Description | This article describes how to configure DHCP snooping across multiple chained FortiSwitches so that DHCP traffic reaches the end user. |
Scope | Standalone mode, FortiSwitch 7.4.x and later. |
Solution |
DHCP snooping works without issue between the DHCP server and the first FortiSwitch: a client connected directly to that switch receives an IP address. The problem appears when more than one FortiSwitch is chained in the topology. A user connected to the last FortiSwitch may not receive an IP address, particularly when the switches run different firmware versions (for example 7.2.x on one switch and 7.4.x on another). This is the topology to achieve:
The FortiGate acts as the DHCP server, although any other device could take that role. FortiGate port15 is the uplink and carries two VLANs; VLAN 66 is the one that provides IP addresses to the end device:
The first FortiSwitch (S248E) needs a trunk connection, the required VLANs allowed on it, the DHCP server access list enabled globally, and DHCP snooping enabled on the VLAN together with its server access list. The trunk facing the DHCP server must be a trusted DHCP snooping port; the trunk facing the downstream switch stays untrusted (the default), so DHCP server replies are only accepted from the direction of the real server:
Trunk configuration:
FortiSwitch-S248E # show switch trunk
config switch trunk
    edit "ConSwitch"
        set mode lacp-active
        set auto-isl 1
        set static-isl enable
        set members "port46"
    next
    edit "ConFortiGate"
        set auto-isl 1
        set mode lacp-active
        set static-isl enable
        set members "port43"
    next
end
FortiSwitch interface configuration, allowing the needed VLANs. Only the trunk toward the FortiGate (ConFortiGate) is set as trusted; ConSwitch, which faces the second switch, is left untrusted:
FortiSwitch-S248E # show switch interface
config switch interface
    edit "ConSwitch"
        set native-vlan 4094
        set allowed-vlans 1,6,10,20,66-67,4088-4094
        set edge-port disabled
        set snmp-index 56
    next
    edit "ConFortiGate"
        set native-vlan 4094
        set allowed-vlans 1,6,10,20,66-67,4088-4094
        set dhcp-snooping trusted
        set edge-port disabled
        set snmp-index 59
    next
end
Verify that the DHCP server access list is enabled globally:
FortiSwitch-S248E # config system global
FortiSwitch-S248E (global) # sho fu | grep dhcp-server-access-list
    set dhcp-server-access-list enable
Validate that the VLAN has DHCP snooping enabled and its own DHCP server access list:
FortiSwitch-S248E # config switch vlan
FortiSwitch-S248E (vlan) # edit 66
FortiSwitch-S248E (66) # sho
config switch vlan
    edit 66
        set igmp-snooping enable
        set dhcp-snooping enable
        config dhcp-server-access-list
            edit "list1"
                set server-ip 66.66.66.1
            next
        end
    next
end
The second FortiSwitch (124F) needs the same elements: a trunk connection, the required VLANs allowed, the DHCP server access list enabled globally, and DHCP snooping enabled on the VLAN together with its server access list. Its uplink trunk toward the first switch (Snoop) is trusted; the trunk toward the last switch (DownstreamSwitch) remains untrusted:
Trunk configuration:
FortiSwitch-124F # sho switch trunk
config switch trunk
    edit "Snoop"
        set mode lacp-active
        set members "port22"
    next
    edit "DownstreamSwitch"
        set mode lacp-active
        set members "port24"
    next
end
FortiSwitch interface configuration, allowing the needed VLANs. Note that only Snoop carries "set dhcp-snooping trusted"; DownstreamSwitch has no such line and is therefore untrusted:
FortiSwitch-124F # show switch interface Snoop
config switch interface
    edit "Snoop"
        set allowed-vlans 1-100
        set dhcp-snooping trusted
        set edge-port disabled
        set snmp-index 32
    next
end
FortiSwitch-124F # show switch interface DownstreamSwitch
config switch interface
    edit "DownstreamSwitch"
        set allowed-vlans 1-100
        set edge-port disabled
        set snmp-index 34
    next
end
Verify that the DHCP server access list is enabled globally:
FortiSwitch-124F # config system global
FortiSwitch-124F (global) # sho fu | grep dhcp-server-access-list
    set dhcp-server-access-list enable
Validate that the VLAN has DHCP snooping enabled and its own DHCP server access list:
FortiSwitch-124F # config switch vlan
FortiSwitch-124F (vlan) # edit 66
FortiSwitch-124F (66) # show
config switch vlan
    edit 66
        set dhcp-snooping enable
        config dhcp-server-access-list
            edit "1"
                set server-ip 66.66.66.1
            next
        end
    next
end
The last FortiSwitch (124F) needs the same elements: a trunk connection, the required VLANs allowed, the DHCP server access list enabled globally, and DHCP snooping enabled on the VLAN together with its server access list. Its only trunk, toward the upstream switch, is trusted:
Trunk configuration:
Last-FortiSwitch-124F # sho switch trunk
config switch trunk
    edit "UpstreamSwitch"
        set mode lacp-active
        set auto-isl 1
        set static-isl enable
        set members "port22"
    next
end
FortiSwitch interface configuration, allowing the needed VLANs:
Last-FortiSwitch-124F # show switch interface UpstreamSwitch
config switch interface
    edit "UpstreamSwitch"
        set native-vlan 4094
        set allowed-vlans 1,10-16,20,23,30,40,55,66-68,70-71,80,88,98-99,300,1993,2000-2001,4088-4094
        set dhcp-snooping trusted
        set edge-port disabled
        set snmp-index 32
    next
end
Verify that the DHCP server access list is enabled globally:
Last-FortiSwitch-124F # config system global
Last-FortiSwitch-124F (global) # sho fu | grep dhcp-server-access-list
    set dhcp-server-access-list enable
Validate that the VLAN has DHCP snooping enabled and its own DHCP server access list:
Last-FortiSwitch-124F # config switch vlan
Last-FortiSwitch-124F (vlan) # edit 66
Last-FortiSwitch-124F (66) # sho
config switch vlan
    edit 66
        set dhcp-snooping enable
        config dhcp-server-access-list
            edit "1"
                set server-ip 66.66.66.1
            next
        end
    next
end
FortiSwitch port configuration for the port where the laptop is connected. The access port stays untrusted: the client can send DHCP requests through it, but any DHCP server replies (OFFER/ACK) arriving on it are dropped, which is what blocks a rogue DHCP server plugged into a user port:
Last-FortiSwitch-124F # sho switch interface port14
config switch interface
    edit "port14"
        set native-vlan 66
        set allowed-vlans 4093
        set untagged-vlans 4093
        set packet-sampler enabled
        set sample-direction rx
        set snmp-index 14
    next
end
Last-FortiSwitch-124F # config switch interface
Last-FortiSwitch-124F (interface) # edit port14
Last-FortiSwitch-124F (port14) # sho fu | grep dhcp
    set dhcp-snooping untrusted
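Putting the per-switch steps together, the following is the complete set of commands for one intermediate FortiSwitch in the chain, written here as an added example; it is not configuration taken from the switches in this article. It assumes hypothetical trunk names "Uplink" (toward the DHCP server) and "Downlink" (toward the next FortiSwitch), member ports port23 and port24, and a client access port port1; VLAN 66 and the server 66.66.66.1 are the values used above. The trailing "#" annotations explain each line and should be removed before pasting into the CLI.

```text
config system global
    set dhcp-server-access-list enable       # enforce the per-VLAN allowed-server list
end

config switch vlan
    edit 66
        set dhcp-snooping enable             # snoop DHCP on the client VLAN
        config dhcp-server-access-list
            edit "fgt-dhcp"                  # hypothetical list name
                set server-ip 66.66.66.1     # only this server may answer on VLAN 66
            next
        end
    next
end

config switch trunk
    edit "Uplink"                            # hypothetical name, toward the DHCP server
        set mode lacp-active
        set members "port23"
    next
    edit "Downlink"                          # hypothetical name, toward the next FortiSwitch
        set mode lacp-active
        set members "port24"
    next
end

config switch interface
    edit "Uplink"
        set allowed-vlans 66
        set dhcp-snooping trusted            # DHCP OFFER/ACK are accepted only from this direction
    next
    edit "Downlink"
        set allowed-vlans 66
        set dhcp-snooping untrusted          # default; server replies arriving here are dropped
    next
    edit "port1"                             # client access port
        set native-vlan 66
        set dhcp-snooping untrusted          # default; clients may request, never serve
    next
end
```

For the last switch in the chain, omit the Downlink trunk. After applying this on every switch, "get switch dhcp-snooping database-summary" should list only the uplink under trusted ports, with the downlink and all access ports under untrusted ports, and the server database should contain a single entry for 66.66.66.1 learned on the uplink. If the same server is ever learned on an untrusted port, or a second server IP appears, something is answering DHCP where it should not.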
Validations:
Check that the last FortiSwitch can reach the FortiGate DHCP server by ping:
Last-FortiSwitch-124F # exe ping 66.66.66.1
PING 66.66.66.1 (66.66.66.1): 56 data bytes
64 bytes from 66.66.66.1: icmp_seq=0 ttl=255 time=2.0 ms
64 bytes from 66.66.66.1: icmp_seq=1 ttl=255 time=0.6 ms
64 bytes from 66.66.66.1: icmp_seq=2 ttl=255 time=0.6 ms
64 bytes from 66.66.66.1: icmp_seq=3 ttl=255 time=0.6 ms
64 bytes from 66.66.66.1: icmp_seq=4 ttl=255 time=0.6 ms

--- 66.66.66.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.8/2.0 ms
Connect the laptop to the specified port and check the DHCP snooping tables. The client should appear in the user database with the lease it received, and the server database should contain only the FortiGate (66.66.66.1), learned on the trusted uplink:
Last-FortiSwitch-124F # get switch dhcp-snooping status
User database:
S  MAC Address        VLAN  Client IP   Lease Time(D:H:M:S)  Expiry Time(D:H:M:S)  Interface  Host Name   Domain Name  Vendor    Server IP
   00:e0:4a:36:10:37  66    66.66.66.2  7:0:0:0              6:22:42:56            port14     LaptopUser               MSFT 5.0  66.66.66.1

Server database:
mac                vlan  ip          interface       status   svr-state  last-seen-time       expiry-time          OFFER/ACK/NAK/OTHER
e8:1c:ba:8a:2d:72  66    66.66.66.1  UpstreamSwitch  trusted  disabled   2024-11-26 16:51:33  2024-11-27 16:51:33  1/1/0/0

Last-FortiSwitch-124F # get switch dhcp-snooping client-db-details
S  MAC Address        VLAN  Client IP   Lease Time(D:H:M:S)  Expiry Time(D:H:M:S)  Interface  Host Name   Domain Name  Vendor    Server IP
   00:e0:4a:36:10:37  66    66.66.66.2  7:0:0:0              6:22:42:15            port14     LaptopUser               MSFT 5.0  66.66.66.1

Last-FortiSwitch-124F # get switch dhcp-snooping database-summary
snoop-enabled-vlans          : 66
verifysrcmac-enabled-vlans   :
option82-enabled-vlans       :
option82-trust-enabled-intfs :
trusted ports                : UpstreamSwitch
untrusted ports              : port1 port2 port3 port4 port5 port6 port7 port8 port9 port10 port11 port12 port13 port14 port15 port16 port17 port18 port19 port20 port21 port23 port24 port25 port26 port27 port28
Max Client Database Entries  : 512
Client Database              : 1
Max Server Database Entries  : 128
Server Database              : 1
Limit Database               : 1 / 256

DHCP Global Configuration:
==========================
DHCP Broadcast Mode      : Trusted
DHCP Allowed Server List : Disable
Add hostname in Option82 : Disable |
Copyright 2024 Fortinet, Inc. All Rights Reserved.