Cisco Nexus 3548 Switch NX-OS Security Configuration Guide, Release 10.1(x)

About DHCP Snooping

DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:

Validates DHCP messages received from untrusted sources and filters out invalid messages.
Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.

Feature Enabled and Globally Enabled

When you are configuring DHCP snooping, it is important that you understand the difference between enabling the DHCP snooping feature and globally enabling DHCP snooping.

Feature Enablement

The DHCP snooping feature is disabled by default. When the DHCP snooping feature is disabled, you cannot configure it or any of the features that depend on DHCP snooping. The commands to configure DHCP snooping and its dependent features are unavailable when DHCP snooping is disabled.

When you enable the DHCP snooping feature, the switch begins building and maintaining the DHCP snooping binding database. Features dependent on the DHCP snooping binding database can now make use of it and can therefore also be configured.

Enabling the DHCP snooping feature does not globally enable it. You must separately enable DHCP snooping globally.

Disabling the DHCP snooping feature removes all DHCP snooping configuration from the switch. If you want to disable DHCP snooping and preserve the configuration, globally disable DHCP snooping but do not disable the DHCP snooping feature.

Global Enablement

After DHCP snooping is enabled, DHCP snooping is globally disabled by default. Global enablement is a second level of enablement that allows you to have separate control of whether the switch is actively performing DHCP snooping that is independent from enabling the DHCP snooping binding database.

When you globally enable DHCP snooping, on each untrusted interface of VLANs that have DHCP snooping enabled, the switch begins validating DHCP messages that are received and used the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

When you globally disable DHCP snooping, the switch stops validating DHCP messages and validating subsequent requests from untrusted hosts. It also removes the DHCP snooping binding database. Globally disabling DHCP snooping does not remove any DHCP snooping configuration or the configuration of other features that are dependent upon the DHCP snooping feature.

Trusted and Untrusted Sources

You can configure whether DHCP snooping trusts traffic sources. An untrusted source might initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.

In an enterprise network, a trusted source is a switch that is under your administrative control. These switches include the switches, routers, and servers in the network. Any switch beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.

In a service provider environment, any switch that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.

In a Cisco Nexus device, you indicate that a source is trusted by configuring the trust state of its connecting interface.

The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to switches (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.

Note

For DHCP snooping to function properly, you must connect all DHCP servers to the switch through trusted interfaces.

DHCP Snooping Binding Database

Using information extracted from intercepted DHCP messages, DHCP snooping dynamically builds and maintains a database. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts that are connected through trusted interfaces.

Note

The DHCP snooping binding database is also referred to as the DHCP snooping binding table.

DHCP snooping updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host.

Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

You can remove entries from the binding database by using the clear ip dhcp snooping binding command.

Information About the DHCP Relay Agent

DHCP Relay Agent

You can configure the device to run a DHCP relay agent, which forwards DHCP packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface. The relay agent sets the gateway address (giaddr field of the DHCP packet) and, if configured, adds the relay agent information option (Option 82) in the packet and forwards it to the DHCP server. The reply from the server is forwarded back to the client after removing Option 82.

After you enable Option 82, the device uses the binary ifindex format by default. If needed, you can change the Option 82 setting to use an encoded string format instead.

Note

When the device relays a DHCP request that already includes Option 82 information, the device forwards the request with the original Option 82 information without altering it.

VRF Support for the DHCP Relay Agent

You can configure the DHCP relay agent to forward DHCP broadcast messages from clients in a virtual routing and forwarding (VRF) instance to DHCP servers in a different VRF. By using a single DHCP server to provide DHCP support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF.

Enabling VRF support for the DHCP relay agent requires that you enable Option 82 for the DHCP relay agent.

If a DHCP request arrives on an interface that you have configured with a DHCP relay address and VRF information, and the address of the DHCP server belongs to a network on an interface that is a member of a different VRF, the device inserts Option 82 information in the request and forwards it to the DHCP server in the server VRF. The Option 82 information includes the following:

VPN identifier: Name of the VRF that the interface that receives the DHCP request is a member of.
Link selection: Subnet address of the interface that receives the DHCP request.
Server identifier override: IP address of the interface that receives the DHCP request.

Note

The DHCP server must support the VPN identifier, link selection, and server identifier override options.

When the device receives the DHCP response message, it strips off the Option 82 information and forwards the response to the DHCP client in the client VRF.

DHCP Relay Binding Database

A relay binding is an entity that associates a DHCP or BOOTP client with a relay agent address and its subnet. Each relay binding stores the client MAC address, active relay agent address, active relay agent address mask, logical and physical interfaces to which the client is connected, giaddr retry count, and total retry count. The giaddr retry count is the number of request packets transmitted with that relay agent address, and the total retry count is the total number of request packets transmitted by the relay agent. One relay binding entry is maintained for each DHCP or BOOTP client.

Note

When DHCP smart relay is enabled globally or at the interface level on any switch, the relay bindings on all switches should be synchronized with the vPC peer.

Prerequisites for DHCP Snooping

You should be familiar with DHCP before you configure DHCP snooping or the DHCP relay agent .

Guidelines and Limitations for DHCP Snooping

Consider the following guidelines and limitations when configuring DHCP snooping:

The DHCP snooping database can store 2000 bindings.
DHCP snooping is not active until you enable the feature, enable DHCP snooping globally, and enable DHCP snooping on at least one VLAN.
Before globally enabling DHCP snooping on the switch, make sure that the switches that act as the DHCP server and the DHCP relay agent are configured and enabled.
If a VLAN ACL (VACL) is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts.
DHCP snooping and DHCP relay feature are not supported on the same VLAN.

Default Settings for DHCP Snooping

This table lists the default settings for DHCP snooping parameters.

Table 1. Default DHCP Snooping Parameters
Parameters	Default
DHCP snooping feature	Disabled
DHCP snooping globally enabled	No
DHCP snooping VLAN	None
DHCP snooping Option 82 support	Disabled
DHCP snooping trust	Untrusted
VRF support for the DHCP relay agent	Disabled
DHCP relay agent	Disabled

Minimum DHCP Snooping Configuration

Procedure

	Command or Action	Purpose
Step 1	Enable the DHCP snooping feature.	When the DHCP snooping feature is disabled, you cannot configure DHCP snooping. For details, see Enabling or Disabling the DHCP Snooping Feature.
Step 2	Enable DHCP snooping globally.	For details, see Enabling or Disabling DHCP Snooping Globally.
Step 3	Enable DHCP snooping on at least one VLAN.	By default, DHCP snooping is disabled on all VLANs. For details, see Enabling or Disabling DHCP Snooping on a VLAN.
Step 4	Ensure that the DHCP server is connected to the switch using a trusted interface.	For details, see Configuring an Interface as Trusted or Untrusted.

Enabling or Disabling the DHCP Snooping Feature

You can enable or disable the DHCP snooping feature on the switch. By default, DHCP snooping is disabled.

Before you begin

If you disable the DHCP snooping feature, all DHCP snooping configuration is lost. If you want to turn off DHCP snooping and preserve the DHCP snooping configuration, disable DHCP globally.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	[no] feature dhcp Example: `switch(config)# feature dhcp`	Enables the DHCP snooping feature. The no option disables the DHCP snooping feature and erases all DHCP snooping configuration.
Step 3	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Shows the DHCP snooping configuration.
Step 4	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling DHCP Snooping Globally

You can enable or disable the DHCP snooping globally on the switch. Globally disabling DHCP snooping stops the switch from performing any DHCP snooping or relaying DHCP messages but preserves DCHP snooping configuration.

Before you begin

Ensure that you have enabled the DHCP snooping feature. By default, DHCP snooping is globally disabled.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	[no] ip dhcp snooping Example: `switch(config)# ip dhcp snooping`	Enables DHCP snooping globally. The no option disables DHCP snooping.
Step 3	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Shows the DHCP snooping configuration.
Step 4	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling DHCP Snooping on a VLAN

You can enable or disable DHCP snooping on one or more VLANs.

Before you begin

By default, DHCP snooping is disabled on all VLANs.

Ensure that DHCP snooping is enabled.

Note

If a VACL is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	[no] ip dhcp snooping vlan `vlan-list` Example: `switch(config)# ip dhcp snooping vlan 100,200,250-252`	Enables DHCP snooping on the VLANs specified by `vlan-list` . The no option disables DHCP snooping on the VLANs specified.
Step 3	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Shows the DHCP snooping configuration.
Step 4	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling Option 82 Data Insertion and Removal

You can enable or disable the insertion and removal of Option 82 information for DHCP packets forwarded without the use of the DHCP relay agent. By default, the device does not include Option 82 information in DHCP packets.

Note

DHCP relay agent support for Option 82 is configured separately.

Before you begin

Ensure that the DHCP feature is enabled.

Procedure

	Command or Action	Purpose
Step 1	config t Example: `switch# config t switch(config)#`	Enters global configuration mode.
Step 2	[no] ip dhcp snooping information option Example: `switch(config)# ip dhcp snooping information option`	Enables the insertion and removal of Option 82 information for DHCP packets. The no option disables the insertion and removal of Option 82 information.
Step 3	(Optional) [no] ip dhcp snooping sub-option circuit-id format-type string format Example: `switch(config)# ip dhcp snooping sub-option circuit-id format-type string format`	(Optional) Configures Option 82 to use encoded string format of either ingress ifindex name or host name or a combination of both hostname and ifindex name. [“%h” for hostname, “%p” for ifindex and combination of %h and %p for both hostname and ifindex name.
Step 4	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Displays the DHCP configuration.
Step 5	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling Option 82 User Defined Data Insertion and Removal

You can enable or disable the insertion and removal of Option 82 user-defined information for DHCP packets forwarded to server. The configuration is applicable per port and overrides option82 global configuration that uses encoded string format of ingress ifindex name. When DHCP Relay is configured on SVI, the user defined string from the ingress physical ifindex is appended to the DHCP Packet being relayed.

By default, the device does not include option 82 information in DHCP packets.

Note

The user-defined option82 configuration applies to both DHCP Relay and DHCP Snooping.

Before you begin

Ensure that the DHCP feature is enabled.

Procedure

	Command or Action	Purpose
Step 1	config t	Enters global configuration mode.
Step 2	[no] ip dhcp snooping information option	Enables the insertion and removal of Option 82 information for DHCP packets. The no option disables the insertion and removal of Option 82 information.
Step 3	interface ethernet `slot`/`port`	Enters interface configuration mode, where slot/port is the Layer 2 Ethernet ingress interface where you want to configure the option 82 string.
Step 4	ip dhcp option82 suboption circuit-id `user-defined-circuit-id` Example: switch(config-if)# ip dhcp option82 suboption circuit-id po5-option82-string	Enters user defined option82 string on port channel5. The string po5-option82-string is appended to the DHCP Packet being ingress on port channel 5. The same is configured on Ethernet interface.
Step 5	(Optional) show ip dhcp option82 suboption info interface po5	(Optional) Displays the DHCP option 82 information and statistics.
Step 6	(Optional) copy running-config startup-config	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling Strict DHCP Packet Validation

You can enable or disable the strict validation of DHCP packets by the DHCP snooping feature. By default, strict validation of DHCP packets is disabled.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	[no] ip dhcp packet strict-validation Example: `switch(config)# ip dhcp packet strict-validation`	Enables the strict validation of DHCP packets by the DHCP snooping feature. The no option disables strict DHCP packet validation.
Step 3	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Shows the DHCP snooping configuration.
Step 4	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Configuring an Interface as Trusted or Untrusted

You can configure whether an interface is a trusted or untrusted source of DHCP messages. You can configure DHCP trust on the following types of interfaces:

Layer 2 Ethernet interfaces
Layer 2 port-channel interfaces

Before you begin

By default, all interfaces are untrusted.

Ensure that DHCP snooping is enabled.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	Enter one of the following commands: interface ethernet `port`/`slot` interface port-channel `channel-number` Example: `switch(config)# interface ethernet 2/1 switch(config-if)#`	Enters interface configuration mode, where `port` / `slot` is the Layer 2 Ethernet interface that you want to configure as trusted or untrusted for DHCP snooping. Enters interface configuration mode, where `port` / `slot` is the Layer 2 port-channel interface that you want to configure as trusted or untrusted for DHCP snooping.
Step 3	[no] ip dhcp snooping trust Example: `switch(config-if)# ip dhcp snooping trust`	Configures the interface as a trusted interface for DHCP snooping. The no option configures the port as an untrusted interface.
Step 4	(Optional) show running-config dhcp Example: `switch(config-if)# show running-config dhcp`	(Optional) Shows the DHCP snooping configuration.
Step 5	(Optional) copy running-config startup-config Example: `switch(config-if)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling the DHCP Relay Agent

You can enable or disable the DHCP relay agent. By default, the DHCP relay agent is enabled.

Before you begin

Ensure that the DHCP feature is enabled.

Procedure

	Command or Action	Purpose
Step 1	config t Example: `switch# config t switch(config)#`	Enters global configuration mode.
Step 2	[no] ip dhcp relay Example: `switch(config)# ip dhcp relay`	Enables the DHCP relay agent. The no option disables the relay agent.
Step 3	(Optional) show ip dhcp relay Example: `switch(config)# show ip dhcp relay`	(Optional) Displays the DHCP relay configuration.
Step 4	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Displays the DHCP configuration.
Step 5	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling Option 82 for the DHCP Relay Agent

You can enable or disable the device to insert and remove Option 82 information on DHCP packets forwarded by the relay agent.

By default, the DHCP relay agent does not include Option 82 information in DHCP packets.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	[no] ip dhcp relay Example: `switch(config)# ip dhcp relay`	Enables the DHCP relay feature. The no option disables this behavior.
Step 3	[no] ip dhcp relay information option Example: `switch(config)# ip dhcp relay information option`	Enables the DHCP relay agent to insert and remove Option 82 information on the packets that it forwards. The Option 82 information is in binary ifindex format by default. The no option disables this behavior.
Step 4	(Optional) show ip dhcp relay Example: `switch(config)# show ip dhcp relay`	(Optional) Displays the DHCP relay configuration.
Step 5	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Displays the DHCP configuration.
Step 6	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Enabling or Disabling VRF Support for the DHCP Relay Agent

You can configure the device to support the relaying of DHCP requests that arrive on an interface in one VRF to a DHCP server in a different VRF instance.

Before you begin

You must enable Option 82 for the DHCP relay agent.

Procedure

	Command or Action	Purpose
Step 1	config t Example: `switch# config t switch(config)#`	Enters global configuration mode.
Step 2	[no] ip dhcp relay information option vpn Example: `switch(config)# ip dhcp relay information option vpn`	Enables VRF support for the DHCP relay agent. The no option disables this behavior.
Step 3	[no] ip dhcp relay sub-option type cisco Example: `switch(config)# ip dhcp relay sub-option type cisco`	Enables DHCP to use Cisco proprietary numbers 150, 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent Option 82 suboptions. The no option causes DHCP to use RFC numbers 5, 11, and 151 for the link selection, server ID override, and VRF name/VPN ID suboptions.
Step 4	(Optional) show ip dhcp relay Example: `switch(config)# show ip dhcp relay`	(Optional) Displays the DHCP relay configuration.
Step 5	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Displays the DHCP configuration.
Step 6	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling Subnet Broadcast Support for the DHCP Relay Agent on a Layer 3 Interface

You can configure the device to support the relaying of DHCP packets from clients to a subnet broadcast IP address. When this feature is enabled, the VLAN ACLs (VACLs) accept IP broadcast packets and all subnet broadcast (primary subnet broadcast as well as secondary subnet broadcast) packets.

Before you begin

Ensure that the DHCP feature is enabled.

Ensure that the DHCP relay agent is enabled.

Procedure

	Command or Action	Purpose
Step 1	config t Example: `switch# config t switch(config)#`	Enters global configuration mode.
Step 2	interface `interface` `slot`/`port` Example: `switch(config)# interface ethernet 2/2 switch(config-if)#`	Enters interface configuration mode, where `slot`/`port` is the interface for which you want to enable or disable subnet broadcast support for the DHCP relay agent.
Step 3	[no] ip dhcp relay subnet-broadcast Example: `switch(config-if)# ip dhcp relay subnet-broadcast`	Enables subnet broadcast support for the DHCP relay agent. The no option disables this behavior.
Step 4	exit Example: `switch(config-if)# exit switch(config)#`	Exits interface configuration mode.
Step 5	exit Example: `switch(config)# exit switch#`	Exits global configuration mode.
Step 6	(Optional) show ip dhcp relay Example: `switch# show ip dhcp relay`	(Optional) Displays the DHCP relay configuration.
Step 7	(Optional) show running-config dhcp Example: `switch# show running-config dhcp`	(Optional) Displays the DHCP configuration.
Step 8	(Optional) copy running-config startup-config Example: `switch# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Configuring DHCP Server Addresses on an Interface

You can configure DHCP server IP addresses on an interface. When an inbound DHCP BOOTREQUEST packet arrives on the interface, the relay agent forwards the packet to all DHCP server IP addresses specified. The relay agent forwards replies from all DHCP servers to the host that sent the request.

Before you begin

Ensure that the DHCP feature is enabled.

Ensure that the DHCP server is correctly configured.

Determine the IP address for each DHCP server that you want to configure on the interface.

If the DHCP server is in a different VRF instance than the interface, ensure that you have enabled VRF support.

Note

If an ingress router ACL is configured on an interface that you are configuring with a DHCP server address, ensure that the router ACL permits DHCP traffic between DHCP servers and DHCP hosts.

Procedure

	Command or Action	Purpose
Step 1	config t Example: `switch# config t switch(config)#`	Enters global configuration mode.
Step 2	Do one of the following options: interface ethernet `slot`/`port`[. `number`] interface vlan `vlan-id` interface port-channel `channel-id`[.`subchannel-id`] Example: `switch(config)# interface ethernet 2/3 switch(config-if)#`	Enters interface configuration mode, where `slot` /`port` is the physical Ethernet interface that you want to configure with a DHCP server IP address. If you want to configure a subinterface, include the number argument to specify the subinterface number. Enters interface configuration mode, where `vlan-id` is the ID of the VLAN that you want to configure with a DHCP server IP address. Enters interface configuration mode, where `channel-id` is the ID of the port channel that you want to configure with a DHCP server IP address. If you want to configure a subchannel, include the subchannel-id argument to specify the subchannel ID.
Step 3	ip dhcp relay address `IP-address` [use-vrf `vrf-name`] Example: `switch(config-if)# ip dhcp relay address 10.132.7.120 use-vrf red`	Configures an IP address for a DHCP server to which the relay agent forwards BOOTREQUEST packets received on this interface. To configure more than one IP address, use the ip dhcp relay address command once per address.
Step 4	(Optional) show ip dhcp relay address Example: `switch(config-if)# show ip dhcp relay address`	(Optional) Displays all the configured DHCP server addresses.
Step 5	(Optional) show running-config dhcp Example: `switch(config-if)# show running-config dhcp`	(Optional) Displays the DHCP configuration.
Step 6	(Optional) copy running-config startup-config Example: `switch(config-if)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Creating a DHCP Static Binding

You can create a static DHCP source binding to a Layer 2 interface.

Before you begin

Ensure that you have enabled the DHCP snooping feature.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	ip source binding `IP-address MAC-address` vlan `vlan-id` {interface ethernet `slot/port` \| port-channel `channel-no`} Example: `switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 2/3`	Binds the static source address to the Layer 2 Ethernet interface.
Step 3	(Optional) show ip dhcp snooping binding Example: `switch(config)# ip dhcp snooping binding`	(Optional) Shows the DHCP snooping static and dynamic bindings.
Step 4	(Optional) show ip dhcp snooping binding dynamic Example: `switch(config)# ip dhcp snooping binding dynamic`	(Optional) Shows the DHCP snooping dynamic bindings.
Step 5	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Example

The following example shows how to create a static IP source entry associated with VLAN 100 on Ethernet interface 2/3:

switch# configure terminal
switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 2/3
switch(config)#

Verifying the DHCP Snooping Configuration

To display DHCP snooping configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the System Management Configuration Guide for your Cisco Nexus device.


Command	Purpose
show running-config dhcp	Displays the DHCP snooping configuration.
show ip dhcp relay	Displays the DHCP relay configuration.
show ip dhcp snooping	Displays general information about DHCP snooping.

Displaying DHCP Bindings

Use the show ip dhcp snooping binding command to display the DHCP static and dynamic binding table. Use the show ip dhcp snooping binding dynamic to display the DHCP dynamic binding table.

For detailed information about the fields in the output from this command, see the System Management Configuration Guide for your Cisco Nexus device.

This example shows how to create a static DHCP binding and then verify the binding using the show ip dhcp snooping binding command.

switch# configuration terminal
switch(config)# ip source binding 10.20.30.40 0000.1111.2222 vlan 400 interface port-channel 500

switch(config)# show ip dhcp snooping binding
MacAddress         IpAddress        LeaseSec  Type        VLAN  Interface
-----------------  ---------------  --------  ----------  ----  -------------
00:00:11:11:22:22  10.20.30.40      infinite  static      400   port-channel500

Clearing the DHCP Snooping Binding Database

You can remove entries from the DHCP snooping binding database, including a single entry, all entries associated with an interface, or all entries in the database.

Before you begin

Ensure that DHCP snooping is enabled.

Procedure

	Command or Action	Purpose
Step 1	(Optional) clear ip dhcp snooping binding Example: `switch# clear ip dhcp snooping binding`	(Optional) Clears all entries from the DHCP snooping binding database.
Step 2	(Optional) clear ip dhcp snooping binding interface ethernet `slot`/`port`[.`subinterface-number`] Example: `switch# clear ip dhcp snooping binding interface ethernet 1/4`	(Optional) Clears entries associated with a specific Ethernet interface from the DHCP snooping binding database.
Step 3	(Optional) clear ip dhcp snooping binding interface port-channel `channel-number`[.`subchannel-number`] Example: `switch# clear ip dhcp snooping binding interface port-channel 72`	(Optional) Clears entries associated with a specific port-channel interface from the DHCP snooping binding database.
Step 4	(Optional) clear ip dhcp snooping binding vlan `vlan-id` mac `mac-address` ip `ip-address` interface {ethernet `slot`/`port`[.`subinterface-number` \| port-channel `channel-number`[.`subchannel-number`] } Example: `switch# clear ip dhcp snooping binding vlan 23 mac 0060.3aeb.54f0 ip 10.34.54.9 interface ethernet 2/11`	(Optional) Clears a single, specific entry from the DHCP snooping binding database.
Step 5	(Optional) show ip dhcp snooping binding Example: `switch# show ip dhcp snooping binding`	(Optional) Displays the DHCP snooping binding database.

Clearing DHCP Relay Statistics

Use the clear ip dhcp relay statistics command to clear the global DHCP relay statistics.

Use the clear ip dhcp relay statistics interface interface command to clear the DHCP relay statistics for a particular interface.

Use the clear ip dhcp relay statistics interface interface serverip ip-address [use-vrf vrf-name] command to clear the DHCP relay statistics at the server level for a particular interface.

Monitoring DHCP

Use the show ip dhcp snooping statistics command to monitor DHCP snooping.

Use the show ip dhcp relay statistics [interface interface [serverip ip-address [use-vrf vrf-name]]] command to monitor DHCP relay statistics at the global, server, or interface level.

Use the (Optional) show ip dhcp snooping statistics vlan [vlan-id] interface [ethernet|port-channel][id] command to know the exact statistics about snooping statistics per interface under a vlan.

Configuration Examples for DHCP Snooping

The following example shows how to enable DHCP snooping on two VLANs, with Option 82 support enabled and Ethernet interface 2/5 trusted because the DHCP server is connected to that interface:

feature dhcp 
ip dhcp snooping 
ip dhcp snooping info option

interface Ethernet 2/5
  ip dhcp snooping trust 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 50

Bias-Free Language

Results

Chapter: Configuring DHCP Snooping

Configuring DHCP Snooping

About DHCP Snooping

Feature Enabled and Globally Enabled

Feature Enablement

Global Enablement

Trusted and Untrusted Sources

DHCP Snooping Binding Database

Information About the DHCP Relay Agent

DHCP Relay Agent

VRF Support for the DHCP Relay Agent

DHCP Relay Binding Database

Prerequisites for DHCP Snooping

Guidelines and Limitations for DHCP Snooping

Default Settings for DHCP Snooping

Minimum DHCP Snooping Configuration

Procedure

Enabling or Disabling the DHCP Snooping Feature

Before you begin

Procedure

Example:

Example:

Example:

Example:

Enabling or Disabling DHCP Snooping Globally

Before you begin

Procedure

Example:

Example:

Example:

Example:

Enabling or Disabling DHCP Snooping on a VLAN

Before you begin

Procedure

Example:

Example:

Example:

Example:

Enabling or Disabling Option 82 Data Insertion and Removal

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Enabling or Disabling Option 82 User Defined Data Insertion and Removal

Before you begin

Procedure

Example:

Enabling or Disabling Strict DHCP Packet Validation

Procedure

Example:

Example:

Example:

Example:

Configuring an Interface as Trusted or Untrusted

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Enabling or Disabling the DHCP Relay Agent

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Enabling or Disabling Option 82 for the DHCP Relay Agent

Procedure

Example:

Example:

Example: