02-24-2014 11:13 AM
Hello, I am running 1000v version 4.2(1)SV2(2.1a) with VSG 2 (1.1). I have set my 1000v switch to the Advanced edition, but VSG does not recognize that, and therefore I cannot enable the DHCP snooping/relay feature on VSG. I have already successfully enabled DHCP snooping globally on the 1000v switch.
I have 2 tenants, so I completely removed VSG and re-added it to the switch in one of them, thinking that re-adding it might cause it to recognize the current edition. The following are some excerpts from the 1000v and VSG:
===
nexus-vds# sh switch edition
Switch Edition: Advanced <<<<<<< this is my current edition on 1000v switch
Advanced Features
Feature Name Feature State
-----------------------------
cts disabled
dhcp-snooping enabled <<<<<< this is enabled globally on 1000v switch
vxlan-gateway disabled
Licenses Available: 1016
Licenses In Use: 8
===
nexus-vds# sh run vservice node
!Command: show running-config vservice node
!Time: Mon Feb 24 19:10:08 2014
version 4.2(1)SV2(2.1a)
vservice node tenant1-vsg type vsg
ip address 10.x.x.x
adjacency l2 vlan 410
fail-mode open
vservice node tenant2-vsg type vsg
ip address 10.x.x.y
adjacency l2 vlan 410
fail-mode open
===
tenant1-vsg(config)# feature dhcp
ERROR: DHCP feature can only be enabled when switch edition is Advanced
===
How does VSG know whether the switch is in the Advanced edition or not? Why is it not recognizing the current edition? Any ideas?
===
Another point I would like to add is that before we applied the configuration for VSG, with just the 1000v in place (in the Essential edition), we were able to fire up VMs and DHCP worked without any issues. Also, I have bootpc and bootps allowed in the VSG policy going outbound from the VM, and DHCP relay is also configured to point to our Cobbler (DHCP) server.
===
05-01-2014 11:31 AM
Hi Piyush,
All DHCP Snooping configuration is done on the VSM.
You can read more in the SV2(1.1) Security Configuration Guide
HTH,
Joe
02-25-2014 03:41 PM
OK, I am not sure why this was happening, but I have a theory that could be wrong, so could someone from Cisco please help me out here. My VSM/VSG setup is in layer 2 (thanks to my co-worker Phil Smith, who pointed this out and helped me), as shown below:
vservice node tenant2-vsg type vsg
ip address 10.x.x.y
adjacency l2 vlan 410
Therefore I did not need to worry about DHCP via VSM/VSG at all. I moved it back to the "Essential" edition (of course I took all the DHCP-related config out of the VSM before changing the edition back from "Advanced").
Then we had to put rules in the policies to allow the kick-start process to work, as follows:
From the VM outbound we added "src=any dst=255.255.255.255" and port "udp/67".
To the VM inbound we added "src=any dst=255.255.255.255" and port "udp/68".
We had to allow high UDP ports from Cobbler back to the VM inbound: "udp/1024-65535".
We had to allow inbound "src=L3 switch IP (both 01 and 02 in my case, as I have HSRP running; NOT the HSRP IP though) src-port=udp/67 dst=any dst-port=udp/68".
All the above rules are NOT needed in our other environments for the same setup using a multi-context ASA to build VMs with kick-start using Cobbler.
As I mentioned earlier, I would really appreciate it if someone from Cisco could help me out here to confirm my theory or add to/remove from what I think could have been the problem. Thanks!
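As an added illustration (not part of the forum thread, and not VSG's own policy syntax), the following Python models the follow-up post's rule set as a stateless permit list and evaluates it against a constructed DHCP/PXE exchange for a VM being kick-started through a relay. It shows why the original "bootpc/bootps outbound" permit alone lets the DISCOVER out but drops the OFFER arriving from the relay's IP and the TFTP data from Cobbler, and which of the post's rules covers each flow. All addresses and port numbers are constructed (the post masks its real ones), and treating the "udp/1024-65535" entry as a destination-port range is an assumption.

```python
"""Added example: stateless model of the VSG policy rules from the post,
evaluated against a constructed DHCP/PXE exchange. Not VSG code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple, Dict, List

PortRange = Optional[Tuple[int, int]]  # None means "any port"


@dataclass(frozen=True)
class Flow:
    direction: str   # "outbound" (VM -> network) or "inbound" (network -> VM)
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src: str          # CIDR/host address or "any"
    dst: str
    sports: PortRange
    dports: PortRange


def _in_net(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _in_range(port: int, spec: PortRange) -> bool:
    return spec is None or spec[0] <= port <= spec[1]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and _in_net(flow.src, rule.src) and _in_net(flow.dst, rule.dst)
            and _in_range(flow.sport, rule.sports)
            and _in_range(flow.dport, rule.dports))


def evaluate(rules: List[Rule], flow: Flow) -> Optional[str]:
    """Return the name of the first matching permit rule, or None (dropped)."""
    for r in rules:
        if rule_matches(r, flow):
            return r.name
    return None


# Constructed sample addresses (hypothetical; the post shows only 10.x.x.x).
L3_SWITCH_01 = "10.0.41.2"     # HSRP member 01, a real interface IP, not the VIP
L3_SWITCH_02 = "10.0.41.3"     # HSRP member 02
COBBLER = "10.0.50.10"         # Cobbler DHCP/TFTP server
VM_LEASED = "10.0.41.100"      # address the VM ends up with

# What the VSG policy had before the fix: only the VM's outbound bootpc->bootps.
ORIGINAL_RULES = [
    Rule("bootp-out", "outbound", "any", "any", (68, 68), (67, 67)),
]

# The four permits the follow-up post describes, as stateless rules.
POST_RULES = [
    Rule("discover-out", "outbound", "any", "255.255.255.255/32", None, (67, 67)),
    Rule("offer-bcast-in", "inbound", "any", "255.255.255.255/32", None, (68, 68)),
    Rule("relay-in-01", "inbound", L3_SWITCH_01, "any", (67, 67), (68, 68)),
    Rule("relay-in-02", "inbound", L3_SWITCH_02, "any", (67, 67), (68, 68)),
    # Assumption: the post's "udp/1024-65535" is a destination-port range.
    Rule("cobbler-high-in", "inbound", COBBLER, "any", None, (1024, 65535)),
]

# Constructed exchange for a VM being kick-started through the relay.
FLOWS: Dict[str, Flow] = {
    "DISCOVER (VM broadcast)": Flow("outbound", "0.0.0.0", "255.255.255.255", 68, 67),
    "OFFER (unicast from relay 01)": Flow("inbound", L3_SWITCH_01, VM_LEASED, 67, 68),
    "OFFER (broadcast from relay 02)": Flow("inbound", L3_SWITCH_02, "255.255.255.255", 67, 68),
    # TFTP moves off port 69 after the RRQ: server ephemeral -> client ephemeral.
    "TFTP data (Cobbler ephemeral port)": Flow("inbound", COBBLER, VM_LEASED, 49152, 2001),
}


def evaluate_all(rules: List[Rule]) -> Dict[str, Optional[str]]:
    """Map each sample flow to the permit that admits it (None = dropped)."""
    return {name: evaluate(rules, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("original policy", ORIGINAL_RULES), ("post's policy", POST_RULES)):
        print(label)
        for name, verdict in evaluate_all(rules).items():
            print(f"  {name:38s} -> {verdict or 'DROP'}")
```

Run it and the original policy drops every inbound flow, while the post's policy admits all four. The widest entry is the inbound udp/1024-65535 permit from Cobbler, which a stateless policy needs because TFTP switches to ephemeral ports after the first request; a stateful firewall that tracks the reply to the VM's own request does not need such a standing permit, which is consistent with the post's observation that the ASA setup needed none of these rules.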