When you are configuring DHCP snooping, it is important that you understand the difference between enabling the DHCP snooping feature and globally enabling DHCP snooping.
The DHCP snooping feature is disabled by default. When the DHCP snooping feature is disabled, you cannot configure it or any of the features that depend on DHCP snooping. The commands to configure DHCP snooping and its dependent features are unavailable when DHCP snooping is disabled.
When you enable the DHCP snooping feature, the switch begins building and maintaining the DHCP snooping binding database. Features dependent on the DHCP snooping binding database can now make use of it and can therefore also be configured.
Enabling the DHCP snooping feature does not globally enable it. You must separately enable DHCP snooping globally.
Disabling the DHCP snooping feature removes all DHCP snooping configuration from the switch. If you want to disable DHCP snooping and preserve the configuration, globally disable DHCP snooping and do not disable the DHCP snooping feature.
After DHCP snooping is feature enabled, DHCP snooping is globally disabled by default. Global enablement is a second level of enablement that allows you to have separate control of whether the switch is actively performing DHCP snooping that is independent from enabling the DHCP snooping binding database.
When you globally enable DHCP snooping, on each untrusted interface of VLANs that have DHCP snooping enabled, the switch begins validating DHCP messages received and using the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
When you globally disable DHCP snooping, the switch stops validating DHCP messages and validating subsequent requests from untrusted hosts. It also removes the DHCP snooping binding database. Globally disabling DHCP snooping does not remove any DHCP snooping configuration or the configuration of other features that are dependent upon the DHCP snooping feature.
Trusted and Untrusted Sources
You can configure whether DHCP snooping trusts traffic sources. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.
In an enterprise network, a trusted source is a switch that is under your administrative control. These switchs include the switches, routers, and servers in the network. Any switch beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.
In a service provider environment, any switch that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.
In the Cisco NX-OS 5000 Series switch, you indicate that a source is trusted by configuring the trust state of its connecting interface.
The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to switchs (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.
For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces.
DHCP Snooping Binding Database
Using information extracted from intercepted DHCP messages, DHCP snooping dynamically builds and maintains a database. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.
The DHCP snooping binding database is also referred to as the DHCP snooping binding table.
DHCP snooping updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host.
Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.
You can remove entries from the binding database by using the clear ip dhcp snooping binding command.
DHCP Snooping Option 82 Data Insertion
DHCP can centrally manage the IP address assignments for a large number of subscribers. When you enable Option 82, the device identifies a subscriber device that connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can connect to the same port on the access device and are uniquely identified.
When you enable Option 82 on the Cisco NX-OS device, the following sequence of events occurs:
The host (DHCP client) generates a DHCP request and broadcasts it on the network.
When the Cisco NX-OS device receives the DHCP request, it adds the Option 82 information in the packet. The Option 82 information contains the device MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption). For hosts behind the port channel, the circuit ID is filled with the if_index of the port channel.
The device forwards the DHCP request that includes the Option 82 field to the DHCP server.
The DHCP server receives the packet. If the server is Option 82 capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server echoes the Option 82 field in the DHCP reply.
The DHCP server sends the reply to the Cisco NX-OS device. The Cisco NX-OS device verifies that it originally inserted the Option 82 data by inspecting the remote ID and possibly the circuit ID fields. The Cisco NX-OS device removes the Option 82 field and forwards the packet to the interface that connects to the DHCP client that sent the DHCP request.
If the previously described sequence of events occurs, the following values do not change:
Circuit ID suboption fields
Length of the suboption type
Circuit ID type
Length of the circuit ID type
Remote ID suboption fields
Length of the suboption type
Remote ID type
Length of the circuit ID type
This figure shows the packet formats for the remote ID suboption and the circuit ID suboption. The Cisco NX-OS device uses the packet formats when you globally enable DHCP snooping and when you enable Option 82 data insertion and removal. For the circuit ID suboption, the module field is the slot number of the module.
Figure 1. Suboption Packet Formats
DHCP Snooping in a vPC Environment
A virtual port channel (vPC) allows two Cisco NX-OS switches to appear as a single logical port channel to a third switch. The third switch can be a switch, server, or any other networking switch that supports port channels.
In a typical vPC environment, DHCP requests can reach one vPC peer switch and the responses can reach the other vPC peer switch, resulting in a partial DHCP (IP-MAC) binding entry in one switch and no binding entry in the other switch. Beginning with Cisco NX-OS Release 5.1, this issue is addressed by using Cisco Fabric Service over Ethernet (CFSoE) distribution to ensure that all DHCP packets (requests and responses) appear on both switches, which helps in creating and maintaining the same binding entry on both switches for all clients behind the vPC link.
CFSoE distribution also allows only one switch to forward the DHCP requests and responses on the vPC link. In non-vPC environments, both switches forward the DHCP packets.
The dynamic DHCP binding entries should be in sync in the following scenarios:
When the remote vPC is online, all the binding entries for that vPC link should be in sync with the peer.
When DHCP snooping is enabled on the peer switch, the dynamic binding entries for all vPC links that are up remotely should be in sync with the peer.
The switch validates DHCP packets received on the untrusted interfaces of VLANs that have DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case, the packet is dropped):
The switch receives a DHCP response packet (such as a DHCPACK, DHCPNAK, or DHCPOFFER packet) on an untrusted interface.
The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
In addition, you can enable strict validation of DHCP packets, which checks the options field of DHCP packets, including the “magic cookie” value in the first four bytes of the options field. By default, strict validation is disabled. When you enable it, by using the ip dhcp packet strict-validation command, if DHCP snooping processes a packet that has an invalid options field, it drops the packet.
Information About the DHCP Relay Agent
DHCP Relay Agent
You can configure the device to run a DHCP relay agent, which forwards DHCP packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agent forwarding is distinct from the normal forwarding of an IP router, where IP datagrams are switched between networks somewhat transparently. By contrast, relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface. The relay agent sets the gateway address (giaddr field of the DHCP packet) and, if configured, adds the relay agent information option (Option 82) in the packet and forwards it to the DHCP server. The reply from the server is forwarded back to the client after removing Option 82.
When the device relays a DHCP request that already includes Option 82 information, the device forwards the request with the original Option 82 information without altering it.
VRF Support for the DHCP Relay Agent
You can configure the DHCP relay agent to forward DHCP broadcast messages from clients in a virtual routing and forwarding instance (VRF) to DHCP servers in a different VRF. By using a single DHCP server to provide DHCP support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF.
Enabling VRF support for the DHCP relay agent requires that you enable Option 82 for the DHCP relay agent.
If a DHCP request arrives on an interface that you have configured with a DHCP relay address and VRF information and the address of the DCHP server belongs to a network on an interface that is a member of a different VRF, the device inserts Option 82 information in the request and forwards it to the DHCP server in the server VRF. The Option 82 information that the devices adds to a DHCP request relayed to a different VRF includes the following:
Contains the name of the VRF that the interface that receives the DHCP request is a member of.
Contains the subnet address of the interface that receives the DHCP request.
Server identifier override
Contains the IP address of the interface that receives the DHCP request.
The DHCP server must support the VPN identifier, link selection, and server identifier override options.
When the device receives the DHCP response message, it strips off the Option 82 information and forwards the response to the DHCP client in the client VRF.
DHCP Relay Binding Database
A relay binding is an entity that associates a DHCP or BOOTP client with a relay agent address and its subnet. Each relay binding stores the client MAC address, active relay agent address, active relay agent address mask, logical and physical interfaces to which the client is connected, giaddr retry count, and total retry count. The giaddr retry count is the number of request packets transmitted with that relay agent address, and the total retry count is the total number of request packets transmitted by the relay agent. One relay binding entry is maintained for each DHCP or BOOTP client.
Guidelines and Limitations for DHCP Snooping
DHCP snooping has the following configuration guidelines and limitations:
The DHCP snooping database can store 2000 bindings.
DHCP snooping is not active until you enable the feature, enable DHCP snooping globally, and enable DHCP snooping on at least one VLAN.
Before globally enabling DHCP snooping on the switch, make sure that the switches acting as the DHCP server are configured and enabled.
If a VLAN ACL (VACL) is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts.
Make sure that the DHCP configuration is synchronized across the switches in a vPC link. Otherwise, a run-time error can occur, resulting in dropped packets.
Default Settings for DHCP Snooping
This table lists the default settings for DHCP snooping parameters.
Table 1 Default DHCP Snooping Parameters
DHCP snooping feature
DHCP snooping globally enabled
DHCP snooping VLAN
DHCP snooping Option 82 support
DHCP snooping trust
Configuring DHCP Snooping
Minimum DHCP Snooping Configuration
Enable the DHCP snooping feature.
When the DHCP snooping feature is disabled, you cannot configure DHCP snooping.
Enable DHCP snooping globally.
Enable DHCP snooping on at least one VLAN.
By default, DHCP snooping is disabled on all VLANs.
Ensure that the DHCP server is connected to the switch using a trusted interface.
Enabling or Disabling the DHCP Snooping Feature
You can enable or disable the DHCP snooping feature on the switch. By default, DHCP snooping is disabled.
Before You Begin
If you disable the DHCP snooping feature, all DHCP snooping configuration is lost. If you want to turn off DHCP snooping and preserve the DHCP snooping configuration, disable DHCP globally.
2.[no] feature dhcp
4.(Optional) copy running-config startup-config
Command or Action
switch# config t
Enters global configuration mode.
[no] feature dhcp
switch(config)# feature dhcp
Enables the DHCP snooping feature. The no option disables the DHCP snooping feature and erases all DHCP snooping configuration.
Copies the running configuration to the startup configuration.
Enabling or Disabling VRF Support for the DHCP Relay Agent
You can configure the device to support the relaying of DHCP requests that arrive on an interface in one VRF to a DHCP server in a different VRF.
Before You Begin
You must enable Option 82 for the DHCP relay agent.
2.[no] ip dhcp relay information option vpn
3.[no] ip dhcp relay sub-option type cisco
4.(Optional) showip dhcp relay
5.(Optional) showrunning-config dhcp
6.(Optional) copy running-config startup-config
Command or Action
switch# config t
Enters global configuration mode.
[no] ip dhcp relay information option vpn
switch(config)# ip dhcp relay information option vpn
Enables VRF support for the DHCP relay agent. The no option disables this behavior.
[no] ip dhcp relay sub-option type cisco
switch(config)# ip dhcp relay sub-option type cisco
Enables DHCP to use Cisco proprietary numbers 150, 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent Option 82 suboptions. The no option causes DHCP to use RFC numbers 5, 11, and 151 for the link selection, server ID override, and VRF name/VPN ID suboptions, respectively.
To display DHCP snooping configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the Cisco Nexus 5000 Series NX-OS Security Command Reference.
show running-config dhcp
Displays the DHCP snooping configuration.
show ip dhcp snooping
Displays general information about DHCP snooping.
Displaying DHCP Bindings
Use the show ip dhcp snooping binding command to display the DHCP static and dynamic binding table. Use the show ip dhcp snooping binding dynamic to display the DHCP dynamic binding table.
For detailed information about the fields in the output from this command, see the Cisco Nexus 5000 Series NX-OS Security Command Reference, Release 5.x.
This example shows how to create a static DHCP binding and then verify the binding using the show ip dhcp snooping binding command.
switch# configuration terminal
switch(config)# ip source binding 10.20.30.40 0000.1111.2222 vlan 400 interface port-channel 500
switch(config)# show ip dhcp snooping binding
MacAddress IpAddress LeaseSec Type VLAN Interface
----------------- --------------- -------- ---------- ---- -------------
00:00:11:11:22:22 10.20.30.40 infinite static 400 port-channel500
Clearing the DHCP Snooping Binding Database
You can remove entries from the DHCP snooping binding database, including a single entry, all entries associated with an interface, or all entries in the database.
Before You Begin
Ensure that DHCP snooping is enabled.
1.(Optional) clear ip dhcp snooping binding
2.(Optional) clear ip dhcp snooping binding interface ethernetslot/port[.subinterface-number]
3.(Optional) clear ip dhcp snooping binding interface port-channelchannel-number[.subchannel-number]