Solved: Configuring DHCP snooping on VSG 2 (1.1)

Piyush Khare · ‎02-24-2014

Hello, I am running 1000v version 4.2(1)SV2(2.1a) with VSG 2 (1.1). I have set my 1000v switch to Advance edition; but VSG does not recognize that and therefore I cannot enable the dhcp snooping/relay feature on VSG. I have already successfully enabled dhcp snooping globally on 1000v switch.

I have 2 tenants; so I completely removed VSG and re-added it to the switch in one of them, thinking that re-addition may cause it to recognize the current edition. Following are some excerpts from 1000v and VSG:

===

nexus-vds# sh switch edition

Switch Edition: Advanced <<<<<<< this is my current edition on 1000v switch

Advanced Features

Feature Name Feature State

-----------------------------

cts disabled

dhcp-snooping enabled <<<<<< this is enabled globally on 1000v switch

vxlan-gateway disabled

Licenses Available: 1016

Licenses In Use: 8

===

nexus-vds# sh run vservice node

!Command: show running-config vservice node

!Time: Mon Feb 24 19:10:08 2014

version 4.2(1)SV2(2.1a)

vservice node tenant1-vsg type vsg

ip address 10.x.x.x

adjacency l2 vlan 410

fail-mode open

vservice node tenant2-vsg type vsg

ip address 10.x.x.y

adjacency l2 vlan 410

fail-mode open

===

tenant1-vsg(config)# feature dhcp

ERROR: DHCP feature can only be enabled when switch edition is Advanced

===

How does VSG know that switch is in Advance edition or not ? why is it not recognizing the current edition ? Any ideas ....?

===

Another point I would like to add is that before we applied configuration for VSG; just with 1000v in place (in essential edition); we were able to fire up VMs and DHCP worked without any issues. Also, I have bootpc and bootps allowed in the VSG policy going outbound from VM and DHCP relay is also configured to point to our Cobbler (DHCP) server.

===

Joe LeBlanc · ‎05-01-2014

Hi Piyush,

All DHCP Snooping configuration is done on the VSM.

You can read more in the SV2(1.1) Security Configuration Guide

HTH,

Joe

View solution in original post

Piyush Khare · ‎02-25-2014

OK I am not sure why this was happening, but I have a theory and that could be wrong so someone from Cisco can please help me out here. My VSM/VSG set up is in layer 2 (thanks to my co-worker Phil Smith who pointed this out and helped me) as shown below:

vservice node tenant2-vsg type vsg

ip address 10.x.x.y

adjacency l2 vlan 410

therefore I did not need to worry about the DHCP via VSM/VSG at all. I moved it back to "Essential" edition (took off all the DHCP related config out of VSM of course before changing the edition back from "Advanced").

Then we had to put in rules in policies that allow the kick-start process to work as follows:

from the VM outbound we added "src= any dst=255.255.255.255" and port "udp/67"

to the VM inbound we added "src=any dst=255.255.255.255" and port "udp/68"

had to allow high udp ports from cobbler back to the VM inbound "udp/1024-65535"

had to allow inbound

"src=L3 switch IP (both 01 and 02 in my case as I have HSRP running-NOT the HSRP IP though) src-port= udp/67

dst= any dst-port= udp/68"

All the above rules are NOT needed in our other environments for the same set up using a multi-context ASA to build VMs with kick-start using cobbler.

As I mentioned earlier, I would really appreciate if someone from Cisco can help me out here to confirm my theory or add/remove to what I think could have been the problem. Thanks !

Joe LeBlanc · ‎05-01-2014

Hi Piyush,

All DHCP Snooping configuration is done on the VSM.

You can read more in the SV2(1.1) Security Configuration Guide

HTH,

Joe