FortiLink Guide

Configuring the DHCP server access list

Starting in FortiOS 7.0.1, you can configure which DHCP servers DHCP snooping includes in the server access list. Only the servers on this list are allowed to respond to DHCP requests.

NOTE: You can add 255 servers per table. The maximum number of DHCP servers that can be added to all instances of the table is 2,048. This maximum is a global limit and applies across all VLANs.

Configuring the DHCP server access list consists of the following steps:

  1. Enable the DHCP server access list on a VDOM level or switch-wide level.

    By default, the server access list is disabled, which means that all DHCP servers are allowed. When the server access list is enabled, only the DHCP servers in the server access list are allowed.

  2. Configure the VLAN settings for the managed switch port.

    Set dhcp-server-access-list to global to use the VDOM or system-wide setting, or set it to enable to override the global setting and enable the DHCP server access list on this switch.

    In the managed FortiSwitch unit, all ports are untrusted by default, and DHCP snooping is disabled on all untrusted ports. You must set the managed switch port to be trusted to allow DHCP snooping.

  3. Configure DHCP snooping and the DHCP access list for the managed FortiSwitch interface.

    By default, DHCP snooping is disabled on the managed FortiSwitch interface.

To enable the DHCP server access list on a global level:

config switch-controller global
    set dhcp-server-access-list enable
end

For example:

FGT_A (vdom1) # config switch-controller global
FGT_A (global) # set dhcp-server-access-list enable
FGT_A (global) # end

To configure the VLAN settings:

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set dhcp-server-access-list {global | enable | disable}
        config ports
            edit <port_name>
                set vlan <VLAN_name>
                set dhcp-snooping trusted
            next
        end
    next
end

For example:

config switch-controller managed-switch
    edit "S524DN4K16000116"
        set fsw-wan1-peer "port11"
        set fsw-wan1-admin enable
        set dhcp-server-access-list enable
        config ports
            edit "port19"
                set vlan "_default.13"
                set allowed-vlans "quarantine.13"
                set untagged-vlans "quarantine.13"
                set dhcp-snooping trusted
                set export-to "vdom1"
            next
        end
    next
end

To configure the interface settings:

config system interface
    edit <VLAN_name>
        set switch-controller-dhcp-snooping enable
        config dhcp-snooping-server-list
            edit <DHCP_server_name>
                set server-ip <IPv4_address_of_DHCP_server>
            next
        end
    next
end

For example:

config system interface
    edit "_default.13"
        set vdom "vdom1"
        set ip 5.4.4.1 255.255.255.0
        set allowaccess ping https ssh http fabric
        set alias "_default.port11"
        set snmp-index 30
        set switch-controller-dhcp-snooping enable
        config dhcp-snooping-server-list
            edit "server1"
                set server-ip 10.20.20.1
            next
        end
        set switch-controller-feature default-vlan
        set interface "port11"
        set vlanid 1
    next
end

Including option-82 data

You can include option-82 data in the DHCP request. (DHCP option 82 provides additional security by enabling a controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources.) You can select a fixed format for the Circuit ID and Remote ID fields or select which values appear in the Circuit ID and Remote ID fields.

The following is the fixed format for the option-82 Circuit ID field:

Circuit-ID: vlan-mod-port
    vlan - [ 2 bytes ]
    mod  - [ 1 byte: Snoop = 1, Relay = 0 ]
    port - [ 1 byte ]

The following is the fixed format for the option-82 Remote ID field:

Remote-ID: mac [ 6 bytes ]

If you want to select which values appear in the Circuit ID and Remote ID fields:

  • For the Circuit ID field, you can include the interface description, host name, interface name, mode, and VLAN.

  • For the Remote ID field, you can include the host name, IP address, and MAC address.

For example:

config system interface
    edit "user"
        set vdom "root"
        set ip 192.168.101.1 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 42
        set switch-controller-dhcp-snooping enable
        set switch-controller-dhcp-snooping-option82 enable
        set interface "fortilink"
        set vlanid 101
    next
end

config system dhcp server
    edit 7
        set dns-service default
        set default-gateway 192.168.101.1
        set netmask 255.255.255.0
        set interface "user"
        config ip-range
            edit 1
                set start-ip 192.168.101.2
                set end-ip 192.168.101.254
            next
        end
        config reserved-address
            edit 1
                set type option82
                set ip 192.168.101.201
                set circuit-id "706F7274312C3130312C646863702D73"
                set remote-id "39303a36433a41433a35463a30413a4142"
            next
            edit 2
                set type option82
                set ip 192.168.101.202
                set circuit-id "706F7274322C3130312C646863702D73"
                set remote-id "39303a36433a41433a35463a30413a4142"
            next
        end
    next
end
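The reserved-address entries above take the Circuit ID and Remote ID as hex strings, while the fixed format describes a binary layout. As an added example that is not part of the Fortinet guide, the Python below packs and parses the fixed-format Circuit-ID and Remote-ID, walks the RFC 3046 sub-option TLVs of a constructed option-82 value, and converts the hex strings used under config reserved-address to and from the text they encode. Network byte order for the 2-byte VLAN field is my assumption (the guide does not state it), and the option-82 payload in the test is constructed, not captured.

```python
import struct

SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2   # RFC 3046 sub-option codes inside option 82
MOD_RELAY, MOD_SNOOP = 0, 1                  # "mod" byte of the fixed Circuit-ID format


def build_fixed_circuit_id(vlan, mod, port):
    """Fixed Circuit-ID: vlan (2 bytes) + mod (1 byte) + port (1 byte).
    Network byte order for the VLAN field is an assumption, not stated by the guide."""
    return struct.pack("!HBB", vlan, mod, port)


def parse_fixed_circuit_id(data):
    """Inverse of build_fixed_circuit_id; anything but 4 bytes is not the fixed format."""
    if len(data) != 4:
        raise ValueError("fixed-format Circuit-ID must be exactly 4 bytes")
    vlan, mod, port = struct.unpack("!HBB", data)
    return {"vlan": vlan, "mode": "snoop" if mod == MOD_SNOOP else "relay", "port": port}


def parse_fixed_remote_id(data):
    """Fixed Remote-ID: the 6-byte MAC, rendered as colon-separated hex."""
    if len(data) != 6:
        raise ValueError("fixed-format Remote-ID must be exactly 6 bytes")
    return ":".join(f"{b:02X}" for b in data)


def parse_option82(value):
    """Walk the sub-option TLVs of an option-82 value (outer code 82 and length
    already stripped). A truncated sub-option is an error, not a shorter ID."""
    subopts, i = {}, 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        body = value[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated sub-option body")
        subopts[code] = body
        i += 2 + length
    return subopts


def decode_reserved_id(hex_string):
    """'set circuit-id' / 'set remote-id' under config reserved-address take the
    ID as a hex string; this recovers the text it encodes (the guide's first
    circuit-id decodes to "port1,101,dhcp-s")."""
    return bytes.fromhex(hex_string).decode("ascii")


def encode_reserved_id(text):
    """Opposite direction: the hex string to paste into 'set circuit-id' / 'set remote-id'."""
    return text.encode("ascii").hex().upper()
```

Decoding the configured hex strings is a quick way to verify that a reservation really targets the port, VLAN and MAC you intended before relying on it.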
