
Administration Guide

DHCP snooping


The DHCP-snooping feature monitors DHCP traffic from untrusted sources (typically host ports and unknown DHCP servers) that might launch traffic attacks or other hostile actions. To prevent this, DHCP snooping filters messages on untrusted ports by performing the following activities:

  • Validating DHCP messages received from untrusted sources and filtering out invalid messages. For example, a request to decline a DHCP offer or release a lease is ignored if the request arrives on a different interface than the one that created the binding entry.
  • Building and maintaining a DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

Other security features, such as dynamic ARP inspection (DAI), which rejects invalid and malicious ARP packets, also use the information stored in the DHCP-snooping binding database.

In the FortiSwitch unit, all ports are untrusted by default, and DHCP snooping is disabled on all untrusted ports. You indicate that a source is trusted by configuring the trust state of its connecting interface.

For additional security, you can use the CLI to specify which DHCP servers are included in the allowed server list; DHCP snooping blocks messages from servers that are not on the list.

Configuring DHCP snooping

DHCP snooping is enabled per VLAN and, by default, DHCP snooping is disabled.

Configuring DHCP snooping consists of the following steps:

  1. Setting the system-wide DHCP-snooping options
  2. Configuring the VLAN settings
  3. Configuring the interface settings

Setting the system-wide DHCP-snooping options

Before you use DHCP snooping, enable the DHCP server access list, which holds the trusted DHCP servers.

NOTE: The maximum number of DHCP servers that can be added to the list is 2,048. This maximum is a global limit and applies across all VLANs.

To set the system-wide DHCP-snooping options:

config system global

set dhcp-server-access-list {enable | disable}

end

For example:

config system global

set dhcp-server-access-list enable

end

Including option-82 data

You can include option-82 data in the DHCP request. (DHCP option 82, the Relay Agent Information option, lets the switch act as a relay agent and tag each client request with where it entered the network, so the DHCP server can tell which switch and port a request came from and treat requests from untrusted sources accordingly.) You can use a fixed format for the Circuit ID and Remote ID fields, or select which values appear in them.

The following is the fixed format for the option-82 Circuit ID field:

Circuit-ID: vlan-mod-port

vlan - [ 2 bytes ]

mod - [ 1 byte: 1 = Snoop, 0 = Relay ]

port - [ 1 byte ]

The following is the fixed format for the option-82 Remote ID field:

Remote-ID: mac [ 6 bytes ]

If you want to select which values appear in the Circuit ID and Remote ID fields:

  • For the Circuit ID field, you can include the interface description, host name, interface name, mode, and VLAN.
  • For the Remote ID field, you can include the host name, IP address, and MAC address.
To configure the option-82 data:

config system global

set dhcp-option-format {ascii | legacy}

set dhcp-client-location {description | hostname | intfname | mode | vlan}

set dhcp-remote-id {hostname | ip | mac}

end
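As an added example (not FortiSwitch code), the following Python builds and parses an option-82 TLV in the fixed format described above. The suboption codes 1 (Agent Circuit ID) and 2 (Agent Remote ID) come from RFC 3046; the byte layout of the Circuit ID (vlan, mod, port) and Remote ID (MAC) fields is taken from this page. The ASCII format is not modelled because its byte layout is not documented here. The VLAN, port number and switch MAC used in the demonstration are constructed values.

```python
"""Build and parse DHCP option 82 (Relay Agent Information) in the fixed
("legacy") format documented above. Added example, not FortiSwitch code.
Suboption codes 1 (Agent Circuit ID) and 2 (Agent Remote ID) are from
RFC 3046; the field layout (vlan 2 bytes, mod 1 byte with 1 = Snoop and
0 = Relay, port 1 byte; Remote-ID = 6-byte MAC) is taken from this page."""
import struct

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
MOD_NAMES = {0: "Relay", 1: "Snoop"}


def build_circuit_id(vlan: int, mod: int, port: int) -> bytes:
    """vlan-mod-port packed big-endian: 2 + 1 + 1 bytes."""
    if not 1 <= vlan <= 4094:
        raise ValueError("vlan out of range")
    if mod not in MOD_NAMES:
        raise ValueError("mod must be 0 (Relay) or 1 (Snoop)")
    if not 0 <= port <= 255:
        raise ValueError("port does not fit in one byte")
    return struct.pack("!HBB", vlan, mod, port)


def build_remote_id(mac: str) -> bytes:
    """Six raw bytes from 'aa:bb:cc:dd:ee:ff' (or dash-separated)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return raw


def build_option82(vlan: int, mod: int, port: int, switch_mac: str) -> bytes:
    """Whole option TLV: code 82, total length, then the two suboption TLVs."""
    cid = build_circuit_id(vlan, mod, port)
    rid = build_remote_id(switch_mac)
    body = (bytes([SUBOPT_CIRCUIT_ID, len(cid)]) + cid
            + bytes([SUBOPT_REMOTE_ID, len(rid)]) + rid)
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(data: bytes) -> dict:
    """Parse the TLV back. Truncated or wrong-sized fields raise ValueError
    instead of being guessed at: a forged or malformed option 82 arriving on
    an untrusted port is exactly what dhcp-snoop-option82-trust gates."""
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not an option 82 TLV")
    body = data[2:2 + data[1]]
    if len(body) != data[1]:
        raise ValueError("truncated option 82")
    out, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated suboption header")
        code, sublen = body[i], body[i + 1]
        val = body[i + 2:i + 2 + sublen]
        if len(val) != sublen:
            raise ValueError("truncated suboption value")
        i += 2 + sublen
        if code == SUBOPT_CIRCUIT_ID:
            if sublen != 4:
                raise ValueError("fixed-format Circuit-ID must be 4 bytes")
            vlan, mod, port = struct.unpack("!HBB", val)
            if mod not in MOD_NAMES:
                raise ValueError("unknown mod value")
            out["circuit_id"] = {"vlan": vlan, "mod": MOD_NAMES[mod], "port": port}
        elif code == SUBOPT_REMOTE_ID:
            if sublen != 6:
                raise ValueError("fixed-format Remote-ID must be 6 bytes")
            out["remote_id"] = ":".join(f"{b:02x}" for b in val)
        else:
            out.setdefault("unknown", []).append((code, val))
    return out


def is_valid_option82(data: bytes) -> bool:
    """True only if the TLV parses cleanly in the fixed format."""
    try:
        parse_option82(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values: VLAN 10, snooping mode, port 5, a made-up switch MAC.
    tlv = build_option82(10, 1, 5, "00:09:0f:aa:bb:cc")
    print(tlv.hex())
    print(parse_option82(tlv))
```

The parser deliberately rejects a Circuit ID or Remote ID whose length does not match the fixed format rather than accepting whatever a client sends: on an untrusted port the only reason option 82 should appear at all is that dhcp-snoop-option82-trust has been enabled for a downstream relay or switch.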

Configuring the VLAN settings

Using the GUI:
  1. Go to Switch > VLAN.
  2. Select Add VLAN.
  3. Enter the VLAN identifier.
  4. Enter a description for the new VLAN.
  5. Under DHCP Snooping, select Enable.
  6. If needed, select Verify Source MAC, Insert Option 82, and Dynamic ARP Inspection.
  7. Under the DHCP Server Whitelist, select + to add the name and IP address of an approved DHCP server.
  8. In the Members by MAC Address section, select Add to add a MAC address.
  9. In the Members by IP Address section, select Add to add an IPv4 address and netmask.
  10. To save your changes, select Add at the bottom of the page.
Using the CLI:

config switch vlan

edit <vlan-id>

set dhcp-snooping enable

set dhcp-snooping-verify-mac {enable | disable}

set dhcp-snooping-option82 {enable | disable}

set dhcp6-snooping enable

config member-by-mac

edit <id>

set mac XX:XX:XX:XX:XX:XX

set description <128-byte string>

next

end

config member-by-ipv4

edit <id>

set address a.b.c.d/e

set description <128-byte string>

next

end

config dhcp-server-access-list

edit <string>

set server-ip <xxx.xxx.xxx.xxx>

set server-ip6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>

next

end

next

end

NOTE: If you enable dhcp-snooping-verify-mac, the system verifies that the source MAC address of a DHCP request received on an untrusted port matches the client hardware address (chaddr) carried inside the DHCP message, and filters out requests where the two differ.

NOTE: If you enable dhcp-snooping-option82, the system inserts option-82 data into the DHCP messages for this VLAN.

For example, to configure IPv4 DHCP snooping:

config switch vlan

edit 10

set dhcp-snooping enable

config dhcp-server-access-list

edit "list1"

set server-ip 100.1.0.2

next

end

next

end

For example, to configure IPv6 DHCP snooping:

config switch vlan

edit 10

set dhcp6-snooping enable

config dhcp-server-access-list

edit "list1"

set server-ip6 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234

next

end

next

end

Configuring the interface settings

After you enable DHCP snooping on a VLAN, all interfaces are in an untrusted state by default, and DHCP snooping is disabled on all untrusted interfaces. You must explicitly configure the trusted interfaces and enable DHCP snooping for each interface.

In addition, you can limit how many IP addresses the DHCP snooping binding database holds for each interface by enabling dhcp-snoop-learning-limit-check and setting learning-limit. By default, dhcp-snoop-learning-limit-check is disabled, and the limit for an untrusted port is 5 entries. You can set the limit to 0. The maximum number of entries depends on which FortiSwitch unit you are using. A learning limit can also be set on a VLAN. For example:

S548DN4K16000313 # show switch vlan 1

config switch vlan

edit 1

set learning-limit 100

set dhcp-snooping enable

next

end

NOTE: If the FortiSwitch unit has already learned more IP addresses than the learning limit being set, the configuration is rejected because the FortiSwitch unit cannot select which IP addresses to keep. If it has learned the same number of IP addresses or fewer, the configuration is accepted.

NOTE: The per-VLAN learning limit is not supported on dual-chip platforms (448 series).

Using the GUI:
  1. Go to Switch > Interface > Physical or Switch > Interface > Trunk.
  2. Select an interface.
  3. Select Edit.
  4. Select whether the interface is Trusted or Untrusted for DHCP snooping.
  5. If you want to accept DHCP messages with option-82 data from an untrusted interface, select the Option-82 Trust check box.
  6. Select OK.
Using the CLI:

config switch {interface | trunk}

edit <interface-name>

set native-vlan <VLAN-ID>

set dhcp-snooping {trusted | untrusted}

set dhcp-snoop-learning-limit-check {enable | disable}

set learning-limit <integer>

set dhcp-snoop-option82-trust {enable | disable}

next

end

For example:

config switch interface

edit "port5"

set native-vlan 10

set dhcp-snooping untrusted

set dhcp-snoop-learning-limit-check enable

set learning-limit 7

set dhcp-snoop-option82-trust enable

set snmp-index 5

next

end

Set dhcp-snooping to reflect the trust state of the interface. Interfaces that connect to DHCP servers, and uplinks that carry their replies, must be configured as trusted; DHCP snooping treats server messages arriving on an untrusted interface as coming from an unknown DHCP server and filters them.

If you enable dhcp-snoop-option82-trust, the system accepts DHCP messages with option-82 data from an untrusted interface.
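The following Python model ties the three configuration steps together. It is an added example and not FortiSwitch code: it reproduces the decisions this page describes (trusted versus untrusted interfaces, the per-VLAN dhcp-server-access-list, dhcp-snooping-verify-mac, dhcp-snoop-option82-trust, the per-port learning limit, and the rule that a RELEASE or DECLINE is only honoured from the interface that created the binding), plus the temporary entry, marked with *, that is removed if no server ACK arrives within 10 seconds. The Msg class is a simplified stand-in for a DHCP packet, the binding is recorded at REQUEST time (a simplification), and the ports, VLAN, MAC and IP addresses in lab() are constructed.

```python
"""Model of the DHCP-snooping decisions this page describes. Added example,
not FortiSwitch code: Msg is a simplified stand-in for a DHCP packet and the
binding is recorded at REQUEST time (a simplification). Rules modelled: trusted
vs untrusted ports, dhcp-server-access-list, verify-mac, option82-trust, the
per-port learning limit, RELEASE/DECLINE from the originating interface only,
and temporary (*) entries removed when no ACK arrives within 10 seconds."""
from dataclasses import dataclass, field

ACK_WINDOW = 10.0                 # seconds a temporary entry waits for the ACK
SERVER_MSGS = {"OFFER", "ACK"}


@dataclass
class Port:
    trusted: bool = False         # all ports are untrusted by default
    limit_check: bool = False     # dhcp-snoop-learning-limit-check
    learning_limit: int = 5       # default number of entries for an untrusted port
    option82_trust: bool = False  # dhcp-snoop-option82-trust


@dataclass
class Vlan:                       # a VLAN with dhcp-snooping enabled
    verify_mac: bool = False      # dhcp-snooping-verify-mac
    allowed_servers: set = field(default_factory=set)  # dhcp-server-access-list


@dataclass
class Msg:
    kind: str                     # DISCOVER, REQUEST, RELEASE, DECLINE, OFFER or ACK
    port: str
    vlan: int
    src_mac: str                  # Ethernet source address
    chaddr: str                   # client hardware address carried inside DHCP
    ip: str = ""                  # requested (REQUEST) or assigned (ACK) address
    server_ip: str = ""           # server identifier on OFFER/ACK
    option82: bool = False
    t: float = 0.0                # arrival time in seconds


class Snooper:
    def __init__(self, ports, vlans, server_acl_enabled=True):
        self.ports, self.vlans = ports, vlans
        self.server_acl_enabled = server_acl_enabled   # config system global
        self.db = {}                                   # (vlan, chaddr) -> binding

    def expire_pending(self, now):
        for k in [k for k, b in self.db.items()
                  if not b["complete"] and now - b["created"] > ACK_WINDOW]:
            del self.db[k]

    def handle(self, m):
        """Return (action, reason) for one message and update the database."""
        self.expire_pending(m.t)
        vlan, port = self.vlans.get(m.vlan), self.ports[m.port]
        if vlan is None:
            return "forward", "snooping not enabled on VLAN"
        if port.trusted:
            return self._from_trusted(m, vlan)
        return self._from_untrusted(m, vlan, port)

    def _from_trusted(self, m, vlan):
        if (m.kind in SERVER_MSGS and self.server_acl_enabled
                and m.server_ip not in vlan.allowed_servers):
            return "blocked", "server not in dhcp-server-access-list"
        if m.kind == "ACK" and (m.vlan, m.chaddr) in self.db:
            self.db[(m.vlan, m.chaddr)].update(ip=m.ip, complete=True)
        return "forward", "trusted port"

    def _from_untrusted(self, m, vlan, port):
        key = (m.vlan, m.chaddr)
        if m.kind in SERVER_MSGS:
            return "drop", "server message from untrusted port"
        if m.option82 and not port.option82_trust:
            return "drop", "option 82 from untrusted port"
        if vlan.verify_mac and m.src_mac.lower() != m.chaddr.lower():
            return "drop", "source MAC does not match chaddr"
        if m.kind in ("RELEASE", "DECLINE"):
            b = self.db.get(key)
            if b is None or b["port"] != m.port:
                return "drop", "release/decline from a different interface"
            del self.db[key]
            return "forward", "binding removed"
        if m.kind == "REQUEST" and key not in self.db:
            on_port = sum(1 for b in self.db.values() if b["port"] == m.port)
            if port.limit_check and on_port >= port.learning_limit:
                return "drop", "learning limit reached on port"
            self.db[key] = {"ip": m.ip, "port": m.port, "complete": False, "created": m.t}
        return "forward", "client message"

    def summary(self):
        """Entries in the style of database-summary; '*' marks a temporary one."""
        return [f"{mac} {b['ip']}{'' if b['complete'] else '*'} {vlan} {b['port']}"
                for (vlan, mac), b in sorted(self.db.items())]


def lab():
    """Constructed lab: port1 is the uplink to the server (trusted), port5 and
    port6 are host ports; VLAN 10 allows only the server 100.1.0.2."""
    ports = {"port1": Port(trusted=True), "port6": Port(),
             "port5": Port(limit_check=True, learning_limit=1)}
    return Snooper(ports, {10: Vlan(verify_mac=True, allowed_servers={"100.1.0.2"})})
```

Feed Msg objects to Snooper.handle() in arrival order and inspect summary() after each step: a client REQUEST on port5 appears with the * marker, an ACK from an unlisted server on the trusted uplink is reported as blocked and leaves the entry temporary, an ACK from 100.1.0.2 completes it, and a RELEASE for that client sent from port6 is dropped because the binding belongs to port5.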

Checking the DHCP-snooping configuration

Use the following command to view the detailed status of IPv4 and IPv6 DHCP-snooping VLANs and ports:

get switch dhcp-snooping database-summary

An entry in the DHCP snooping binding database that contains an * after the IP address indicates a temporary or incomplete entry. For example:

	08:00:27:13:16:51 2000 100.0.0.159* 10 4 port4

The DHCP server has not acknowledged this entry yet. If the DHCP server does not acknowledge the entry within 10 seconds, the entry is removed from the database. If the DHCP server does acknowledge the entry within 10 seconds, the entry will be considered “complete” (that is, no * after the IP address), and a proper expiration time is assigned to it.

To view the details of the IPv4 and IPv6 DHCP-snooping client and server databases:

get switch dhcp-snooping status

To view the details of the IPv4 DHCP-snooping client database:
  • Enter the following CLI command: get switch dhcp-snooping client-db-details
  • Go to Switch > Monitor > DHCP Snooping > Clients.
To view the details of the IPv6 DHCP-snooping client database:
  • Enter the following CLI command: get switch dhcp-snooping client6-db-details
  • Go to Switch > Monitor > DHCP Snooping > Clients.
To view the details of the IPv4 DHCP-snooping server database:
  • Enter the following CLI command: get switch dhcp-snooping server-db-details
  • Go to Switch > Monitor > DHCP Snooping > Servers.
To view the details of the IPv6 DHCP-snooping server database:
  • Enter the following CLI command: get switch dhcp-snooping server6-db-details
  • Go to Switch > Monitor > DHCP Snooping > Servers.

If dhcp-server-access-list is enabled globally, the svr-list column displays allowed for a server that is configured in the VLAN's dhcp-server-access-list and blocked for a server that is not.

Removing an entry from the DHCP-snooping binding database

You can remove an IP address from the DHCP-snooping binding database by specifying the associated VLAN ID and MAC address:

execute dhcp-snooping expire-client <1-4095> <xx:xx:xx:xx:xx:xx>

For example:

execute dhcp-snooping expire-client 100 01:23:45:67:89:01
