Cisco Nexus 5500 Series NX-OS Security Configuration Guide, Release 6.x

Information About DHCP Snooping

DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:

Validates DHCP messages received from untrusted sources and filters out invalid messages.
Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.

Feature Enabled and Globally Enabled

When you are configuring DHCP snooping, it is important that you understand the difference between enabling the DHCP snooping feature and globally enabling DHCP snooping.

Feature Enablement

The DHCP snooping feature is disabled by default. When the DHCP snooping feature is disabled, you cannot configure it or any of the features that depend on DHCP snooping. The commands to configure DHCP snooping and its dependent features are unavailable when DHCP snooping is disabled.

When you enable the DHCP snooping feature, the switch begins building and maintaining the DHCP snooping binding database. Features dependent on the DHCP snooping binding database can now make use of it and can therefore also be configured.

Enabling the DHCP snooping feature does not globally enable it. You must separately enable DHCP snooping globally.

Disabling the DHCP snooping feature removes all DHCP snooping configuration from the switch. If you want to disable DHCP snooping and preserve the configuration, globally disable DHCP snooping but do not disable the DHCP snooping feature.

Global Enablement

After DHCP snooping is enabled, DHCP snooping is globally disabled by default. Global enablement is a second level of enablement that allows you to have separate control of whether the switch is actively performing DHCP snooping that is independent from enabling the DHCP snooping binding database.

When you globally enable DHCP snooping, on each untrusted interface of VLANs that have DHCP snooping enabled, the switch begins validating DHCP messages that are received and used the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

When you globally disable DHCP snooping, the switch stops validating DHCP messages and validating subsequent requests from untrusted hosts. It also removes the DHCP snooping binding database. Globally disabling DHCP snooping does not remove any DHCP snooping configuration or the configuration of other features that are dependent upon the DHCP snooping feature.

Trusted and Untrusted Sources

You can configure whether DHCP snooping trusts traffic sources. An untrusted source might initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.

In an enterprise network, a trusted source is a switch that is under your administrative control. These switches include the switches, routers, and servers in the network. Any switch beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.

In a service provider environment, any switch that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.

In a Cisco Nexus device, you indicate that a source is trusted by configuring the trust state of its connecting interface.

The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to switches (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.

Note

For DHCP snooping to function properly, you must connect all DHCP servers to the switch through trusted interfaces.

DHCP Snooping Binding Database

Using information extracted from intercepted DHCP messages, DHCP snooping dynamically builds and maintains a database. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts that are connected through trusted interfaces.

Note

The DHCP snooping binding database is also referred to as the DHCP snooping binding table.

DHCP snooping updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host.

Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

You can remove entries from the binding database by using the clear ip dhcp snooping binding command.

DHCP Snooping Option 82 Data Insertion

DHCP can centrally manage the IP address assignments for a large number of subscribers. When you enable Option 82, the device identifies a subscriber device that connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can connect to the same port on the access device and are uniquely identified.

When you enable Option 82 on the Cisco NX-OS device, the following sequence of events occurs:

The host (DHCP client) generates a DHCP request and broadcasts it on the network.

When the Cisco NX-OS device receives the DHCP request, it adds the Option 82 information in the packet. The Option 82 information contains the device MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption). For hosts behind the port channel, the circuit ID is filled with the if_index of the port channel.

Note

For vPC peer switches, the remote ID suboption contains the vPC switch MAC address, which is unique in both switches. This MAC address is computed with the vPC domain ID. The Option 82 information is inserted at the switch where the DHCP request is first received before it is forwarded to the other vPC peer switch.

The device forwards the DHCP request that includes the Option 82 field to the DHCP server.
The DHCP server receives the packet. If the server is Option 82 capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server echoes the Option 82 field in the DHCP reply.
The DHCP server sends the reply to the Cisco NX-OS device. The Cisco NX-OS device verifies that it originally inserted the Option 82 data by inspecting the remote ID and possibly the circuit ID fields. The Cisco NX-OS device removes the Option 82 field and forwards the packet to the interface that connects to the DHCP client that sent the DHCP request.

If the previously described sequence of events occurs, the following values do not change:

Circuit ID suboption fields
- Suboption type
- Length of the suboption type
- Circuit ID type
- Length of the circuit ID type
Remote ID suboption fields
- Suboption type
- Length of the suboption type
- Remote ID type
- Length of the circuit ID type

Figure 1. Suboption Packet Formats.
This figure shows the packet formats for the remote ID suboption and the circuit ID suboption. The Cisco NX-OS device uses the packet formats when you globally enable DHCP snooping and when you enable Option 82 data insertion and removal. For the circuit ID suboption, the module field is the slot number of the module.

Figure 2. Circuit ID Suboption Frame Format for Regular and vPC Interfaces.
Beginning with Cisco NX-OS Release 6.0(2)N1(2), Option 82 information is used to support a higher DHCP pps scale. These figures show the new default circuit ID format that is used for regular interfaces and vPC interfaces when Option 82 is enabled for DHCP snooping.

DHCP Snooping in a vPC Environment

A virtual port channel (vPC) allows two Cisco NX-OS switches to appear as a single logical port channel to a third switch. The third switch can be a switch, server, or any other networking switch that supports port channels.

In a typical vPC environment, DHCP requests can reach one vPC peer switch and the responses can reach the other vPC peer switch, resulting in a partial DHCP (IP-MAC) binding entry in one switch and no binding entry in the other switch. This issue is addressed by using Cisco Fabric Service over Ethernet (CFSoE) distribution to ensure that all DHCP packets (requests and responses) appear on both switches, which helps in creating and maintaining the same binding entry on both switches for all clients behind the vPC link.

CFSoE distribution also allows only one switch to forward the DHCP requests and responses on the vPC link. In non-vPC environments, both switches forward the DHCP packets.

Synchronizing DHCP Snooping Binding Entries

The dynamic DHCP binding entries should be in sync in the following scenarios:

When the remote vPC is online, all the binding entries for that vPC link should be in sync with the peer.
When DHCP snooping is enabled on the peer switch, the dynamic binding entries for all vPC links that are up remotely should be in sync with the peer.

Packet Validation

The switch validates DHCP packets received on the untrusted interfaces of VLANs that have DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case, the packet is dropped):

The switch receives a DHCP response packet (such as a DHCPACK, DHCPNAK, or DHCPOFFER packet) on an untrusted interface.
The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.

In addition, you can enable strict validation of DHCP packets, which checks the options field of DHCP packets, including the “magic cookie” value in the first four bytes of the options field. By default, strict validation is disabled. When you enable it, by using the ip dhcp packet strict-validation command, if DHCP snooping processes a packet that has an invalid options field, it drops the packet.

Information About the DHCP Relay Agent

DHCP Relay Agent

You can configure the device to run a DHCP relay agent, which forwards DHCP packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface. The relay agent sets the gateway address (giaddr field of the DHCP packet) and, if configured, adds the relay agent information option (Option 82) in the packet and forwards it to the DHCP server. The reply from the server is forwarded back to the client after removing Option 82.

After you enable Option 82, the device uses the binary ifindex format by default. When a device acts as a relay agent and is configured to insert Option 82, the circuit ID is same for all hosts even when they are connected to different ports. You can use the ip dhcp relay sub-option circuit-id customized command to retain the unique circuit ID that is inserted by a client.

Note

When the device relays a DHCP request that already includes Option 82 information, the device forwards the request with the original Option 82 information without altering it.

Note

When you enable the fabric forwarding feature, DHCP relay feature is suspended if the ip dhcp relay information option and ip dhcp relay information option vpn commands are not configured.
In a DFA environment with DHCP Relay, configuring the vpn option is mandatory. After configuring the vpn option, the DHCP server may be placed within the same or different VRF (default or management).

VRF Support for the DHCP Relay Agent

You can configure the DHCP relay agent to forward DHCP broadcast messages from clients in a virtual routing and forwarding (VRF) instance to DHCP servers in a different VRF. By using a single DHCP server to provide DHCP support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF.

Enabling VRF support for the DHCP relay agent requires that you enable Option 82 for the DHCP relay agent.

If a DHCP request arrives on an interface that you have configured with a DHCP relay address and VRF information, and the address of the DCHP server belongs to a network on an interface that is a member of a different VRF, the device inserts Option 82 information in the request and forwards it to the DHCP server in the server VRF. The Option 82 information includes the following:

VPN identifier: Name of the VRF that the interface that receives the DHCP request is a member of.
Link selection: Subnet address of the interface that receives the DHCP request.
Server identifier override: IP address of the interface that receives the DHCP request.

Note

The DHCP server must support the VPN identifier, link selection, and server identifier override options.

When the device receives the DHCP response message, it strips off the Option 82 information and forwards the response to the DHCP client in the client VRF.

DHCP Relay Binding Database

A relay binding is an entity that associates a DHCP or BOOTP client with a relay agent address and its subnet. Each relay binding stores the client MAC address, active relay agent address, active relay agent address mask, logical and physical interfaces to which the client is connected, giaddr retry count, and total retry count. The giaddr retry count is the number of request packets transmitted with that relay agent address, and the total retry count is the total number of request packets transmitted by the relay agent. One relay binding entry is maintained for each DHCP or BOOTP client.

Note

When DHCP smart relay is enabled globally or at the interface level on any switch, the relay bindings on all switches should be synchronized with the vPC peer.

DHCPv6 Relay Agent

You can configure the device to run a DHCPv6 relay agent, which forwards DHCPv6 packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agents receive DHCPv6 messages and then generate a new DHCPv6 message to send out on another interface. The relay agent sets the gateway address (giaddr field of the DHCPv6 packet) and forwards it to the DHCPv6 server.

VRF Support for the DHCPv6 Relay Agent

You can configure the DHCPv6 relay agent to forward DHCPv6 broadcast messages from clients in a virtual routing and forwarding (VRF) instance to DHCPv6 servers in a different VRF. By using a single DHCPv6 server to provide DHCPv6 support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF.

Information About the Lightweight DHCPv6 Relay Agent

Lightweight DHCPv6 Relay Agent

A variety of different link-layer network topologies exist for the aggregation of IPv6 nodes into one or more routers. In Layer 2 aggregation networks (IEEE 802.1D bridging or similar) that have many nodes on a single link, a DHCP Version 6 (DHCPv6) server or DHCP relay agent normally does not recognize how a DHCP client is attached to a network. From Cisco NX-OS Release 7.3(0)N1(1), you can configure the interface of a device to run Lightweight DHCPv6 Relay Agent (LDRA), which forwards DHCPv6 messages between clients and servers.

The LDRA feature is used to insert relay agent options in DHCPv6 message exchanges primarily to identify client-facing interfaces. LDRA resides on the same IPv6 link as the client and a DHCPv6 relay agent or server.

LDRA for VLANs and Interfaces

You can configure LDRA on VLANs and interfaces. LDRA is not enabled by default. To enable LDRA, it should be enabled globally and at the interface level. You should configure the interfaces as client-facing trusted, client-facing untrusted, or server-facing. All client-facing interfaces must be configured as trusted or untrusted. By default, all the client-facing interfaces in LDRA are configured as untrusted. When a client-facing interface is deemed untrusted, LDRA will discard messages of type RELAY-FORWARD, which are received from the client-facing interface.

The LDRA configuration on a VLAN should be configured as client-facing trusted or client-facing untrusted. When you configure LDRA functionality on a VLAN, the functionality is configured on all the ports or interfaces within the VLAN. However, if you configure an interface in a VLAN as client-facing untrusted, and configure the VLAN as client-facing trusted, the configuration of an interface takes precedence over the configuration of a VLAN. At least one interface in a VLAN should be configured as server-facing interface.

Guidelines and Limitations for Lightweight DHCPv6 Relay Agent

Access nodes implementing LDRA do not support IPv6 control or routing.
An interface or port cannot be configured as both client facing and server facing at the same time.
To support virtual port channel, LDRA configuration should be symmetric on the vPC peers.
LDRA supports Cisco Fabricpath.

vIP HSRP Enhancement

The vIP HSRP enhancement provides support for an HSRP VIP configuration to be in a different subnet than that of the interface subnet. This feature is applicable only for IPv4 and not for IPv6. The following are the enhancements:

Enhance ARP to source with VIP from SUP for hosts when hosts in VIP subnet are referenced by static route to VLAN configuration.
Periodic ARP sync support to VPC peer if this feature enabled.
Allow use of the VIP address as L3 source address and gateway address for all communications with DHCP server.
Enhance DHCP relay agent to relay DHCP packets with source as VIP instead of SVI IP when the feature is enabled.

Guidelines and Limitations for DHCP Snooping

Consider the following guidelines and limitations when configuring DHCP snooping:

The DHCP snooping database can store 2000 bindings.
DHCP snooping is not active until you enable the feature, enable DHCP snooping globally, and enable DHCP snooping on at least one VLAN.
Before globally enabling DHCP snooping on the switch, make sure that the switches that act as the DHCP server and the DHCP relay agent are configured and enabled.
If a VLAN ACL (VACL) is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts.
DHCP snooping does not work with DHCP relay configured on the same nexus device.
By default, DHCP bindings are not saved persistently across switch reboots. To maintain persistent bindings across switch reboots, use the copy r s command. When the copy r s command is issued, all bindings that exist at that time are made persistent across switch reboots.
Make sure that the DHCP configuration is synchronized across the switches in a vPC link. Otherwise, a run-time error can occur, resulting in dropped packets.
To use both remote and local DHCP servers, you must configure the DHCP relay feature and either define the unicast address of the local DHCP server or configure a local broadcast address for the subnet where the local DHCP server resides. If you do not define the unicast address of the DHCP server or configure a local broadcast address for the subnet, local DHCP packets cannot be delivered. For example, this situation can occur when you apply an IP DHCP address to an SVI.
When you configure DHCPv6 server addresses on an interface, a destination interface cannot be used with global IPv6 addresses.
In release 6.0(2)N2(1) and later, for DHCPv6 Relay, up to 32 DHCPv6 server addresses can be configured on an interface. However, before downgrading to any release earlier than 6.0(2)N2(1), ensure that the number of server addresses on any interface is less than or equal to 16.
In release 6.0(2)N2(1) and later, for DHCPv4 Relay, up to 32 DHCPv4 server addresses can be configured on an interface. However, before downgrading to any release earlier than 6.0(2)N2(1), ensure that the number of server addresses on any interface is less than or equal to 16.

The following additional guidelines and limitations apply to implementations that include FabricPath:

DHCP snooping should be enabled on CE-Fabric boundary switches.
DHCP snooping is enabled on all access layer switches to secure the network at the access layer.
DHCP does not learn which binding entries are on ports configured in FabricPath mode. DHCP snooping must be manually enabled on all access layer switches.
When Dynamic ARP Inspection (DAI) is enabled, ARP packets received on FabricPath ports are allowed.
IPSG cannot be enabled on ports in FabricPath mode.
All FabricPath ports in the system must be configured as trusted ports.
DHCP snooping with Fabric Path has to be enabled on all of the configured VLANs for a switch. If you do not enable FabricPath for all of the VLANs on the switch, DHCP packets will drop for the VLANs where DHCP has not been enabled.

To ensure that DHCP packets are not dropped, you must complete all of the following configurations:
- Enable the DHCP feature using the feature dhcp command.
- Install the FabricPath feature set using the install feature-set fabricpath and feature-set fabricpath commands
- Globally enable DHCP snooping using the ip dhcp snooping command.
- Enable DHCP snooping for each of the configured VLANs on the switch using the ip dhcp snooping vlan vlan command.

Guidelines and Limitations for the vIP HSRP Enhancement

This feature will work only for HSRP in combination with VPC topologies. In scenarios where HSRP standby is not a VPC pair, this feature will not work, as there will not be periodic adjacency sync support for non-VPC cases.
This feature is applicable only for IPv4 and not for IPv6.
Support for this feature is only for Regular HSRP and not for Anycast HSRP, so this feature will not work if Anycast HSRP is enabled.
SUP generated IP traffic (for example, ping/traceroute/ICMP Error packets) destined for VIP subnets originated from the HSRP Active/Standby box will continue to source with IPv4 SVI interface IP and not the vIP. If you want to explicitly source using the loopback IP for ping/traceroute, you can specify the loopback IP along with the source keyword.
Static ARP configuration for creating entries in VIP subnets is not supported.
DHCP relay agent will always use primary VIP address to communicate with DHCP server. DHCP relay agent does not consider use of secondary VIP addresses as long as primary VIP is available.
DHCP relay agent behavior in case inter-vrf is different and requires use of Option-82 information in DHCP packets. DHCP server and clients will be in the same VRF and use of VIP is not supported for inter-vrf relay.

Default Settings for DHCP Snooping

This table lists the default settings for DHCP snooping parameters.

Table 1. Default DHCP Snooping Parameters
Parameters	Default
DHCP snooping feature	Disabled
DHCP snooping globally enabled	No
DHCP snooping VLAN	None
DHCP snooping Option 82 support	Disabled
DHCP snooping trust	Untrusted
VRF support for the DHCP relay agent	Disabled
VRF support for the DHCPv6 relay agent	Disabled
DHCP relay agent	Disabled
DHCPv6 relay agent	Disabled
DHCPv6 relay option type cisco	Disabled

Minimum DHCP Snooping Configuration

Enable the DHCP snooping feature.

Procedure

	Command or Action	Purpose
Step 1	Enable the DHCP snooping feature.	When the DHCP snooping feature is disabled, you cannot configure DHCP snooping. For details, see Enabling or Disabling the DHCP Snooping Feature.
Step 2	Enable DHCP snooping globally.	For details, see Enabling or Disabling DHCP Snooping Globally.
Step 3	Enable DHCP snooping on at least one VLAN.	By default, DHCP snooping is disabled on all VLANs. For details, see Enabling or Disabling DHCP Snooping on a VLAN.
Step 4	Ensure that the DHCP server is connected to the switch using a trusted interface.	For details, see Configuring an Interface as Trusted or Untrusted.

Enabling or Disabling the DHCP Snooping Feature

You can enable or disable the DHCP snooping feature on the switch. By default, DHCP snooping is disabled.

Before you begin

If you disable the DHCP snooping feature, all DHCP snooping configuration is lost. If you want to turn off DHCP snooping and preserve the DHCP snooping configuration, disable DHCP globally.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	[no ] feature dhcp Example: `switch(config)# feature dhcp`	Enables the DHCP snooping feature. The no option disables the DHCP snooping feature and erases all DHCP snooping configuration.
Step 3	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Shows the DHCP snooping configuration.
Step 4	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling DHCP Snooping Globally

You can enable or disable the DHCP snooping globally on the switch. Globally disabling DHCP snooping stops the switch from performing any DHCP snooping or relaying DHCP messages but preserves DCHP snooping configuration.

Before you begin

Ensure that you have enabled the DHCP snooping feature. By default, DHCP snooping is globally disabled.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	[no ] ip dhcp snooping Example: `switch(config)# ip dhcp snooping`	Enables DHCP snooping globally. The no option disables DHCP snooping.
Step 3	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Shows the DHCP snooping configuration.
Step 4	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling DHCP Snooping on a VLAN

You can enable or disable DHCP snooping on one or more VLANs.

Before you begin

By default, DHCP snooping is disabled on all VLANs.

Ensure that DHCP snooping is enabled.

Note

If a VACL is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	[no ] ip dhcp snooping vlan `vlan-list` Example: `switch(config)# ip dhcp snooping vlan 100,200,250-252`	Enables DHCP snooping on the VLANs specified by `vlan-list` . The no option disables DHCP snooping on the VLANs specified.
Step 3	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Shows the DHCP snooping configuration.
Step 4	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling Option 82 Data Insertion and Removal

You can enable or disable the insertion and removal of Option 82 information for DHCP packets forwarded without the use of the DHCP relay agent.

Before you begin

By default, the switch does not include Option 82 information in DHCP packets.

Ensure that DHCP snooping is enabled.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	[no ] ip dhcp snooping information option Example: `switch(config)# ip dhcp snooping information option`	Enables the insertion and removal of Option 82 information from DHCP packets. The no option disables the insertion and removal of Option 82 information.
Step 3	show running-config dhcp Example: `switch(config)# show running-config dhcp`	Shows the DHCP snooping configuration.
Step 4	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling Strict DHCP Packet Validation

You can enable or disable the strict validation of DHCP packets by the DHCP snooping feature. By default, strict validation of DHCP packets is disabled.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	[no ] ip dhcp packet strict-validation Example: `switch(config)# ip dhcp packet strict-validation`	Enables the strict validation of DHCP packets by the DHCP snooping feature. The no option disables strict DHCP packet validation.
Step 3	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Shows the DHCP snooping configuration.
Step 4	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Configuring an Interface as Trusted or Untrusted

You can configure whether an interface is a trusted or untrusted source of DHCP messages. You can configure DHCP trust on the following types of interfaces:

Layer 2 Ethernet interfaces
Layer 2 port-channel interfaces

Before you begin

By default, all interfaces are untrusted.

Ensure that DHCP snooping is enabled.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	Enter one of the following commands: interface ethernet `port`/`slot` interface port-channel `channel-number` Example: `switch(config)# interface ethernet 2/1 switch(config-if)#`	Enters interface configuration mode, where `port` / `slot` is the Layer 2 Ethernet interface that you want to configure as trusted or untrusted for DHCP snooping. Enters interface configuration mode, where `port` / `slot` is the Layer 2 port-channel interface that you want to configure as trusted or untrusted for DHCP snooping.
Step 3	[no ] ip dhcp snooping trust Example: `switch(config-if)# ip dhcp snooping trust`	Configures the interface as a trusted interface for DHCP snooping. The no option configures the port as an untrusted interface.
Step 4	(Optional) show running-config dhcp Example: `switch(config-if)# show running-config dhcp`	(Optional) Shows the DHCP snooping configuration.
Step 5	(Optional) copy running-config startup-config Example: `switch(config-if)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling the DHCP Relay Agent

You can enable or disable the DHCP relay agent. By default, the DHCP relay agent is enabled.

Before you begin

Ensure that the DHCP feature is enabled.

Procedure

	Command or Action	Purpose
Step 1	config t Example: `switch# config t switch(config)#`	Enters global configuration mode.
Step 2	[no ] ip dhcp relay Example: `switch(config)# ip dhcp relay`	Enables the DHCP relay agent. The no option disables the relay agent.
Step 3	(Optional) show ip dhcp relay Example: `switch(config)# show ip dhcp relay`	(Optional) Displays the DHCP relay configuration.
Step 4	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Displays the DHCP configuration.
Step 5	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling Option 82 for the DHCP Relay Agent

You can enable or disable the device to insert and remove Option 82 information on DHCP packets forwarded by the relay agent.

By default, the DHCP relay agent does not include Option 82 information in DHCP packets.

Procedure

Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no ] ip dhcp relay

Example:

switch(config)# ip dhcp relay

Enables the DHCP relay feature. The no option disables this behavior.

Step 3

[no ] ip dhcp relay information option

Example:

switch(config)# ip dhcp relay information option

Enables the DHCP relay agent to insert and remove Option 82 information on the packets that it forwards. The Option 82 information is in binary ifindex format by default. The no option disables this behavior.

Step 4

(Optional) [no ] ip dhcp relay sub-option circuit-id customized

Example:

switch(config)# ip dhcp relay sub-option circuit-id customized

(Optional)

Enables retention of the unique circuit ID that is inserted by a client. The no option disables this behavior.

Note

By default, the circuit ID is same for all hosts even when they are connected to different ports.

Step 5

(Optional) show ip dhcp relay

Example:

switch(config)# show ip dhcp relay

(Optional)

Displays the DHCP relay configuration.

Step 6

(Optional) show running-config dhcp

Example:

switch(config)# show running-config dhcp

(Optional)

Displays the DHCP configuration.

Step 7

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional)

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

Enabling or Disabling VRF Support for the DHCP Relay Agent

You can configure the device to support the relaying of DHCP requests that arrive on an interface in one VRF to a DHCP server in a different VRF instance.

In case of the inter-VRF relay, the DHCPv6 relay agent sends the VSS option in the DHCP relay forward packet to the server. When the server sends the reply packet, make sure that the server sends the VSS option in the reply packet. Otherwise, the DHCPv6 relay agent drops the reply packet received from the server.

Before you begin

You must enable Option 82 for the DHCP relay agent.

Procedure

	Command or Action	Purpose
Step 1	config t Example: `switch# config t switch(config)#`	Enters global configuration mode.
Step 2	[no ] ip dhcp relay information option vpn Example: `switch(config)# ip dhcp relay information option vpn`	Enables VRF support for the DHCP relay agent. The no option disables this behavior.
Step 3	[no ] ip dhcp relay sub-option type cisco Example: `switch(config)# ip dhcp relay sub-option type cisco`	Enables DHCP to use Cisco proprietary numbers 150, 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent Option 82 suboptions. The no option causes DHCP to use RFC numbers 5, 11, and 151 for the link selection, server ID override, and VRF name/VPN ID suboptions.
Step 4	(Optional) show ip dhcp relay Example: `switch(config)# show ip dhcp relay`	(Optional) Displays the DHCP relay configuration.
Step 5	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Displays the DHCP configuration.
Step 6	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling Subnet Broadcast Support for the DHCP Relay Agent on a Layer 3 Interface

You can configure the device to support the relaying of DHCP packets from clients to a subnet broadcast IP address. When this feature is enabled, the VLAN ACLs (VACLs) accept IP broadcast packets and all subnet broadcast (primary subnet broadcast as well as secondary subnet broadcast) packets.

Before you begin

Ensure that the DHCP feature is enabled.

Ensure that the DHCP relay agent is enabled.

Procedure

	Command or Action	Purpose
Step 1	config t Example: `switch# config t switch(config)#`	Enters global configuration mode.
Step 2	interface `interface` `slot`/`port` Example: `switch(config)# interface ethernet 2/2 switch(config-if)#`	Enters interface configuration mode, where `slot`/`port` is the interface for which you want to enable or disable subnet broadcast support for the DHCP relay agent.
Step 3	[no ] ip dhcp relay subnet-broadcast Example: `switch(config-if)# ip dhcp relay subnet-broadcast`	Enables subnet broadcast support for the DHCP relay agent. The no option disables this behavior.
Step 4	exit Example: `switch(config-if)# exit switch(config)#`	Exits interface configuration mode.
Step 5	exit Example: `switch(config)# exit switch#`	Exits global configuration mode.
Step 6	(Optional) show ip dhcp relay Example: `switch# show ip dhcp relay`	(Optional) Displays the DHCP relay configuration.
Step 7	(Optional) show running-config dhcp Example: `switch# show running-config dhcp`	(Optional) Displays the DHCP configuration.
Step 8	(Optional) copy running-config startup-config Example: `switch# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Creating a DHCP Static Binding

You can create a static DHCP source binding to a Layer 2 interface.

Before you begin

Ensure that you have enabled the DHCP snooping feature.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	ip source binding `IP-address MAC-address` vlan `vlan-id` {interface ethernet `slot/port` \| port-channel `channel-no`} Example: `switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 2/3`	Binds the static source address to the Layer 2 Ethernet interface.
Step 3	(Optional) show ip dhcp snooping binding Example: `switch(config)# ip dhcp snooping binding`	(Optional) Shows the DHCP snooping static and dynamic bindings.
Step 4	(Optional) show ip dhcp snooping binding dynamic Example: `switch(config)# ip dhcp snooping binding dynamic`	(Optional) Shows the DHCP snooping dynamic bindings.
Step 5	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Example

The following example shows how to create a static IP source entry associated with VLAN 100 on Ethernet interface 2/3:

switch# configure terminal
switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 2/3
switch(config)#

Enabling or Disabling the DHCPv6 Relay Agent

You can enable or disable the DHCPv6 relay agent. By default, the DHCPv6 relay agent is disabled.

Before you begin

Ensure that the DHCP feature is enabled.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	[no ] ipv6 dhcp relay Example: `switch(config)# ipv6 dhcp relay`	Enables the DHCPv6 relay agent. The no option disables the relay agent.
Step 3	(Optional) show ipv6 dhcp relay [interface `interface`] Example: `switch(config)# show ipv6 dhcp relay`	(Optional) Displays the DHCPv6 relay configuration.
Step 4	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Displays the DHCP configuration.
Step 5	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Enabling or Disabling VRF Support for the DHCPv6 Relay Agent

You can configure the device to support the relaying of DHCPv6 requests that arrive on an interface in one VRF to a DHCPv6 server in a different VRF.

Before you begin

Ensure that the DHCP feature is enabled.

Ensure that the DHCPv6 relay agent is enabled.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `switch# configure terminal switch(config)#`	Enters global configuration mode.
Step 2	[no ] ipv6 dhcp relay option vpn Example: `switch(config)# ipv6 dhcp relay option vpn`	Enables VRF support for the DHCPv6 relay agent. The no option disables this behavior.
Step 3	(Optional) show ipv6 dhcp relay [interface `interface`] Example: `switch(config)# show ipv6 dhcp relay`	(Optional) Displays the DHCPv6 relay configuration.
Step 4	(Optional) show running-config dhcp Example: `switch(config)# show running-config dhcp`	(Optional) Displays the DHCP configuration.
Step 5	(Optional) copy running-config startup-config Example: `switch(config)# copy running-config startup-config`	(Optional) Copies the running configuration to the startup configuration.

Configuring the DHCPv6 Relay Source Interface

You can configure the source interface for the DHCPv6 relay agent. By default, the DHCPv6 relay agent uses the relay agent address as the source address of the outgoing packet. Configuring the source interface enables you to use a more stable address (such as the loopback interface address) as the source address of relayed messages.

Before you begin

Ensure that the DHCP feature is enabled.

Ensure that the DHCPv6 relay agent is enabled.

Procedure

Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

[no ] ipv6 dhcp relay source-interface interface

Example:

switch(config)# ipv6 dhcp relay source-interface loopback 2

Configures the source interface for the DHCPv6 relay agent.

Note

The DHCPv6 relay source interface can be configured globally, per interface, or both. When both the global and interface levels are configured, the interface-level configuration overrides the global configuration.

Step 3

(Optional) show ipv6 dhcp relay [interface interface]

Example:

switch(config)# show ipv6 dhcp relay

(Optional)

Displays the DHCPv6 relay configuration.

Step 4

(Optional) show running-config dhcp

Example:

switch(config)# show running-config dhcp

(Optional)

Displays the DHCP configuration.

Step 5

(Optional) copy running-config startup-config

Example:

switch(config)# copy running-config startup-config

(Optional)

Copies the running configuration to the startup configuration.

Configuring Lightweight DHCPv6 Relay Agent

Configuring Lightweight DHCPv6 Relay Agent for an Interface

Perform this task to configure Lightweight DHCPv6 Relay Agent (LDRA) for an interface.

Procedure

Command or Action Purpose

Step 1

configure terminal

Example:


switch# configure terminal

Enters global configuration mode.

Step 2

[no] ipv6 dhcp ldra

Example:


switch(config)# ipv6 dhcp ldra

Enables the LDRA functionality globally.

Step 3

interface slot/port

Example:


switch(config)# interface ethernet 0/0

Specifies an interface type and number, and enters interface configuration mode.

Step 4

switchport

Example:


switch(config-if)# switchport

Switches an interface that is in Layer 3 mode to Layer 2 mode for Layer 2 configuration.

Step 5

[no] ipv6 dhcp-ldra {client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing}

Example:


switch(config-if)# ipv6 dhcp-ldra server-facing

Enables LDRA functionality on a specified interface or port. The no option disables the LDRA functionality.

Note

The client-facing-trusted specifies client-facing interfaces or ports as trusted. The trusted port allows the DHCPv6 packets and they are encapsulated as per LDRA options. The client-facing-untrusted specifies client-facing interfaces or ports as untrusted. The untrusted ports perform LDRA functionality, but drop only the relay forward packets received on it. The client-facing-disable keyword disables LDRA functionality on an interface or port. Disabled port performs the Layer-2 forwarding of DHCPv6 packets. The server-facing keyword specifies an interface or port as server facing. Server facing port allows the reply packets from server.

Configuring Lightweight DHCPv6 Relay Agent for a VLAN

Perform this task to configure Lightweight DHCPv6 Relay Agent (LDRA) for a VLAN.

Before you begin

Ensure that the VLAN is not assigned an IP address.

Procedure

Command or Action Purpose

Step 1

configure terminal

Example:


switch# configure terminal

Enters global configuration mode.

Step 2

[no] ipv6 dhcp ldra

Example:


switch(config)# ipv6 dhcp ldra

Enables the LDRA functionality globally.

Step 3

[no] ipv6 dhcp-ldra attach–policy vlan vlan-id {client-facing-trusted | client-facing-untrusted}

Example:


switch(config)# ipv6 dhcp-ldra attach-policy vlan 25 client-facing-trusted

Enables LDRA functionality on the specified VLAN. The no option disables the LDRA functionality.

Note

The client-facing-trusted keyword configures all the ports or interfaces associated with the VLAN as client-facing, trusted ports. The client-facing-untrusted keyword configures all the ports or interfaces associated with the VLAN as client-facing, untrusted ports.

Enabling DHCP Relay Agent using VIP Address

Procedure

	Command or Action	Purpose
Step 1	switch# configure terminal	Enters global configuration mode
Step 2	switch(config)# [no] ip dhcp relay source-address hsrp	Enables/Disables DHCP relay agent to use VIP globally.
Step 3	switch(config)# interface `type number`	Enters interface configuration mode.
Step 4	switch(config-if)# [no] ip dhcp relay source-address hsrp	Enables/Disables DHCP relay agent to use VIP at L3 interface level.
Step 5	switch(config-if)# end	Returns to privileged EXEC mode.
Step 6	(Optional) switch# show ip dhcp relay	Displays the DHCP relay configuration.
Step 7	(Optional) switch# show hsrp brief	Displays the summary of Hot Standby Router Protocol (HSRP) information.

Example

The following example enables DHCP relay agent using VIP address:


interface vlan 500
ip address 5.5.5.5/24
ip dhcp relay source-address hsrp
ip dhcp relay address 100.100.100.100
hsrp 10
ip 17.17.17.17/28
ip 15.15.15.20/28 secondary

Verifying the DHCP Snooping Configuration

To display DHCP snooping configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the System Management Configuration Guide for your Cisco Nexus device.


Command	Purpose
show running-config dhcp	Displays the DHCP snooping configuration.
show ip dhcp relay	Displays the DHCP relay configuration.
show ipv6 dhcp relay [interface `interface`]	Displays the DHCPv6 relay global or interface-level configuration.
show ip dhcp snooping	Displays general information about DHCP snooping.

Displaying DHCP Bindings

Use the show ip dhcp snooping binding command to display the DHCP static and dynamic binding table. Use the show ip dhcp snooping binding dynamic to display the DHCP dynamic binding table.

For detailed information about the fields in the output from this command, see the System Management Configuration Guide for your Cisco Nexus device.

This example shows how to create a static DHCP binding and then verify the binding using the show ip dhcp snooping binding command.

switch# configuration terminal
switch(config)# ip source binding 10.20.30.40 0000.1111.2222 vlan 400 interface port-channel 500

switch(config)# show ip dhcp snooping binding
MacAddress         IpAddress        LeaseSec  Type        VLAN  Interface
-----------------  ---------------  --------  ----------  ----  -------------
00:00:11:11:22:22  10.20.30.40      infinite  static      400   port-channel500

Displaying and Clearing LDRA Information

To display Lightweight DHCPv6 Relay Agent (LDRA) information, use one of the commands in this table.


Command	Purpose
show ipv6 dhcp-ldra	Displays the LDRA configuration details.
show ipv6 dhcp-ldra statistics	Displays LDRA configuration statistics before and after initiating a DHCP session.
show ipv6 dhcp-ldra statistics vlan `vlan-id`	Displays LDRA configuration statistics for the specified VLAN.
show ipv6 dhcp-ldra statistics interface `interface-id`	Displays LDRA configuration statistics for the specified interface.

To clear the DHCPv6 LDRA-specific statistics, use the clear ipv6 dhcp-ldra statistics command.

Displaying LDRA Configuration Details

The following example shows the LDRA configuration details for a switch:

switch(config)# show ipv6 dhcp-ldra

DHCPv6 LDRA is Enabled.


DHCPv6 LDRA policy: client-facing-trusted
Target: Ethernet1/1

DHCPv6 LDRA policy: client-facing-untrusted
Target: vlan 102 vlan 103

DHCPv6 LDRA policy: server-facing
Target: port-channel101

Displaying the LDRA Statistics

The following example displays the LDRA statistics:

switch(config)# show ipv6 dhcp-ldra statistics

PACKET STATS:
---------------------------------------------------------
Message Type                    Rx        Tx     Drops  |
---------------------------------------------------------
SOLICIT                          0         0         0  |
ADVERTISE                        0         0         0  |
REQUEST                          0         0         0  |
CONFIRM                          0         0         0  |
RENEW                            0         0         0  |
REBIND                           0         0         0  |
REPLY                            0         0         0  |
RELEASE                          0         0         0  |
DECLINE                          0         0         0  |
RECONFIGURE                      0         0         0  |
INFORMATION_REQUEST              0         0         0  |
RELAY_FORWARD                    0         0         0  |
RELAY_REPLY                      0         0         0  |
---------------------------------------------------------
Total                            0         0         0  |
---------------------------------------------------------

CFS STATS:
---------------------------------------------------------
Message Type                    Rx        Tx     Drops  |
---------------------------------------------------------
SOLICIT                          0         0         0  |
ADVERTISE                        0         0         0  |
REQUEST                          0         0         0  |
CONFIRM                          0         0         0  |
RENEW                            0         0         0  |
REBIND                           0         0         0  |
REPLY                            0         0         0  |
RELEASE                          0         0         0  |
DECLINE                          0         0         0  |
RECONFIGURE                      0         0         0  |
INFORMATION_REQUEST              0         0         0  |
RELAY_FORWARD                    0         0         0  |
RELAY_REPLY                      0         0         0  |
---------------------------------------------------------
Total                            0         0         0  |
---------------------------------------------------------
Non-DHCPv6 LDRA Packets:
---------------------------------------------------------
Total Packets Received:                              0
Total Packets Forwarded:                             0
Total Packets Dropped:                               0

---------------------------------------------------------
DHCPv6 LDRA DROPS
---------------------------------------------------------
Invalid Message Type:                                0
Max hops exceeded:                                   0
Relay Forward Received on Untrusted port:            0
Packet received over MCT:                            0
Invalid Message Type on Client facing port:          0
No Server Port Present:                              0

The following example displays the LDRA statistics for the interface Ethernet1/1:

SWITCH(config)# show ipv6 dhcp-ldra statistics interface e1/1
INTERFACE: Ethernet1/1

PACKET STATS:
---------------------------------------------------------
Message Type                    Rx        Tx     Drops  |
---------------------------------------------------------
SOLICIT                          0         0         0  |
ADVERTISE                        0         0         0  |
REQUEST                          0         0         0  |
CONFIRM                          0         0         0  |
RENEW                            0         0         0  |
REBIND                           0         0         0  |
REPLY                            0         0         0  |
RELEASE                          0         0         0  |
DECLINE                          0         0         0  |
RECONFIGURE                      0         0         0  |
INFORMATION_REQUEST              0         0         0  |
RELAY_FORWARD                    0         0         0  |
RELAY_REPLY                      0         0         0  |
---------------------------------------------------------
Total                            0         0         0  |
---------------------------------------------------------

CFS STATS:
---------------------------------------------------------
Message Type                    Rx        Tx     Drops  |
---------------------------------------------------------
SOLICIT                          0         0         0  |
ADVERTISE                        0         0         0  |
REQUEST                          0         0         0  |
CONFIRM                          0         0         0  |
RENEW                            0         0         0  |
REBIND                           0         0         0  |
REPLY                            0         0         0  |
RELEASE                          0         0         0  |
DECLINE                          0         0         0  |
RECONFIGURE                      0         0         0  |
INFORMATION_REQUEST              0         0         0  |
RELAY_FORWARD                    0         0         0  |
RELAY_REPLY                      0         0         0  |
---------------------------------------------------------
Total                            0         0         0  |
---------------------------------------------------------
Non-DHCPv6 LDRA Packets:
---------------------------------------------------------
Total Packets Received:                              0
Total Packets Forwarded:                             0
Total Packets Dropped:                               0

---------------------------------------------------------
DHCPv6 LDRA DROPS
---------------------------------------------------------
Invalid Message Type:                                0
Max hops exceeded:                                   0
Relay Forward Received on Untrusted port:            0
Packet received over MCT:                            0
Invalid Message Type on Client facing port:          0
No Server Port Present:                              0

The following example displays the LDRA statistics for the VLAN 101:

SWITCH(config)# show ipv6 dhcp-ldra statistics vlan 101
VLAN: 101

PACKET STATS:
---------------------------------------------------------
Message Type                    Rx        Tx     Drops  |
---------------------------------------------------------
SOLICIT                          0         0         0  |
ADVERTISE                        0         0         0  |
REQUEST                          0         0         0  |
CONFIRM                          0         0         0  |
RENEW                            0         0         0  |
REBIND                           0         0         0  |
REPLY                            0         0         0  |
RELEASE                          0         0         0  |
DECLINE                          0         0         0  |
RECONFIGURE                      0         0         0  |
INFORMATION_REQUEST              0         0         0  |
RELAY_FORWARD                    0         0         0  |
RELAY_REPLY                      0         0         0  |
---------------------------------------------------------
Total                            0         0         0  |
---------------------------------------------------------

CFS STATS:
---------------------------------------------------------
Message Type                    Rx        Tx     Drops  |
---------------------------------------------------------
SOLICIT                          0         0         0  |
ADVERTISE                        0         0         0  |
REQUEST                          0         0         0  |
CONFIRM                          0         0         0  |
RENEW                            0         0         0  |
REBIND                           0         0         0  |
REPLY                            0         0         0  |
RELEASE                          0         0         0  |
DECLINE                          0         0         0  |
RECONFIGURE                      0         0         0  |
INFORMATION_REQUEST              0         0         0  |
RELAY_FORWARD                    0         0         0  |
RELAY_REPLY                      0         0         0  |
---------------------------------------------------------
Total                            0         0         0  |
---------------------------------------------------------
Non-DHCPv6 LDRA Packets:
---------------------------------------------------------
Total Packets Received:                              0
Total Packets Forwarded:                             0
Total Packets Dropped:                               0

---------------------------------------------------------
DHCPv6 LDRA DROPS
---------------------------------------------------------
Invalid Message Type:                                0
Max hops exceeded:                                   0
Relay Forward Received on Untrusted port:            0
Packet received over MCT:                            0
Invalid Message Type on Client facing port:          0
No Server Port Present:                              0

Clearing the DHCP Snooping Binding Database

You can remove entries from the DHCP snooping binding database, including a single entry, all entries associated with an interface, or all entries in the database.

Before you begin

Ensure that DHCP snooping is enabled.

Procedure

	Command or Action	Purpose
Step 1	(Optional) clear ip dhcp snooping binding Example: `switch# clear ip dhcp snooping binding`	(Optional) Clears all entries from the DHCP snooping binding database.
Step 2	(Optional) clear ip dhcp snooping binding interface ethernet `slot`/`port`[.`subinterface-number`] Example: `switch# clear ip dhcp snooping binding interface ethernet 1/4`	(Optional) Clears entries associated with a specific Ethernet interface from the DHCP snooping binding database.
Step 3	(Optional) clear ip dhcp snooping binding interface port-channel `channel-number`[.`subchannel-number`] Example: `switch# clear ip dhcp snooping binding interface port-channel 72`	(Optional) Clears entries associated with a specific port-channel interface from the DHCP snooping binding database.
Step 4	(Optional) clear ip dhcp snooping binding vlan `vlan-id` mac `mac-address` ip `ip-address` interface {ethernet `slot`/`port`[.`subinterface-number` \| port-channel `channel-number`[.`subchannel-number`] } Example: `switch# clear ip dhcp snooping binding vlan 23 mac 0060.3aeb.54f0 ip 10.34.54.9 interface ethernet 2/11`	(Optional) Clears a single, specific entry from the DHCP snooping binding database.
Step 5	(Optional) show ip dhcp snooping binding Example: `switch# show ip dhcp snooping binding`	(Optional) Displays the DHCP snooping binding database.

Clearing DHCP Relay Statistics

Use the clear ip dhcp relay statistics command to clear the global DHCP relay statistics.

Use the clear ip dhcp relay statistics interface interface command to clear the DHCP relay statistics for a particular interface.

Use the clear ip dhcp relay statistics interface interface serverip ip-address [use-vrf vrf-name] command to clear the DHCP relay statistics at the server level for a particular interface.

Clearing DHCPv6 Relay Statistics

Use the clear ipv6 dhcp relay statistics command to clear the global DHCPv6 relay statistics.

Use the clear ipv6 dhcp relay statistics interface interface command to clear the DHCPv6 relay statistics for a particular interface.

Use the clear ipv6 dhcp relay statistics interface interface server-ip ip-address [use-vrf vrf-name] command to clear the DHCPv6 relay statistics at the server level for a particular interface.

Monitoring DHCP

Use the show ip dhcp snooping statistics command to monitor DHCP snooping.

Use the show ip dhcp relay statistics [interface interface [serverip ip-address [use-vrf vrf-name]]] command to monitor DHCP relay statistics at the global, server, or interface level.

Use the (Optional) show ip dhcp snooping statistics vlan [vlan-id] interface [ethernet |port-channel][id] command to know the exact statistics about snooping statistics per interface under a vlan.

Configuration Examples for DHCP Snooping

The following example shows how to enable DHCP snooping on two VLANs, with Option 82 support enabled and Ethernet interface 2/5 trusted because the DHCP server is connected to that interface:

feature dhcp 
ip dhcp snooping 
ip dhcp snooping info option

interface Ethernet 2/5
  ip dhcp snooping trust 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 50

Configuration Examples for LDRA

Configuring LDRA for an Interface

The following example shows how to enable LDRA and configure interface Ethernet 1/1 as client-facing and trusted:


switch# configure terminal
switch(config)# ipv6 dhcp ldra
switch(config)# interface ethernet 1/1
switch(config-if)# switchport
switch(config-if)# ipv6 dhcp-ldra client-facing-trusted
switch(config-if)# exit
switch(config)# interface ethernet 1/0
switch(config-if)# switchport
switch(config-if)# ipv6 dhcp-ldra attach-policy server-facing
switch(config-if)# exit

The following example shows how to enable LDRA and configure VLAN with VLAN ID 25 as client-facing and trusted:


switch# configure terminal
switch(config)# ipv6 dhcp ldra
switch(config)# ipv6 dhcp-ldra attach-policy vlan 25 client-facing-trusted

Bias-Free Language

Results

Chapter: Configuring DHCP Snooping

Configuring DHCP Snooping

Information About DHCP Snooping

Feature Enabled and Globally Enabled

Feature Enablement

Global Enablement

Trusted and Untrusted Sources

DHCP Snooping Binding Database

DHCP Snooping Option 82 Data Insertion

DHCP Snooping in a vPC Environment

Synchronizing DHCP Snooping Binding Entries

Packet Validation

Information About the DHCP Relay Agent

DHCP Relay Agent

VRF Support for the DHCP Relay Agent

DHCP Relay Binding Database

DHCPv6 Relay Agent

VRF Support for the DHCPv6 Relay Agent

Information About the Lightweight DHCPv6 Relay Agent

Lightweight DHCPv6 Relay Agent

LDRA for VLANs and Interfaces

Guidelines and Limitations for Lightweight DHCPv6 Relay Agent

vIP HSRP Enhancement

Guidelines and Limitations for DHCP Snooping

Guidelines and Limitations for the vIP HSRP Enhancement

Default Settings for DHCP Snooping

Minimum DHCP Snooping Configuration

Procedure

Enabling or Disabling the DHCP Snooping Feature

Before you begin

Procedure

Example:

Example:

Example:

Example:

Enabling or Disabling DHCP Snooping Globally

Before you begin

Procedure

Example:

Example:

Example:

Example:

Enabling or Disabling DHCP Snooping on a VLAN

Before you begin

Procedure

Example:

Example:

Example:

Example:

Enabling or Disabling Option 82 Data Insertion and Removal

Before you begin

Procedure

Example:

Example:

Example:

Example:

Enabling or Disabling Strict DHCP Packet Validation

Procedure

Example:

Example:

Example:

Example:

Configuring an Interface as Trusted or Untrusted

Before you begin

Procedure

Example:

Example:

Example:

Example:

Example:

Enabling or Disabling the DHCP Relay Agent

Before you begin

Procedure

Example:

Example:

Example:

Example: