Configuring DHCP Snooping
This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping, and includes the following sections:
•Information About DHCP Snooping
•Prerequisites for DHCP Snooping
•Guidelines and Limitations
•Configuring DHCP Snooping
•Verifying DHCP Snooping Configuration
•Monitoring DHCP Snooping
•Example Configuration for DHCP Snooping
•Default Settings
•Additional References
•Feature History for DHCP Snooping
Information About DHCP Snooping
DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers by doing the following:
•Validates DHCP messages received from untrusted sources and filters out invalid response messages from DHCP servers.
•Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
•Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
Dynamic ARP inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping binding database. For more information about these features, see Chapter 13, "Configuring Dynamic ARP Inspection" and Chapter 14, "Configuring IP Source Guard."
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
This section includes the following topics:
•Trusted and Untrusted Sources
•DHCP Snooping Binding Database
Trusted and Untrusted Sources
DHCP snooping identifies ports as trusted or untrusted. When the feature is enabled, by default all vEthernet ports are untrusted, and all Ethernet ports (uplinks), port channels, and special vEthernet ports (used by other features, such as VSD, for their operation) are trusted. You can configure whether DHCP snooping trusts a traffic source.
In an enterprise network, a trusted source is a device that is under your administrative control. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.
In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.
In the Cisco Nexus 1000V, you indicate that a source is trusted by configuring the trust state of its connecting interface. Uplink ports, as defined with the uplink capability on port profiles, are trusted and cannot be configured to be untrusted. This restriction prevents the uplink from being shut down for not conforming to rate limits or DHCP responses.
You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network or if the administrator is running the DHCP server in a VM. You usually do not configure host port interfaces as trusted.
Note For DHCP snooping to function properly, all DHCP servers must be connected to the device through trusted interfaces.
DHCP Snooping Binding Database
Using information extracted from intercepted DHCP messages, DHCP snooping dynamically builds and maintains a database on each VEM. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.
Note The DHCP snooping binding database is also referred to as the DHCP snooping binding table.
DHCP snooping updates the database when the device receives specific DHCP messages. For example, the feature adds an entry to the database when the device receives a DHCPACK message from the server. The feature removes the entry from the database when the IP address lease expires or when the device receives a DHCPRELEASE or DHCPDECLINE from the DHCP client or a DHCPNAK from the DHCP server.
Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.
You can remove dynamically added entries from the binding database by using the clear ip dhcp snooping binding command. For more information, see the "Clearing the DHCP Snooping Binding Database" section.
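The following model shows the decisions described above (server messages only from trusted ports, the binding table built from DHCPACK and torn down on RELEASE, DECLINE or NAK, and the MAC address verification and per-port rate limit configured later in this chapter) running over a constructed exchange. It is an illustration added here, not Cisco code; the port names, MAC addresses and IP addresses are constructed.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only valid from a trusted port


@dataclass
class Port:
    name: str
    trusted: bool = False   # vEthernet ports default to untrusted, uplinks to trusted
    rate_limit: int = 0     # DHCP packets allowed per window; 0 means no limit
    seen: int = 0           # packets counted in the current window
    errdisabled: bool = False


@dataclass
class Snooper:
    vlans: set                                    # VLANs with DHCP snooping enabled
    verify_mac: bool = True                       # 'ip dhcp snooping verify mac-address'
    bindings: dict = field(default_factory=dict)  # chaddr -> {ip, vlan, port}
    pending: dict = field(default_factory=dict)   # chaddr -> untrusted port awaiting ACK

    def process(self, port, vlan, src_mac, msg, chaddr, yiaddr=None):
        """Apply the snooping checks to one DHCP packet; return 'forward' or a drop reason."""
        if port.errdisabled:
            return "drop: port is error-disabled"
        if vlan not in self.vlans:
            return "forward"                      # snooping not enabled on this VLAN
        if port.rate_limit:
            port.seen += 1
            if port.seen > port.rate_limit:       # 'ip dhcp snooping limit rate' exceeded
                port.errdisabled = True
                return "drop: rate limit exceeded, port error-disabled"
        if port.trusted:                          # server side: binding table follows the lease
            if msg == "DHCPACK" and chaddr in self.pending:
                self.bindings[chaddr] = {"ip": yiaddr, "vlan": vlan, "port": self.pending.pop(chaddr)}
            elif msg == "DHCPNAK":
                self.bindings.pop(chaddr, None)
            return "forward"
        if msg in SERVER_MSGS:                    # rogue server on an untrusted port
            return "drop: server message on untrusted port"
        if self.verify_mac and src_mac.lower() != chaddr.lower():
            return "drop: source MAC does not match client hardware address"
        if msg in ("DHCPRELEASE", "DHCPDECLINE"):
            self.bindings.pop(chaddr, None)
        else:                                     # DISCOVER/REQUEST: remember the client port
            self.pending[chaddr] = port.name
        return "forward"


def demo():
    """Constructed exchange: DHCP server behind a trusted uplink, VMs on untrusted vEthernet ports."""
    snoop = Snooper(vlans={100})
    uplink = Port("Ethernet3/1", trusted=True)
    vm = Port("Vethernet3", rate_limit=30)
    rogue = Port("Vethernet7")
    log = [
        snoop.process(vm, 100, "00:50:56:aa:00:01", "DHCPREQUEST", "00:50:56:aa:00:01"),
        snoop.process(uplink, 100, "00:50:56:ff:00:01", "DHCPACK", "00:50:56:aa:00:01", "10.1.100.20"),
        snoop.process(rogue, 100, "00:50:56:bb:00:01", "DHCPOFFER", "00:50:56:aa:00:01", "10.1.100.99"),
        snoop.process(rogue, 100, "00:50:56:bb:00:01", "DHCPDISCOVER", "00:50:56:cc:00:01"),
    ]
    return snoop, log
```

Lease expiry is not modelled; a real VEM also ages bindings out when the lease time in the entry runs out.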
High Availability
The DHCP snooping binding table and all database entries created on the VEM are exported to the VSM and are persistent across VSM reboots.
Prerequisites for DHCP Snooping
DHCP snooping has the following prerequisites:
•You must be familiar with DHCP to configure DHCP snooping.
Guidelines and Limitations
DHCP snooping has the following configuration guidelines and limitations:
•A DHCP snooping database is stored on each VEM and can contain up to 1024 bindings.
•For seamless DHCP snooping, Virtual Service Domain (VSD) service VM ports are trusted ports by default. If you configure these ports as untrusted, this setting is ignored.
•If the VSM uses the VEM for connectivity (that is, the VSM has its VSM AIPC, management, and inband ports on a particular VEM), these virtual Ethernet interfaces must be configured as trusted interfaces.
•The connecting interfaces on a device upstream from the Cisco Nexus 1000V must be configured as trusted if DHCP snooping is enabled on the device.
Configuring DHCP Snooping
This section includes the following topics:
•Minimum DHCP Snooping Configuration
•Enabling or Disabling DHCP Snooping Globally
•Enabling or Disabling DHCP Snooping on a VLAN
•Enabling or Disabling DHCP Snooping MAC Address Verification
•Configuring an Interface as Trusted or Untrusted
•Configuring the Rate Limit for DHCP Packets
•Enabling or Disabling DHCP Error-Disabled Detection
•Enabling or Disabling DHCP Error-Disabled Recovery
•Clearing the DHCP Snooping Binding Database
•Verifying DHCP Snooping Configuration
Minimum DHCP Snooping Configuration
The minimum configuration for DHCP snooping is as follows:
Step 1 Enable DHCP snooping globally. For more information, see the "Enabling or Disabling DHCP Snooping Globally" section.
Step 2 Enable DHCP snooping on at least one VLAN. For more information, see the "Enabling or Disabling DHCP Snooping on a VLAN" section.
By default, DHCP snooping is disabled on all VLANs.
Step 3 Ensure that the DHCP server is connected to the device using a trusted interface. For more information, see the "Configuring an Interface as Trusted or Untrusted" section.
Enabling or Disabling DHCP Snooping Globally
Use this procedure to enable or disable DHCP snooping globally.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•By default, DHCP snooping is globally disabled.
•If DHCP snooping is globally disabled, all DHCP snooping stops and no DHCP messages are relayed.
•If you configure DHCP snooping and then globally disable it, the remaining configuration is preserved.
SUMMARY STEPS
1. config t
2. [no] ip dhcp snooping
3. show running-config dhcp
4. copy running-config startup-config
DETAILED STEPS
Step 1: config t
  Example:
    n1000v# config t
    n1000v(config)#
  Purpose: Enters global configuration mode.
Step 2: [no] ip dhcp snooping
  Example:
    n1000v(config)# ip dhcp snooping
  Purpose: Enables DHCP snooping globally. The no option disables DHCP snooping but preserves an existing DHCP snooping configuration.
Step 3: show running-config dhcp
  Example:
    n1000v(config)# show running-config dhcp
  Purpose: Shows the DHCP snooping configuration.
Step 4: copy running-config startup-config
  Example:
    n1000v(config)# copy running-config startup-config
  Purpose: (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
Enabling or Disabling DHCP Snooping on a VLAN
Use this procedure to enable or disable DHCP snooping on one or more VLANs.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•By default, DHCP snooping is disabled on all VLANs.
SUMMARY STEPS
1. config t
2. [no] ip dhcp snooping vlan vlan-list
3. show running-config dhcp
4. copy running-config startup-config
DETAILED STEPS
Step 1: config t
  Example:
    n1000v# config t
    n1000v(config)#
  Purpose: Enters global configuration mode.
Step 2: [no] ip dhcp snooping vlan vlan-list
  Example:
    n1000v(config)# ip dhcp snooping vlan 100,200,250-252
  Purpose: Enables DHCP snooping on the VLANs specified by vlan-list. The no option disables DHCP snooping on the VLANs specified.
Step 3: show running-config dhcp
  Example:
    n1000v(config)# show running-config dhcp
  Purpose: Shows the DHCP snooping configuration.
Step 4: copy running-config startup-config
  Example:
    n1000v(config)# copy running-config startup-config
  Purpose: (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
Enabling or Disabling DHCP Snooping MAC Address Verification
Use this procedure to enable or disable DHCP snooping MAC address verification. If the device receives a packet on an untrusted interface and the source MAC address and the DHCP client hardware address do not match, address verification causes the device to drop the packet.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•MAC address verification is enabled by default.
SUMMARY STEPS
1. config t
2. [no] ip dhcp snooping verify mac-address
3. show running-config dhcp
4. copy running-config startup-config
DETAILED STEPS
Step 1: config t
  Example:
    n1000v# config t
    n1000v(config)#
  Purpose: Enters global configuration mode.
Step 2: [no] ip dhcp snooping verify mac-address
  Example:
    n1000v(config)# ip dhcp snooping verify mac-address
  Purpose: Enables DHCP snooping MAC address verification. The no option disables MAC address verification.
Step 3: show running-config dhcp
  Example:
    n1000v(config)# show running-config dhcp
  Purpose: Shows the DHCP snooping configuration.
Step 4: copy running-config startup-config
  Example:
    n1000v(config)# copy running-config startup-config
  Purpose: (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
Configuring an Interface as Trusted or Untrusted
Use this procedure to configure whether a virtual interface is a trusted or untrusted source of DHCP messages. You can configure DHCP trust on the following:
•Layer 2 vEthernet interfaces
•Port Profiles for Layer 2 vEthernet interfaces
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•By default, vEthernet interfaces are untrusted. The only exception is the special vEthernet ports used by other features such as VSD, which are trusted.
•Ensure that the vEthernet interface is configured as a Layer 2 interface.
•For DHCP snooping, DAI, and IP Source Guard, Virtual Service Domain (VSD) service VM ports are trusted ports by default. If you configure these ports as untrusted, this setting is ignored.
SUMMARY STEPS
1. config t
2. interface vethernet interface-number
   or
   port-profile profilename
3. [no] ip dhcp snooping trust
4. show running-config dhcp
5. copy running-config startup-config
DETAILED STEPS
Step 1: config t
  Example:
    n1000v# config t
    n1000v(config)#
  Purpose: Enters global configuration mode.
Step 2: interface vethernet interface-number
  Example:
    n1000v(config)# interface vethernet 3
    n1000v(config-if)#
  Purpose: Enters interface configuration mode, where interface-number is the vEthernet interface that you want to configure as trusted or untrusted for DHCP snooping.
  or: port-profile profilename
  Example:
    n1000v(config)# port-profile vm-data
    n1000v(config-port-prof)#
  Purpose: Enters port profile configuration mode for the specified port profile, where profilename is a unique name of up to 80 characters.
Step 3: [no] ip dhcp snooping trust
  Example:
    n1000v(config-if)# ip dhcp snooping trust
  Purpose: Configures the interface as a trusted interface for DHCP snooping. The no option configures the port as an untrusted interface.
Step 4: show running-config dhcp
  Example:
    n1000v(config-if)# show running-config dhcp
  Purpose: Shows the DHCP snooping configuration.
Step 5: copy running-config startup-config
  Example:
    n1000v(config-if)# copy running-config startup-config
  Purpose: (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
Configuring the Rate Limit for DHCP Packets
Use this procedure to configure a rate limit for DHCP packets received on each port.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•Ports that exceed the rate limit you configure here are put into an errdisable state.
SUMMARY STEPS
1. config t
2. interface vethernet interface-number
   or
   port-profile profilename
3. [no] ip dhcp snooping limit rate rate
4. show running-config dhcp
5. copy running-config startup-config
DETAILED STEPS
Step 1: config t
  Example:
    n1000v# config t
    n1000v(config)#
  Purpose: Enters global configuration mode.
Step 2: interface vethernet interface-number
  Example:
    n1000v(config)# interface vethernet 3
    n1000v(config-if)#
  Purpose: Enters interface configuration mode, where interface-number is the vEthernet interface on which you want to rate limit DHCP packets.
  or: port-profile profilename
  Example:
    n1000v(config)# port-profile vm-data
    n1000v(config-port-prof)#
  Purpose: Enters port profile configuration mode for the specified port profile, where profilename is a unique name of up to 80 characters.
Step 3: [no] ip dhcp snooping limit rate rate
  Example:
    n1000v(config-if)# ip dhcp snooping limit rate 30
  Purpose: Configures the rate limit for DHCP packets received on the port. The no option removes this configuration.
Step 4: show running-config dhcp
  Example:
    n1000v(config-if)# show running-config dhcp
  Purpose: Shows the DHCP snooping configuration.
Step 5: copy running-config startup-config
  Example:
    n1000v(config-if)# copy running-config startup-config
  Purpose: (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
Enabling or Disabling DHCP Error-Disabled Detection
Use this procedure to enable or disable error-disabled detection for ports exceeding the DHCP rate limit.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•Ports that exceed the configured rate limit are put into an errdisable state.
•You must enter the shutdown command and then the no shutdown command to recover an interface manually from the error-disabled state.
SUMMARY STEPS
1. config t
2. [no] errdisable detect cause dhcp-rate-limit
3. show running-config dhcp
4. copy running-config startup-config
DETAILED STEPS
Step 1: config t
  Example:
    n1000v# config t
    n1000v(config)#
  Purpose: Enters global configuration mode.
Step 2: [no] errdisable detect cause dhcp-rate-limit
  Example:
    n1000v(config)# errdisable detect cause dhcp-rate-limit
  Purpose: Enables DHCP error-disabled detection. The no option disables DHCP error-disabled detection.
Step 3: show running-config dhcp
  Example:
    n1000v(config)# show running-config dhcp
  Purpose: Shows the DHCP snooping configuration.
Step 4: copy running-config startup-config
  Example:
    n1000v(config)# copy running-config startup-config
  Purpose: (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
Enabling or Disabling DHCP Error-Disabled Recovery
Use this procedure to enable or disable error-disabled recovery for ports exceeding the DHCP rate limit.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
•Ports that exceed the configured rate limit are put into an errdisable state.
•You must enter the shutdown command and then the no shutdown command to recover an interface manually from the error-disabled state.
SUMMARY STEPS
1. config t
2. [no] errdisable recovery cause dhcp-rate-limit
3. errdisable recovery interval timer-interval
4. show running-config dhcp
5. copy running-config startup-config
DETAILED STEPS
Step 1: config t
  Example:
    n1000v# config t
    n1000v(config)#
  Purpose: Enters global configuration mode.
Step 2: [no] errdisable recovery cause dhcp-rate-limit
  Example:
    n1000v(config)# errdisable recovery cause dhcp-rate-limit
  Purpose: Enables DHCP error-disabled recovery. The no option disables DHCP error-disabled recovery.
Step 3: errdisable recovery interval timer-interval
  Example:
    n1000v(config)# errdisable recovery interval 30
  Purpose: Sets the DHCP error-disabled recovery interval, where timer-interval is the number of seconds (30-65535).
Step 4: show running-config dhcp
  Example:
    n1000v(config)# show running-config dhcp
  Purpose: Shows the DHCP snooping configuration.
Step 5: copy running-config startup-config
  Example:
    n1000v(config)# copy running-config startup-config
  Purpose: (Optional) Saves the running configuration persistently through reboots and restarts by copying it to the startup configuration.
Clearing the DHCP Snooping Binding Database
Use this procedure to remove all entries from the DHCP snooping binding database.
BEFORE YOU BEGIN
Before beginning this procedure, you must know or do the following:
•You are logged in to the CLI in EXEC mode.
SUMMARY STEPS
1. clear ip dhcp snooping binding
2. show ip dhcp snooping binding
DETAILED STEPS
Step 1: clear ip dhcp snooping binding
  Example:
    n1000v# clear ip dhcp snooping binding
  Purpose: Clears dynamically added entries from the DHCP snooping binding database.
Step 2: show ip dhcp snooping binding
  Example:
    n1000v# show ip dhcp snooping binding
  Purpose: Displays the DHCP snooping binding database.
Verifying DHCP Snooping Configuration
To display DHCP snooping configuration information, use the following commands:
show running-config dhcp: Displays the DHCP snooping configuration.
show ip dhcp snooping: Displays general information about DHCP snooping.
show ip dhcp snooping binding: Displays the DHCP snooping binding database.
For detailed information about the fields in the output from these commands, see the Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(2).
Monitoring DHCP Snooping
Use the show ip dhcp snooping statistics command to display DHCP snooping statistics. For detailed information about the fields in the output from this command, see the Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(2).
Example Configuration for DHCP Snooping
This example shows how to enable DHCP snooping on two VLANs, with vEthernet interface 5 trusted because the DHCP server is connected to that interface:
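The listing itself did not survive on this page. The following session is reconstructed here from the procedures in this chapter (it is not the guide's own listing) and assumes VLANs 100 and 200 as the two VLANs and vEthernet 5 as the interface facing the DHCP server:

```text
n1000v# config t
n1000v(config)# ip dhcp snooping
n1000v(config)# ip dhcp snooping vlan 100,200
n1000v(config)# interface vethernet 5
n1000v(config-if)# ip dhcp snooping trust
n1000v(config-if)# exit
n1000v(config)# show running-config dhcp
n1000v(config)# show ip dhcp snooping binding
n1000v(config)# copy running-config startup-config
```

MAC address verification stays at its default (enabled), so no verify mac-address command is needed; the two show commands confirm the VLAN list and trust state before the configuration is saved.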
Default Settings
Table 12-1 lists the defaults for DHCP snooping.
Table 12-1 Default DHCP Snooping Parameters
Parameter: DHCP snooping globally enabled
Default: No
Parameter: DHCP snooping VLAN
Default: Disabled
Parameter: DHCP snooping MAC address verification
Default: Enabled
Parameter: DHCP snooping trust
Default: Trusted for Ethernet interfaces, port channels, and the vEthernet interfaces used by the VSD feature. Untrusted for vEthernet interfaces not participating in the VSD feature.
Additional References
For additional information related to implementing DHCP snooping, see the following sections:
•Related Documents
•Standards
Related Documents
Related Topic: IP Source Guard
Document Title: Cisco Nexus 1000V Security Configuration Guide, Release 4.0(4)SV1(2), Chapter 14, "Configuring IP Source Guard"
Related Topic: Dynamic ARP Inspection
Document Title: Cisco Nexus 1000V Security Configuration Guide, Release 4.0(4)SV1(2), Chapter 13, "Configuring Dynamic ARP Inspection"
Related Topic: DHCP snooping commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
Document Title: Cisco Nexus 1000V Command Reference, Release 4.0(4)SV1(2)
Standards
Feature History for DHCP Snooping
Table 12-2 lists the release history for this feature.
Table 12-2 Feature History for DHCP Snooping
Feature Name: DHCP snooping
Release: 4.0(4)SV1(2)
Feature Information: This feature was introduced.