Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.

Wildcard MAC and DHCP

I've got a situation where we would like to be able to block devices from a specific vendor from obtaining a DHCP address on a specific vlan. 

However i can't seem to use a wildcard MAC or 00:00:00 after the vendor ID

My second option was to look at a device ACL, however it seems i can only use a device group here. In this case the devices i don't want to get an IP are identified as Linux devices and are thus not unique.


So, is there any way i can do this?  Manually is not an option as it's for about 7000 access points (not fortiap) spread across 580 locations\fortigates.





NSE8 Fortinet Expert partner - Norway

Valued Contributor III

Are you using the FGT as the DHCP server?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at:


Yep, adding anything we don't already have is not an option. The FGT are already acting as DHCP servers for the wireless networks.


We're going to test a workaround by setting the lease time to 5 mins. but the basics of what's happening is that each location has 1-4 managed switches (aruba, same as the wifi), most ports are configured as access ports on vlan xxx which has until now not had dhcp, static ip's only (long story and ended up that way over the years, nothing to do with us or ftnt). the Aruba APs are put in to their correct vlans and the ports reconfigured automatically as trunk ports, which worked fine without dhcp on that vlan, but when we enabled dhcp to test, LLDP was beaten to it by dhcp, so the AP's get an IP from the wrong vlan, but are subsequently placed in their correct vlan, but with no renewal.


We're going to test a workaround tomorrow by setting the lease time down to 5mins (the scope is only 16 addresses and the number of dhcp devices per location shouldn't exceed 10, so it shouldn't be a performance hit we hope). The idea being that when the AP goes to renew its lease it will get its new IP from the correct vlan. Not ideal, but it may be good enough.


It just would be nice if i was able to block dhcp offers based on a Vendor portion of the MAC only, the reverse of VCI option 60 i think

NSE8 Fortinet Expert partner - Norway

Esteemed Contributor III

Is there a reason you can't make them as trunk ports at the switches? At least FortiAPs should support vlan.


Yes, most of the ports are required as access ports on the one vlan, we need the flexibility to have ports AP's get connected to auto-configure the ports to trunk. Amongst the near 600 locations there's a wide variety of number of APs or other equipment and it helps us maximize port usage and reduce the cost of having more switches. Each location has 12 vlans, 4 of them belonging to SSIDs.


The other option of course is for them to statically configure IPs on the terminals that are being connected to the LAN, that's how they've done it in the past, we'd be talking about 3-4000 units, so using dhcp will just make deployment that much easier and faster. 

NSE8 Fortinet Expert partner - Norway