DHCP relay agent information option

Option 82 (DHCP relay information option) helps protect the FortiGate against attacks such as spoofing (or forging) of IP and MAC addresses, and DHCP IP address starvation.

The following CLI variables are included in the config system dhcp server > config reserved-address command:

circuit-id-type {hex | string}

DHCP option type; hex or string (default).

circuit-id <value>

Option 82 circuit ID of the client that will get the reserved IP address.

Format: vlan-mod-port

  • vlan: VLAN ID (2 bytes)
  • mod: 1 = snoop, 0 = relay (1 byte)
  • port: port number (1 byte)

remote-id-type {hex | string}

DHCP option type; hex or string (default).

remote-id <value>

Option 82 remote ID of the client that will get the reserved IP address.

Format: the MAC address of the client.

type {mac | option82}

The DHCP reserved address type; mac (default) or option82.

To create an IP address assignment rule using option 82 in the GUI:
  1. Go to Network > Interfaces.
  2. Edit an existing port, or create a new one.
    Note: The port Role must be LAN or Undefined.

  3. Enable DHCP Server.
  4. Configure the address ranges and other settings as needed.
  5. Click + to expand the Advanced options.
  6. In the IP Address Assignment Rules table, click Create New.

    The Create New IP Address Assignment Rule pane opens.

  7. Configure the new rule:
    1. For the Type, select DHCP Relay Agent.
    2. Enter the Circuit ID and Remote ID.
    3. Enter the IP address that will be reserved.
  8. Click OK.

To create an IP address assignment rule using option 82 with the CLI:
config system dhcp server
    edit 1
        set netmask 255.255.255.0
        set interface "port4"
        config ip-range
            edit 1
                set start-ip 100.100.100.1
                set end-ip 100.100.100.99
            next
            edit 2
                set start-ip 100.100.100.101
                set end-ip 100.100.100.254
            next
        end
        config reserved-address
            edit 1
                set type option82
                set ip 100.100.100.12
                set circuit-id-type hex
                set circuit-id "00010102"
                set remote-id-type hex
                set remote-id "704ca5e477d6"
            next
        end
    next
end
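
The hex values in the CLI example above can be checked against the vlan-mod-port layout before they are entered. The following Python sketch is an added example, not Fortinet code: it parses an option 82 payload and decodes both IDs. It assumes the RFC 3046 sub-option codes (1 = circuit ID, 2 = remote ID) and network byte order for the VLAN field; the function names and the sample payload are constructed for illustration.

```python
import struct

# RFC 3046 sub-option codes carried inside DHCP option 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_option82(payload: bytes) -> dict:
    """Split an option 82 payload into {sub-option code: value bytes}."""
    subs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} overruns the payload")
        subs[code] = value
        i += 2 + length
    return subs


def decode_circuit_id(raw: bytes) -> dict:
    """Decode vlan-mod-port: 2-byte VLAN ID, 1-byte mod, 1-byte port."""
    if len(raw) != 4:
        raise ValueError("circuit ID must be exactly 4 bytes")
    vlan, mod, port = struct.unpack("!HBB", raw)  # assumption: network byte order
    if mod not in (0, 1):
        raise ValueError("mod must be 0 (relay) or 1 (snoop)")
    return {"vlan": vlan, "mod": "snoop" if mod else "relay", "port": port}


def decode_remote_id(raw: bytes) -> str:
    """Render the 6-byte remote ID as a colon-separated MAC address."""
    if len(raw) != 6:
        raise ValueError("remote ID must be a 6-byte MAC address")
    return ":".join(f"{b:02x}" for b in raw)


def reservation_values(payload: bytes) -> dict:
    """Return the hex strings for circuit-id/remote-id plus their decoded form."""
    subs = parse_option82(payload)
    circuit, remote = subs[SUB_CIRCUIT_ID], subs[SUB_REMOTE_ID]
    return {"circuit-id": circuit.hex(), "remote-id": remote.hex(),
            "circuit": decode_circuit_id(circuit), "mac": decode_remote_id(remote)}


# Constructed sample: option 82 payload carrying the two hex values from the CLI example.
SAMPLE = bytes.fromhex("0104" "00010102" "0206" "704ca5e477d6")
print(reservation_values(SAMPLE))
```

Under these assumptions, circuit ID 00010102 reads as VLAN 1, snoop mode, port 2, and remote ID 704ca5e477d6 is the client MAC 70:4c:a5:e4:77:d6.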
