Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 8.0.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    New Features

    8.0.0
    8.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    DHCP IP assignment based on MAC vendor OUI

    DHCP IP assignment based on MAC vendor OUI

    FortiOS can now assign IP addresses based on the DHCP client's MAC vendor Organizationally Unique Identifier (OUI), enabling administrators to control IP or IP-range allocation for each device vendor for improved identification and segmentation.

    New options are available:

    config system dhcp server
    edit <id>
        config ip-range
            edit <id>
                ...
                set oui-match [disable | enable]
                set oui-string <oui-string1>, <oui-string2>, ...
                ...
                set vendor {string}
            next
        end
    next
end

    Option

    Description

    oui-match [disable | enable]

    Enable/disable organizationally unique identifier (OUI) matching (default = disabled). When enabled, only DHCP requests with a matching OUI are served with this range.

    oui-string <oui-string1>, <oui-string2>, ...

    One or more OUI strings in quotes separated by spaces (in format of xx:xx:xx).

    MAC OUI strings.

    vendor {string}

    Vendor this ip-range will be assigned to.

    Example

    In this example, a DHCP server with OUI matching is configured on FortiGate interface port3. The DHCP server will assign IP addresses to clients when the first three bytes of their MAC address match "00:09:0f".

    To configure:

    1. On FortiGate, configure a DHCP server:

      config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 10.2.2.1
        set netmask 255.255.255.0
        set interface "port3"
        config ip-range
            edit 1
                set start-ip 10.2.2.10
                set end-ip 10.2.2.10
                set oui-match enable              
                set oui-string "00:09:0f"          
                set vendor "FGT-B-test"         
            next
        end
        set timezone-option default
    next
end

    2. On the client, enable DHCP mode to receive an IP address.

    3. On FortiGate, view the assigned IP addresses:

      In this example, a client with MAC address 00:09:0f:09:00:00 received an IP address from the defined range for the vendor because the first three bytes of the client MAC address match the OUI string.

      # execute dhcp lease-list
port3
  IP            MAC-Address             Hostname            VCI                 SSID                AP                  SERVER-ID           Expiry
  10.2.2.10     00:09:0f:09:00:00       FGT_B               FortiGate-201F                                              1                   Mon Apr 27 11:02:15 2026

    4. View events logs to find OUI-based IP assignments in the DHCP lease logs:

      6: date=2026-04-20 time=11:02:16 eventtime=1776708135186349222 tz="-0700" logid="0100026001" type="event" subtype="system" level="information" vd="vdom1" logdesc="DHCP Ack log" interface="port3" dhcp_msg="Ack" mac="00:09:0F:09:00:00" ip=10.2.2.10 lease=604800 hostname="FGT_B" vendor="FGT-B-test" msg="DHCP server sends a DHCPACK"
      7: date=2026-04-20 time=11:02:11 eventtime=1776708130178098624 tz="-0700" logid="0100026001" type="event" subtype="system" level="information" vd="vdom1" logdesc="DHCP Ack log" interface="port3" dhcp_msg="Ack" mac="00:09:0F:09:00:00" ip=10.2.2.10 lease=604800 hostname="FGT_B" vendor="FGT-B-test" msg="DHCP server sends a DHCPACK"
      8: date=2026-04-20 time=11:01:45 eventtime=1776708104950754436 tz="-0700" logid="0100026002" type="event" subtype="system" level="information" vd="vdom1" logdesc="DHCP Release log" interface="port3" dhcp_msg="Release" mac="00:09:0F:09:00:00" ip=10.2.2.10 hostname="FGT_B" msg="DHCP server receives a DHCPRELEASE"
    Previous
    Next

    DHCP IP assignment based on MAC vendor OUI

    DHCP IP assignment based on MAC vendor OUI

    FortiOS can now assign IP addresses based on the DHCP client's MAC vendor Organizationally Unique Identifier (OUI), enabling administrators to control IP or IP-range allocation for each device vendor for improved identification and segmentation.

    New options are available:

    config system dhcp server
    edit <id>
        config ip-range
            edit <id>
                ...
                set oui-match [disable | enable]
                set oui-string <oui-string1>, <oui-string2>, ...
                ...
                set vendor {string}
            next
        end
    next
end

    Option

    Description

    oui-match [disable | enable]

    Enable/disable organizationally unique identifier (OUI) matching (default = disabled). When enabled, only DHCP requests with a matching OUI are served with this range.

    oui-string <oui-string1>, <oui-string2>, ...

    One or more OUI strings in quotes separated by spaces (in format of xx:xx:xx).

    MAC OUI strings.

    vendor {string}

    Vendor this ip-range will be assigned to.

    Example

    In this example, a DHCP server with OUI matching is configured on FortiGate interface port3. The DHCP server will assign IP addresses to clients when the first three bytes of their MAC address match "00:09:0f".

    To configure:

    1. On FortiGate, configure a DHCP server:

      config system dhcp server
    edit 1
        set dns-service default
        set default-gateway 10.2.2.1
        set netmask 255.255.255.0
        set interface "port3"
        config ip-range
            edit 1
                set start-ip 10.2.2.10
                set end-ip 10.2.2.10
                set oui-match enable              
                set oui-string "00:09:0f"          
                set vendor "FGT-B-test"         
            next
        end
        set timezone-option default
    next
end

    2. On the client, enable DHCP mode to receive an IP address.

    3. On FortiGate, view the assigned IP addresses:

      In this example, a client with MAC address 00:09:0f:09:00:00 received an IP address from the defined range for the vendor because the first three bytes of the client MAC address match the OUI string.

      # execute dhcp lease-list
port3
  IP            MAC-Address             Hostname            VCI                 SSID                AP                  SERVER-ID           Expiry
  10.2.2.10     00:09:0f:09:00:00       FGT_B               FortiGate-201F                                              1                   Mon Apr 27 11:02:15 2026

    4. View events logs to find OUI-based IP assignments in the DHCP lease logs:

      6: date=2026-04-20 time=11:02:16 eventtime=1776708135186349222 tz="-0700" logid="0100026001" type="event" subtype="system" level="information" vd="vdom1" logdesc="DHCP Ack log" interface="port3" dhcp_msg="Ack" mac="00:09:0F:09:00:00" ip=10.2.2.10 lease=604800 hostname="FGT_B" vendor="FGT-B-test" msg="DHCP server sends a DHCPACK"
      7: date=2026-04-20 time=11:02:11 eventtime=1776708130178098624 tz="-0700" logid="0100026001" type="event" subtype="system" level="information" vd="vdom1" logdesc="DHCP Ack log" interface="port3" dhcp_msg="Ack" mac="00:09:0F:09:00:00" ip=10.2.2.10 lease=604800 hostname="FGT_B" vendor="FGT-B-test" msg="DHCP server sends a DHCPACK"
      8: date=2026-04-20 time=11:01:45 eventtime=1776708104950754436 tz="-0700" logid="0100026002" type="event" subtype="system" level="information" vd="vdom1" logdesc="DHCP Release log" interface="port3" dhcp_msg="Release" mac="00:09:0F:09:00:00" ip=10.2.2.10 hostname="FGT_B" msg="DHCP server receives a DHCPRELEASE"
    Previous
    Next