Support Forum
cardine
New Contributor II

DHCP-Snooping blocking for other Vlans

So I have three VLANs, 1, 100 and 1000. I've enabled DHCP snooping on VLAN 1000; the other VLANs do not have DHCP snooping turned on.

When I plug my laptop into one of the ports I get no IP from the native VLAN (1). If I disable DHCP snooping on VLAN 1000 it works fine.

My question is: when you enable DHCP snooping for ANY VLAN, does that impact the trust/untrust setting regardless of whether other VLANs have it or not? My assumption is yes; I proved it by trusting the uplink/downlink port and re-enabling DHCP snooping on VLAN 1000, and it continues to work fine.

FWIW, the switch is not being managed by the FG; it is managed directly.

Just wanted to check with others.

Cheers,

1 Solution
saneeshpv_FTNT

Hi,

Your testing and findings are correct.

When you enable DHCP snooping for any VLAN, the switch automatically places all ports as untrusted by default and will start inspecting the DHCP messages arriving on those ports, even if DHCP snooping is not explicitly enabled for a specific VLAN.

Before you use DHCP snooping, you need to enable the trusted DHCP server list.

NOTE: The maximum number of DHCP servers that can be added to the list is 2,048. This maximum is a global limit and applies across all VLANs.

https://docs.fortinet.com/document/fortiswitch/7.2.3/administration-guide/335964/dhcp-snooping

Best Regards,
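The behaviour described in the accepted answer, as a small Python model added here (it is not FortiSwitch code; the assumed rules are spelled out in the module docstring, and the port names, VLAN numbers and addresses are constructed sample values): once snooping is enabled on any VLAN every port is untrusted, server-side DHCP messages on an untrusted port are dropped on every VLAN, and an optional trusted-server list further restricts which server addresses are accepted. reproduce_thread() replays the poster's experiment, where OFFERs for VLAN 1 arriving on the uplink are dropped until the uplink is marked trusted.

```python
"""Model of the DHCP snooping trust behaviour described in the accepted answer.

This is an illustrative simulation written for this page, not FortiSwitch code.
Assumed rules (as stated in the thread):
  * DHCP snooping is effectively global: once it is enabled on any VLAN, every
    port is untrusted unless explicitly marked trusted.
  * Server-side DHCP messages (OFFER/ACK/NAK) arriving on an untrusted port are
    dropped on every VLAN, not only on the VLANs where snooping is enabled.
  * If a trusted DHCP server list is configured, server messages from an
    address not on the list are dropped even on a trusted port.
Port names, VLAN numbers and addresses below are constructed sample values.
"""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # messages only a DHCP server sends
MAX_TRUSTED_SERVERS = 2048                   # global limit quoted in the answer


@dataclass
class SnoopingSwitch:
    snooping_vlans: set = field(default_factory=set)    # VLANs with snooping on
    trusted_ports: set = field(default_factory=set)     # ports marked trusted
    trusted_servers: set = field(default_factory=set)   # optional server list
    dropped: list = field(default_factory=list)         # log of dropped frames

    def snooping_active(self) -> bool:
        """Snooping is armed switch-wide as soon as any VLAN enables it."""
        return bool(self.snooping_vlans)

    def add_trusted_server(self, ip: str) -> None:
        if len(self.trusted_servers) >= MAX_TRUSTED_SERVERS:
            raise ValueError("trusted DHCP server list is full (global limit)")
        self.trusted_servers.add(ip)

    def forward(self, port: str, vlan: int, msg_type: str, server_ip: str = "") -> bool:
        """Return True if the DHCP message is forwarded, False if snooping drops it."""
        if not self.snooping_active():
            return True                       # feature off: plain switching
        if msg_type not in SERVER_MESSAGES:
            return True                       # client DISCOVER/REQUEST always pass
        if port not in self.trusted_ports:
            self.dropped.append(
                f"vlan {vlan}: {msg_type} from {server_ip} on untrusted port {port}")
            return False                      # applies even if vlan has no snooping
        if self.trusted_servers and server_ip not in self.trusted_servers:
            self.dropped.append(
                f"vlan {vlan}: {msg_type} from {server_ip} not in trusted server list")
            return False
        return True


def reproduce_thread() -> tuple:
    """Replay the poster's experiment: snooping only on VLAN 1000, laptop on VLAN 1.

    Returns (offer_forwarded_before_trusting_uplink, offer_forwarded_after).
    """
    sw = SnoopingSwitch(snooping_vlans={1000})
    uplink = "port48"                         # constructed: port toward the DHCP server
    # The OFFER for the laptop comes back over the uplink on VLAN 1, where
    # snooping is not enabled, but the uplink is untrusted by default.
    before = sw.forward(uplink, 1, "OFFER", "192.0.2.10")
    sw.trusted_ports.add(uplink)              # the fix the poster applied
    after = sw.forward(uplink, 1, "OFFER", "192.0.2.10")
    return before, after


def trusted_server_list_demo() -> tuple:
    """Optional hardening: only listed server addresses are accepted on trusted ports."""
    sw = SnoopingSwitch(snooping_vlans={1000}, trusted_ports={"port48"})
    sw.add_trusted_server("192.0.2.10")
    listed = sw.forward("port48", 1000, "OFFER", "192.0.2.10")
    unlisted = sw.forward("port48", 1000, "OFFER", "198.51.100.7")
    return listed, unlisted, sw.dropped


if __name__ == "__main__":
    print("before/after trusting uplink:", reproduce_thread())
    print("trusted server list:", trusted_server_list_demo())
```

The `dropped` list stands in for the switch's own DHCP snooping log; in practice that log, or a quick capture on the client, is what shows whether the missing lease is an untrusted-port drop rather than a server-side problem.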

3 REPLIES
cardine
New Contributor II

Thank you for the confirmation, saneeshpv_FTNT.

In terms of enabling a trusted DHCP server, that's optional and meant to increase security.

bendre18
New Contributor

I think you are probably right here. My suspicion is that snooping, as implemented on this AT switch anyway, breaks DHCP that is encapsulated inside double-tagged frames. Thinking about it, the provider probably doesn't need to care about snooping on a QinQ tunnel anyway, and it should only be implemented on the C-VLAN if desired by the customer.
