DHCP server and relay
A DHCP server provides an address, from a defined address range, to a client on the network that requests it.
You can configure one or more DHCP servers on any FortiSwitch interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP.
You can configure a FortiSwitch interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have the appropriate routing so that its response packets to the DHCP clients arrive at the unit.
NOTE:
- DHCP snooping and the DHCP server can be enabled at the same time.
- The DHCP server and DHCP relay cannot be enabled at the same time.
This chapter covers the following topics:
- Configuring a DHCP server
- Configuring the IP address range
- Excluding addresses in DHCP
- Assigning IP settings to specific MAC addresses
- Configuring DHCP custom options
- Listing DHCP leases
- Breaking DHCP leases
- Detailed operation of a DHCP relay
- Configuring a DHCP relay
Configuring a DHCP server
NOTE: The 4xx, 5xx, 1xxx, and 3xxx models support configuring DHCP servers. The following table lists the maximum number of clients for the supported FortiSwitch models:

| FortiSwitch models | Maximum number of clients |
|---|---|
| 4xx | 15,000 |
| 5xx | 20,000 |
| 1024D, 1048D, 3032D | 30,000 |
| 1048E, 3032E | 50,000 |
Using the GUI:
- Go to System > DHCP.
- Select Add DHCP Server.
- Required. In the ID field, enter a number to identify the entry.
- Select the Enable checkbox to make the DHCP server active.
- Select the Auto-Configuration checkbox if you want the DHCP server to dynamically assign IP addresses to hosts on the network connected to the interface.
- Required. In the Netmask field, enter the netmask of the addresses that the DHCP server assigns.
- In the Interface drop-down list, select an interface. The DHCP server assigns IP configurations to clients connected to this interface.
- Required. In the Lease Time field, enter the lease time in seconds. The lease time determines the length of time an IP address remains assigned to a client.
- Required. In the Conflicted IP Timeout field, enter the number of seconds before a conflicted IP address is removed from the DHCP range and is available to be reused.
- In the Default Gateway field, enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
- In the Domain field, enter the domain name suffix for the IP addresses that the DHCP server assigns to the clients.
- In the Next Server field, enter the IPv4 address of a server (for example, a TFTP server) that DHCP clients can download a boot file from.
- In the Filename field, enter the name of the boot file on the TFTP server.
- In the DNS Service Type drop-down list, select how DNS servers are assigned to DHCP clients.
  - Select Default for clients to be assigned the FortiSwitch unit's configured DNS servers.
  - Select Local to use the IP address of the DHCP server interface for the client's DNS server IP address.
  - Select Specify to enter IPv4 addresses for up to three DNS servers.
- In the Controller 1, Controller 2, and Controller 3 fields, enter the IPv4 addresses for the WiFi access controllers.
- In the NTP Service Type drop-down list, select how Network Time Protocol (NTP) servers are assigned to DHCP clients.
  - Select Default for clients to be assigned the FortiSwitch unit's configured NTP servers.
  - Select Local to use the IP address of the DHCP server interface for the client's NTP server IP address.
  - Select Specify to enter the IPv4 addresses for up to three NTP servers.
- In the WINS Server section, enter the IPv4 addresses for the Windows Internet Name Service (WINS) servers.
- In the Timezone Mode drop-down list, select how the DHCP server sets the client's time zone.
  - Select Default for clients to be assigned the FortiSwitch unit's configured time zone.
  - Select Disable for the DHCP server to not set the client's time zone.
  - Select Specify to choose which time zone is assigned to DHCP clients.
- In the VCI area, select the Enable checkbox to enter the vendor class identifier (VCI) to match. When enabled, only DHCP requests with a matching VCI are served.
- In the IP Ranges section, you can configure the IP address range.
  - In the ID field, enter a unique number to identify the entry or use the default value.
  - Required. In the Start IP field, enter the start of the DHCP IP address range.
  - Required. In the End IP field, enter the end of the DHCP IP address range.
  - To add another IP address range, select Add IP Range.
- In the Exclusion Ranges section, you can block a range of addresses that will not be included in the available addresses for the connecting users.
  - Select Add Exclusion Range.
  - In the ID field, enter a number to identify the entry or use the default value.
  - In the Start IP field, enter the start of the IP address range that will not be assigned to clients.
  - In the End IP field, enter the end of the IP address range that will not be assigned to clients.
  - To add another exclusion range, select Add Exclusion Range.
- In the Reserved Addresses section, you can reserve IP addresses for the DHCP server to use to assign IP addresses to specific MAC addresses.
  - Select Add IP.
  - In the ID field, enter a number to identify the entry or use the default value.
  - In the Type drop-down list, select whether to match the IP address with the MAC address or DHCP option 82.
  - In the Action drop-down list, select how the DHCP server configures the client with the reserved MAC address. Select Reserved for the DHCP server to assign the reserved IP address to the client with this MAC address. Select Assign for the DHCP server to configure the client with this MAC address like any other client. Select Block to prevent the DHCP server from assigning IP settings to the client with this MAC address.
  - In the Description field, enter a description of this entry.
  - In the IP field, enter the IPv4 address to be reserved for the MAC address. This value is required when the action is Reserved and the type is MAC.
  - In the MAC field, enter the MAC address of the client that will get the reserved IP address. This value is required when the type is MAC and the action is Assign or Block.
  - In the Circuit Type drop-down list, select whether the format of the Circuit ID is hexadecimal or string. This option is only available when the type is Option-82.
  - In the Circuit ID field, enter the DHCP option-82 Circuit ID of the client that will get the reserved IP address. The Circuit ID format is controlled by the Circuit Type setting. This value is required when the type is Option-82.
  - In the Remote Type drop-down list, select whether the format of the Remote ID is hexadecimal or string. This option is only available when the type is Option-82.
  - In the Remote ID field, enter the DHCP option-82 Remote ID of the client that will get the reserved IP address. This value is required when the type is Option-82.
  - To add another reserved address, select Add IP.
- In the Options section, you can add up to 30 DHCP custom options.
  - Select Add Option.
  - In the ID field, enter a number to identify the entry or use the default value.
  - In the Type drop-down list, select the format of the DHCP option: fully qualified domain name (FQDN), hexadecimal, IP address, or string.
  - In the Code field, select the DHCP option code. The range is 0-255.
  - In the Value field, enter the DHCP option value. This value is required when the type is set to FQDN, Hex, or String.
  - In the IP field, enter the IP address. This value is required when the type is set to IP.
  - To add another DHCP custom option, select Add Option.
- Select Add to save the new DHCP server.
Using the CLI:
```
config system dhcp server
    edit <id>
        set auto-configuration {enable | disable}
        set conflicted-ip-timeout <integer>
        set default-gateway <xxx.xxx.xxx.xxx>
        set dns-server1 <xxx.xxx.xxx.xxx>
        set dns-server2 <xxx.xxx.xxx.xxx>
        set dns-server3 <xxx.xxx.xxx.xxx>
        set dns-service {default | local | specify}
        set domain <string>
        set filename <string>
        set interface <string>
        set lease-time <integer>
        set netmask <xxx.xxx.xxx.xxx>
        set next-server <xxx.xxx.xxx.xxx>
        set ntp-server1 <xxx.xxx.xxx.xxx>
        set ntp-server2 <xxx.xxx.xxx.xxx>
        set ntp-server3 <xxx.xxx.xxx.xxx>
        set ntp-service {default | local | specify}
        set status {enable | disable}
        set tftp-server <xxx.xxx.xxx.xxx>
        set timezone <00-75>
        set timezone-option {default | disable | specify}
        set vci-match {enable | disable}
        set vci-string <VCI_strings>
        set wifi-ac1 <xxx.xxx.xxx.xxx>
        set wifi-ac2 <xxx.xxx.xxx.xxx>
        set wifi-ac3 <xxx.xxx.xxx.xxx>
        set wins-server1 <xxx.xxx.xxx.xxx>
        set wins-server2 <xxx.xxx.xxx.xxx>
    next
end
```
For example:
```
config system dhcp server
    edit 1
        set default-gateway 50.50.50.2
        set domain "FortiswitchTest.com"
        set filename "text1.conf"
        set interface "svi10"
        config ip-range
            edit 1
                set end-ip 50.50.0.10
                set start-ip 50.50.0.5
            next
        end
        set lease-time 360
        set netmask 255.255.0.0
        set next-server 60.60.60.2
        config options
            edit 1
                set value "dddd"
            next
        end
        set tftp-server "1.2.3.4"
        set timezone-option specify
        set wifi-ac1 5.5.5.1
        set wifi-ac2 5.5.5.2
        set wifi-ac3 5.5.5.3
        set wins-server1 6.6.6.1
        set wins-server2 6.6.6.2
        set dns-server1 7.7.7.1
        set dns-server2 7.7.7.2
        set dns-server3 7.7.7.3
        set ntp-server1 8.8.8.1
        set ntp-server2 8.8.8.2
        set ntp-server3 8.8.8.3
    next
end
```
Configuring the IP address range
By default, the FortiSwitch unit assigns an address range based on the address of the interface for the complete scope of the address. For example, if the interface address is 172.20.120.230, the default range created is 172.20.120.231 to 172.20.120.254.
To configure the IP address range:
```
config system dhcp server
    edit <id>
        config ip-range
            edit <id>
                set end-ip <xxx.xxx.xxx.xxx>
                set start-ip <xxx.xxx.xxx.xxx>
            next
        end
    next
end
```
Excluding addresses in DHCP
If you have a large address range for the DHCP server, you can block a range of addresses that will not be included in the available addresses for the connecting users.
To exclude addresses in DHCP:
```
config system dhcp server
    edit <id>
        config exclude-range
            edit <id>
                set end-ip <xxx.xxx.xxx.xxx>
                set start-ip <xxx.xxx.xxx.xxx>
            next
        end
    next
end
```
Assigning IP settings to specific MAC addresses
If you want the DHCP server to assign IP addresses to specific MAC addresses, you need to reserve the IP addresses.
To reserve IP addresses:
```
config system dhcp server
    edit <id>
        config reserved-address
            edit <id>
                set action {assign | block | reserved}
                set circuit-id {<string> | <hex>}
                set circuit-id-type {hex | string}
                set description <string>
                set ip <xxx.xxx.xxx.xxx>
                set mac <xx:xx:xx:xx:xx:xx>
                set remote-id {<string> | <hex>}
                set remote-id-type {hex | string}
                set type {mac | option82}
            next
        end
    next
end
```
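The three sections above (the default IP range, exclusion ranges, and reserved addresses) describe a pool policy rather than a command you can run offline. The following Python model is an added example written for this page, not FortiSwitch code: it derives the default range from the interface address (the /24 netmask for the page's 172.20.120.230 example is assumed), walks the ip-range entries while skipping exclude-range addresses, and applies reserved-address entries with the reserved, assign and block actions matched by MAC or by option-82 circuit ID and remote ID. The `Pool`, `Reserved` and `allocate` names, the rule that an option-82 entry needs both identifiers to match, and the VCI handling are this example's assumptions about the behaviour the page describes.

```python
"""Model of the FortiSwitch DHCP pool rules described on this page.
Added example, not FortiSwitch code; allocator semantics are assumptions
drawn from the page's descriptions of ip-range, exclude-range and
reserved-address."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Iterator, Optional


def default_range(interface_ip: str, netmask: str) -> tuple[str, str]:
    """Default pool: the address after the interface IP up to the last usable
    host of the subnet (page example: 172.20.120.230 -> .231 to .254)."""
    net = ipaddress.IPv4Network(f"{interface_ip}/{netmask}", strict=False)
    start = ipaddress.IPv4Address(interface_ip) + 1
    end = net.broadcast_address - 1
    if start > end:
        raise ValueError("no usable addresses after the interface address")
    return str(start), str(end)


@dataclass
class Reserved:
    """One reserved-address entry (type mac | option82; action reserved | assign | block)."""
    action: str
    kind: str = "mac"        # "mac" or "option82"
    mac: str = ""
    circuit_id: str = ""     # option-82 circuit ID, compared as a string here
    remote_id: str = ""
    ip: str = ""             # required when action is reserved

    def matches(self, mac: str, circuit_id: str, remote_id: str) -> bool:
        if self.kind == "mac":
            return self.mac.lower() == mac.lower()
        # option82: assumption that both identifiers must match the request
        return self.circuit_id == circuit_id and self.remote_id == remote_id


@dataclass
class Pool:
    ip_ranges: list[tuple[str, str]]
    exclude_ranges: list[tuple[str, str]] = field(default_factory=list)
    reserved: list[Reserved] = field(default_factory=list)
    vci_match: bool = False
    vci_strings: list[str] = field(default_factory=list)
    leases: dict[str, str] = field(default_factory=dict)   # ip -> mac

    def _excluded(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ipaddress.IPv4Address(s) <= ip <= ipaddress.IPv4Address(e)
                   for s, e in self.exclude_ranges)

    def _candidates(self) -> Iterator[ipaddress.IPv4Address]:
        """Walk every ip-range in order, skipping exclude-range addresses."""
        for s, e in self.ip_ranges:
            cur, last = ipaddress.IPv4Address(s), ipaddress.IPv4Address(e)
            while cur <= last:
                if not self._excluded(cur):
                    yield cur
                cur += 1

    def allocate(self, mac: str, vci: str = "", circuit_id: str = "",
                 remote_id: str = "") -> Optional[str]:
        """Return the address the server would offer, or None if it refuses."""
        # VCI match: when enabled, only requests with a listed VCI are served.
        if self.vci_match and vci not in self.vci_strings:
            return None
        for r in self.reserved:
            if r.matches(mac, circuit_id, remote_id):
                if r.action == "block":
                    return None
                if r.action == "reserved":
                    self.leases[r.ip] = mac
                    return r.ip
                break   # assign: treated like any other client
        for ip, owner in self.leases.items():   # existing lease is renewed
            if owner == mac:
                return ip
        held = {r.ip for r in self.reserved if r.action == "reserved" and r.ip}
        for ip in self._candidates():
            s = str(ip)
            if s in self.leases or s in held:
                continue
            self.leases[s] = mac
            return s
        return None   # pool exhausted


if __name__ == "__main__":
    print(default_range("172.20.120.230", "255.255.255.0"))
    pool = Pool(ip_ranges=[("50.50.0.5", "50.50.0.10")],
                exclude_ranges=[("50.50.0.7", "50.50.0.8")],
                reserved=[Reserved("reserved", mac="00:11:22:33:44:55", ip="50.50.0.9")])
    print(pool.allocate("00:11:22:33:44:55"), pool.allocate("00:00:00:00:00:01"))
```

Addresses held by a reserved entry are never handed to other clients, and a blocked MAC receives nothing even when the pool has free addresses, which is the order of checks a practitioner should expect when reviewing a reservation table.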
Configuring DHCP custom options
The DHCP server maintains a table for the potential options. The FortiSwitch DHCP server supports up to a maximum of 30 custom options.
To configure the DHCP custom options:
```
config system dhcp server
    edit <id>
        config options
            edit <id>
                set code <integer>
                set ip <IP_addresses>
                set type {fqdn | hex | ip | string}
                set value <string>
            next
        end
    next
end
```
Listing DHCP leases
The lease time determines the length of time an IP address remains assigned to a client. After the lease expires, the address is released for allocation to the next client that requests an IP address. Use one of the following commands to check the DHCP leases:
```
execute dhcp lease-list
execute dhcp lease-list <interface>
```
Breaking DHCP leases
If you need to end an IP address lease, you can break the lease. This is useful if you have limited addresses and longer lease times when some leases are no longer necessary, for example, with corporate visitors. Use one of the following commands to break the DHCP leases:
```
execute dhcp lease-clear all
execute dhcp lease-clear <xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,...>
```
Detailed operation of a DHCP relay
A DHCP relay operates as follows:
- DHCP client C broadcasts a DHCP/BOOTP discover message on its subnet.
- The relay agent examines the gateway IP address field in the DHCP/BOOTP message header. If the field has an IP address of 0.0.0.0, the agent fills it with the relay agent's or router's IP address and forwards the message to the remote subnet of the DHCP server.
- When the DHCP server receives the message, it examines the gateway IP address field for a DHCP scope that can be used by the DHCP server to supply an IP address lease.
- If the DHCP server has multiple DHCP scopes, the address in the gateway IP address field (GIADDR) identifies the DHCP scope from which to offer an IP address lease.
- The DHCP server sends an IP address lease offer (DHCPOFFER) directly to the relay agent identified in the gateway IP address (GIADDR) field.
- The router then relays the address lease offer (DHCPOFFER) to the DHCP client.
NOTE:
- DHCP relay service supports up to 8 relay targets per interface.
- Each target is sent a copy of the DHCP message.
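To make the GIADDR handling, the eight-target limit and the Option-82 insertion concrete, here is an added Python model of the relay steps above. It is example code written for this page, not FortiSwitch code: it builds a constructed DHCPDISCOVER, parses the BOOTP fixed header (RFC 2131), fills giaddr only when it is 0.0.0.0, appends the relay agent information option (option 82, RFC 3046 sub-options 1 and 2), copies the message to each target, and shows the server-side scope selection by giaddr. The function names and the constructed packet are this example's own; the relay interface address 192.168.15.1 and server address 192.168.23.2 are taken from the relay example later on this page.

```python
"""Relay-agent model for the DHCP relay steps on this page (RFC 2131 header,
RFC 3046 option 82). Added example, not FortiSwitch code; packets constructed."""
import ipaddress
import struct
from typing import Optional

MAGIC = b"\x63\x82\x53\x63"                         # DHCP magic cookie
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236-byte BOOTP fixed header
GIADDR_OFF = 24                                      # byte offset of giaddr
MAX_RELAY_TARGETS = 8                                # limit stated on this page


def build_discover(xid: int, mac: str) -> bytes:
    """Constructed DHCPDISCOVER: header, magic cookie, option 53=1, end option."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    zero4 = b"\0" * 4
    hdr = HDR.pack(1, 1, 6, 0, xid, 0, 0x8000, zero4, zero4, zero4, zero4,
                   chaddr, b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, 1]) + b"\xff"


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed header; IPv4 fields become dotted strings."""
    names = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
             "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
    hdr = dict(zip(names, HDR.unpack_from(pkt)))
    for k in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        hdr[k] = str(ipaddress.IPv4Address(hdr[k]))
    hdr["mac"] = hdr["chaddr"][: hdr["hlen"]].hex(":")
    return hdr


def parse_options(pkt: bytes) -> dict:
    """Walk the TLV option area after the magic cookie; returns code -> bytes."""
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:            # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = bytes(pkt[i + 2: i + 2 + length])
        i += 2 + length
    return opts


def _end_option_offset(pkt: bytes) -> int:
    i = 240
    while i < len(pkt):
        if pkt[i] == 255:
            return i
        i += 1 if pkt[i] == 0 else 2 + pkt[i + 1]
    raise ValueError("no end option")


def relay_to_server(pkt: bytes, relay_ip: str, targets: list,
                    circuit_id: bytes = b"", remote_id: bytes = b"") -> list:
    """Relay-agent side: fill giaddr if it is 0.0.0.0, bump hops, optionally
    insert option 82, and return one (target, packet) copy per target."""
    if len(targets) > MAX_RELAY_TARGETS:
        raise ValueError("at most 8 relay targets per interface")
    out = bytearray(pkt)
    if parse_header(pkt)["giaddr"] == "0.0.0.0":   # first relay on the path
        out[GIADDR_OFF:GIADDR_OFF + 4] = ipaddress.IPv4Address(relay_ip).packed
    out[3] = min(out[3] + 1, 255)                  # hops
    if circuit_id or remote_id:
        sub = b""
        if circuit_id:
            sub += bytes([1, len(circuit_id)]) + circuit_id   # sub-option 1
        if remote_id:
            sub += bytes([2, len(remote_id)]) + remote_id     # sub-option 2
        end = _end_option_offset(out)
        out[end:end] = bytes([82, len(sub)]) + sub
    return [(t, bytes(out)) for t in targets]


def select_scope(hdr: dict, scopes: dict) -> Optional[str]:
    """Server side: the scope whose subnet contains giaddr supplies the lease."""
    gi = ipaddress.IPv4Address(hdr["giaddr"])
    for name, cidr in scopes.items():
        if gi in ipaddress.IPv4Network(cidr):
            return name
    return None


if __name__ == "__main__":
    pkt = build_discover(0x1234, "00:11:22:33:44:55")
    target, relayed = relay_to_server(pkt, "192.168.15.1", ["192.168.23.2"],
                                      b"v15-p15", b"sw1")[0]
    hdr = parse_header(relayed)
    print(target, hdr["giaddr"], hdr["hops"], parse_options(relayed)[82])
    print(select_scope(hdr, {"v15": "192.168.15.0/24", "v23": "192.168.23.0/24"}))
```

A request that already carries a non-zero giaddr (one that passed through an earlier relay) keeps that address, so the server always answers the first relay on the path; that is why the page requires the DHCP server to have a route back to the relay interface.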
Configuring a DHCP relay
You can configure a DHCP relay on any layer-3 interface.
Using the GUI:
- Go to System > Network > Interface > Physical.
- Select Edit for an interface.
- Select Enabled under DHCP Relay.
- Enter the IP addresses for the relay servers, separated by a space.
- If you want to include Option-82 data, select Option-82.
- Select Update.
Using the CLI:
```
config system interface
    edit <interface-name>
        set dhcp-relay-service {enable | disable}
        set dhcp-relay-ip <ip-address1> [<ip-address2> ... <ip-address8>]
        set dhcp-relay-option82 {enable | disable}
    next
end
```
In the following example, the DHCP server has address 192.168.23.2 (the dhcp-relay-ip value), and the DHCP clients are on the 192.168.15.0/24 subnet of interface v15-p15:
```
config system interface
    edit "v15-p15"
        set dhcp-relay-service enable
        set dhcp-relay-ip "192.168.23.2"
        set ip 192.168.15.1 255.255.255.0
        set allowaccess ping ssh snmp telnet
        set snmp-index 53
        set vlanid 15
        set interface "internal"
    next
end
```