Published On: October 21ˢᵗ, 2021 08:40

IP Addressing Services Configuration Guide, Cisco IOS XE Amsterdam 17.3.x (Catalyst 9500 Switches)

Contents

Restrictions for DHCP Options Support

When DHCP snooping is configured on a primary VLAN, you cannot configure snooping with different settings on any of its secondary VLANs. You must configure DHCP snooping for all associated VLANs on the primary VLAN. If DHCP snooping is not configured on the primary VLAN and you try to configure it on the secondary VLAN, for example, VLAN 200, this message appears:


2w5d:%DHCP_SNOOPING-4-DHCP_SNOOPING_PVLAN_WARNING:DHCP Snooping configuration may not take effect 
on secondary vlan 200. DHCP Snooping configuration on secondary vlan is derived from its primary vlan.

You can use the show ip dhcp snooping command to display all VLANs, both primary and secondary, that have DHCP snooping enabled.

Information About DHCP Options Support

DHCP Option 82 Configurable Circuit ID and Remote ID Overview

The DHCP Option 82 Configurable Circuit ID and Remote ID feature enhances validation security by allowing you to determine what information is provided in the Option 82 Remote ID and Option 82 Circuit ID suboptions.

You can enable DHCP snooping on private VLANs. When DHCP snooping is enabled, the configuration is propagated to both a primary VLAN and its associated secondary VLANs. When DHCP snooping is enabled on a primary VLAN, it is also enabled on its secondary VLANs.

The figure below shows the packet format used when DHCP snooping is globally enabled and the ip dhcp snooping information option global configuration command is entered with the Circuit ID suboption.

Figure 1. Suboption Packet Formats, Circuit ID Specified

The figure below shows the packet format used when DHCP snooping is globally enabled and the ip dhcp snooping information option global configuration command is entered with the Remote ID suboption.

Figure 2. Suboption Packet Formats, Remote ID Specified

DHCP Client Option 12

The DHCP Client Option12 feature specifies the hostname of the client. While acquiring an IP address for an interface from the Dynamic Host Configuration Protocol (DHCP) server, if the client device receives the DHCP Hostname option inside the response, the hostname from that option is set. DHCP is used by DHCP clients to obtain configuration information for operation in an IP network.

Configuration parameters and other control information are carried in tagged data items that are stored in the options field of a DHCP message. The DHCP client provides flexibility by allowing Option 12 to be configured for a DHCP client.

Option 12 specifies the name of the client. The name might or might not be qualified with the local domain.

Configuring DHCP Snooping on Private VLANs

Perform these tasks to configure DHCP snooping on private primary and secondary VLANs:

  • Configure a private, primary VLAN.

  • Associate with it an isolated VLAN.

  • Create an SVI interface for the primary VLAN, and associate it with the appropriate loopback IP and helper address.

  • Enable DHCP snooping on the primary VLAN, which also enables it on the associated VLAN.


Note

You must also configure a server to assign the IP address, a DHCP pool, and a relay route so that snooping can be effective.


SUMMARY STEPS

  1. enable
  2. configure terminal
  3. vlan vlan-id
  4. private-vlan primary
  5. private-vlan association secondary-vlan-list
  6. exit
  7. vlan vlan_ID
  8. private-vlan isolated
  9. exit
  10. interface vlan primary-vlan_id
  11. ip unnumbered loopback
  12. private-vlan mapping [secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list ]
  13. exit
  14. ip dhcp snooping vlan primary-vlan_id
  15. end

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

vlan vlan-id

Example:


Device(config)# vlan 70

Enters VLAN configuration mode for the named private VLAN.

Step 4

private-vlan primary

Example:


Device(config-vlan)# private-vlan primary

Designates the VLAN as the primary private VLAN.

Step 5

private-vlan association secondary-vlan-list

Example:


Device(config-vlan)# private-vlan association 7

Configures private VLANs (PVLANs) and the association between a PVLAN and a secondary VLAN.

Step 6

exit

Example:


Device(ocnfig-vlan)# exit

Exits VLAN configuration mode and returns to global configuration mode.

Step 7

vlan vlan_ID

Example:


Device(config)# vlan 7

Enters VLAN configuration mode for the named private VLAN.

  • In this example, the associated secondary VLAN is vlan 7.

Step 8

private-vlan isolated

Example:


Device(config-vlan)# private-vlan isolated

Designates the VLAN as an isolated private VLAN.

Step 9

exit

Example:


Device(config-vlan)# exit

Exits VLAN configuration mode and returns to global configuration mode.

Step 10

interface vlan primary-vlan_id

Example:


Device(config)# interface vlan 70

Creates a dynamic Switch Virtual Interface (SVI) on the primary VLAN, and enters interface configuration mode.

Step 11

ip unnumbered loopback

Example:


Device(config-if)# ip unnumbered loopback1

Specifies IP unnumbered loopback.

Step 12

private-vlan mapping [secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list ]

Example:


Device(config-if)# private-vlan mapping 7

Creates a mapping between the primary and the secondary VLANs so that they share the same primary VLAN SVI.

Step 13

exit

Example:


Device(config-if)# exit

Exits interface configuration mode and returns to global configuration mode.

Step 14

ip dhcp snooping vlan primary-vlan_id

Example:


Device(config)# ip dhcp snooping vlan 70

Enables DHCP snooping on the primary and associated VLANs.

Step 15

end

Example:


Device(config)# end

Exits global configuration mode and returns to privileged EXEC mode.

Example: Mapping Private-VLAN Associations

The following interface configuration example shows how to map the private-VLAN associations. The user-configurable circuit ID “aabb11” is inserted on the secondary VLAN, vlan 7.

Device> enable
Device# configure terminal
Device(config-if)# interface GigabitEthernet 9/0/1
Device(config-if)# switchport
Device(config-if)# switchport private-vlan host-association 70 7
Device(config-if)# switchport mode private-vlan host
Device(config-if)# no mls qos trust
Device(config-if)# spanning-tree portfast
Device(config-if)# exit
Device(config)# ip dhcp snooping vlan 7 information option format-type circuit-id string aabb11
Device(config)# end


The following example shows how to define a DHCP class “C1” and specify the hex string of the corresponding class at the server by using the hex string that matches the circuit-ID value entered in the interface configuration example. That is, the hex string 00000000000000000000000000000006616162623131 mask fffffffffffffffffffffffffffffff0000000000000 matches the circuit ID aabb11.

Device> enable
Device# configure terminal
Device(config)# ip dhcp class C1
Device(config-dhcp-class)# relay agent information
Device(config-dhcp-class-relayinfo)# relay-information hex 00000000000000000000000000000006616162623131 
mask fffffffffffffffffffffffffffffff0000000000000
Device(config-dhcp-class-relayinfo)# end


Feature History for DHCP Options Support

This table provides release and related information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.

Release

Feature

Feature Information

Cisco IOS XE Fuji 16.8.1a

DHCP Client Option 12

The DHCP Client Option 12 feature specifies the hostname of the client. While acquiring an IP address for an interface from the Dynamic Host Configuration Protocol (DHCP) server, if the client device receives the DHCP Hostname option inside the response, the hostname from that option is set. DHCP is used by DHCP clients to obtain configuration information for operation in an IP network.

DHCP Option 82 Configurable Circuit ID and Remote ID

Provides naming choices in the Option 82 Remote ID and Option 82 Circuit ID suboptions.

Use the Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.