Configuring DHCP Snooping
Available Languages
Contents
- Configuring DHCP Snooping
- Information About DHCP Snooping
- Feature Enabled and Globally Enabled
- Trusted and Untrusted Sources
- DHCP Snooping Binding Database
- Information About the DHCP Relay Agent
- DHCP Relay Agent
- VRF Support for the DHCP Relay Agent
- DHCP Relay Binding Database
- Guidelines and Limitations for DHCP Snooping
- Default Settings for DHCP Snooping
- Configuring DHCP Snooping
- Minimum DHCP Snooping Configuration
- Enabling or Disabling the DHCP Snooping Feature
- Enabling or Disabling DHCP Snooping Globally
- Enabling or Disabling DHCP Snooping on a VLAN
- Enabling or Disabling Strict DHCP Packet Validation
- Configuring an Interface as Trusted or Untrusted
- Enabling or Disabling the DHCP Relay Agent
- Enabling or Disabling VRF Support for the DHCP Relay Agent
- Enabling or Disabling Subnet Broadcast Support for the DHCP Relay Agent on a Layer 3 Interface
- Creating a DHCP Static Binding
- Verifying the DHCP Snooping Configuration
- Displaying DHCP Bindings
- Clearing the DHCP Snooping Binding Database
- Configuration Examples for DHCP Snooping
Configuring DHCP Snooping
This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on a Cisco NX-OS device.
- Information About DHCP Snooping
- Information About the DHCP Relay Agent
- Guidelines and Limitations for DHCP Snooping
- Default Settings for DHCP Snooping
- Configuring DHCP Snooping
- Verifying the DHCP Snooping Configuration
- Displaying DHCP Bindings
- Clearing the DHCP Snooping Binding Database
- Configuration Examples for DHCP Snooping
Information About DHCP Snooping
DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:
- Validates DHCP messages received from untrusted sources and filters out invalid messages.
- Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
- Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
Feature Enabled and Globally Enabled
When you are configuring DHCP snooping, it is important that you understand the difference between enabling the DHCP snooping feature and globally enabling DHCP snooping.
Feature Enablement
The DHCP snooping feature is disabled by default. When the DHCP snooping feature is disabled, you cannot configure it or any of the features that depend on DHCP snooping. The commands to configure DHCP snooping and its dependent features are unavailable when DHCP snooping is disabled.
When you enable the DHCP snooping feature, the switch begins building and maintaining the DHCP snooping binding database. Features dependent on the DHCP snooping binding database can now make use of it and can therefore also be configured.
Enabling the DHCP snooping feature does not globally enable it. You must separately enable DHCP snooping globally.
Disabling the DHCP snooping feature removes all DHCP snooping configuration from the switch. If you want to disable DHCP snooping and preserve the configuration, globally disable DHCP snooping and do not disable the DHCP snooping feature.
Global Enablement
After DHCP snooping is feature enabled, DHCP snooping is globally disabled by default. Global enablement is a second level of enablement that allows you to have separate control of whether the switch is actively performing DHCP snooping that is independent from enabling the DHCP snooping binding database.
When you globally enable DHCP snooping, on each untrusted interface of VLANs that have DHCP snooping enabled, the switch begins validating DHCP messages received and using the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
When you globally disable DHCP snooping, the switch stops validating DHCP messages and validating subsequent requests from untrusted hosts. It also removes the DHCP snooping binding database. Globally disabling DHCP snooping does not remove any DHCP snooping configuration or the configuration of other features that are dependent upon the DHCP snooping feature.
Trusted and Untrusted Sources
You can configure whether DHCP snooping trusts traffic sources. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.
In an enterprise network, a trusted source is a switch that is under your administrative control. These switchs include the switches, routers, and servers in the network. Any switch beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.
In a service provider environment, any switch that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.
In the Cisco Nexus 3000 Series switch, you indicate that a source is trusted by configuring the trust state of its connecting interface.
The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to switches (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.
Note
For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces.
DHCP Snooping Binding Database
Using information extracted from intercepted DHCP messages, DHCP snooping dynamically builds and maintains a database. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.
Note
The DHCP snooping binding database is also referred to as the DHCP snooping binding table.
DHCP snooping updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host.
Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.
You can remove entries from the binding database by using the clear ip dhcp snooping binding command.
Information About the DHCP Relay Agent
DHCP Relay Agent
You can configure the device to run a DHCP relay agent, which forwards DHCP packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agent forwarding is distinct from the normal forwarding of an IP router, where IP datagrams are switched between networks somewhat transparently. By contrast, relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface. The relay agent sets the gateway address (giaddr field of the DHCP packet) and, if configured, adds the relay agent information option (Option 82) in the packet and forwards it to the DHCP server. The reply from the server is forwarded back to the client after removing Option 82.
Note
When the device relays a DHCP request that already includes Option 82 information, the device forwards the request with the original Option 82 information without altering it.
VRF Support for the DHCP Relay Agent
You can configure the DHCP relay agent to forward DHCP broadcast messages from clients in a virtual routing and forwarding instance (VRF) to DHCP servers in a different VRF. By using a single DHCP server to provide DHCP support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF.
Enabling VRF support for the DHCP relay agent requires that you enable Option 82 for the DHCP relay agent.
If a DHCP request arrives on an interface that you have configured with a DHCP relay address and VRF information and the address of the DCHP server belongs to a network on an interface that is a member of a different VRF, the device inserts Option 82 information in the request and forwards it to the DHCP server in the server VRF. The Option 82 information that the devices adds to a DHCP request relayed to a different VRF includes the following:
- VPN identifier
Contains the name of the VRF that the interface that receives the DHCP request is a member of.
- Link selection
Contains the subnet address of the interface that receives the DHCP request.
- Server identifier override
Contains the IP address of the interface that receives the DHCP request.
Note
The DHCP server must support the VPN identifier, link selection, and server identifier override options.
When the device receives the DHCP response message, it strips off the Option 82 information and forwards the response to the DHCP client in the client VRF.
DHCP Relay Binding Database
A relay binding is an entity that associates a DHCP or BOOTP client with a relay agent address and its subnet. Each relay binding stores the client MAC address, active relay agent address, active relay agent address mask, logical and physical interfaces to which the client is connected, giaddr retry count, and total retry count. The giaddr retry count is the number of request packets transmitted with that relay agent address, and the total retry count is the total number of request packets transmitted by the relay agent. One relay binding entry is maintained for each DHCP or BOOTP client.
Note
When DHCP smart relay is enabled globally or at the interface level on any switch, the relay bindings on all switches should be synchronized with the vPC peer.
Guidelines and Limitations for DHCP Snooping
DHCP snooping has the following configuration guidelines and limitations:
- The DHCP snooping database can store 2000 bindings.
- DHCP snooping is not active until you enable the feature, enable DHCP snooping globally, and enable DHCP snooping on at least one VLAN.
- Before globally enabling DHCP snooping on the switch, make sure that the switches acting as the DHCP server and the DHCP relay agent are configured and enabled.
- If a VLAN ACL (VACL) is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts.
Configuring DHCP Snooping
Minimum DHCP Snooping Configuration
Enabling or Disabling the DHCP Snooping Feature
You can enable or disable the DHCP snooping feature on the switch. By default, DHCP snooping is disabled.
Before You BeginSUMMARY STEPSIf you disable the DHCP snooping feature, all DHCP snooping configuration is lost. If you want to turn off DHCP snooping and preserve the DHCP snooping configuration, disable DHCP globally.
1. config t
2. [no] feature dhcp
3. show running-config dhcp
4. (Optional) copy running-config startup-config
DETAILED STEPS
Enabling or Disabling DHCP Snooping Globally
You can enable or disable the DHCP snooping globally on the switch. Globally disabling DHCP snooping stops the switch from performing any DHCP snooping or relaying DHCP messages. It preserves DCHP snooping configuration.
Before You BeginSUMMARY STEPSEnsure that you have enabled the DHCP snooping feature.
By default, DHCP snooping is globally disabled.
1. config t
2. [no] ip dhcp snooping
3. show running-config dhcp
4. (Optional) copy running-config startup-config
DETAILED STEPS
Enabling or Disabling DHCP Snooping on a VLAN
Before You BeginSUMMARY STEPSBy default, DHCP snooping is disabled on all VLANs.
Ensure that DHCP snooping is enabled.
Note
If a VACL is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts.
1. config t
2. [no] ip dhcp snooping vlan vlan-list
3. show running-config dhcp
4. (Optional) copy running-config startup-config
DETAILED STEPS
Enabling or Disabling Strict DHCP Packet Validation
SUMMARY STEPSYou can enable or disable the strict validation of DHCP packets by the DHCP snooping feature. By default, strict validation of DHCP packets is disabled.
1. config t
2. [no] ip dhcp packet strict-validation
3. show running-config dhcp
4. (Optional) copy running-config startup-config
DETAILED STEPS
Configuring an Interface as Trusted or Untrusted
SUMMARY STEPSYou can configure whether an interface is a trusted or untrusted source of DHCP messages. You can configure DHCP trust on the following types of interfaces:
1. config t
2. Do one of the following options.
3. [no] ip dhcp snooping trust
4. show running-config dhcp
5. (Optional) copy running-config startup-config
DETAILED STEPS
Enabling or Disabling the DHCP Relay Agent
SUMMARY STEPS
1. config t
2. [no] ip dhcp relay
3. (Optional) show ip dhcp relay
4. (Optional) show running-config dhcp
5. (Optional) copy running-config startup-config
DETAILED STEPS
Enabling or Disabling VRF Support for the DHCP Relay Agent
SUMMARY STEPSYou can configure the device to support the relaying of DHCP requests that arrive on an interface in one VRF to a DHCP server in a different VRF.
1. config t
2. [no] ip dhcp relay information option vpn
3. [no] ip dhcp relay sub-option type cisco
4. (Optional) show ip dhcp relay
5. (Optional) show running-config dhcp
6. (Optional) copy running-config startup-config
DETAILED STEPS
Enabling or Disabling Subnet Broadcast Support for the DHCP Relay Agent on a Layer 3 Interface
You can configure the device to support the relaying of DHCP packets from clients to a subnet broadcast IP address. When this feature is enabled, the VLAN ACLs (VACLs) accept IP broadcast packets and all subnet broadcast (primary subnet broadcast as well as secondary subnet broadcast) packets.
Before You BeginSUMMARY STEPSEnsure that the DHCP feature is enabled.
Ensure that the DHCP relay agent is enabled.
1. config t
2. interface interface slot/port
3. [no] ip dhcp relay subnet-broadcast
4. exit
5. exit
6. (Optional) show ip dhcp relay
7. (Optional) show running-config dhcp
8. (Optional) copy running-config startup-config
DETAILED STEPS
Creating a DHCP Static Binding
SUMMARY STEPS
1. config t
2. ip source binding IP-address MAC-address vlan vlan-id {interface ethernet slot/port | port-channel channel-no}
3. (Optional) show ip dhcp snooping binding
4. (Optional) show ip dhcp snooping binding dynamic
5. (Optional) copy running-config startup-config
DETAILED STEPS
Verifying the DHCP Snooping Configuration
To display DHCP snooping configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the Cisco Nexus 3000 Series NX-OS System Management Configuration Guide.
Command
Purpose
show running-config dhcp
Displays the DHCP snooping configuration.
show ip dhcp snooping
Displays general information about DHCP snooping.
Displaying DHCP Bindings
Use the show ip dhcp snooping binding command to display the DHCP static and dynamic binding table. Use the show ip dhcp snooping binding dynamic to display the DHCP dynamic binding table.
For detailed information about the fields in the output from this command, see the Cisco Nexus 3000 Series NX-OS System Management Configuration Guide.
This example shows how to create a static DHCP binding and then verify the binding using the show ip dhcp snooping binding command.
switch# configuration terminal switch(config)# ip source binding 10.20.30.40 0000.1111.2222 vlan 400 interface port-channel 500 switch(config)# show ip dhcp snooping binding MacAddress IpAddress LeaseSec Type VLAN Interface ----------------- --------------- -------- ---------- ---- ------------- 00:00:11:11:22:22 10.20.30.40 infinite static 400 port-channel500Clearing the DHCP Snooping Binding Database
SUMMARY STEPSYou can remove entries from the DHCP snooping binding database, including a single entry, all entries associated with an interface, or all entries in the database.
1. (Optional) clear ip dhcp snooping binding
2. (Optional) clear ip dhcp snooping binding interface ethernet slot/port[.subinterface-number]
3. (Optional) clear ip dhcp snooping binding interface port-channel channel-number[.subchannel-number]
4. (Optional) clear ip dhcp snooping binding vlan vlan-id mac mac-address ip ip-address interface {ethernet slot/port[.subinterface-number | port-channel channel-number[.subchannel-number] }
5. show ip dhcp snooping binding
DETAILED STEPS
Configuration Examples for DHCP Snooping
This example shows how to enable DHCP snooping on two VLANs, with Option 82 support enabled and Ethernet interface 2/5 trusted because the DHCP server is connected to that interface:
feature dhcp ip dhcp snooping ip dhcp snooping info option interface Ethernet 2/5 ip dhcp snooping trust ip dhcp snooping vlan 1 ip dhcp snooping vlan 50
Feedback