP packets.

Note
DHCP relay agent support for Option 82 is configured separately.

Before You Begin

Ensure that the DHCP feature is enabled.

SUMMARY STEPS

  1. config t
  2. [no] ip dhcp snooping information option
  3. (Optional) show running-config dhcp
  4. (Optional) copy running-config startup-config

DETAILED STEPS

Step 1   config t

         Example:
         switch# config t
         switch(config)#

         Enters global configuration mode.

Step 2   [no] ip dhcp snooping information option

         Example:
         switch(config)# ip dhcp snooping information option

         Enables the insertion and removal of Option 82 information for DHCP packets. The no option disables the insertion and removal of Option 82 information.

Step 3   (Optional) show running-config dhcp

         Example:
         switch(config)# show running-config dhcp

         Displays the DHCP configuration.

Step 4   (Optional) copy running-config startup-config

         Example:
         switch(config)# copy running-config startup-config

         Copies the running configuration to the startup configuration.

Enabling or Disabling Strict DHCP Packet Validation

You can enable or disable the strict validation of DHCP packets. By default, strict validation of DHCP packets is disabled.

SUMMARY STEPS

  1. config t
  2. [no] ip dhcp packet strict-validation
  3. (Optional) show running-config dhcp
  4. (Optional) copy running-config startup-config

DETAILED STEPS

Step 1   config t

         Example:
         switch# config t
         switch(config)#

         Enters global configuration mode.

Step 2   [no] ip dhcp packet strict-validation

         Example:
         switch(config)# ip dhcp packet strict-validation

         Enables the strict validation of DHCP packets. The no option disables strict DHCP packet validation.

Step 3   (Optional) show running-config dhcp

         Example:
         switch(config)# show running-config dhcp

         Displays the DHCP configuration.

Step 4   (Optional) copy running-config startup-config

         Example:
         switch(config)# copy running-config startup-config

         Copies the running configuration to the startup configuration.

Configuring an Interface as Trusted or Untrusted

You can configure whether an interface is a trusted or untrusted source of DHCP messages. By default, all interfaces are untrusted. You can configure DHCP trust on the following types of interfaces:

  • Layer 2 Ethernet interfaces
  • Layer 2 port-channel interfaces

Before You Begin

Ensure that the DHCP feature is enabled.

Ensure that the interface is configured as a Layer 2 interface.

SUMMARY STEPS

  1. config t
  2. Do one of the following options:
     • interface ethernet slot/port
     • interface port-channel channel-number
  3. [no] ip dhcp snooping trust
  4. (Optional) show running-config dhcp
  5. (Optional) copy running-config startup-config

DETAILED STEPS

Step 1   config t

         Example:
         switch# config t
         switch(config)#

         Enters global configuration mode.

Step 2   Do one of the following options:
         • interface ethernet slot/port
         • interface port-channel channel-number

         Example:
         switch(config)# interface ethernet 2/1
         switch(config-if)#

         • Enters interface configuration mode, where slot/port is the Layer 2 Ethernet interface that you want to configure as trusted or untrusted for DHCP snooping.
         • Enters interface configuration mode, where channel-number is the Layer 2 port-channel interface that you want to configure as trusted or untrusted for DHCP snooping.

Step 3   [no] ip dhcp snooping trust

         Example:
         switch(config-if)# ip dhcp snooping trust

         Configures the interface as a trusted interface for DHCP snooping. The no option configures the port as an untrusted interface.

Step 4   (Optional) show running-config dhcp

         Example:
         switch(config-if)# show running-config dhcp

         Displays the DHCP configuration.

Step 5   (Optional) copy running-config startup-config

         Example:
         switch(config-if)# copy running-config startup-config

         Copies the running configuration to the startup configuration.

Enabling or Disabling the DHCP Relay Agent

You can enable or disable the DHCP relay agent. By default, the DHCP relay agent is enabled.

Before You Begin

Ensure that the DHCP feature is enabled.

SUMMARY STEPS

  1.    config t

  2.    [no] ip dhcp relay

  3.    (Optional) show ip dhcp relay

  4.    (Optional) show running-config dhcp

  5.    (Optional) copy running-config startup-config

DETAILED STEPS

Step 1 config t

  Example:
  switch# config t
  switch(config)#

  Enters global configuration mode.

Step 2 [no] ip dhcp relay

  Example:
  switch(config)# ip dhcp relay

  Enables the DHCP relay agent. The no option disables the DHCP relay agent.

Step 3 (Optional) show ip dhcp relay

  Example:
  switch(config)# show ip dhcp relay

  Displays the DHCP relay configuration.

Step 4 (Optional) show running-config dhcp

  Example:
  switch(config)# show running-config dhcp

  Displays the DHCP configuration.

Step 5 (Optional) copy running-config startup-config

  Example:
  switch(config)# copy running-config startup-config

  Copies the running configuration to the startup configuration.

Enabling or Disabling Option 82 for the DHCP Relay Agent

You can enable or disable the device to insert and remove Option 82 information on DHCP packets forwarded by the relay agent.

By default, the DHCP relay agent does not include Option 82 information in DHCP packets.

Before You Begin

Ensure that the DHCP feature is enabled.

SUMMARY STEPS

  1.    configure terminal

  2.    [no] ip dhcp relay information option

  3.    (Optional) ip dhcp relay information sub-option circuit-id format-type string

  4.    (Optional) show ip dhcp relay

  5.    (Optional) show running-config dhcp

  6.    (Optional) copy running-config startup-config

DETAILED STEPS

Step 1 configure terminal

  Example:
  switch# configure terminal

  Enters global configuration mode.

Step 2 [no] ip dhcp relay information option

  Example:
  switch(config)# ip dhcp relay information option

  Enables the DHCP relay agent to insert and remove Option 82 information on the packets that it forwards. The Option 82 information is in binary ifindex format by default. The no option disables this behavior.

Step 3 (Optional) ip dhcp relay information sub-option circuit-id format-type string

  Example:
  switch(config)# ip dhcp relay information sub-option circuit-id format-type string

  Configures Option 82 to use encoded string format instead of the default binary ifindex format.

Step 4 (Optional) show ip dhcp relay

  Example:
  switch(config)# show ip dhcp relay

  Displays the DHCP relay configuration.

Step 5 (Optional) show running-config dhcp

  Example:
  switch(config)# show running-config dhcp

  Displays the DHCP configuration.

Step 6 (Optional) copy running-config startup-config

  Example:
  switch(config)# copy running-config startup-config

  Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Enabling or Disabling VRF Support for the DHCP Relay Agent

You can configure the device to support the relaying of DHCP requests that arrive on an interface in one VRF to a DHCP server in a different VRF.

Before You Begin

You must enable Option 82 for the DHCP relay agent.

SUMMARY STEPS

  1.    config t

  2.    [no] ip dhcp relay information option vpn

  3.    [no] ip dhcp relay sub-option type cisco

  4.    (Optional) show ip dhcp relay

  5.    (Optional) show running-config dhcp

  6.    (Optional) copy running-config startup-config

DETAILED STEPS

Step 1 config t

  Example:
  switch# config t
  switch(config)#

  Enters global configuration mode.

Step 2 [no] ip dhcp relay information option vpn

  Example:
  switch(config)# ip dhcp relay information option vpn

  Enables VRF support for the DHCP relay agent. The no option disables this behavior.

Step 3 [no] ip dhcp relay sub-option type cisco

  Example:
  switch(config)# ip dhcp relay sub-option type cisco

  Enables DHCP to use Cisco proprietary numbers 150, 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent Option 82 suboptions. The no option causes DHCP to use RFC numbers 5, 11, and 151 for the link selection, server ID override, and VRF name/VPN ID suboptions.

Step 4 (Optional) show ip dhcp relay

  Example:
  switch(config)# show ip dhcp relay

  Displays the DHCP relay configuration.

Step 5 (Optional) show running-config dhcp

  Example:
  switch(config)# show running-config dhcp

  Displays the DHCP configuration.

Step 6 (Optional) copy running-config startup-config

  Example:
  switch(config)# copy running-config startup-config

  Copies the running configuration to the startup configuration.
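The sub-option numbering chosen in Step 3 must match what the DHCP server expects, otherwise the server sees unknown sub-options where the relay put the link selection and server ID override. The Python below is an added example (not Cisco code) that decodes the same Option 82 bytes under both numberings the guide lists; the sample packet values and the RFC 6607 VSS encoding assumed for the VRF name are constructed for this example.

```python
"""Decode the DHCP Relay Agent Information option (Option 82) under either
sub-option numbering the guide describes. Added example, not Cisco code.
Numbers are from the guide: RFC 5 (link selection), 11 (server ID override),
151 (VRF name/VPN ID); 'ip dhcp relay sub-option type cisco' uses 150, 152
and 151 instead. Circuit-id (1) and remote-id (2) are from RFC 3046. Encoding
the VRF name as an RFC 6607 VSS body (type byte 0 + name) is an assumption."""
import ipaddress

OPTION_PAD, OPTION_MESSAGE_TYPE, OPTION_RELAY_AGENT, OPTION_END = 0, 53, 82, 255

SUBOPTION_NAMES = {
    "rfc": {1: "circuit-id", 2: "remote-id", 5: "link-selection",
            11: "server-id-override", 151: "vrf-name-vpn-id"},
    "cisco": {1: "circuit-id", 2: "remote-id", 150: "link-selection",
              152: "server-id-override", 151: "vrf-name-vpn-id"},
}


def parse_tlvs(data: bytes, kind: str) -> list:
    """Return (type, value) pairs from a TLV area. kind 'option' honours PAD/END;
    'sub-option' (inside Option 82) has neither. Truncated TLVs raise rather
    than being silently accepted, which is what a validating relay wants."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if kind == "option" and code == OPTION_END:
            break
        if kind == "option" and code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"{kind} {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"{kind} {code} is truncated")
        items.append((code, value))
        i += 2 + length
    return items


def decode_vss(data: bytes) -> str:
    """RFC 6607 VSS body: type 0 = ASCII VRF/VPN name, 255 = global table."""
    if not data:
        raise ValueError("empty VSS sub-option")
    if data[0] == 0:
        return data[1:].decode("ascii")
    if data[0] == 255:
        return "global"
    raise ValueError(f"unsupported VSS type {data[0]}")


def decode_option82(value: bytes, numbering: str = "rfc") -> dict:
    """Decode Option 82 sub-options. Numbers absent from the selected numbering
    stay as 'unknown-N' hex, which is how a server expecting RFC numbers sees
    a relay configured with 'sub-option type cisco'."""
    names, decoded = SUBOPTION_NAMES[numbering], {}
    for sub, data in parse_tlvs(value, "sub-option"):
        name = names.get(sub, f"unknown-{sub}")
        if name in ("link-selection", "server-id-override"):
            if len(data) != 4:
                raise ValueError(f"{name} must be a 4-byte IPv4 address")
            decoded[name] = str(ipaddress.IPv4Address(data))
        elif name == "vrf-name-vpn-id":
            decoded[name] = decode_vss(data)
        elif name == "circuit-id" and data.isascii() and data.decode().isprintable():
            decoded[name] = data.decode("ascii")  # 'circuit-id format-type string'
        else:
            decoded[name] = data.hex()            # binary ifindex form, remote-id
    return decoded


def relay_info_from_options(options: bytes, numbering: str = "rfc") -> dict:
    """Extract and decode Option 82 from a DHCP options area (the bytes after
    the magic cookie); an empty dict means the packet carries no relay info."""
    for code, value in parse_tlvs(options, "option"):
        if code == OPTION_RELAY_AGENT:
            return decode_option82(value, numbering)
    return {}


def build_option82(subs: list) -> bytes:
    # Encode (sub-option, value) pairs as TLVs; used to construct the sample.
    return b"".join(bytes([sub, len(v)]) + v for sub, v in subs)


# Constructed sample (made-up values): a DHCPDISCOVER relayed by a switch with
# 'sub-option type cisco', VRF 'red' and 'circuit-id format-type string'.
SAMPLE_OPTION82 = build_option82([
    (1, b"Ethernet2/3"),
    (150, ipaddress.IPv4Address("192.168.100.0").packed),
    (152, ipaddress.IPv4Address("10.132.7.120").packed),
    (151, b"\x00red"),
])
SAMPLE_OPTIONS = (bytes([OPTION_MESSAGE_TYPE, 1, 1])
                  + bytes([OPTION_RELAY_AGENT, len(SAMPLE_OPTION82)])
                  + SAMPLE_OPTION82 + bytes([OPTION_END]))
```

Decoding SAMPLE_OPTIONS with numbering "cisco" yields the link selection and server ID override as addresses, while "rfc" leaves them as unknown-150 and unknown-152 hex blobs.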

                         

Enabling or Disabling Subnet Broadcast Support for the DHCP Relay Agent on a Layer 3 Interface

You can configure the device to support the relaying of DHCP packets from clients to a subnet broadcast IP address. When this feature is enabled, the VLAN ACLs (VACLs) accept IP broadcast packets and all subnet broadcast (primary subnet broadcast as well as secondary subnet broadcast) packets.

Before You Begin

Ensure that the DHCP feature is enabled.

Ensure that the DHCP relay agent is enabled.

SUMMARY STEPS

  1.    config t

  2.    interface interface slot/port

  3.    [no] ip dhcp relay subnet-broadcast

  4.    exit

  5.    exit

  6.    (Optional) show ip dhcp relay

  7.    (Optional) show running-config dhcp

  8.    (Optional) copy running-config startup-config

DETAILED STEPS

Step 1 config t

  Example:
  switch# config t
  switch(config)#

  Enters global configuration mode.

Step 2 interface interface slot/port

  Example:
  switch(config)# interface ethernet 2/2
  switch(config-if)#

  Enters interface configuration mode, where slot/port is the interface for which you want to enable or disable subnet broadcast support for the DHCP relay agent.

Step 3 [no] ip dhcp relay subnet-broadcast

  Example:
  switch(config-if)# ip dhcp relay subnet-broadcast

  Enables subnet broadcast support for the DHCP relay agent. The no option disables this behavior.

Step 4 exit

  Example:
  switch(config-if)# exit
  switch(config)#

  Exits interface configuration mode.

Step 5 exit

  Example:
  switch(config)# exit
  switch#

  Exits global configuration mode.

Step 6 (Optional) show ip dhcp relay

  Example:
  switch# show ip dhcp relay

  Displays the DHCP relay configuration.

Step 7 (Optional) show running-config dhcp

  Example:
  switch# show running-config dhcp

  Displays the DHCP configuration.

Step 8 (Optional) copy running-config startup-config

  Example:
  switch# copy running-config startup-config

  Copies the running configuration to the startup configuration.

Configuring DHCP Server Addresses on an Interface

You can configure DHCP server IP addresses on an interface. When an inbound DHCP BOOTREQUEST packet arrives on the interface, the relay agent forwards the packet to all DHCP server IP addresses specified. The relay agent forwards replies from all DHCP servers to the host that sent the request.

Before You Begin

Ensure that the DHCP feature is enabled.

Ensure that the DHCP server is correctly configured.

Determine the IP address for each DHCP server that you want to configure on the interface.

If the DHCP server is in a different VRF than the interface, ensure that you have enabled VRF support.

Note

If an ingress router ACL is configured on an interface that you are configuring with a DHCP server address, ensure that the router ACL permits DHCP traffic between DHCP servers and DHCP hosts.

SUMMARY STEPS

  1.    config t

  2.    Do one of the following options:

  • interface ethernet slot/port[.number]
  • interface vlan vlan-id
  • interface port-channel channel-id[.subchannel-id]

  3.    ip dhcp relay address IP-address [use-vrf vrf-name]

  4.    (Optional) show ip dhcp relay address

  5.    (Optional) show running-config dhcp

  6.    (Optional) copy running-config startup-config

DETAILED STEPS

Step 1 config t

  Example:
  switch# config t
  switch(config)#

  Enters global configuration mode.

Step 2 Do one of the following options:
  • interface ethernet slot/port[.number]
  • interface vlan vlan-id
  • interface port-channel channel-id[.subchannel-id]

  Example:
  switch(config)# interface ethernet 2/3
  switch(config-if)#

  • Enters interface configuration mode, where slot/port is the physical Ethernet interface that you want to configure with a DHCP server IP address. If you want to configure a subinterface, include the number argument to specify the subinterface number.
  • Enters interface configuration mode, where vlan-id is the ID of the VLAN that you want to configure with a DHCP server IP address.
  • Enters interface configuration mode, where channel-id is the ID of the port channel that you want to configure with a DHCP server IP address. If you want to configure a subchannel, include the subchannel-id argument to specify the subchannel ID.

Step 3 ip dhcp relay address IP-address [use-vrf vrf-name]

  Example:
  switch(config-if)# ip dhcp relay address 10.132.7.120 use-vrf red

  Configures an IP address for a DHCP server to which the relay agent forwards BOOTREQUEST packets received on this interface.

  To configure more than one IP address, use the ip dhcp relay address command once per address.

Step 4 (Optional) show ip dhcp relay address

  Example:
  switch(config-if)# show ip dhcp relay address

  Displays all the configured DHCP server addresses.

Step 5 (Optional) show running-config dhcp

  Example:
  switch(config-if)# show running-config dhcp

  Displays the DHCP configuration.

Step 6 (Optional) copy running-config startup-config

  Example:
  switch(config-if)# copy running-config startup-config

  Copies the running configuration to the startup configuration.

Enabling or Disabling DHCP Smart Relay Globally

You can enable or disable DHCP smart relay globally on the device.

Before You Begin

Ensure that the DHCP feature is enabled.

Ensure that the DHCP relay agent is enabled.

SUMMARY STEPS

  1.    config t

  2.    [no] ip dhcp smart-relay global

  3.    (Optional) show ip dhcp relay

  4.    (Optional) show running-config dhcp

  5.    (Optional) copy running-config startup-config

DETAILED STEPS

Step 1 config t

  Example:
  switch# config t
  switch(config)#

  Enters global configuration mode.

Step 2 [no] ip dhcp smart-relay global

  Example:
  switch(config)# ip dhcp smart-relay global

  Enables DHCP smart relay globally. The no option disables DHCP smart relay.

Step 3 (Optional) show ip dhcp relay

  Example:
  switch(config)# show ip dhcp relay

  Displays the DHCP smart relay configuration.

Step 4 (Optional) show running-config dhcp

  Example:
  switch(config)# show running-config dhcp

  Displays the DHCP configuration.

Step 5 (Optional) copy running-config startup-config

  Example:
  switch(config)# copy running-config startup-config

  Copies the running configuration to the startup configuration.

Enabling or Disabling DHCP Smart Relay on a Layer 3 Interface

You can enable or disable DHCP smart relay on Layer 3 interfaces.

Before You Begin

Ensure that the DHCP feature is enabled.

Ensure that the DHCP relay agent is enabled.

SUMMARY STEPS

  1.    config t

  2.    interface interface slot/port

  3.    [no] ip dhcp smart-relay

  4.    exit

  5.    exit

  6.    (Optional) show ip dhcp relay

  7.    (Optional) show running-config dhcp

  8.    (Optional) copy running-config startup-config

DETAILED STEPS

Step 1 config t

  Example:
  switch# config t
  switch(config)#

  Enters global configuration mode.

Step 2 interface interface slot/port

  Example:
  switch(config)# interface ethernet 2/3
  switch(config-if)#

  Enters interface configuration mode, where slot/port is the interface for which you want to enable or disable DHCP smart relay.

Step 3 [no] ip dhcp smart-relay

  Example:
  switch(config-if)# ip dhcp smart-relay

  Enables DHCP smart relay on the interface. The no option disables DHCP smart relay on the interface.

Step 4 exit

  Example:
  switch(config-if)# exit
  switch(config)#

  Exits interface configuration mode.

Step 5 exit

  Example:
  switch(config)# exit
  switch#

  Exits global configuration mode.

Step 6 (Optional) show ip dhcp relay

  Example:
  switch# show ip dhcp relay

  Displays the DHCP smart relay configuration.

Step 7 (Optional) show running-config dhcp

  Example:
  switch# show running-config dhcp

  Displays the DHCP configuration.

Step 8 (Optional) copy running-config startup-config

  Example:
  switch# copy running-config startup-config

  Copies the running configuration to the startup configuration.

Verifying the DHCP Configuration

To display DHCP configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Command                         Purpose
show running-config dhcp        Displays the DHCP configuration.
show ip dhcp relay              Displays the DHCP relay configuration.
show ip dhcp relay address      Displays all the DHCP server addresses configured on the device.
show ip dhcp snooping           Displays general information about DHCP snooping.

Displaying DHCP Bindings

Use the show ip dhcp snooping binding command to display the DHCP binding table. For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Clearing the DHCP Snooping Binding Database

You can remove entries from the DHCP snooping binding database, including a single entry, all entries associated with an interface, or all entries in the database.

Before You Begin

Ensure that the DHCP feature is enabled.

SUMMARY STEPS

  1.    (Optional) clear ip dhcp snooping binding

  2.    (Optional) clear ip dhcp snooping binding interface ethernet slot/port[.subinterface-number]

  3.    (Optional) clear ip dhcp snooping binding interface port-channel channel-number[.subchannel-number]

  4.    (Optional) clear ip dhcp snooping binding vlan vlan-id mac mac-address ip ip-address interface {ethernet slot/port[.subinterface-number] | port-channel channel-number[.subchannel-number]}

  5.    (Optional) show ip dhcp snooping binding

DETAILED STEPS

Step 1 (Optional) clear ip dhcp snooping binding

  Example:
  switch# clear ip dhcp snooping binding

  Clears all entries from the DHCP snooping binding database.

Step 2 (Optional) clear ip dhcp snooping binding interface ethernet slot/port[.subinterface-number]

  Example:
  switch# clear ip dhcp snooping binding interface ethernet 1/4

  Clears entries associated with a specific Ethernet interface from the DHCP snooping binding database.

Step 3 (Optional) clear ip dhcp snooping binding interface port-channel channel-number[.subchannel-number]

  Example:
  switch# clear ip dhcp snooping binding interface port-channel 72

  Clears entries associated with a specific port-channel interface from the DHCP snooping binding database.

Step 4 (Optional) clear ip dhcp snooping binding vlan vlan-id mac mac-address ip ip-address interface {ethernet slot/port[.subinterface-number] | port-channel channel-number[.subchannel-number]}

  Example:
  switch# clear ip dhcp snooping binding vlan 23 mac 0060.3aeb.54f0 ip 10.34.54.9 interface ethernet 2/11

  Clears a single, specific entry from the DHCP snooping binding database.

Step 5 (Optional) show ip dhcp snooping binding

  Example:
  switch# show ip dhcp snooping binding

  Displays the DHCP snooping binding database.

Monitoring DHCP Snooping

Use the show ip dhcp snooping statistics command to monitor DHCP snooping. For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Configuration Examples for DHCP

This example shows how to enable DHCP snooping on two VLANs, with Option 82 support enabled and Ethernet interface 2/5 trusted because the DHCP server is connected to that interface:

  feature dhcp
  ip dhcp snooping
  ip dhcp snooping info option

  interface Ethernet 2/5
    ip dhcp snooping trust
  ip dhcp snooping vlan 1
  ip dhcp snooping vlan 50

This example shows how to enable the DHCP relay agent and configure the DHCP server IP address for Ethernet interface 2/3, where the DHCP server IP address is 10.132.7.120 and the DHCP server is in the VRF named red:

  feature dhcp
  ip dhcp snooping
  ip dhcp relay
  ip dhcp relay information option
  ip dhcp relay information option vpn

  interface Ethernet 2/3
    ip dhcp relay address 10.132.7.120 use-vrf red

This example shows how to enable and use the DHCP smart relay agent. In this example, the switch forwards the DHCP broadcast packets received on Ethernet interface 2/2 to the DHCP server (10.55.11.3), inserting 192.168.100.1 in the giaddr field. If the DHCP server has a pool configured for the 192.168.100.0/24 network, it responds. If the server does not respond, the switch sends two more requests using 192.168.100.1 in the giaddr field. If the switch still does not receive a response, it starts using 172.16.31.254 in the giaddr field instead.

  feature dhcp
  ip dhcp snooping
  ip dhcp relay
  ip dhcp smart-relay global

  interface Ethernet 2/2
    ip address 192.168.100.1/24
    ip address 172.16.31.254/24 secondary
    ip dhcp relay address 10.55.11.3
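The giaddr rotation described for the smart relay example above, modelled in Python as an added example (not NX-OS code) with the addresses and server from that configuration. The per-client retry counter, the reset when a reply arrives, and the subnet check on the offered address are assumptions of this model, not behaviour the guide states.

```python
"""Model of the giaddr selection the guide describes for DHCP smart relay on a
Layer 3 interface that has a primary and a secondary address. Added example,
not NX-OS code. From the guide: the relay inserts the primary address as
giaddr first; if the server does not answer that request and two more, the
relay moves to the secondary address. The per-client counter, the reset when
a reply arrives and the subnet check on the offered address are assumptions."""
import ipaddress

REQUESTS_PER_ADDRESS = 3  # the initial request plus two more before moving on


class SmartRelayInterface:
    def __init__(self, addresses: list, server: str):
        # addresses[0] is the primary; the rest are secondaries, in order
        self.addresses = [ipaddress.IPv4Interface(a) for a in addresses]
        self.server = ipaddress.IPv4Address(server)
        self._unanswered = {}  # client MAC -> requests forwarded without a reply

    def forward_request(self, client_mac: str) -> tuple:
        """Return the (giaddr, server) pair the relay uses for this request.
        Once every address has been tried the relay stays on the last one."""
        n = self._unanswered.get(client_mac, 0)
        index = min(n // REQUESTS_PER_ADDRESS, len(self.addresses) - 1)
        self._unanswered[client_mac] = n + 1
        return str(self.addresses[index].ip), str(self.server)

    def receive_reply(self, client_mac: str, yiaddr: str) -> bool:
        """Clear the client's retry state and report whether the offered address
        belongs to one of this interface's subnets (a sanity check on the
        server's pool selection; the guide does not specify relay behaviour here)."""
        self._unanswered.pop(client_mac, None)
        offered = ipaddress.IPv4Address(yiaddr)
        return any(offered in a.network for a in self.addresses)


def giaddr_sequence(relay: SmartRelayInterface, client_mac: str, attempts: int) -> list:
    """giaddr used on each of `attempts` consecutive requests that get no reply."""
    return [relay.forward_request(client_mac)[0] for _ in range(attempts)]


if __name__ == "__main__":
    # Constructed run on the interface from the configuration example above;
    # the client MAC is made up.
    relay = SmartRelayInterface(["192.168.100.1/24", "172.16.31.254/24"], "10.55.11.3")
    print(giaddr_sequence(relay, "0060.3aeb.54f0", 5))
```

Five unanswered requests produce 192.168.100.1 three times and then 172.16.31.254, matching the sequence the paragraph above describes.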

Additional References for DHCP

Related Documents

  DHCP commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
    Cisco Nexus 7000 Series NX-OS Security Command Reference

  VRFs and Layer 3 virtualization
    Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide

  vPCs
    Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide

Standards

  RFC 2131: Dynamic Host Configuration Protocol (http://tools.ietf.org/html/rfc2131)

  RFC 3046: DHCP Relay Agent Information Option (http://tools.ietf.org/html/rfc3046)

Feature History for DHCP

This table lists the release history for this feature.

Table 2  Feature History for DHCP

| Feature Name | Releases | Feature Information |
|---|---|---|
| DHCP | 5.2(1) | Added support for DHCP smart relay. |
| DHCP | 5.2(1) | Added subnet broadcast support for the DHCP relay agent. |
| DHCP | 5.1(1) | Optimized DHCP snooping to work in a vPC environment. |
| DHCP | 5.0(2) | Modified the DHCP relay agent to support VRFs, added the ip dhcp relay information option vpn command, and modified the ip dhcp relay address command to add the use-vrf vrf-name option. |
| DHCP | 5.0(2) | Added the ip dhcp relay sub-option type cisco command, which makes the relay agent use the Cisco proprietary Option 82 suboption numbers 150 (link selection), 151 (VRF name/VPN ID), and 152 (server ID override). |
| DHCP | 4.2(1) | Deprecated the service dhcp command and replaced it with the ip dhcp relay command. |
