DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:

• Validates DHCP messages received from untrusted sources and filters out invalid messages.

• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

• Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

DHCP snooping can be enabled globally and on a per-VLAN basis. By default, the feature is disabled globally and on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.

You can configure the device to run a DHCPv6 relay agent, which forwards DHCPv6 packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agents receive DHCPv6 messages and then generate a new DHCPv6 message to send out on another interface. The relay agent sets the gateway address (giaddr field of the DHCPv6 packet) and forwards it to the DHCPv6 server.

You can configure the DHCPv6 relay agent to forward DHCPv6 broadcast messages from clients in a virtual routing and forwarding (VRF) instance to DHCPv6 servers in a different VRF. By using a single DHCPv6 server to provide DHCP support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF. For general information about VRFs, see the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide.

DHCPv6 Prefix Delegation (DHCPv6-PD) feature is aimed at assigning complete subnets and other network and interface parameters from a DHCPv6-PD server to a DHCPv6-PD client. It is an extension to DHCPv6 relay agent as defined in RFC3633.

Note	Prefix delegation does not interwork with First Hop Security (FHS). DHCPv6 does not support prefix delegation with relay chaining.

The relay agent forwards the network address requests received in solicit packets to DHCPv6 server using an IANA option. If the client requires a Prefix address as well, then it adds an IAPD option in the request. DHCPv6 server delegates the requested Prefix, if it is available in its pool.

If CLI is enabled, the DHCPv6-PD adds a static route on the Switch for Delegated Prefix so that the prefix is routable from the Switch. DHCPv6-PD binding will be created for each client along with IPv6 route created for delegated prefix.

The added static routes are distributed to neighbors through an OSPFv3 routing protocol.

Note	Currently the DHCPv6-PD routes distributions are not supported for other routing protocols like IS-IS, BGP. For more information, refer to the "Configuring Redistribution" section of Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide.

When the DHCPv6 smart relay agent receives solicit packets from a host, it sets link address to the address of the inbound interface and forwards the packets to the server. The server allocates IP addresses from the link address subnet pool until the pool is exhausted and ignores further requests.

You can configure the DHCPv6 smart relay agent to allocate IP addresses from the secondary IP address subnet pool if the first subnet pool is exhausted or the server ignores further requests. This enhancement is useful if the number of hosts is greater than the number of IP addresses in the pool or if multiple subnets are configured on an interface using secondary addresses. You can allocate IP address from any address subnet pool.

DHCPv6 Smart Relay has the following configuration guidelines and limitations:

• In a vPC environment it is recommended that the subnet of the Ipv6 address(s) of an interface should be same on both the switches.

• The number of hosts that use DHCPv6 smart relay at an instance is restricted to 10000.

• It is supported on cloud-based platforms.

The DHCP client feature enables the configuration of an IPv4 or IPv6 address on an interface. Interfaces can include routed ports, the management port, and switch virtual interfaces (SVIs).

DHCP has the following prerequisite:

• You should be familiar with DHCP before you configure DHCP snooping or the DHCP relay agent.

DHCP has the following configuration guidelines and limitations:

• For secure POAP, make sure that DHCP snooping is enabled and firewall rules are set to block unintended or malicious DHCP servers.

• Cisco Nexus 9000 Series switches do not support the relaying of bootp packets. However, the switches do support bootp packets that are Layer 2 switched.

• DHCP subnet broadcast is not supported.

• You must enable the insertion of Option 82 information for DHCP packets to support the highest DHCP snooping scale.

• Before you globally enable DHCP snooping on the device, make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled.

• DHCP snooping should not be followed by DHCP relay in the network (DHCP snooping does not work when the DHCP relay is configured on the same Cisco Nexus device).

• The DHCP snooping, DAI, and FHS are not supported on Cisco Nexus 9500 platform switches with -R/-RX/-R2 line cards.

• DHCP snooping is not supported on VXLAN VLANs.

• DHCP snooping supports multiple IP addresses with the same MAC address and VLAN in static binding entries.

• VXLAN supports DHCP relay when the DHCP server is reachable through a default VRF.

• If a VLAN ACL (VACL) is configured on a VLAN that you are configuring with DHCP snooping, make sure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts. When both DHCP snooping and DHCP relay are enabled on a VLAN and the SVI of that VLAN, DHCP relay takes precedence.

• If an ingress router ACL is configured on a Layer 3 interface that you are configuring with a DHCP server address, make sure that the router ACL permits DHCP traffic between DHCP servers and DHCP hosts.

• If you use DHCP relay where DHCP clients and servers are in different VRFs, use only one DHCP server within a VRF.

• Access-control list (ACL) statistics are not supported if the DHCP snooping feature is enabled.

• Make sure that the DHCP configuration is synchronized across the switches in a vPC link. Otherwise, a run-time error can occur, resulting in dropped packets.

• DHCP Smart Relay is limited to the first 100 IP addresses of the interface on which it is enabled.

• You must configure a helper address on the interface in order to use DHCP smart relay.

• If DHCP Smart Relay is enabled in a vPC environment, primary interface IP addresses should share a subnet between the peers. Secondary interface IP addresses should also share a subnet between the peers.

• When you configure DHCPv6 server addresses on an interface, a destination interface cannot be used with global IPv6 addresses.

• DHCPv6-PD Routes will not be generated when a DHCPv6 client initiates a Rebind. Existing IAPD entries for the client will be refreshed, but not created. For IAPD route creation, a full Solicit, Advertise, Request, Reply must be seen by the DHCPv6 Relay agent.

• If you use DHCP relay on an unnumbered interface, you must configure the switch to insert option 82.

• DHCPv6 Prefix Delegation Routes are not generated when Option 14 Rapid Commit is present. A full Solicit, Advertise, Request, Reply sequence is needed to generate an IAPD route.

• The following guidelines and limitations apply to the DHCP client feature:

  • You can configure multiple SVIs, but each interface VLAN should be in a different subnet. The DHCP client feature cannot configure different IP addresses with the same subnet on different interface VLANs on the same device.

  • DHCP client and DHCP relay are not supported on the same switch.

  • DHCP client is not supported for Layer 3 subinterfaces.

  • DHCP client is supported on the Cisco Nexus 9300 Series switches and the Cisco Nexus 9500 Series switches.

  • DHCP client is not supported on Cisco Nexus 9500 platform switches with N9K-X9636C-R, N9K-X9636C-RX, N9K-X9636Q-R, and N9K-X96136YC-R line cards.

• Beginning with Cisco NX-OS Release 9.3(3), DHCP snooping and DHCP relay is supported on Cisco Nexus 9364C-GX, Cisco Nexus 9316D-GX, and Cisco Nexus 93600CD-GX switches.

• Beginning with Cisco NX-OS Release 10.3(1)F, DHCP relay is supported on Cisco Nexus X9836DM-A line card of the Cisco Nexus 9808 switches.

• Beginning with Cisco NX-OS Release 10.4(1)F, DHCP relay is supported on Cisco Nexus X98900CD-A line card of Cisco Nexus 9808 switches.

• Beginning with Cisco NX-OS Release 10.4(1)F, DHCP relay is supported on Cisco Nexus 9804 switches, and Cisco Nexus X98900CD-A and X9836DM-A line cards.

Note	For DHCP configuration limits, see the Cisco Nexus 9000 Series NX-OS Verified Scalability Guide.

This table lists the default settings for DHCP parameters.

To display DHCP configuration information, perform one of the following tasks:

To display IPv6 RA guard statistics, perform one of the following tasks:

The following example shows sample statistics:

switch# show ipv6 raguard statistics
-------------------------------------
Interface     Rx         Drops
------------- ---------- ------------
Ethernet1/53  4561102    4561102

Use the show ip dhcp snooping binding [ip-address | mac-address | dynamic | static | vlan vlan-id | interface interface-type interface-number] command to display all entries from the DHCP snooping binding database.

MacAddress        IpAddress LeaseSec Type   VLAN Interface 
----------------- --------- -------- ------ ---- ------------ 
0f:00:60:b3:23:33 10.3.2.2  infinite static 13   Ethernet2/46 
0f:00:60:b3:23:35 10.2.2.2  infinite static 100  Ethernet2/10 

Use the clear ip dhcp snooping binding command to clear all entries from the DHCP snooping binding database.

Use the clear ip dhcp snooping binding interface ethernet slot/port command to clear entries associated with a specific Ethernet interface from the DHCP snooping binding database.

Use the clear ip dhcp snooping binding interface port-channel channel-number command to clear entries associated with a specific port-channel interface from the DHCP snooping binding database.

Use the clear ip dhcp snooping binding vlan vlan-id [mac mac-address ip ip-address interface {ethernet slot /port | port-channel channel-number}] command to clear a single specific VLAN entry from the DHCP snooping binding database.

Use the show ip dhcp snooping statistics command to monitor DHCP snooping.

Use the show ip dhcp relay statistics [interface interface] command to monitor DHCP relay statistics at the global or interface level.

Use the show ipv6 dhcp relay statistics [interface interface] command to monitor DHCPv6 relay statistics at the global or interface level.

Use the clear ip dhcp snooping statistics [vlan vlan-id] command to clear the DHCP snooping statistics.

Use the clear ip dhcp relay statistics command to clear the global DHCP relay statistics.

Use the clear ip dhcp relay statistics interface interface command to clear the DHCP relay statistics for a particular interface.

Use the clear ip dhcp global statistics command to clear the DHCP statistics globally.

Use the clear ipv6 dhcp relay statistics command to clear the global DHCPv6 relay statistics.

Use the clear ipv6 dhcp relay statistics interface interface command to clear the DHCPv6 relay statistics for a particular interface.

The following clear commands clears binding and corresponding IPv6 route as well.

In typical vPC environment, clearing DHCPv6-PD binding at vPC peer switch will clear binding along with corresponding IPv6 route at other vPC peer switch.

Use the clear ipv6 dhcp relay prefix-delegation all command to clear all entries in the DHCPv6-PD binding.

Use the clear ipv6 dhcp relay prefix-delegation client command to clear Client's IPv6 address entries in the DHCPv6-PD binding.

Use the clear ipv6 dhcp relay prefix-delegation interface command to clear entries associated with a specific interface in the DHCPv6-PD binding.

Note	Post valid PD entry clearing through CLI, no further PD entry and route learning with Renew/Rebind packet.

This example shows how to enable DHCP snooping on two VLANs, with Option 82 support enabled and Ethernet interface 2/5 trusted because the DHCP server is connected to that interface:

feature dhcp 
ip dhcp snooping 
ip dhcp snooping information option

interface ethernet 2/5
  ip dhcp snooping trust 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 50

This example shows how to enable the DHCP relay agent and configure the DHCP server IP address for Ethernet interface 2/3, where the DHCP server IP address is 10.132.7.120 and the DHCP server is in the VRF instance named red:

feature dhcp
ip dhcp relay 
ip dhcp relay information option
ip dhcp relay information option vpn

interface ethernet 2/3
  ip dhcp relay address 10.132.7.120 use-vrf red

This example shows how to enable and use the DHCP smart relay agent. In this example, the device forwards the DHCP broadcast packets received on Ethernet interface 2/2 to the DHCP server (10.55.11.3), inserting 192.168.100.1 in the giaddr field. If the DHCP server has a pool configured for the 192.168.100.0/24 network, it responds. If the server does not respond, the device sends two more requests using 192.168.100.1 in the giaddr field. If the device still does not receive a response, it starts using 172.16.31.254 in the giaddr field instead.

feature dhcp
ip dhcp relay
ip dhcp smart-relay global

interface ethernet 2/2
		ip address 192.168.100.1/24
		ip address 172.16.31.254/24 secondary
		ip dhcp relay address 10.55.11.3

The following example shows how the DHCP client feature can be used to assign an IPv4 address to a VLAN interface:

switch# configure terminal
switch(config)# interface vlan 7
switch(config-if)# no shutdown
switch(config-if)# ip address dhcp
switch(config-if)# show running-config interface vlan 7
interface Vlan7
no shutdown
ip address dhcp