Configuring the DHCP server access list
Starting in FortiOS 7.0.1, you can configure a DHCP server access list for DHCP snooping. Only the DHCP servers on the list are allowed to respond to DHCP requests.
NOTE: You can add up to 255 servers per table. The maximum number of DHCP servers across all instances of the table is 2,048. This maximum is a global limit and applies across all VLANs.
Configuring the DHCP server access list consists of the following steps:
- Enable the DHCP server access list at the VDOM level or switch-wide level.
By default, the server access list is disabled, which means that all DHCP servers are allowed to respond. When the server access list is enabled, only the DHCP servers in the server access list are allowed to respond.
- Configure the VLAN settings for the managed switch port.
On the managed switch, you can set the DHCP server access list to global to use the VDOM or system-wide setting, to enable to override the global setting and enforce the DHCP server access list, or to disable to override the global setting and turn the access list off for that switch. In the managed FortiSwitch unit, all ports are untrusted by default. You must set the managed switch port that connects to the DHCP server to trusted; DHCP server responses are only accepted on trusted ports.
- Configure DHCP snooping and the DHCP server access list for the managed FortiSwitch interface.
By default, DHCP snooping is disabled on the managed FortiSwitch interface.
To enable the DHCP server access list at the global level:
config switch-controller global
    set dhcp-server-access-list enable
end
For example:
FGT_A (vdom1) # config switch-controller global
FGT_A (global) # set dhcp-server-access-list enable
FGT_A (global) # end
To configure the VLAN settings:
config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        set dhcp-server-access-list {global | enable | disable}
        config ports
            edit <port_name>
                set vlan <VLAN_name>
                set dhcp-snooping trusted
            next
        end
    next
end
For example:
config switch-controller managed-switch
    edit "S524DN4K16000116"
        set fsw-wan1-peer "port11"
        set fsw-wan1-admin enable
        set dhcp-server-access-list enable
        config ports
            edit "port19"
                set vlan "_default.13"
                set allowed-vlans "quarantine.13"
                set untagged-vlans "quarantine.13"
                set dhcp-snooping trusted
                set export-to "vdom1"
            next
        end
    next
end
To configure the interface settings:
config system interface
    edit <VLAN_name>
        set switch-controller-dhcp-snooping enable
        config dhcp-snooping-server-list
            edit <DHCP_server_name>
                set server-ip <IPv4_address_of_DHCP_server>
            next
        end
    next
end
For example:
config system interface
    edit "_default.13"
        set vdom "vdom1"
        set ip 5.4.4.1 255.255.255.0
        set allowaccess ping https ssh http fabric
        set alias "_default.port11"
        set snmp-index 30
        set switch-controller-dhcp-snooping enable
        config dhcp-snooping-server-list
            edit "server1"
                set server-ip 10.20.20.1
            next
        end
        set switch-controller-feature default-vlan
        set interface "port11"
        set vlanid 1
    next
end
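The following Python model is added here as an illustration; it is not FortiOS code and not part of this guide. It captures the decision the three steps above configure: how the switch-level setting (global, enable, disable) combines with the system-wide setting, how a disabled access list lets any server answer while an enabled one admits only listed servers, and the per-table and global size limits from the note above. It also renders the config system interface stanza for a VLAN's server list. The rogue server address 192.0.2.9 and port20 are constructed for the example; treating server responses on untrusted ports as dropped is standard DHCP snooping behaviour and is an assumption of the model rather than something the CLI above states.

```python
"""Model of the FortiOS DHCP server access-list decision (added example, not FortiOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PER_TABLE_LIMIT = 255   # servers per dhcp-snooping-server-list table (from the note above)
GLOBAL_LIMIT = 2048     # servers across all tables on all VLANs (from the note above)


@dataclass
class SnoopingConfig:
    # config switch-controller global -> set dhcp-server-access-list {enable | disable}
    system_access_list: bool = False
    # config switch-controller managed-switch -> set dhcp-server-access-list {global | enable | disable}
    switch_access_list: str = "global"
    # ports configured with "set dhcp-snooping trusted"
    trusted_ports: Set[str] = field(default_factory=set)
    # VLAN interface name -> server IPs in its dhcp-snooping-server-list
    server_lists: Dict[str, Set[str]] = field(default_factory=dict)


def access_list_enforced(cfg: SnoopingConfig) -> bool:
    """Switch-level 'global' defers to the system setting; enable/disable override it."""
    if cfg.switch_access_list == "global":
        return cfg.system_access_list
    return cfg.switch_access_list == "enable"


def server_response_allowed(cfg: SnoopingConfig, vlan: str, ingress_port: str,
                            server_ip: str) -> Tuple[bool, str]:
    """Decide whether a DHCP server response (OFFER/ACK) from server_ip, arriving on
    ingress_port in vlan, is forwarded. Assumption (standard DHCP snooping behaviour,
    not stated by the CLI above): server responses are only accepted on trusted ports."""
    if ingress_port not in cfg.trusted_ports:
        return False, "dropped: server response on untrusted port"
    if not access_list_enforced(cfg):
        return True, "allowed: access list disabled, any server may respond"
    if server_ip in cfg.server_lists.get(vlan, set()):
        return True, "allowed: server is on the access list"
    return False, "dropped: server not on the access list"


def check_limits(cfg: SnoopingConfig) -> List[str]:
    """Report violations of the documented per-table and global server limits."""
    problems = []
    for vlan, servers in cfg.server_lists.items():
        if len(servers) > PER_TABLE_LIMIT:
            problems.append(f"{vlan}: {len(servers)} servers exceeds {PER_TABLE_LIMIT} per table")
    total = sum(len(s) for s in cfg.server_lists.values())
    if total > GLOBAL_LIMIT:
        problems.append(f"{total} servers across all tables exceeds the global limit of {GLOBAL_LIMIT}")
    return problems


def render_interface_stanza(vlan: str, servers: Set[str]) -> str:
    """Emit the 'config system interface' fragment that enables snooping on the VLAN
    and populates its dhcp-snooping-server-list (entry names server1, server2, ... are a convention here)."""
    lines = ["config system interface", f'    edit "{vlan}"',
             "        set switch-controller-dhcp-snooping enable",
             "        config dhcp-snooping-server-list"]
    for i, ip in enumerate(sorted(servers), start=1):
        lines += [f'            edit "server{i}"', f"                set server-ip {ip}", "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed config mirroring the example above: port19 trusted, server 10.20.20.1 on _default.13.
    cfg = SnoopingConfig(system_access_list=False, switch_access_list="enable",
                         trusted_ports={"port19"},
                         server_lists={"_default.13": {"10.20.20.1"}})
    for port, ip in [("port19", "10.20.20.1"), ("port19", "192.0.2.9"), ("port20", "10.20.20.1")]:
        ok, why = server_response_allowed(cfg, "_default.13", port, ip)
        print(f"{ip} via {port}: {why}")
    print(check_limits(cfg) or "limits OK")
    print(render_interface_stanza("_default.13", cfg.server_lists["_default.13"]))
```

The two dropped cases are the ones the procedure exists for: a rogue server (192.0.2.9) answering on the trusted uplink is rejected by the access list, and even the legitimate server is rejected if its traffic arrives on a port that was never marked trusted, which is the usual reason a freshly enabled access list appears to break DHCP.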