simonorch
Explorer
October 25, 2016
Question

Wildcard MAC and DHCP


I've got a situation where we would like to be able to block devices from a specific vendor from obtaining a DHCP address on a specific VLAN.

However, I can't seem to use a wildcard MAC or 00:00:00 after the vendor ID.

My second option was to look at a device ACL, however it seems I can only use a device group here. In this case the devices I don't want to get an IP are identified as Linux devices and are thus not unique.

So, is there any way I can do this? Manually is not an option as it's for about 7000 access points (not FortiAP) spread across 580 locations/FortiGates.

Thanks


Simon

1 reply

rwpatterson
New Member
October 25, 2016

Are you using the FGT as the DHCP server?

simonorch (Author)
Explorer
October 25, 2016

Yep, adding anything we don't already have is not an option. The FGT are already acting as DHCP servers for the wireless networks.


We're going to test a workaround by setting the lease time to 5 minutes. But the basics of what's happening is that each location has 1-4 managed switches (Aruba, same as the wifi). Most ports are configured as access ports on VLAN xxx, which has until now not had DHCP, static IPs only (long story, and it ended up that way over the years, nothing to do with us or FTNT). The Aruba APs are put into their correct VLANs and the ports reconfigured automatically as trunk ports, which worked fine without DHCP on that VLAN. But when we enabled DHCP to test, LLDP was beaten to it by DHCP, so the APs get an IP from the wrong VLAN, and are subsequently placed in their correct VLAN, but with no renewal.

We're going to test a workaround tomorrow by setting the lease time down to 5 minutes (the scope is only 16 addresses and the number of DHCP devices per location shouldn't exceed 10, so it shouldn't be a performance hit, we hope). The idea being that when the AP goes to renew its lease it will get its new IP from the correct VLAN. Not ideal, but it may be good enough.

It just would be nice if I was able to block DHCP offers based on the vendor portion of the MAC only, the reverse of VCI option 60, I think.
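An added audit script (not from this thread and not FortiOS functionality): given DHCP lease records, it lists leases on the 16-address scope that went to clients whose MAC starts with a given vendor OUI, and leases whose remaining time is longer than the 5-minute lease the workaround expects, so the short-lease change can be verified per site. The lease-record layout, the OUI d8:c7:c8 and the sample records are constructed assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample lease records; this is an assumed layout, not real
# FortiGate lease-list output:  <ip> <mac> <remaining-seconds> <interface>
SAMPLE_LEASES = """\
10.10.5.3   d8:c7:c8:01:02:03   298    vlan100
10.10.5.4   00:0c:29:aa:bb:cc   3600   vlan100
10.10.5.9   D8-C7-C8-04-05-06   17     vlan100
10.20.1.7   d8:c7:c8:07:08:09   299    vlan200
"""

def _hex_digits(value: str, length: int) -> str:
    """Strip separators (':', '-', '.'), lowercase, and check the digit count."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(digits) != length:
        raise ValueError(f"expected {length} hex digits in {value!r}")
    return digits

def normalize_mac(mac: str) -> str:
    return _hex_digits(mac, 12)

def normalize_oui(oui: str) -> str:
    """Vendor prefix: the first three octets of the MAC (assumed OUI in the sample)."""
    return _hex_digits(oui, 6)

def parse_leases(text: str) -> list[dict]:
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip headers and blank lines
        ip, mac, remaining, iface = fields
        leases.append({"ip": ipaddress.ip_address(ip), "mac": normalize_mac(mac),
                       "remaining": int(remaining), "iface": iface})
    return leases

def vendor_leases_in_scope(leases, vendor_ouis, scope):
    """Leases inside `scope` that were handed to clients whose OUI is in `vendor_ouis`."""
    net = ipaddress.ip_network(scope)
    wanted = {normalize_oui(o) for o in vendor_ouis}
    return [lease for lease in leases
            if lease["ip"] in net and lease["mac"][:6] in wanted]

def leases_over(leases, max_seconds):
    """Leases whose remaining time exceeds the lease length you expect (e.g. 300 s)."""
    return [lease for lease in leases if lease["remaining"] > max_seconds]
```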

Toshi_Esumi
SuperUser
October 25, 2016

Is there a reason you can't make them as trunk ports at the switches? At least FortiAPs should support vlan.