Configuring the DHCP server access list
Starting in FortiOS 7.0.1, you can configure which DHCP servers DHCP snooping includes in the server access list. The servers on this list are allowed to respond to DHCP requests.
NOTE: You can add 255 servers per table. The maximum number of DHCP servers that can be added to all instances of the table is 2,048. This maximum is a global limit and applies across all VLANs.
Configuring the DHCP server access list consists of the following steps:
- Enable the DHCP server access list on a VDOM level or switch-wide level.
By default, the server access list is disabled, which means that all DHCP servers are allowed. When the server access list is enabled, only the DHCP servers in the server access list are allowed.
- Configure the VLAN settings for the managed switch port.
You can set the DHCP server access list to global to use the VDOM or system-wide setting, or you can set it to enable to override the global setting and enable the DHCP server access list. In the managed FortiSwitch unit, all ports are untrusted by default, and DHCP snooping is disabled on all untrusted ports. You must set the managed switch port to trusted to allow DHCP snooping.
- Configure DHCP snooping and the DHCP server access list for the managed FortiSwitch interface.
By default, DHCP snooping is disabled on the managed FortiSwitch interface.
To enable the DHCP server access list on a global level:
config switch-controller global
set dhcp-server-access-list enable
end
For example:
FGT_A (vdom1) # config switch-controller global
FGT_A (global) # set dhcp-server-access-list enable
FGT_A (global) # end
To configure the VLAN settings:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set dhcp-server-access-list {global | enable | disable}
        config ports
            edit <port_name>
                set vlan <VLAN_name>
                set dhcp-snooping trusted
            next
        end
    next
end
For example:
config switch-controller managed-switch
    edit "S524DN4K16000116"
        set fsw-wan1-peer "port11"
        set fsw-wan1-admin enable
        set dhcp-server-access-list enable
        config ports
            edit "port19"
                set vlan "_default.13"
                set allowed-vlans "quarantine.13"
                set untagged-vlans "quarantine.13"
                set dhcp-snooping trusted
                set export-to "vdom1"
            next
        end
    next
end
To configure the interface settings:
config system interface
    edit <VLAN_name>
        set switch-controller-dhcp-snooping enable
        config dhcp-snooping-server-list
            edit <DHCP_server_name>
                set server-ip <IPv4_address_of_DHCP_server>
            next
        end
    next
end
For example:
config system interface
    edit "_default.13"
        set vdom "vdom1"
        set ip 5.4.4.1 255.255.255.0
        set allowaccess ping https ssh http fabric
        set alias "_default.port11"
        set snmp-index 30
        set switch-controller-dhcp-snooping enable
        config dhcp-snooping-server-list
            edit "server1"
                set server-ip 10.20.20.1
            next
        end
        set switch-controller-feature default-vlan
        set interface "port11"
        set vlanid 1
    next
end
Including option-82 data
You can include option-82 data in the DHCP request. (DHCP option 82 provides additional security by enabling a controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources.) You can select a fixed format for the Circuit ID and Remote ID fields or select which values appear in the Circuit ID and Remote ID fields.
The following is the fixed format for the option-82 Circuit ID field:
Circuit-ID: vlan-mod-port
vlan: 2 bytes
mod: 1 byte (1 = snoop, 0 = relay)
port: 1 byte
The following is the fixed format for the option-82 Remote ID field:
Remote-ID: mac (6 bytes)
If you want to select which values appear in the Circuit ID and Remote ID fields:
- For the Circuit ID field, you can include the interface description, host name, interface name, mode, and VLAN.
- For the Remote ID field, you can include the host name, IP address, and MAC address.
For example:
config system interface
    edit "user"
        set vdom "root"
        set ip 192.168.101.1 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 42
        set switch-controller-dhcp-snooping enable
        set switch-controller-dhcp-snooping-option82 enable
        set interface "fortilink"
        set vlanid 101
    next
end
config system dhcp server
    edit 7
        set dns-service default
        set default-gateway 192.168.101.1
        set netmask 255.255.255.0
        set interface "user"
        config ip-range
            edit 1
                set start-ip 192.168.101.2
                set end-ip 192.168.101.254
            next
        end
        config reserved-address
            edit 1
                set type option82
                set ip 192.168.101.201
                set circuit-id "706F7274312C3130312C646863702D73"
                set remote-id "39303a36433a41433a35463a30413a4142"
            next
            edit 2
                set type option82
                set ip 192.168.101.202
                set circuit-id "706F7274322C3130312C646863702D73"
                set remote-id "39303a36433a41433a35463a30413a4142"
            next
        end
    next
end
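As an added example that is not part of the FortiOS documentation, the following Python decodes the option-82 sub-options in the fixed formats listed above (Circuit ID as vlan-mod-port, Remote ID as a 6-byte MAC) and produces the hex form that the reserved-address example uses for set circuit-id and set remote-id. The option-82 payload bytes are constructed for the example; sub-option codes 1 (Circuit ID) and 2 (Remote ID) are the standard DHCP relay agent information sub-option numbers.

```python
# Added example (not FortiOS code): decode DHCP option-82 sub-options in the
# fixed formats described on this page and build the hex values used under
# "config reserved-address". Sample bytes below are constructed.
import struct

OPTION_RELAY_AGENT = 82   # DHCP option code for relay agent information
SUBOPT_CIRCUIT_ID = 1     # Agent Circuit ID sub-option
SUBOPT_REMOTE_ID = 2      # Agent Remote ID sub-option


def parse_option82(opt82_payload: bytes) -> dict:
    """Split an option-82 payload into its TLV sub-options: {code: value}."""
    subopts, i = {}, 0
    while i + 2 <= len(opt82_payload):
        code, length = opt82_payload[i], opt82_payload[i + 1]
        value = opt82_payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option-82 sub-option")
        subopts[code] = value
        i += 2 + length
    return subopts


def decode_fixed_circuit_id(circuit_id: bytes) -> dict:
    """Fixed format: vlan (2 bytes), mod (1 byte: 1 = snoop, 0 = relay), port (1 byte)."""
    if len(circuit_id) != 4:
        raise ValueError("fixed-format Circuit ID must be 4 bytes")
    vlan, mod, port = struct.unpack("!HBB", circuit_id)
    mode = {1: "snoop", 0: "relay"}.get(mod, f"unknown({mod})")
    return {"vlan": vlan, "mode": mode, "port": port}


def decode_fixed_remote_id(remote_id: bytes) -> str:
    """Fixed format: 6-byte MAC address, rendered as colon-separated hex."""
    if len(remote_id) != 6:
        raise ValueError("fixed-format Remote ID must be 6 bytes")
    return ":".join(f"{b:02X}" for b in remote_id)


def to_config_hex(value: bytes) -> str:
    """Hex string form used by 'set circuit-id' / 'set remote-id' in reserved-address entries."""
    return value.hex().upper()


# Constructed sample: Circuit ID vlan 101, mod 1 (snoop), port 19; Remote ID MAC 90:6C:AC:5F:0A:AB.
SAMPLE_OPTION82 = (
    bytes([SUBOPT_CIRCUIT_ID, 4]) + struct.pack("!HBB", 101, 1, 19)
    + bytes([SUBOPT_REMOTE_ID, 6]) + bytes.fromhex("906CAC5F0AAB")
)

if __name__ == "__main__":
    subs = parse_option82(SAMPLE_OPTION82)
    print(decode_fixed_circuit_id(subs[SUBOPT_CIRCUIT_ID]))
    print(decode_fixed_remote_id(subs[SUBOPT_REMOTE_ID]))
    print(to_config_hex(subs[SUBOPT_REMOTE_ID]))
```

The circuit-id value in the example above, bytes.fromhex("706F7274312C3130312C646863702D73"), is the ASCII text port1,101,dhcp-s, and the remote-id value decodes to the text 90:6C:AC:5F:0A:AB.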