Configuring DHCP
Dynamic ARP inspection (DAI) and IP Source Guard also use information stored in the DHCP snooping
binding database.
You can remove entries from the binding database by using the clear ip dhcp snooping binding command.
DHCP Snooping in a vPC Environment
A virtual port channel (vPC) allows two Cisco NX-OS switches to appear as a single logical port channel to
a third device. The third device can be a switch, a server, or any other networking device that supports port
channels.
In a typical vPC environment, DHCP requests can reach one vPC peer switch, and the responses can reach
the other vPC peer switch, resulting in a partial DHCP (IP-MAC) binding entry in one switch and no binding
entry in the other switch. As a result, DHCP snooping and associated features such as dynamic ARP inspection
(DAI) and IP Source Guard are disrupted. This issue is addressed by using Cisco Fabric Service over Ethernet
(CFSoE) distribution to ensure that all DHCP packets (requests and responses) appear on both switches, which
helps in creating and maintaining the same binding entry on both switches for all clients behind the vPC link.
CFSoE distribution also allows only one switch to forward the DHCP requests and responses on the vPC link.
In non-vPC environments, both switches forward the DHCP packets.
Synchronizing DHCP Snooping Binding Entries
The dynamic DHCP binding entries should be synchronized in the following scenarios:
• When the remote vPC is online, all the binding entries for that vPC link should be synchronized with the
• When DHCP snooping is enabled on the peer switch, the dynamic binding entries for all vPC links should
Packet Validation
The device validates DHCP packets received on the untrusted interfaces of VLANs that have DHCP snooping
enabled. The device forwards the DHCP packet unless any of the following conditions occur (in which case,
the packet is dropped):
• The device receives a DHCP response packet (such as a DHCPACK, DHCPNAK, or DHCPOFFER
• The device receives a packet on an untrusted interface, and the source MAC address and the DHCP client
• The device receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an
In addition, you can enable strict validation of DHCP packets, which checks the options field of DHCP packets,
including the "magic cookie" value in the first four bytes of the options field. By default, strict validation is
disabled. When you enable it, by using the ip dhcp packet strict-validation command, if DHCP snooping
processes a packet that has an invalid options field, it drops the packet.
peer.
be synchronized with the peer.
packet) on an untrusted interface.
hardware address do not match. This check is performed only if the DHCP snooping MAC address
verification option is turned on.
entry in the DHCP snooping binding table, and the interface information in the binding table does not
match the interface on which the message was received.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
DHCP Snooping in a vPC Environment
329