We updated our FortiGates to 6.0.5 a little while back and are now starting the upgrade to 6.0.x with our FortiSwitches.
I used our secondary location, which only has a single FortiGate and FortiSwitch 124E-POE to test this, and upgraded the FortiSwitch from 3.6.9 to 6.0.4.
Seemed to work okay, then saw no DHCP responses were getting back to clients. The FortiSwitch appeared to be blocking them.
Logging in directly through a management port and checking the vlan interface GUI page showed DHCP Snooping On/Enabled for each vlan interface (with switch port is listed as untrusted) and a warning label saying "DHCP Server(s) have been blocked".
Turning off DHCP snooping for the vlan interface allowed normal DHCP requests and responses.
Note that DHCP had been working fine with the switch on 3.6.9 (when managed by a FortiGate on 6.0.5).
Release notes for FortiSwitch 6.0.4 says DHCP Snooping is supported for 1xxE devices, but not DHCP Blocking.
Admin guide for Managed FortiSwitch 6.0.4 says 1xxE switches DON'T support DHCP Snooping nor Blocking.
Admin guide for Standalone FortiSwitch 6.0.3 says 1xxE switches DO support DHCP Snooping, but not Blocking.
For a switch that isn't able to DHCP Blocking it seemed to be doing it a bit too well. If the switch (when managed) doesn't support DHCP Snooping, then why is it enabled? Upgraded config issue?
Anybody know whether DHCP Snooping and DHCP Blocking are actually supported, currently broken, not supported, or something else for a 6.0.4 124E-POE FortiSwitch managed by a 6.0.5 FortiGate?
I'd like to understand what's happening with this switch before updating our other location which has 248E and 108E switches, along with non-Fortinet switches.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Additional detail: The FortiGate GUI for the 124E-POE switch ports shows the "DHCP Snooping" column with Trusted or Untrusted. EDIT: The 124E-POE shows a blank cell for DHCP Snooping on the FortiLink interface ports.
My 108E-POE on 3.6.9 (which doesn't support DHCP snooping) shows that field as blank.
Any ideas before I call TAC?
Update: Called TAC and they looked at 124E-POE config
Turns out that:
1. A FortiGate managed FortiSwitch 124E *does* support DHCP Snooping on the 6.0.x firmware
2. Upgrading from the 3.6.9 firmware on which the 124E does not support DHCP Snooping to 6.0.4 incorrectly set its FortiLink interface as an untrusted port within the FortiSwitch (not visible from the FortiGate)
3. Solution: ssh to the FortiSwitch, config switch interface, edit "FortiLinkInterfaceName", set dhcp-snooping trusted, end
Hopefully this helps out someone else if they get burned by this.
Thanks for investigating this, and sharing!
Seems the doc department was outpaced (again)...
Related update. I upgraded a 248E-FPOE and some 108E-POE switches from 3.6.9 to 6.0.4.
Unlike the 124E-POE they all correctly set the FortiLink interfaces as dhcp-snooping trusted after the upgrade.
Although the docs say that the 1xxE switches don't support DHCP snooping, the 108Es appear to have all the settings in 6.0.4, and show "Untrusted" in the GUI for untrusted ports. I'll have to set up a "rogue" DHCP server and test it.
One thing I did have to clean up after the upgrade was my discard-mode settings for the ports (only possible to set through the switch cli in 3.6.9 if managed).
In 6.0.4 the discard-mode is accessible from config switch-controller managed-switches, which is nice. Unfortunately, the upgrade overwrote all my previous discard-mode settings, allowing tagged and untagged frames on all ports. Annoying to go back and fix up. A possible security hole if somebody upgrades and doesn't realize this has happened.
I just got bit by this with a FortiGate on 6.0.5 and a 124E. The 124E had 3.6.6 and was connected in FortiLink. I upgraded to 6.0.5 and the FortiLink interface to the 124E (named "__FoRtI1LiNk0__") had dhcp snooping set to untrusted.
Did TAC say if this issue is specific to certain firmware versions between FortiGate and FortiSwitch, or specific to certain model of switches? I wonder if this is strictly an issue in going 3.6.x -> 6.0 when FortiLink is already in place, or it's just a total logic issue that it will set wrong in any situation and it's a bug they have to fix.
The 1xxE switches doy support DHCP snooping. They added a number of features in 6.0.0 that previously were not supported on 1xxE including DHCP snooping, stick MAC addresses, and MAC/IP/Protocol based VLAN assignment. Check out the release notes for that detail. The admin guides for 6.0.x still say it's not supported, but you can clearly set these in GUI/CLI. I think it's just documentation discrepancies.
There seems to also be some discrepancy in the terms snooping and blocking. Even in the 6.2.1 release notes they are listed separately but as far as I see, they are exactly the same thing. Anything I find across versions that talks about DHCP snooping OR DHCP blocking references CLI commands of "set dhcp-snooping <trusted | untrusted>". I've seen screenshots of the GUI that show it as "DHCP Blocking" but my 1xxE list it as "DHCP Snooping". I don't have a 200 series to look at, but I suspect they may have just changed the language from "blocking" to "snooping" at some point and never updated the feature tables, or they still have some switches using the word "blocking" and other "snooping".
PS - They also added support for Access (private) VLAN's to the 1xxE switches in 6.2.1, another feature that was previous 200 series and up only.
TAC basically told me 3.6.x is old with "hardly anybody using it" so they didn't think it was an issue. I strongly said it was an issue. The ticket got closed, without a bug being reported. I contacted my supplier and asked them to pass along the issue as a bug. Haven't contacted my SE regarding this yet.
I would guess this is an issue (bug) when upgrading FortiSwitch 1xxE models from 3.6.x to 6.0.x. I didn't see the same issue when I upgraded a 2xxE switch that was already using FortiLink.
Glad to hear they finally added pvlan support to the 1xxE switches in 6.2.1.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.