Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiLink Guide

    Home FortiSwitch 7.4.5 FortiLink Guide
    7.4.5
    7.6.0
    7.4.5
    7.4.4
    7.4.2
    7.4.1
    7.4.0
    7.2.9
    7.2.6
    7.2.4
    7.2.1
    7.2.0

    Including option-82 data

    Including option-82 data

    Note

    This feature requires FortiOS 7.4.0 or later and FortiSwitchOS 7.2.2 or later.

    You can now include option-82 data in the DHCP request for DHCP snooping. DHCP option-82 data provides additional security by enabling a controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. You can select a fixed format (set dhcp-option82-format legacy) for the Circuit ID and Remote ID fields or select which values appear in the Circuit ID and Remote ID fields (set dhcp-option82-format ascii).

    The following is the fixed format for the option-82 Circuit ID field:

    hostname-[<vlan:16><mod:8><port:8>].32bit

    The following is the fixed format for the option-82 Remote ID field:

    [mac(0..6)].48bit

    If you want to select which values appear in the Circuit ID and Remote ID fields:

    • For the Circuit ID field, you can include the interface name, VLAN name, host name, mode, and description.
    • For the Remote ID field, you can include the MAC address, host name, and IP address.

    You can specify whether the DHCP-snooping client only broadcasts packets on trusted ports in the VLAN (set dhcp-snoop-client-req drop-untrusted) or broadcasts packets on all ports in the VLAN (set dhcp-snoop-client-req forward-untrusted).

    You can set a limit for how many entries are in the DHCP-snooping binding database for each port with the set dhcp-snoop-db-per-port-learn-limit command. By default, the number of entries is 64. The range of values depends on the switch model.

    Tooltip

    Before configuring the learning limit, check the range for your switch model by typing set dhcp-snoop-db-per-port-learn-limit ?.

    You can also specify how long entries are kept in the DHCP-snooping server database with the set dhcp-snoop-client-db-exp command. By default, the entries are kept for 86,400 seconds. The range of values is 300-259,200 seconds.

    You can use the diagnose switch-controller switch-info option82-mapping snooping command to display option-82 Circuit ID and Remote ID values in ASCII or hexadecimal format. This command requires the serial number of the managed switch unit and VLAN identifier. Specifying the port name is optional.

    If you have included option-82 data in the DHCP request, it applies globally. You can override the global option-82 setting to specify plain text strings for the Circuit ID field and the Remote ID field for a specific VLAN on a port. If dhcp-snoop-option82-override is not configured for the incoming VLAN and switch interface, the settings for the Circuit ID and Remote ID fields are taken from the global option-82 configuration.

    NOTE: The values for the Circuit ID and Remote ID field are either both taken from the global option-82 configuration or both taken from the dhcp-snoop-option82-override settings. The system cannot take one value at the global level and the other value from the override settings.

    Each plain text string can be a maximum of 256 characters long. Together, the combined length of both plain text strings can be a maximum of 256 characters long.

    NOTE: You can override the option-82 settings for DHCP snooping but not for DHCP relay.

    To configure the option-82 data on a global level:

    config switch-controller global

    set dhcp-option82-format {ascii | legacy}

    set dhcp-option82-circuit-id {intfname <interface_name> | vlan <VLAN_name> | hostname <host_name> | mode <mode> | description <string>}

    set dhcp-option82-remote-id {mac <MAC_address> | hostname <host_name> | ip <IP_address>}

    set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}

    set dhcp-snoop-client-db-exp <300-259200>

    set dhcp-snoop-db-per-port-learn-limit <integer>

    end

    To display option-82 Circuit ID and Remote ID values in ASCII format:

    diagnose switch-controller switch-info option82-mapping snooping ascii <FortiSwitch_serial_number> <VLAN_ID> <port_name>

    For example:

    diagnose switch-controller switch-info option82-mapping snooping ascii S524DN4K16000116 vlan11 port3

    To display option-82 Circuit ID and Remote ID values in hexadecimal format:

    diagnose switch-controller switch-info option82-mapping snooping hex <FortiSwitch_serial_number> <VLAN_ID> <port_name>

    For example:

    diagnose switch-controller switch-info option82-mapping snooping hex S524DN4K16000116 vlan11 port5

    To override the option-82 global settings for a specific VLAN on a port:

    config switch-controller managed-switch

    edit "<FortiSwitch_serial_number>"

    config ports

    edit "<port_name>"

    config dhcp-snoop-option82-override

    edit <VLAN_name>

    set remode-id <string>

    set circuit-id <string>

    next

    end

    next

    end

    next

    end

    For example:

    config switch-controller managed-switch

    edit "S524DF4K15000024"

    config ports

    edit "port10"

    config dhcp-snoop-option82-override

    edit vlan15

    set remode-id "remote-id test"

    set circuit-id "circuit-id test"

    next

    end

    next

    end

    next

    end

    Previous
    Next

    Including option-82 data

    Including option-82 data

    Note

    This feature requires FortiOS 7.4.0 or later and FortiSwitchOS 7.2.2 or later.

    You can now include option-82 data in the DHCP request for DHCP snooping. DHCP option-82 data provides additional security by enabling a controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources. You can select a fixed format (set dhcp-option82-format legacy) for the Circuit ID and Remote ID fields or select which values appear in the Circuit ID and Remote ID fields (set dhcp-option82-format ascii).

    The following is the fixed format for the option-82 Circuit ID field:

    hostname-[<vlan:16><mod:8><port:8>].32bit

    The following is the fixed format for the option-82 Remote ID field:

    [mac(0..6)].48bit

    If you want to select which values appear in the Circuit ID and Remote ID fields:

    • For the Circuit ID field, you can include the interface name, VLAN name, host name, mode, and description.
    • For the Remote ID field, you can include the MAC address, host name, and IP address.

    You can specify whether the DHCP-snooping client only broadcasts packets on trusted ports in the VLAN (set dhcp-snoop-client-req drop-untrusted) or broadcasts packets on all ports in the VLAN (set dhcp-snoop-client-req forward-untrusted).

    You can set a limit for how many entries are in the DHCP-snooping binding database for each port with the set dhcp-snoop-db-per-port-learn-limit command. By default, the number of entries is 64. The range of values depends on the switch model.

    Tooltip

    Before configuring the learning limit, check the range for your switch model by typing set dhcp-snoop-db-per-port-learn-limit ?.

    You can also specify how long entries are kept in the DHCP-snooping server database with the set dhcp-snoop-client-db-exp command. By default, the entries are kept for 86,400 seconds. The range of values is 300-259,200 seconds.

    You can use the diagnose switch-controller switch-info option82-mapping snooping command to display option-82 Circuit ID and Remote ID values in ASCII or hexadecimal format. This command requires the serial number of the managed switch unit and VLAN identifier. Specifying the port name is optional.

    If you have included option-82 data in the DHCP request, it applies globally. You can override the global option-82 setting to specify plain text strings for the Circuit ID field and the Remote ID field for a specific VLAN on a port. If dhcp-snoop-option82-override is not configured for the incoming VLAN and switch interface, the settings for the Circuit ID and Remote ID fields are taken from the global option-82 configuration.

    NOTE: The values for the Circuit ID and Remote ID field are either both taken from the global option-82 configuration or both taken from the dhcp-snoop-option82-override settings. The system cannot take one value at the global level and the other value from the override settings.

    Each plain text string can be a maximum of 256 characters long. Together, the combined length of both plain text strings can be a maximum of 256 characters long.

    NOTE: You can override the option-82 settings for DHCP snooping but not for DHCP relay.

    To configure the option-82 data on a global level:

    config switch-controller global

    set dhcp-option82-format {ascii | legacy}

    set dhcp-option82-circuit-id {intfname <interface_name> | vlan <VLAN_name> | hostname <host_name> | mode <mode> | description <string>}

    set dhcp-option82-remote-id {mac <MAC_address> | hostname <host_name> | ip <IP_address>}

    set dhcp-snoop-client-req {drop-untrusted | forward-untrusted}

    set dhcp-snoop-client-db-exp <300-259200>

    set dhcp-snoop-db-per-port-learn-limit <integer>

    end

    To display option-82 Circuit ID and Remote ID values in ASCII format:

    diagnose switch-controller switch-info option82-mapping snooping ascii <FortiSwitch_serial_number> <VLAN_ID> <port_name>

    For example:

    diagnose switch-controller switch-info option82-mapping snooping ascii S524DN4K16000116 vlan11 port3

    To display option-82 Circuit ID and Remote ID values in hexadecimal format:

    diagnose switch-controller switch-info option82-mapping snooping hex <FortiSwitch_serial_number> <VLAN_ID> <port_name>

    For example:

    diagnose switch-controller switch-info option82-mapping snooping hex S524DN4K16000116 vlan11 port5

    To override the option-82 global settings for a specific VLAN on a port:

    config switch-controller managed-switch

    edit "<FortiSwitch_serial_number>"

    config ports

    edit "<port_name>"

    config dhcp-snoop-option82-override

    edit <VLAN_name>

    set remode-id <string>

    set circuit-id <string>

    next

    end

    next

    end

    next

    end

    For example:

    config switch-controller managed-switch

    edit "S524DF4K15000024"

    config ports

    edit "port10"

    config dhcp-snoop-option82-override

    edit vlan15

    set remode-id "remote-id test"

    set circuit-id "circuit-id test"

    next

    end

    next

    end

    next

    end

    Previous
    Next