DHCP snooping
The DHCP-snooping feature monitors DHCP traffic from untrusted sources (typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP snooping filters messages on untrusted ports by performing the following activities:
- Validating DHCP messages received from untrusted sources and filtering out invalid messages. For example, a request to decline a DHCP offer or release a lease is ignored if the request arrives on a different interface than the one that created the binding entry.
- Building and maintaining a DHCP-snooping binding database, which contains information about untrusted hosts with leased IP addresses.
Other security features like dynamic ARP inspection (DAI), a security feature that rejects invalid and malicious ARP packets, also use information stored in the DHCP-snooping binding database.
In the FortiSwitch unit, all ports are untrusted by default, and DHCP snooping is disabled on all untrusted ports. You indicate that a source is trusted by configuring the trust state of its connecting interface.
When DHCP snooping is enabled and a DHCP server is detected on an untrusted interface, a log entry is generated, either “A rogue DHCPv6 server has been detected on the interface” or “A rogue DHCP server has been detected on the interface.” NOTE: FortiSwitchOS logs only the first DHCPv4 or DHCPv6 server packet that arrives from an untrusted switch interface and is added to the server database.
For additional security, you can specify which DHCP servers DHCP snooping includes in the allowed server list.
Static IP addresses are not included as DHCP-snooping entries, so DAI does not analyze them. Starting in FortiSwitchOS 7.2.2, you can specify static entries for DHCP snooping and DAI by manually associating a single IPv4 address with a single MAC address.
Configuring DHCP snooping
DHCP snooping is enabled per VLAN and, by default, DHCP snooping is disabled.
Configuring DHCP snooping consists of the following steps:
- Setting the system-wide DHCP-snooping options
- Configuring the VLAN settings
- Specify any DHCP-snooping static entries
- Configuring the interface settings
Setting the system-wide DHCP-snooping options
Before you use DHCP snooping, you need to enable the trusted DHCP server list.
NOTE: The maximum number of DHCP servers that can be added to the list is 2,048. This maximum is a global limit and applies across all VLANs.
Using the GUI:
- Go to Switch > DHCP Snooping.
- Enable Only Allow DHCP from Whitelisted Servers.
Using the CLI:
config system global
set dhcp-server-access-list {enable | disable}
end
For example:
config system global
set dhcp-server-access-list enable
end
Including option-82 data
You can include option-82 data in the DHCP request. (DHCP option 82 provides additional security by enabling a controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources.) You can select a fixed format for the Circuit ID and Remote ID fields or select which values appear in the Circuit ID and Remote ID fields.
The following is the fixed format for the option-82 Circuit ID field:
Circuit-ID: vlan-mod-port
- vlan [ 2 bytes ]
- mod [ 1 byte: Snoop = 1, Relay = 0 ]
- port [ 1 byte ]
The following is the fixed format for the option-82 Remote ID field:
Remote-ID: mac [ 6 bytes ]
If you want to select which values appear in the Circuit ID and Remote ID fields:
- For the Circuit ID field, you can include the interface description, host name, interface name, mode, and VLAN.
- For the Remote ID field, you can include the host name, IP address, and MAC address.
To configure the option-82 data:
config system global
set dhcp-option-format {ascii | legacy}
set dhcp-client-location {description | hostname | intfname | mode | vlan}
set dhcp-remote-id {hostname | ip | mac}
end
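As an added illustration (written for this page, not FortiSwitchOS code), the following Python builds and parses an option-82 payload in the fixed vlan-mod-port / MAC layout described above, so a captured DHCP packet can be checked against what a snooping or relay switch should have inserted. The RFC 3046 sub-option codes (1 = Circuit ID, 2 = Remote ID) are standard; network byte order for the 2-byte VLAN field is an assumption.

```python
import struct

# DHCP option 82 (Relay Agent Information, RFC 3046) and its sub-option codes.
OPT_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
MOD_RELAY, MOD_SNOOP = 0, 1   # values of the "mod" byte in the fixed Circuit-ID layout

def encode_option82(vlan, mod, port, mac):
    """Build option 82 in the fixed (legacy) layout the page describes:
    Circuit-ID = vlan (2 bytes) + mod (1 byte) + port (1 byte); Remote-ID = MAC (6 bytes).
    Network byte order for the VLAN field is an assumption, not stated on the page."""
    if not (0 < vlan < 4096 and mod in (MOD_RELAY, MOD_SNOOP) and 0 <= port <= 255):
        raise ValueError("vlan must be 1-4095, mod 0 (relay) or 1 (snoop), port 0-255")
    remote = bytes.fromhex(mac.replace(":", ""))
    if len(remote) != 6:
        raise ValueError("MAC must be 6 bytes")
    circuit = struct.pack("!HBB", vlan, mod, port)
    body = bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
    body += bytes([SUBOPT_REMOTE_ID, len(remote)]) + remote
    return bytes([OPT_RELAY_AGENT, len(body)]) + body

def decode_option82(opt):
    """Parse option 82 back into its fields, rejecting anything that does not match the
    fixed layout so a mangled or hand-crafted sub-option is not silently accepted."""
    if len(opt) < 2 or opt[0] != OPT_RELAY_AGENT or opt[1] != len(opt) - 2:
        raise ValueError("not a well-formed option 82")
    fields, pos = {}, 2
    while pos < len(opt):
        if pos + 2 > len(opt) or pos + 2 + opt[pos + 1] > len(opt):
            raise ValueError("truncated sub-option")
        code, length = opt[pos], opt[pos + 1]
        data = opt[pos + 2:pos + 2 + length]
        if code == SUBOPT_CIRCUIT_ID:
            if length != 4:
                raise ValueError("Circuit-ID is not in vlan-mod-port format")
            vlan, mod, port = struct.unpack("!HBB", data)
            if mod not in (MOD_RELAY, MOD_SNOOP):
                raise ValueError("unknown mod value")
            fields.update(vlan=vlan, mod="snoop" if mod == MOD_SNOOP else "relay", port=port)
        elif code == SUBOPT_REMOTE_ID:
            if length != 6:
                raise ValueError("Remote-ID is not a 6-byte MAC")
            fields["mac"] = ":".join(f"{b:02x}" for b in data)
        else:
            raise ValueError(f"unexpected sub-option {code}")
        pos += 2 + length
    return fields
```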
Overriding the option-82 settings for a specific VLAN on a port
If you have included option-82 data in the DHCP request, it applies globally. Starting in FortiSwitchOS 7.2.2, you can override the global option-82 setting to specify plain text strings for the Circuit ID field and the Remote ID field for a specific VLAN on a port. If dhcp-snoop-option82-override is not configured for the incoming VLAN and switch interface, the settings for the Circuit ID and Remote ID fields are taken from the global option-82 configuration.
NOTE: The values for the Circuit ID and Remote ID fields are either both taken from the global option-82 configuration or both taken from the dhcp-snoop-option82-override settings. The system cannot take one value from the global level and the other value from the override settings.
Each plain text string can be a maximum of 256 characters long. Together, the combined length of both plain text strings can be a maximum of 256 characters long.
You can only select a VLAN that was configured with the config switch vlan command. To include option-82 data in the DHCP request, you must enable dhcp-snooping and dhcp-snooping-option82 under the config switch vlan command. The syntax is shown in Configuring the VLAN settings.
NOTE: You can override the option-82 settings for DHCP snooping but not for DHCP relay.
To override the option-82 global settings:
config switch interface
edit <interface-name>
config dhcp-snoop-option82-override
edit <VLAN_ID>
set remote-id <string>
set circuit-id <string>
next
end
next
end
For example:
config switch interface
edit "port5"
config dhcp-snoop-option82-override
edit 100
set remote-id "remote-id test"
set circuit-id "circuit-id test"
next
end
next
end
Configuring the VLAN settings
You need to select a VLAN that is configured as a native VLAN or allowed VLAN for a switch interface.
Using the GUI:
- Go to Switch > VLAN.
- Select Add VLAN.
- Enter the VLAN identifier.
- Enter a description for the new VLAN.
- Under DHCP Snooping, select Enable.
- If needed, select Verify Source MAC, Insert Option 82, and Dynamic ARP Inspection.
- Under the DHCP Server Whitelist, select + to add the name and IP address of an approved DHCP server.
- In the Members by MAC Address section, select Add to add a MAC address.
- In the Members by IP Address section, select Add to add an IPv4 address and netmask.
- To save your changes, select Add at the bottom of the page.
Using the CLI:
config switch vlan
edit <vlan-id>
set dhcp-snooping enable
set dhcp-snooping-verify-mac {enable | disable}
set dhcp-snooping-option82 {enable | disable}
set dhcp6-snooping enable
config member-by-mac
edit <id>
set mac XX:XX:XX:XX:XX:XX
set description <128 byte string>
next
end
config member-by-ipv4
edit <id>
set address a.b.c.d/e
set description <128-byte string>
next
end
config dhcp-server-access-list
edit <string>
set server-ip <xxx.xxx.xxx.xxx>
set server-ip6 <xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx>
next
end
next
end
NOTE: If you set the server-ip6 under the config dhcp-server-access-list command, the source IPv6 address of the server you are allowing should be the DHCP server’s IPv6 link-local address, such as fe80::213:1ff:fe00:1.
NOTE: If you enable dhcp-snooping-verify-mac, the system verifies that the source MAC address in a DHCP request from an untrusted port matches the client hardware address.
NOTE: If you enable dhcp-snooping-option82, the system inserts option-82 data into the DHCP messages for this VLAN.
For example, to configure IPv4 DHCP snooping:
config switch vlan
edit 10
set dhcp-snooping enable
config dhcp-server-access-list
edit "list1"
set server-ip 100.1.0.2
next
end
next
end
For example, to configure IPv6 DHCP snooping:
config switch vlan
edit 10
set dhcp6-snooping enable
config dhcp-server-access-list
edit "list1"
set server-ip6 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234
next
end
next
end
Specify any DHCP-snooping static entries
After you enable DHCP snooping for a VLAN, you can configure static entries by binding an IPv4 address with a MAC address for a specific switch interface:
- Specify the MAC address in the form xx:xx:xx:xx:xx:xx.
- To find out which switch interfaces are valid, type set switch-interface ?.
- Bind a single MAC address to a single IPv4 address. Multiple IP addresses cannot be bound to the same MAC address. The MAC address cannot be used in more than one static entry.
You can specify a maximum of 64 DHCP static entries for the entire FortiSwitch unit.
Using the CLI:
config switch vlan
edit <vlan-id>
set dhcp-snooping enable
config dhcp-snooping-static-client
set mac-addr <MAC_address>
set switch-interface <interface_name>
set ip-addr <IPv4_address>
next
end
next
end
For example:
config switch vlan
edit 10
set dhcp-snooping enable
config dhcp-snooping-static-client
set mac-addr 00:01:00:00:00:01
set switch-interface port20
set ip-addr 10.1.1.1
next
end
next
end
Configuring the interface settings
After you enable DHCP snooping on a VLAN, all interfaces are in an untrusted state by default, and DHCP snooping is disabled on all untrusted interfaces. You must explicitly configure the trusted interfaces and enable DHCP snooping for each interface.
In addition, you can set a limit on how many IP addresses the DHCP-snooping binding database holds for each interface by enabling dhcp-snoop-learning-limit-check and setting the learning-limit. By default, dhcp-snoop-learning-limit-check is disabled, and the number of entries for an untrusted port is 5. You can set the number of entries to 0. The maximum number of entries depends on which FortiSwitch unit you are using. For example:
S548DN4K16000313 # show switch vlan 1
config switch vlan
edit 1
set learning-limit 100
set dhcp-snooping enable
next
end
NOTE: If the FortiSwitch unit has already learned more IP addresses than the dhcp-snoop-learning-limit before the limit is set, the configuration is rejected because the FortiSwitch unit cannot select which IP addresses should be kept. If the FortiSwitch unit has learned fewer IP addresses than, or the same number of IP addresses as, the dhcp-snoop-learning-limit before the limit is set, the configuration is accepted.
NOTE: The per-VLAN learning limit is not supported on dual-chip platforms (448 series).
Using the GUI:
- Go to Switch > Interfaces.
- Select an interface.
- Click Edit.
- Select Trusted or Untrusted for DHCP snooping.
- If you want to accept DHCP messages with option-82 data from an untrusted interface, select the Option 82 Trust check box.
- Click Update.
Using the CLI:
config switch {interface | trunk}
edit <interface-name>
set native-vlan <VLAN-ID>
set dhcp-snooping {trusted | untrusted}
set dhcp-snoop-learning-limit-check {enable | disable}
set learning-limit <integer>
set dhcp-snoop-option82-trust {enable | disable}
next
end
For example:
config switch interface
edit "port5"
set native-vlan 10
set dhcp-snooping untrusted
set dhcp-snoop-learning-limit-check enable
set learning-limit 7
set dhcp-snoop-option82-trust enable
set snmp-index 5
next
end
Set dhcp-snooping to reflect the trust state of the interface. You must configure the interfaces where DHCP servers are located as trusted.
If you enable dhcp-snoop-option82-trust, the system accepts DHCP messages with option-82 data from an untrusted interface.
Checking the DHCP-snooping configuration
To view the detailed status of IPv4 and IPv6 DHCP-snooping VLANs and ports:
get switch dhcp-snooping database-summary
An entry in the DHCP snooping binding database that contains an * after the IP address indicates a temporary or incomplete entry. For example:
08:00:27:13:16:51 2000 100.0.0.159* 10 4 port4
The DHCP server has not acknowledged this entry yet. If the DHCP server does not acknowledge the entry within 10 seconds, the entry is removed from the database. If the DHCP server does acknowledge the entry within 10 seconds, the entry will be considered “complete” (that is, no * after the IP address), and a proper expiration time is assigned to it.
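The binding-database rules stated on this page (a release or decline is ignored unless it arrives on the interface that created the entry, a temporary entry marked with * is dropped if the server does not acknowledge it within 10 seconds, and an untrusted port holds a limited number of entries, 5 by default) are modelled in this added Python example so the behaviour can be traced step by step. It is illustrative code written for this page, not FortiSwitchOS code; the class and method names are assumptions.

```python
PENDING_TIMEOUT = 10  # seconds an unacknowledged ("*") entry survives, per the page

class DhcpSnoopingVlan:
    """Model of one VLAN's binding-database rules as the page describes them (not FortiSwitchOS code)."""
    def __init__(self, trusted_ports, learning_limit=5):
        self.trusted = set(trusted_ports)
        self.limit = learning_limit   # entries permitted per untrusted port (default 5)
        self.bindings = {}            # mac -> dict(ip, port, complete, seen)

    def client_request(self, port, mac, ip, now):
        """REQUEST from an untrusted port creates a temporary ('*') entry until the server ACKs."""
        if port in self.trusted:
            return True               # trusted ports are not tracked in the database
        self._expire(now)
        on_port = sum(b["port"] == port for b in self.bindings.values())
        if mac not in self.bindings and on_port >= self.limit:
            return False              # what dhcp-snoop-learning-limit-check would refuse
        self.bindings[mac] = {"ip": ip, "port": port, "complete": False, "seen": now}
        return True

    def server_ack(self, mac, now):
        """Completes the entry only while it is still within the 10-second window."""
        self._expire(now)
        b = self.bindings.get(mac)
        if b is None:
            return False              # too late: the temporary entry was already removed
        b["complete"] = True
        return True

    def client_release(self, port, mac):
        """RELEASE/DECLINE is honoured only from the interface that created the entry."""
        b = self.bindings.get(mac)
        if b is None or b["port"] != port:
            return False
        del self.bindings[mac]
        return True

    def _expire(self, now):
        stale = [m for m, b in self.bindings.items()
                 if not b["complete"] and now - b["seen"] > PENDING_TIMEOUT]
        for m in stale:
            del self.bindings[m]

    def summary(self, now):
        """Rows like the database-summary output; '*' after the IP marks an incomplete entry."""
        self._expire(now)
        return [(m, b["ip"] + ("" if b["complete"] else "*"), b["port"])
                for m, b in self.bindings.items()]
```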
To view the details of the IPv4 and IPv6 DHCP-snooping client and server databases, including DHCP-snooping static entries:
get switch dhcp-snooping status
To view the DHCP-snooping static entries:
get switch dhcp-snooping static-clients
To view the details of the IPv4 DHCP-snooping client database:
- Enter the following CLI command:
get switch dhcp-snooping client-db-details
- Go to Switch > Monitor > DHCP Snooping > Clients.
To view the details of the IPv6 DHCP-snooping client database:
- Enter the following CLI command:
get switch dhcp-snooping client6-db-details
- Go to Switch > Monitor > DHCP Snooping > Clients.
To view the details of the IPv4 DHCP-snooping server database:
- Enter the following CLI command:
get switch dhcp-snooping server-db-details
- Go to Switch > Monitor > DHCP Snooping > Servers.
To view the details of the IPv6 DHCP-snooping server database:
- Enter the following CLI command:
get switch dhcp-snooping server6-db-details
- Go to Switch > Monitor > DHCP Snooping > Servers.
If the dhcp-server-access-list is enabled globally and the server is configured in the dhcp-server-access-list, the svr-list column displays allowed for that server. If the dhcp-server-access-list is enabled globally and the server is not configured in the dhcp-server-access-list, the svr-list column displays blocked for that server.
Removing an entry from the DHCP-snooping binding database
You can remove an IP address from the DHCP-snooping binding database by specifying the associated VLAN ID and MAC address:
execute dhcp-snooping expire-client <1-4095> <xx:xx:xx:xx:xx:xx>
For example:
execute dhcp-snooping expire-client 100 01:23:45:67:89:01