Fortinet black logo

New Features

Support of the DHCP server access list 7.0.1

Copy Link
Copy Doc ID 4f6cd3c1-22cb-11eb-96b9-00505692583a:992275
Download PDF

Support of the DHCP server access list 7.0.1

You can now configure in FortiOS which DHCP servers that DHCP snooping includes in the server access list. These servers on the list are allowed to respond to DHCP requests.

NOTE: You can add 255 servers per table. The maximum number of DHCP servers that can be added to all instances of the table is 2,048. This maximum is a global limit and applies across all VLANs.

Configuring the DHCP server access list consists of the following steps:

  1. Enable the DHCP server access list on a VDOM level or switch-wide level.

    By default, the server access list is disabled, which means that all DHCP servers are allowed. When the server access list is enabled, only the DHCP servers in the server access list are allowed.

  2. Configure the VLAN settings for the managed switch port.

    You can set the DHCP server access list to global to use the VDOM or system-wide setting, or you can set the DHCP server access list to enable to override the global settings and enable the DHCP server access list.

    In the managed FortiSwitch unit, all ports are untrusted by default, and DHCP snooping is disabled on all untrusted ports. You must set the managed switch port to be trusted to allow DHCP snooping.

  3. Configure DHCP snooping and the DHCP access list for the managed FortiSwitch interface.

    By default, DHCP snooping is disabled on the managed FortiSwitch interface.

To enable the DHCP sever access list on a global level:

config switch-controller global

set dhcp-server-access-list enable

end

For example:

FGT_A (vdom1) # config switch-controller global

FGT_A (global) # set dhcp-server-access-list enable

FGT_A (global) # end

To configure the VLAN settings:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set dhcp-server-access-list {global | enable | disable}

config ports

edit <port_name>

set vlan <VLAN_name>

set dhcp-snooping trusted

next

end

next

end

For example:

config switch-controller managed-switch

edit "S524DN4K16000116"

set fsw-wan1-peer "port11"

set fsw-wan1-admin enable

set dhcp-server-access-list enable

config ports

edit "port19"

set vlan "_default.13"

set allowed-vlans "quarantine.13"

set untagged-vlans "quarantine.13"

set dhcp-snooping trusted

set export-to "vdom1"

next

end

next

end

To configure the interface settings:

config system interface

edit <VLAN_name>

set switch-controller-dhcp-snooping enable

config dhcp-snooping-server-list

edit <DHCP_server_name>

set server-ip <IPv4_address_of_DHCP_server>

next

end

next

end

For example:

config system interface

edit "_default.13"

set vdom "vdom1"

set ip 5.4.4.1 255.255.255.0

set allowaccess ping https ssh http fabric

set alias "_default.port11"

set snmp-index 30

set switch-controller-dhcp-snooping enable

config dhcp-snooping-server-list

edit "server1"

set server-ip 10.20.20.1

next

end

set switch-controller-feature default-vlan

set interface "port11"

set vlanid 1

next

end

Support of the DHCP server access list 7.0.1

You can now configure in FortiOS which DHCP servers that DHCP snooping includes in the server access list. These servers on the list are allowed to respond to DHCP requests.

NOTE: You can add 255 servers per table. The maximum number of DHCP servers that can be added to all instances of the table is 2,048. This maximum is a global limit and applies across all VLANs.

Configuring the DHCP server access list consists of the following steps:

  1. Enable the DHCP server access list on a VDOM level or switch-wide level.

    By default, the server access list is disabled, which means that all DHCP servers are allowed. When the server access list is enabled, only the DHCP servers in the server access list are allowed.

  2. Configure the VLAN settings for the managed switch port.

    You can set the DHCP server access list to global to use the VDOM or system-wide setting, or you can set the DHCP server access list to enable to override the global settings and enable the DHCP server access list.

    In the managed FortiSwitch unit, all ports are untrusted by default, and DHCP snooping is disabled on all untrusted ports. You must set the managed switch port to be trusted to allow DHCP snooping.

  3. Configure DHCP snooping and the DHCP access list for the managed FortiSwitch interface.

    By default, DHCP snooping is disabled on the managed FortiSwitch interface.

To enable the DHCP sever access list on a global level:

config switch-controller global

set dhcp-server-access-list enable

end

For example:

FGT_A (vdom1) # config switch-controller global

FGT_A (global) # set dhcp-server-access-list enable

FGT_A (global) # end

To configure the VLAN settings:

config switch-controller managed-switch

edit <FortiSwitch_serial_number>

set dhcp-server-access-list {global | enable | disable}

config ports

edit <port_name>

set vlan <VLAN_name>

set dhcp-snooping trusted

next

end

next

end

For example:

config switch-controller managed-switch

edit "S524DN4K16000116"

set fsw-wan1-peer "port11"

set fsw-wan1-admin enable

set dhcp-server-access-list enable

config ports

edit "port19"

set vlan "_default.13"

set allowed-vlans "quarantine.13"

set untagged-vlans "quarantine.13"

set dhcp-snooping trusted

set export-to "vdom1"

next

end

next

end

To configure the interface settings:

config system interface

edit <VLAN_name>

set switch-controller-dhcp-snooping enable

config dhcp-snooping-server-list

edit <DHCP_server_name>

set server-ip <IPv4_address_of_DHCP_server>

next

end

next

end

For example:

config system interface

edit "_default.13"

set vdom "vdom1"

set ip 5.4.4.1 255.255.255.0

set allowaccess ping https ssh http fabric

set alias "_default.port11"

set snmp-index 30

set switch-controller-dhcp-snooping enable

config dhcp-snooping-server-list

edit "server1"

set server-ip 10.20.20.1

next

end

set switch-controller-feature default-vlan

set interface "port11"

set vlanid 1

next

end