Cisco Nexus 1000V Security: DHCP Snooping

Later this year, I’ll be taking the Cisco Certified Internetwork Expert (CCIE) Data Center Lab Exam.  As I study the exam blueprint, I’ll be posting about some of the items that I am studying.  The first of these posts is about DHCP Snooping on Nexus 1000V.

I have not spent a great deal of time configuring the Nexus 1000V’s advanced security features like Dynamic ARP Inspection (DAI) or DHCP Snooping, but they include pretty cool functionality to help protect your virtual environments.  A popular application of DHCP Snooping is for protecting VDI environments against malicious DHCP servers on your network.

Since DHCP Snooping is an advanced feature, the free Essentials license is not sufficient; you need the Advanced license.

Before I explore DHCP Snooping configuration any further, I just want to remind you of the standard disclaimer:

Do not deploy DHCP Snooping or any of the Nexus 1000V’s other advanced features in production. The steps listed below are provided for educational purposes only, without any guarantee of technical support.

OK, let’s get into the fun stuff:

1. Verify the feature is installed on your Nexus 1000V instance:

feature dhcp

2. Enable DHCP Snooping globally. This is required, but don’t worry: none of your interfaces will be trusted for DHCP until you explicitly enable trust on them (see Step 6).

ip dhcp snooping

3. Enable DHCP Snooping for the specific VLAN that you want to monitor:

ip dhcp snooping vlan 180

4. Check your DHCP Snooping statistics:

show ip dhcp snooping statistics

5. Determine which Nexus 1000V Vethernet Interface belongs to your DHCP server’s NIC.
First, get your DVPort number from the vSphere Client (currently, PowerCLI 5.1 does not have cmdlets for this kind of information):

Get your DHCP Server's DVPort

Then, query the 1000V for the corresponding Vethernet Interface using the DVPort reported in the vSphere Client (417 in this example):

show running-config | incl 417 prev 4

The output will include the Vethernet number. For example:

interface Vethernet4
  inherit port-profile VM_Network
  description Win2k3-02, Network Adapter 1
  vmware dvport 417 dvswitch uuid "e8 20 2b 50 94 0f b6 6d-bf 9c 05 84 55 55 2e ca"

If your 1000V interfaces have a lot of custom settings, you may need to raise the prev value above 4 so that the interface line is still among the preceding lines shown with the dvport match.

6. Enable your DHCP server’s Vethernet Interface as a trusted source:

interface Vethernet4
  ip dhcp snooping trust

Here are the Vethernet Interface’s parameters before enabling trust:

interface Vethernet4
  inherit port-profile VM_Network
  description Win2k3-02, Network Adapter 1
  vmware dvport 417 dvswitch uuid "e8 20 2b 50 94 0f b6 6d-bf 9c 05 84 55 55 2e ca"
  vmware vm mac 0050.56AB.5DC1

After enabling trust on the interface, the trust command appears when you run show run on the interface again:

interface Vethernet4
  inherit port-profile VM_Network
  description Win2k3-02, Network Adapter 1
  vmware dvport 417 dvswitch uuid "e8 20 2b 50 94 0f b6 6d-bf 9c 05 84 55 55 2e ca"
  vmware vm mac 0050.56AB.5DC1
  ip dhcp snooping trust

7. Check the statistics for rejected vs. accepted DHCP traffic using the following command:

show ip dhcp snooping statistics

8. If the interface should no longer be trusted as a DHCP source, remove trust with the following command in interface configuration mode:

no ip dhcp snooping trust
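Steps 5 through 8 above amount to mapping a vSphere DVPort to its Vethernet and then confirming which interfaces carry trust. The script below is an added example, not part of the original post, that performs both checks offline against saved running-config text; the sample config is constructed from the interfaces shown above, with a second (untrusted) Vethernet added for contrast.

```python
import re

# Constructed sample: two Vethernet stanzas; only the DHCP server's is trusted.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 180
interface Vethernet4
  inherit port-profile VM_Network
  description Win2k3-02, Network Adapter 1
  vmware dvport 417 dvswitch uuid "e8 20 2b 50 94 0f b6 6d-bf 9c 05 84 55 55 2e ca"
  vmware vm mac 0050.56AB.5DC1
  ip dhcp snooping trust
interface Vethernet7
  inherit port-profile VM_Network
  description Client-01, Network Adapter 1
  vmware dvport 422 dvswitch uuid "e8 20 2b 50 94 0f b6 6d-bf 9c 05 84 55 55 2e ca"
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for each interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # an unindented non-interface line ends the stanza
    return stanzas


def interface_for_dvport(config, dvport):
    """Equivalent of 'show running-config | incl <dvport> prev N', without the N guesswork."""
    pattern = re.compile(rf"^vmware dvport {int(dvport)}\b")
    for name, lines in parse_interfaces(config).items():
        if any(pattern.match(entry) for entry in lines):
            return name
    return None


def trusted_interfaces(config):
    """Interfaces marked as trusted DHCP sources; audit that only DHCP servers appear here."""
    return sorted(name for name, lines in parse_interfaces(config).items()
                  if "ip dhcp snooping trust" in lines)


if __name__ == "__main__":
    print("DVPort 417 ->", interface_for_dvport(SAMPLE_CONFIG, 417))
    print("Trusted:", trusted_interfaces(SAMPLE_CONFIG))
```

Feed it the output of show running-config saved to a file to audit every trusted Vethernet at once rather than one interface at a time.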

This is just scratching the surface of DHCP Snooping functionality. You can further filter DHCP server traffic based on its IP address or IP-MAC address pair. It is also possible to use the limit rate and option keywords to control the number of DHCP packets per second and the option types permitted on an interface.

Any adventures in DHCP Snooping that you would like to share? Enter them in the comments field below.
