- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: DHCP servers in VLANs
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DHCP servers in VLANs
I'm curious ... if I create two VLANs interfaces (attached to a particular physical interface, of course) and I enable for them the DHCP server, how are IPs for connected devices issued? I mean, I just can connect a host/device/client to the physical interface, so ... which DHCP would issue the IP for this host recently connected?
Thank you all.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you configure a DHCP Server on a FGT it is always tied to an interface - either physical,switch or vlan interface :)
THat means that DHCP will onl listen on the interface it is tied to.
So e.g. only a client that comes from out of vid1 via vlan vid1 interface will get an ip from a dhcp configured on vlan vid1 interface.
Annother DHCP for annother vlan will not see this request because it doesn't hit the interface it is listening on.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sw2090 wrote:If you configure a DHCP Server on a FGT it is always tied to an interface - either physical,switch or vlan interface :)
THat means that DHCP will onl listen on the interface it is tied to.
So e.g. only a client that comes from out of vid1 via vlan vid1 interface will get an ip from a dhcp configured on vlan vid1 interface.
Annother DHCP for annother vlan will not see this request because it doesn't hit the interface it is listening on.
What's `vid1 interface`? My point is these two client will be connected to the same physical interface, so how would each DHCP for each VLAN distinguish to which VLAN does the client want to connect to?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vid1 interface is an interface configured for vlan id 1. Just as example.
In fact if the clients are in different vlans they are connected to the same PHYSICAL interface, though the FortiGate threats a vlan as a virtual interface. So traffic will come in via the PHYSICAL interface but it will hit the corresponding VIRTUAL vlan interface accoarding to vlan id in the packet. Only traffic that does not have a vlan id will hit the PHYSICAL interface.
And your DHCP Servers on the FGT will be tied to the virtual vlan interfaces...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, so apparently the key is the VLAN ID, so the thing is in the managed switches, I think now I can see the point.
You connect a host/device/client to a particular port in a managed switch, which is tagged with a specific VLAN ID, so when packages go from this host to the fortigate through that port, the fortigate is able to recognize which VLAN interface are those packages owned by, right?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that's the usual way. Except from the port on the managed switch should indeed be untagged in that specific vlan id. If it were tagged the client would have to append the vlan tag and the switch would just handle it. If the port is untagged the switch will rewrite (if there is) or append (if there is not) the vlan id.
Unfortunately most embedded devices e.g. don't support vlan tagging on their own. And even on on windows that's driver depedent and may require manufacturer tools.
Linux handles that from out of stock though.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, so that's the point of Tagged/Untagged
- When a port is set as Tagged, it expects the packages are tagged for the clients/hosts themselves and the managed switch doesn't handle the tags
- When a port is set as Untagged, it doesn't expect the package are tagged but the managed switch tags the packages that are coming through, or in the case the package was tagged, it replaces the tag.
This is a good point because it's apparently a little counterintuitive.
Anyway ... thank you very much, you helped me to understand more about networking.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you got it and
yes it is counterintuitive :)
Took my own dumb self a while to get it too when I first got in touch with it :)
Btw vlan interfaces on ports of a FGT are always tagged!
The rest depends on the switch. They all support a port being tagged in more than one vlan but e.g. HP supports a port being untagged in only one vlan and also requires this! So if there is no vid the port is tagged in on a hp switch it will be tagged with the untagged vlan on that port! One should keep this in mind :)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Related Posts
- Users do not get VLANs DHCP... 154 Views
- Windows Deployment Services not working in... 191 Views
- Help setting up internet access for... 199 Views
- Connect Fortigate to internet with 2... 266 Views
- Trouble Receiving DHCP Packet Over S2S... 302 Views
Labels
-
FortiGate
6,566 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
IP address management - IPAM
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Schedule
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Web rating
1 -
FortiManager-VM
1 -
Email filter profile
1 -
Multicast routing
1 -
Internet Service Database
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.