Fortinet white logo
Fortinet white logo

FortiLink Guide

Including option-82 data

Including option-82 data

Note

This feature requires FortiOS 7.4.0 or later and FortiSwitchOS 7.2.2 or later.

You can now include option-82 data in the DHCP request for DHCP snooping. DHCP option-82 data provides additional security by enabling a controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. You can select a fixed format (set dhcp-option82-format legacy) for the Circuit ID and Remote ID fields or select which values appear in the Circuit ID and Remote ID fields (set dhcp-option82-format ascii).

The following is the fixed format for the option-82 Circuit ID field:

hostname-[<vlan:16><mod:8><port:8>].32bit

The following is the fixed format for the option-82 Remote ID field:

[mac(0..6)].48bit

If you want to select which values appear in the Circuit ID and Remote ID fields:

  • For the Circuit ID field, you can include the interface name, VLAN name, host name, mode, and description.
  • For the Remote ID field, you can include the MAC address, host name, and IP address.

You can specify whether the DHCP-snooping client only broadcasts packets on trusted ports in the VLAN (set dhcp-snoop-client-req drop-untrusted) or broadcasts packets on all ports in the VLAN (set dhcp-snoop-client-req forward-untrusted).

You can set a limit for how many entries are in the DHCP-snooping binding database for each port with the set dhcp-snoop-db-per-port-learn-limit command. By default, the number of entries is 64. The range of values depends on the switch model.

Tooltip

Before configuring the learning limit, check the range for your switch model by typing set dhcp-snoop-db-per-port-learn-limit ?.

You can also specify how long entries are kept in the DHCP-snooping server database with the set dhcp-snoop-client-db-exp command. By default, the entries are kept for 86,400 seconds. The range of values is 300-259,200 seconds.

You can use the diagnose switch-controller switch-info option82-mapping snooping command to display option-82 Circuit ID and Remote ID values in ASCII or hexadecimal format. This command requires the serial number of the managed switch unit and VLAN identifier. Specifying the port name is optional.

If you have included option-82 data in the DHCP request, it applies globally. You can override the global option-82 setting to specify plain text strings for the Circuit ID field and the Remote ID field for a specific VLAN on a port. If dhcp-snoop-option82-override is not configured for the incoming VLAN and switch interface, the settings for the Circuit ID and Remote ID fields are taken from the global option-82 configuration.

NOTE: The values for the Circuit ID and Remote ID field are either both taken from the global option-82 configuration or both taken from the dhcp-snoop-option82-override settings. The system cannot take one value at the global level and the other value from the override settings.

Each plain text string can be a maximum of 256 characters long. Together, the combined length of both plain text strings can be a maximum of 256 characters long.

NOTE: You can override the option-82 settings for DHCP snooping but not for DHCP relay.

To configure the option-82 data on a global level:

config switch-controller global

set dhcp-option82-format {ascii | legacy}

set dhcp-option82-circuit-id {intfname <interface_name> | vlan <VLAN_name> | hostname <host_name> | mode <mode> | description <string>}

set dhcp-option82-remote-id {mac <MAC_address> | hostname <host_name> | ip <IP_address>}

set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}

set dhcp-snoop-client-db-exp <300-259200>

set dhcp-snoop-db-per-port-learn-limit <integer>

end

To display option-82 Circuit ID and Remote ID values in ASCII format:

diagnose switch-controller switch-info option82-mapping snooping ascii <FortiSwitch_serial_number> <VLAN_ID> <port_name>

For example:

diagnose switch-controller switch-info option82-mapping snooping ascii S524DN4K16000116 vlan11 port3

To display option-82 Circuit ID and Remote ID values in hexadecimal format:

diagnose switch-controller switch-info option82-mapping snooping hex <FortiSwitch_serial_number> <VLAN_ID> <port_name>

For example:

diagnose switch-controller switch-info option82-mapping snooping hex S524DN4K16000116 vlan11 port5

To override the option-82 global settings for a specific VLAN on a port:

config switch-controller managed-switch

edit "<FortiSwitch_serial_number>"

config ports

edit "<port_name>"

config dhcp-snoop-option82-override

edit <VLAN_name>

set remode-id <string>

set circuit-id <string>

next

end

next

end

next

end

For example:

config switch-controller managed-switch

edit "S524DF4K15000024"

config ports

edit "port10"

config dhcp-snoop-option82-override

edit vlan15

set remode-id "remote-id test"

set circuit-id "circuit-id test"

next

end

next

end

next

end

Including option-82 data

Including option-82 data

Note

This feature requires FortiOS 7.4.0 or later and FortiSwitchOS 7.2.2 or later.

You can now include option-82 data in the DHCP request for DHCP snooping. DHCP option-82 data provides additional security by enabling a controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. You can select a fixed format (set dhcp-option82-format legacy) for the Circuit ID and Remote ID fields or select which values appear in the Circuit ID and Remote ID fields (set dhcp-option82-format ascii).

The following is the fixed format for the option-82 Circuit ID field:

hostname-[<vlan:16><mod:8><port:8>].32bit

The following is the fixed format for the option-82 Remote ID field:

[mac(0..6)].48bit

If you want to select which values appear in the Circuit ID and Remote ID fields:

  • For the Circuit ID field, you can include the interface name, VLAN name, host name, mode, and description.
  • For the Remote ID field, you can include the MAC address, host name, and IP address.

You can specify whether the DHCP-snooping client only broadcasts packets on trusted ports in the VLAN (set dhcp-snoop-client-req drop-untrusted) or broadcasts packets on all ports in the VLAN (set dhcp-snoop-client-req forward-untrusted).

You can set a limit for how many entries are in the DHCP-snooping binding database for each port with the set dhcp-snoop-db-per-port-learn-limit command. By default, the number of entries is 64. The range of values depends on the switch model.

Tooltip

Before configuring the learning limit, check the range for your switch model by typing set dhcp-snoop-db-per-port-learn-limit ?.

You can also specify how long entries are kept in the DHCP-snooping server database with the set dhcp-snoop-client-db-exp command. By default, the entries are kept for 86,400 seconds. The range of values is 300-259,200 seconds.

You can use the diagnose switch-controller switch-info option82-mapping snooping command to display option-82 Circuit ID and Remote ID values in ASCII or hexadecimal format. This command requires the serial number of the managed switch unit and VLAN identifier. Specifying the port name is optional.

If you have included option-82 data in the DHCP request, it applies globally. You can override the global option-82 setting to specify plain text strings for the Circuit ID field and the Remote ID field for a specific VLAN on a port. If dhcp-snoop-option82-override is not configured for the incoming VLAN and switch interface, the settings for the Circuit ID and Remote ID fields are taken from the global option-82 configuration.

NOTE: The values for the Circuit ID and Remote ID field are either both taken from the global option-82 configuration or both taken from the dhcp-snoop-option82-override settings. The system cannot take one value at the global level and the other value from the override settings.

Each plain text string can be a maximum of 256 characters long. Together, the combined length of both plain text strings can be a maximum of 256 characters long.

NOTE: You can override the option-82 settings for DHCP snooping but not for DHCP relay.

To configure the option-82 data on a global level:

config switch-controller global

set dhcp-option82-format {ascii | legacy}

set dhcp-option82-circuit-id {intfname <interface_name> | vlan <VLAN_name> | hostname <host_name> | mode <mode> | description <string>}

set dhcp-option82-remote-id {mac <MAC_address> | hostname <host_name> | ip <IP_address>}

set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}

set dhcp-snoop-client-db-exp <300-259200>

set dhcp-snoop-db-per-port-learn-limit <integer>

end

To display option-82 Circuit ID and Remote ID values in ASCII format:

diagnose switch-controller switch-info option82-mapping snooping ascii <FortiSwitch_serial_number> <VLAN_ID> <port_name>

For example:

diagnose switch-controller switch-info option82-mapping snooping ascii S524DN4K16000116 vlan11 port3

To display option-82 Circuit ID and Remote ID values in hexadecimal format:

diagnose switch-controller switch-info option82-mapping snooping hex <FortiSwitch_serial_number> <VLAN_ID> <port_name>

For example:

diagnose switch-controller switch-info option82-mapping snooping hex S524DN4K16000116 vlan11 port5

To override the option-82 global settings for a specific VLAN on a port:

config switch-controller managed-switch

edit "<FortiSwitch_serial_number>"

config ports

edit "<port_name>"

config dhcp-snoop-option82-override

edit <VLAN_name>

set remode-id <string>

set circuit-id <string>

next

end

next

end

next

end

For example:

config switch-controller managed-switch

edit "S524DF4K15000024"

config ports

edit "port10"

config dhcp-snoop-option82-override

edit vlan15

set remode-id "remote-id test"

set circuit-id "circuit-id test"

next

end

next

end

next

end