Cisco Nexus 9000 Series NX-OS VXLAN Configuration Guide, Release 10.5(x)
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
First Hop Security (FHS) is an access security feature that provides security to the network at the access (where the host
attaches to the first switch in the network). The Dot1x, port-security and DHCP Snooping are examples of access security features.
Together, these security features authorize and authenticate the host and thereby protect the network by ensuring that only
legitimate hosts are allowed to use the network.
DHCP Snooping on VXLAN Topology
In a VXLAN fabric, the host can be attached to an interface on one VTEP, while the DHCP server can be attached to an interface
on a different VTEP.
As shown in the figure, the host H1 is attached to VTEP1, while the DHCP server is attached to VTEP3.
The host and the DHCP server exchange a set of messages as part of this host IP assignment procedure. These are popularly
known as Discover-Offer-Request-Ack (DORA) exchange messages.
The DORA exchange, for a particular host (H1), must now be sent over the VXLAN fabric to reach remote DHCP servers (VTEP3).
VTEP3 checks that the “Offer” and “Ack” messages (that are part of a DORA sequence) and coming from the DHCP server, are received
on a Trusted Interface on VTEP3.
Upon completion of the DORA exchange, the VTEP1 creates a “DHCP snooping DB” entry. This DB contains the MAC-address of the
host, the IP-address assigned to the host by the DHCP server, VLAN, and other details like the “lease time”. The major driving
part of this feature is that the snooping DB entry created on VTEP1 for host (H1) as a "Local snooping DB entry" is also propagated
to remote VTEPs using BGP-EVPN and will be seen as "Remote snooping DB entry" for host (H1). Thus this DHCP snooping DB will
be seen as a "Distributed DB" across the VTEPs and the snooping entries will be in sync with all VTEPs.
For use-cases where the IP address assignment to the host is predefined, the snooping DB entry can be configured using the
ip source bindingip addressvlanvlan-idinterfaceinterface command. Snooping entries added through this command are referred as static entries and even these are also distributed across
all VTEPs.
The Distributed DHCP Snooping DB is used as follows:
To validate ARPs/GARPs sent from the host using DAI - This ensures that any spoofing of the ARP/GARP using different host
credentials, and consequent malicious-ARP-storm in the network, is prevented.
In a VXLAN environment, we must account for host-move. Since the DHCP Snooping DB is replicated across the fabric, DAI can
now work across the fabric after the host-move also. Thus, the control plane is protected in a VXLAN environment.
Note
If there is no matching entry in the DB, the ARP/GARP will be dropped.
To validate the data-plane traffic from the host using IPSG. This validates the data-traffic and prevents malicious hosts
from sending data traffic to the network.
The DHCP snooping entry is replicated across the fabric. Only local DHCP clients for that VTEP are programmed in the IPSG.
The local DHCP clients are identified with anchor flag set to true in the DHCP snooping table. If a host moves to a different
VTEP and settles down, IPSG has to reprogram the client behind the new VTEP to validate the data-traffic. On the old VTEP,
IPSG has to remove this DHCP client. The anchor flag will change accordingly. The host move is triggered by the receipt of
an ARP request from the host which is received on the new VTEP that the host moved to.
Guidelines and Limitations for DHCP Snooping on VXLAN
DHCP Snooping on VXLAN feature has the following configuration guidelines and limitations:
Beginning with Cisco NX-OS Release 10.4(1)F, DHCP snooping and associated features such as Dynamic ARP Inspection (DAI) and
IP Source Guard (IPSG) support is extended to VXLAN fabric on Cisco Nexus 9300-EX/FX/FX2/FX3/GX/GX2 platform switches and
Cisco Nexus 9500 switches with 9700-EX/FX/GX line cards.
Beginning with Cisco NX-OS Release 10.4(2)F, First Hop Security feature is supported on Cisco Nexus 9332D-H2R, and 93400LD-H1
switches.
Beginning with Cisco NX-OS Release 10.4(3)F, First Hop Security feature is supported on Cisco Nexus 9364C-H1 switches.
Beginning with Cisco NX-OS Release 10.5(2)F, First Hop Security feature is supported on Cisco Nexus 9500 Series switches with
N9K-X9736C-FX3 line card.
Ensure that the DHCP snooping, DAI and IPSG together are enabled on all VTEPs.
Note
DAI and IPSG depend on DHCP snooping. DHCP snooping creates the snooping DB and this DB is used by DAI and IPSG.
Only IPv4 multicast underlay is supported. However, IPv4 ingress replication underlay, IPv6 ingress replication underlay and
IPv6 multicast underlay are not supported.
Only IPv4 DHCP hosts is supported.
The host-move is indicated by ARP/GARP/RARP receipt. In case of RARP (which contains MAC info alone), VTEPs start ARP Refreshes
for the IPs learned against MAC. Hence, essentially, ARP-GARP is the trigger for host-move and not any other data packet.
For vPC VTEPs, only physical MCT is supported.
This feature cannot coexist with FabricPath to VXLAN migration feature and counter ACL (CNT ACL) feature.
In the ingress SUP region, the TCAM must be carved out to 768 entries instead of the default 512 entries to set up the ingress
ACLs using the hardware access-list tcam region ing-sup command. Reload of a switch is required for the TCAM carving changes to reflect.
If an I/O module lacks the resources required for an atomic update, you can disable atomic updates by using the no hardware access-list update atomic command; however, during the brief time required for the device to remove the preexisting ACL and implement the updated ACL,
traffic that the ACL applies to is dropped by default.
If you want to permit all traffic that an ACL applies to while it receives a nonatomic update, use the hardware access-list update default-result permit command.
In case of multisite and with vPC BGW, if DHCP snooping is enabled on the vPC BGW, ensure that DHCP clients and DHCP servers
are on same sites.
Note
DHCP snooping needs to be enabled (on a VTEP) for the VLAN belonging to the DHCP host that must avail the DHCP service.
All the VLANs serviced by the DHCP server in the fabric should be enabled with DHCP snooping on all the VTEPs of the fabric.
The DHCP server cannot be deployed behind the EoR.
On vPC nodes, static DHCP snooping is supported only with vPC port-channel ports and not with orphan ports.
Prerequisites for DHCP Snooping
DHCP has the following prerequisites:
You should be familiar with DHCP before you configure DHCP snooping or the DHCP relay agent.
Make sure that the DHCP Snooping, DAI and IPSG features are enabled together on a leaf VTEP.
Enabling DHCP Snooping on VXLAN
You can enable or disable DHCP snooping on a single-box feature or enable this feature for a VLAN for the entire fabric. By
default, DHCP snooping is disabled on all VLANs.
Before you begin
Make sure that the DHCP feature is enabled.
Make sure that the nv overlay evpn command is configured.
Make sure that the DHCP Snooping, DAI and IPSG features are enabled. For more information see Prerequisites for DHCP Snooping section.
Make sure that DHCP snooping and DAI are enabled on all the VXLAN nodes. For more information on configuration, see Configuring DHCP Snooping section of Cisco Nexus 9000 Series NX-OS Security Configuration Guide.
Make sure that DHCP snooping trust and ARP inspection trust are enabled on interfaces connected to the DHCP server nodes.
For more information on configuration, see Configuring DHCP Snooping section of Cisco Nexus 9000 Series NX-OS Security Configuration Guide.
Make sure that IP Source Guard is enabled on the interfaces connected to the DHCP client nodes. For more information on configuration,
see Configuring DHCP Snooping section of Cisco Nexus 9000 Series NX-OS Security Configuration Guide.
SUMMARY STEPS
configure terminal
[no] ipdhcp snooping vlanvlan-listevpn
(Optional)
showrunning-config dhcp
(Optional)
copy running-config startup-config
DETAILED STEPS
Command or Action
Purpose
Step 1
configure terminal
Example:
switch# configure terminal
switch(config)#
Enters global configuration mode.
Step 2
[no] ipdhcp snooping vlanvlan-listevpn
Example:
switch(config)# ip dhcp snooping vlan 100,200,250-252 evpn
Enables DHCP snooping on the VLANs specified by vlan-list.
Beginning with Cisco NX-OS Release 10.4(1)F, the evpn option is provided to support host move to other interfaces on the same VTEP or other VTEPs
Note
When we enable this feature with the evpn option, the nve will be implicitly added as a trusted interface.
We can have one vlan-list-1 with evpn keyword and another vlan-list-2 with no evpn keyword.
The no form of this command disables DHCP snooping on the VLANs specified.
Copies the running configuration to the startup configuration.
Clearing the Duplicate Host After Permanent Freeze
The mobility and duplicate detection logic for DHCP clients in FHS enabled VTEPs is same as BGP EVPN mobility and duplicate
detection logic. However duplicate detection may happen in any of the VTEPs in non-FHS deployments. In the FHS deployments,
the host duplicate will be detected always on a VTEP where DHCP binding entry is remote.
Once the MAC or MAC-IP is permanently frozen, there is no auto recovery mechanism to re-initiate mobility or duplicate check
sequences. To clear MAC and MAC-IP permanent freeze state, use the following commands:
For MAC:
clear l2route evpn mac [mac-address] [topo] permanently-frozen-list
The following example shows sample output for the show l2route fhs command:
switch(config)# show l2route fhs all
Flags - (Stt):Static (Dyn):Dynamic (R):Remote
Topo ID Mac Address Host IP Prod Flags Seq No Next-Hops
---- -- ---- ----------- ------------------ ---------- ----------- ------------ -------------
2001 0015.0600.0001 100.1.150.156 DHCP_DYNAMIC Dyn, 0 Eth1/31
2001 0017.0600.0001 100.1.150.155 BGP Dyn,R, 0 1.13.13.13 (Label: 0)
switch(config)#
The following example shows DHCP configurations for a VTEP with DHCP clients:
feature dhcp
service dhcp
ip dhcp snooping
ip dhcp snooping vlan 2001-2002 evpn
ip arp inspection vlan 2001-2002
interface Ethernet1/31
ip verify source dhcp-snooping-vlan
The following example shows DHCP configurations for a VTEP with DHCP server:
feature dhcp
service dhcp
ip dhcp snooping
ip dhcp snooping vlan 2001-2002 evpn
ip arp inspection vlan 2001-2002
interface Ethernet1/47
ip dhcp snooping trust
ip arp inspection trust