The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure the Dynamic Host Configuration Protocol (DHCP) on a Cisco NX-OS device.
This chapter includes the following sections:
Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information"chapter or the Feature History table in this chapter.
DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:
Validates DHCP messages received from untrusted sources and filters out invalid messages.
Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
DHCP snooping can be enabled globally and on a per-VLAN basis. By default, the feature is disabled globally and on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
You can configure whether DHCP snooping trusts traffic sources. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.
In an enterprise network, a trusted source is a device that is under your administrative control. These devices include the switches, routers, and servers in the network. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.
In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.
In the Cisco NX-OS device, you indicate that a source is trusted by configuring the trust state of its connecting interface.
The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.
 Note |
For DHCP snooping to function properly, all DHCP servers must be connected to the device through trusted interfaces. |
Using information extracted from intercepted DHCP messages, DHCP snooping dynamically builds and maintains a database. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.
Note |
The DHCP snooping binding database is also referred to as the DHCP snooping binding table. |
DHCP snooping updates the database when the device receives specific DHCP messages. For example, the feature adds an entry to the database when the device receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the device receives a DHCPRELEASE message from the host.
Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.
Dynamic ARP inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database.
You can remove entries from the binding database by using the clear ip dhcp snooping binding command.
The device validates DHCP packets received on the untrusted interfaces of VLANs that have DHCP snooping enabled. The device forwards the DHCP packet unless any of the following conditions occur (in which case, the packet is dropped):
The device receives a DHCP response packet (such as a DHCPACK, DHCPNAK, or DHCPOFFER packet) on an untrusted interface.
The device receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
The device receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
In addition, you can enable strict validation of DHCP packets, which checks the options field of DHCP packets, including the “magic cookie” value in the first four bytes of the options field. By default, strict validation is disabled. When you enable it, by using the ip dhcp packet strict-validation command, if DHCP snooping processes a packet that has an invalid options field, it drops the packet.
DHCP can centrally manage the IP address assignments for a large number of subscribers. When you enable Option 82, the device identifies a subscriber device that connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can connect to the same port on the access device and are uniquely identified.
When you enable Option 82 on the Cisco NX-OS device, the following sequence of events occurs:
The host (DHCP client) generates a DHCP request and broadcasts it on the network.
When the Cisco NX-OS device receives the DHCP request, it adds the Option 82 information in the packet. The Option 82 information contains the device MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption). For hosts behind the port channel, the circuit ID is filled with the if_index of the port channel.
The device forwards the DHCP request that includes the Option 82 field to the DHCP server.
The DHCP server receives the packet. If the server is Option 82 capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server echoes the Option 82 field in the DHCP reply.
The DHCP server sends the reply to the Cisco NX-OS device. The Cisco NX-OS device verifies that it originally inserted the Option 82 data by inspecting the remote ID and possibly the circuit ID fields. The Cisco NX-OS device removes the Option 82 field and forwards the packet to the interface that connects to the DHCP client that sent the DHCP request.
If the previously described sequence of events occurs, the following values do not change:
Circuit ID suboption fields
Suboption type
Length of the suboption type
Circuit ID type
Length of the circuit ID type
Remote ID suboption fields
Suboption type
Length of the suboption type
Remote ID type
Length of the circuit ID type
This figure shows the packet formats for the remote ID suboption and the circuit ID suboption. The Cisco NX-OS device uses the packet formats when you globally enable DHCP snooping and when you enable Option 82 data insertion and removal. For the circuit ID suboption, the module field is the slot number of the module.
Beginning with Cisco NX-OS Release 6.2(2), a new circuit ID format is used when Option 82 is enabled in DHCP snooping. The new circuit ID format is used by default and cannot be disabled. However, you might need to configure the DHCP server for the new circuit ID format if it was using the old Option 82 format for IP address allocation. These figures show the new default circuit ID format that is used for regular interfaces and vPC interfaces when Option 82 is enabled for DHCP snooping.
The enhanced Option 82 format improves DHCP packet processing. For vPC and vPC+ interfaces, the new format assigns vPC peers a unique circuit ID in case some are configured with different port channel numbers.
You can configure the device to run a DHCP relay agent, which forwards DHCP packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface. The relay agent sets the gateway address (giaddr field of the DHCP packet) and, if configured, adds the relay agent information option (Option 82) in the packet and forwards it to the DHCP server. The reply from the server is forwarded back to the client after removing Option 82.
After you enable Option 82, the device uses the binary ifindex format by default. If needed, you can change the Option 82 setting to use an encoded string format instead.
Note |
When the device relays a DHCP request that already includes Option 82 information, the device forwards the request with the original Option 82 information without altering it. |
You can enable the device to insert and remove Option 82 information on DHCP packets that are forwarded by the relay agent.
This figure shows an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the device at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
When you enable Option 82 for the DHCP relay agent on the Cisco NX-OS device, the following sequence of events occurs:
The host (DHCP client) generates a DHCP request and broadcasts it on the network.
When the Cisco NX-OS device receives the DHCP request, it adds the Option 82 information in the packet. The Option 82 information contains the device MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption). In DHCP relay, the circuit ID is filled with the if_index of the SVI or Layer 3 interface on which DHCP relay is configured.
Note |
For vPC peer devices, the remote ID suboption contains the vPC device MAC address, which is unique in both devices. This MAC address is computed with the vPC domain ID. The Option 82 information is inserted at the device where the DHCP request is first received before it is forwarded to the other vPC peer device. |
When dhcp relay source interface interface is configured the device adds the configured source interface IP address as giaddr to the DHCP packet if source interface vrf is same as that of DHCP server VRF, otherwise IP address of the interface through which the server is reachable will be used as giaddr.
The device forwards the DHCP request that includes the Option 82 field to the DHCP server.
The DHCP server receives the packet. If the server is Option 82 capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server echoes the Option 82 field in the DHCP reply.
The DHCP server unicasts the reply to the Cisco NX-OS device if the request was relayed to the server by the device. The Cisco NX-OS device verifies that it originally inserted the Option 82 data by inspecting the remote ID and possibly the circuit ID fields. The Cisco NX-OS device removes the Option 82 field and forwards the packet to the interface that connects to the DHCP client that sent the DHCP request.
You can configure the device to run a DHCPv6 relay agent, which forwards DHCPv6 packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agents receive DHCPv6 messages and then generate a new DHCPv6 message to send out on another interface. The relay agent sets the gateway address (giaddr field of the DHCPv6 packet) and forwards it to the DHCPv6 server.
You can configure the DHCPv6 relay agent to forward DHCPv6 broadcast messages from clients in a virtual routing and forwarding (VRF) instance to DHCPv6 servers in a different VRF. By using a single DHCPv6 server to provide DHCP support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF. For general information about VRFs, see the Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide.
In a secured fabric network, a DHCP server is deployed as a shared service in a network, which is different from the fabric end points. Every fabric edge is configured as a DHCP relay agent to relay the DHCP traffic between the fabric end points and the DHCP server. A border node uses a fabric border as the packet forwarder to communicate with the DHCP server. Also, a any-cast address is configured across all the fabric edge nodes.
When a DHCP relay agent intercepts a DISCOVER packet, the DHCP relay agent sets a any-cast address as the gateway address (giaddr) and inserts the Option-82 information in the packet, which includes the circuit ID and remote ID suboptions. The DHCP server sends the OFFER packet with the destination as giaddr. However, forwarding the OFFER packet to the correct switch is difficult because the any-cast address is the same on the edge network.
From Cisco NX-OS Release 8.2(1), you can use the ip dhcp redirect-response command on a DHCP server-facing interface to redirect packets to the correct switch. When you run this command, the border node processes the SERVER REPLY packets. When the DHCP server sends the OFFER packets, the border node uses the information from the remote ID option to create a VXLAN header that includes the source locator set as the outer destination address, and the VXLAN Network Identifier of the client segment. This helps the border node send the OFFER packet to the correct switch.
The following information applies to DHCP used in virtual device contexts (VDCs):
DHCP snooping binding databases are unique per VDC. Bindings in one VDC do not affect DHCP snooping in other VDCs.
The system does not limit the binding database size on a per-VDC basis.
The DHCP smart relay agent can be configured independently in default and nondefault VDCs.
DHCP has the following prerequisite:
You should be familiar with DHCP before you configure DHCP snooping or the DHCP relay agent.
DHCP has the following configuration guidelines and limitations:
Use the uRFP loose mode, not uRFP strict.
Configure static routes for the interface address on the affected FHRP interfaces and redistribute the static routes into IGP.
Using the ip dhcp relay source-interface interface-name command, you can configure a different interface as the source interface. This command is used for DHCP relay in VPN and in non-VPN environments. The dhcp relay information option with vpn sub-option must be enabled for this command configuration to work. To enable VRF support for the DHCP relay agent, use the ip dhcp relay information option vpn command. For more details about the ip dhcp relay information option vpn command, see the Cisco Nexus 7000 Series Security Command Reference.
For Cisco NX-OS Release 6.2 and later releases, you must enable the insertion of Option 82 information for DHCP packets to support the highest DHCP snooping scale.
After System Switchover, DHCP Global stats show incorrect values as they are not stored in PSS and get erased. Updating stats in PSS during packet path will affect scale.
If you use DHCP relay where DHCP clients and servers are in different VRF instances, use only one DHCP server within a VRF.
Before globally enabling DHCP snooping on the device, make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled.
DHCP snooping does not work with DHCP relay configured on the same nexus device.
If a VLAN ACL (VACL) is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts. When both DHCP snooping and DHCP relay are enabled on a VLAN and the SVI of that VLAN, DHCP relay takes precedence.
If an ingress router ACL is configured on a Layer 3 interface that you are configuring with a DHCP server address, ensure that the router ACL permits DHCP traffic between DHCP servers and DHCP hosts.
Access-control list (ACL) statistics are not supported if the DHCP snooping feature is enabled.
Before using POAP, make sure that DHCP snooping is enabled and firewall rules are set to block unintended or malicious DHCP servers.
When you configure DHCPv6 server addresses on an interface, a destination interface cannot be used with global IPv6 addresses.
The following guidelines and limitations are applicable for the DHCP redirect reponse feature:
Supported only on the Cisco M3 Series modules.
Supported on the L3 or SVI interfaces.
This feature is also supported on a Secure Fabric configured with VRF leaking.
Note |
For DHCP configuration limits, see the Cisco Nexus 7000 Series NX-OS Verified Scalability Guide. |
This table lists the default settings for DHCP parameters.
|
Parameters |
Default |
|---|---|
|
DHCP feature |
Disabled |
|
DHCP snooping |
Disabled |
|
DHCP snooping on VLANs |
Disabled |
|
DHCP snooping MAC address verification |
Enabled |
|
DHCP snooping Option 82 support |
Disabled |
|
DHCP snooping trust |
Untrusted |
|
DHCP relay agent |
Enabled |
|
DHCPv6 relay agent |
Enabled |
|
Lightweight DHCPv6 Relay Agent |
Disabled |
|
UDP Relay feature |
Disabled |
|
VRF support for the DHCP relay agent |
Disabled |
|
VRF support for the DHCPv6 relay agent |
Disabled |
|
DHCP relay sub-option type cisco |
Disabled |
|
DHCPv6 relay option type cisco |
Disabled |
|
DHCP Option 82 for relay agent |
Disabled |
|
DHCP server IP address |
None |
|
Step 1 |
Enable the DHCP feature. When the DHCP feature is disabled, you cannot configure DHCP snooping. |
|
Step 2 |
Enable DHCP snooping globally. |
|
Step 3 |
Enable DHCP snooping on at least one VLAN. By default, DHCP snooping is disabled on all VLANs. |
|
Step 4 |
Ensure that the DHCP server is connected to the device using a trusted interface. |
|
Step 5 |
(Optional) Configure an interface with the IP address of the DHCP server. |
You can enable or disable the DHCP feature on the device. By default, DHCP is disabled.
When the DHCP feature is disabled, you cannot configure DHCP snooping, the DHCP relay agent, or any of the features that depend on DHCP, such as dynamic ARP inspection and IP Source Guard. In addition, all DHCP, dynamic ARP inspection, and IP Source Guard configuration is removed from the device.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
config t Example: |
Enters global configuration mode. |
|
Step 2 |
[no] feature dhcp Example: |
Enables the DHCP feature. The no option disables the DHCP feature and erases all DHCP configuration. |
|
Step 3 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 4 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can enable or disable DHCP snooping globally on the device.
Ensure that you have enabled the DHCP feature.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
config t Example: |
Enters global configuration mode. |
|
Step 2 |
[no] ip dhcp snooping Example: |
Enables DHCP snooping globally. The no option disables DHCP snooping. |
|
Step 3 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 4 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can enable or disable DHCP snooping on one or more VLANs. By default, DHCP snooping is disabled on all VLANs.
Ensure that the DHCP feature is enabled.
Note |
If a VACL is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
config t Example: |
Enters global configuration mode. |
|
Step 2 |
[no] ip dhcp snooping vlan vlan-list Example: |
Enables DHCP snooping on the VLANs specified by vlan-list . The no option disables DHCP snooping on the VLANs specified. |
|
Step 3 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 4 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can enable or disable DHCP snooping MAC address verification. If the device receives a packet on an untrusted interface and the source MAC address and the DHCP client hardware address do not match, address verification causes the device to drop the packet. MAC address verification is enabled by default.
Ensure that the DHCP feature is enabled.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
config t Example: |
Enters global configuration mode. |
|
Step 2 |
[no] ip dhcp snooping verify mac-address Example: |
Enables DHCP snooping MAC address verification. The no option disables MAC address verification. |
|
Step 3 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 4 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can enable or disable the insertion and removal of Option 82 information for DHCP packets forwarded without the use of the DHCP relay agent. By default, the device does not include Option 82 information in DHCP packets.
Note |
DHCP relay agent support for Option 82 is configured separately. |
Note |
To support a higher DHCP pps scale, you must enable the insertion of Option 82 information for DHCP packets. |
Ensure that the DHCP feature is enabled.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
config t Example: |
Enters global configuration mode. |
|
Step 2 |
[no] ip dhcp snooping information option Example: |
Enables the insertion and removal of Option 82 information for DHCP packets. The no option disables the insertion and removal of Option 82 information. |
|
Step 3 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 4 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure whether an interface is a trusted or untrusted source of DHCP messages. By default, all interfaces are untrusted. You can configure DHCP trust on the following types of interfaces:
Layer 2 Ethernet interfaces
Layer 2 port-channel interfaces
Ensure that the DHCP feature is enabled.
Ensure that the interface is configured as a Layer 2 interface.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
config t Example: |
Enters global configuration mode. |
|
Step 2 |
Do one of the following options:
Example: |
|
|
Step 3 |
[no] ip dhcp snooping trust Example: |
Configures the interface as a trusted interface for DHCP snooping. The no option configures the port as an untrusted interface. |
|
Step 4 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can enable or disable the DHCP relay trusted port functionality. By default, if the gateway address is set to all zeros in the DHCP packet and the relay information option is already present in the packet, the DHCP relay agent will not discard the packet. If the ip dhcp relay information option trust command is configured globally, the DHCP relay agent will discard the packet if the gateway address is set to all zeros.
Ensure that the DHCP feature is enabled.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
config t Example: |
Enters global configuration mode. |
|
Step 2 |
[no] ip dhcp relay information option trust Example: |
Enables the DHCP relay trusted port functionality. The no option disables this functionality. |
|
Step 3 |
(Optional) show ip dhcp relay Example: |
(Optional)
Displays the DHCP relay configuration. |
|
Step 4 |
(Optional) show ip dhcp relay information trusted-sources Example: |
(Optional)
Displays the DHCP relay trusted ports configuration. |
|
Step 5 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 6 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure whether a Layer 3 interface is a DHCP relay trusted or untrusted interface. By default, all interfaces are untrusted. You can configure DHCP relay trust on the following types of interfaces:
Layer 3 Ethernet interfaces and sub-interfaces
Layer 3 port-channel interfaces
Interface VLAN
Ensure that the DHCP feature is enabled.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
config t Example: |
Enters global configuration mode. |
||
|
Step 2 |
Do one of the following options:
Example: |
|
||
|
Step 3 |
[no] ip dhcp relay information trusted Example: |
Configures the interface as a trusted interface for DHCP relay agent information. The no option configures the port as an untrusted interface.
|
||
|
Step 4 |
show ip dhcp relay information trusted-sources Example: |
Displays the DHCP relay trusted ports configuration. |
||
|
Step 5 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
||
|
Step 6 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure all Layer 3 interfaces as DHCP relay trusted or untrusted interfaces. By default, all interfaces are untrusted. You can configure DHCP relay trust on the following types of interfaces:
Layer 3 Ethernet interfaces and sub-interfaces
Layer 3 port-channel interfaces
Interface VLAN
When you enable the ip dhcp relay information trust-all command, any Layer 3 interface cannot be considered as untrusted irrespective of the interface-level configuration.
Ensure that the DHCP feature is enabled.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
config t Example: |
Enters global configuration mode. |
|
Step 2 |
[no] ip dhcp relay information trust-all Example: |
Configures the interfaces as trusted sources of DHCP messages. The no option configures the ports as untrusted interfaces. |
|
Step 3 |
show ip dhcp relay information trusted-sources Example: |
Displays the DHCP relay trusted ports configuration. |
|
Step 4 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can enable or disable the DHCP relay agent. By default, the DHCP relay agent is enabled.
Ensure that the DHCP feature is enabled.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
config t Example: |
Enters global configuration mode. |
|
Step 2 |
[no] ip dhcp relay Example: |
Enables the DHCP relay agent. The no option disables the relay agent. |
|
Step 3 |
(Optional) show ip dhcp relay Example: |
(Optional)
Displays the DHCP relay configuration. |
|
Step 4 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can enable or disable the DHCP relay source interface. You can configure a different interface as the source of the DHCP relay agent.
Ensure that the DHCP feature is enabled.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
[no] ip dhcp relay source-interface interface-name Example: |
Enables the DHCP relay source interface. You can configure a different interface as the source of the DHCP relay agent. The no option disables the relay source interface. The source interface’s IP address will be used as the source address in the DHCP packet, only when the source interface and the DHCP server are in the same VRF. If not in same VRF, IP address of any other interface (through which server will be reachable) will be used. |
|
Step 3 |
[no] ip dhcp relay information option vpn Example: |
Enables VRF support for the DHCP relay agent. The no option disables the VRF support. The VPN option will be added in option-82 only when the server and the client are in the different VRF. Three sub-options get added in the information option of the relayed packet only when the server and client are in different VRFs. Sub-option 151 - VRF Name / VPN ID: this indicates the VRF information of the client. Sub-option 11 - Server ID override: this indicates the client subnet gateway. Sub-option 5 - Link Selection: provides the client subnet address. When the client and server are in different VRFs, the DHCP server address configuration must have use-vrf vrf-name for the DHCP relay to work. |
|
Step 4 |
interface interface-name Example: |
Configures the interface and enters interface configuration mode. |
|
Step 5 |
[no] ip dhcp relay address ip address use-vrf vrf-name Example: |
Configures an IP address for a DHCP server to which the relay agent forwards the packets received on this interface. The use-vrf option specifies the virtual routing and forwarding instance (VRF) that the DHCP server is within, where the vrf-name argument is the name of the VRF. The VRF membership of the interface connected to the DHCP server determines the VRF that the DHCP is within. The source interface’s IP address will be used as the source address only when the source interface and the server are in the same VRF. |
|
Step 6 |
(Optional) show ip dhcp relay source-interface Example: |
(Optional)
Displays the DHCP relay source-interface configuration. |
|
Step 7 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 8 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can enable or disable the device to insert and remove Option 82 information on DHCP packets forwarded by the relay agent.
By default, the DHCP relay agent does not include Option 82 information in DHCP packets.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
[no] ip dhcp relay Example: |
Enables the DHCP relay feature. The no option disables this behavior. |
|
Step 3 |
[no] ip dhcp relay information option Example: |
Enables the DHCP relay agent to insert and remove Option 82 information on the packets that it forwards. The Option 82 information is in binary ifindex format by default. The no option disables this behavior. |
|
Step 4 |
(Optional) show ip dhcp relay Example: |
(Optional)
Displays the DHCP relay configuration. |
|
Step 5 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 6 |
(Optional) copy running-config startup-config Example: |
(Optional)
Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration. |
You can configure DHCP server IP addresses on an interface. When an inbound DHCP BOOTREQUEST packet arrives on the interface, the relay agent forwards the packet to all DHCP server IP addresses specified. The relay agent forwards replies from all DHCP servers to the host that sent the request.
Ensure that the DHCP feature is enabled.
Ensure that the DHCP server is correctly configured.
Determine the IP address for each DHCP server that you want to configure on the interface.
If the DHCP server is in a different VRF instance than the interface, ensure that you have enabled VRF support.
Note |
If an ingress router ACL is configured on an interface that you are configuring with a DHCP server address, ensure that the router ACL permits DHCP traffic between DHCP servers and DHCP hosts. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
config t Example: |
Enters global configuration mode. |
|
Step 2 |
Do one of the following options:
Example: |
|
|
Step 3 |
ip dhcp relay address IP-address Example: |
Configures an IP address for a DHCP server to which the relay agent forwards BOOTREQUEST packets received on this interface. To configure more than one IP address, use the ip dhcp relay address command once per address. |
|
Step 4 |
(Optional) show ip dhcp relay address Example: |
(Optional)
Displays all the configured DHCP server addresses. |
|
Step 5 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 6 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
Configuring DHCPv6
You can enable or disable the DHCPv6 relay agent. By default, the DHCPv6 relay agent is enabled.
Ensure that the DHCP feature is enabled.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
[no] ipv6 dhcp relay Example: |
Enables the DHCPv6 relay agent. The no option disables the relay agent. |
|
Step 3 |
(Optional) show ipv6 dhcp relay [interface interface] Example: |
(Optional)
Displays the DHCPv6 relay configuration. |
|
Step 4 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure the device to support the relaying of DHCPv6 requests that arrive on an interface in one VRF to a DHCPv6 server in a different VRF.
Ensure that the DHCP feature is enabled.
Ensure that the DHCPv6 relay agent is enabled.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
[no] ipv6 dhcp relay option vpn Example: |
Enables VRF support for the DHCPv6 relay agent. The no option disables this behavior. |
|
Step 3 |
[no] ipv6 dhcp relay option type cisco Example: |
Causes the DHCPv6 relay agent to insert virtual subnet selection (VSS) details as part of the vendor-specific option. The no option causes the DHCPv6 relay agent to insert VSS details as part of the VSS option (68), which is defined in RFC-6607. This command is useful when you want to use DHCPv6 servers that do not support RFC-6607 but allocate IPv6 addresses based on the client VRF name. |
|
Step 4 |
(Optional) show ipv6 dhcp relay [interface interface] Example: |
(Optional)
Displays the DHCPv6 relay configuration. |
|
Step 5 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
|
Step 6 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure DHCPv6 server IP addresses on an interface. When an inbound DHCP BOOTREQUEST packet arrives on the interface, the relay agent forwards the packet to all DHCPv6 server IP addresses specified. The relay agent forwards replies from all DHCPv6 servers to the host that sent the request.
Ensure that the DHCP feature is enabled.
Ensure that the DHCPv6 server is correctly configured.
Determine the IP address for each DHCPv6 server that you want to configure on the interface.
If the DHCPv6 server is in a different VRF than the interface, ensure that you have enabled VRF support.
Note |
If an ingress router ACL is configured on an interface that you are configuring with a DHCPv6 server address, ensure that the router ACL permits DHCP traffic between DHCPv6 servers and DHCP hosts. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
config t Example: |
Enters global configuration mode. |
|
Step 2 |
Do one of the following options:
Example: |
|
|
Step 3 |
[no] ipv6 dhcp relay address IPv6-address Example: |
Configures an IP address for a DHCPv6 server to which the relay agent forwards BOOTREQUEST packets received on this interface. Use the use-vrf option to specify the VRF name of the server if it is in a different VRF and the other argument interface is used to specify the output interface for the destination. The server address can either be a link-scoped unicast or multicast address or a global or site-local unicast or multicast address. The interface option is mandatory for a link-scoped server address and multicast address. It is not allowed for a global or site-scoped server address. To configure more than one IP address, use the ipv6 dhcp relay address command once per address. |
|
Step 4 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCPv6 configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure the source interface for the DHCPv6 relay agent. By default, the DHCPv6 relay agent uses the relay agent address as the source address of the outgoing packet. Configuring the source interface enables you to use a more stable address (such as the loopback interface address) as the source address of relayed messages.
Ensure that the DHCP feature is enabled.
Ensure that the DHCPv6 relay agent is enabled.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 2 |
[no] ipv6 dhcp relay source-interface interface Example: |
Configures the source interface for the DHCPv6 relay agent.
|
||
|
Step 3 |
(Optional) show ipv6 dhcp relay [interface interface] Example: |
(Optional)
Displays the DHCPv6 relay configuration. |
||
|
Step 4 |
(Optional) show running-config dhcp Example: |
(Optional)
Displays the DHCP configuration. |
||
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
|
Step 1 |
Enter global configuration mode: switch# configure terminal |
|
Step 2 |
Enable the DHCP feature: switch(config)# feature dhcp |
|
Step 3 |
Specify the DHCP server-facing interface: switch(config)# interface ethernet slot/ethernet |
|
Step 4 |
Configure DHCP response redirect: switch(config-if)# [no] ip dhcp redirect-response |
|
Step 5 |
Exit the interface and global configuration modes: switch(config-if)# end |
|
Step 6 |
(Optional) Display the DHCP configuration: switch# show running-config dhcp |
The following running configuration example shows how to configure DHCP response redirect on a DHCP server-facing interface. Replace the <placeholders> with relevant values for your setup.
configure terminal
interface Ethernet <2/1>
ip dhcp redirect-response
end
The following example shows the DHCP response redirect configuration details:
switch# show running-config dhcp
!Command: show running-config dhcp
!Time: Fri Dec 11 09:36:15 2016
version 8.2(0)SK(1)
feature dhcp
service dhcp
ip dhcp relay
ipv6 dhcp relay
interface Ethernet2/1
ip dhcp redirect-response
To display DHCP configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
|
Command |
Purpose |
|---|---|
|
show running-config dhcp [all] |
Displays the DHCP configuration in the running configuration. |
|
show ip dhcp relay |
Displays the DHCP relay configuration. |
|
show ipv6 dhcp relay [interface interface] |
Displays the DHCPv6 relay global or interface-level configuration. |
|
show ip dhcp relay address |
Displays all the DHCP server addresses configured on the device. |
|
show ip dhcp snooping |
Displays general information about DHCP snooping. |
|
show startup-config dhcp [all] |
Displays the DHCP configuration in the startup configuration. |
Use the show ip dhcp snooping binding command to display the DHCP binding table. For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
You can remove entries from the DHCP snooping binding database, including a single entry, all entries associated with an interface, or all entries in the database.
Ensure that the DHCP feature is enabled.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
(Optional) clear ip dhcp snooping binding Example: |
(Optional)
Clears all entries from the DHCP snooping binding database. |
|
Step 2 |
(Optional) clear ip dhcp snooping binding interface ethernet slot/port[.subinterface-number] Example: |
(Optional)
Clears entries associated with a specific Ethernet interface from the DHCP snooping binding database. |
|
Step 3 |
(Optional) clear ip dhcp snooping binding interface port-channel channel-number[.subchannel-number] Example: |
(Optional)
Clears entries associated with a specific port-channel interface from the DHCP snooping binding database. |
|
Step 4 |
(Optional) clear ip dhcp snooping binding vlan vlan-id mac mac-address ip ip-address interface {ethernet slot/port[.subinterface-number | port-channel channel-number[.subchannel-number] } Example: |
(Optional)
Clears a single, specific entry from the DHCP snooping binding database. |
|
Step 5 |
(Optional) show ip dhcp snooping binding Example: |
(Optional)
Displays the DHCP snooping binding database. |
Use the clear ip dhcp relay statistics command to clear the global DHCP relay statistics.
Use the clear ip dhcp relay statistics interface interface command to clear the DHCP relay statistics for a particular interface.
Use the clear ipv6 dhcp relay statistics command to clear the global DHCPv6 relay statistics.
Use the clear ipv6 dhcp relay statistics interface interface command to clear the DHCPv6 relay statistics for a particular interface.
Use the show ip dhcp snooping statistics command to monitor DHCP snooping.
Use the show ip dhcp relay statistics [interface interface] command to monitor DHCP relay statistics at the global or interface level.
Use the (Optional) show ip dhcp snooping statistics vlan [vlan-id] interface [ethernet|port-channel][id] command to know the exact statistics about snooping statistics per interface under a vlan.
Use the show ipv6 dhcp relay statistics [interface interface] command to monitor DHCPv6 relay statistics at the global or interface level.
Note |
For detailed information about the fields in the output from these commands, see the Cisco Nexus 7000 Series NX-OS Security Command Reference. |
|
Related Topic |
Document Title |
|---|---|
|
DHCP commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples |
Cisco Nexus 7000 Series NX-OS Security Command Reference |
|
VRFs and Layer 3 virtualization |
Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide |
|
Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide |
|
Standards |
Title |
|---|---|
|
RFC-2131 |
Dynamic Host Configuration Protocol |
|
RFC-3046 |
DHCP Relay Agent Information Option |
|
RFC-6607 |
Virtual Subnet Selection Options for DHCPv4 and DHCPv6 |
This table lists the release history for this feature.
|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
IP DHCP Relay Source Interface |
8.2(3) |
Added support for the DHCP relay source interface. |
|
DHCP |
8.2(1) |
Added support for the DHCP redirect response feature. |
|
DHCP |
6.2(2) |
Added support for the DHCPv6 relay agent. |
|
DHCP |
6.2(2) |
Added a new default circuit ID format that is used when Option 82 is enabled for DHCP snooping. |
|
DHCP |
6.0(1) |
No change from Release 5.2. |
|
DHCP |
4.2(1) |
Deprecated the service dhcp command and replaced it with the ip dhcp relay command. |
Feedback