Hot!Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking

Author
tanr
Platinum Member
  • Total Posts : 683
  • Scores: 31
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
2019/06/05 19:13:23 (permalink) 6.0
0

Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking

We updated our FortiGates to 6.0.5 a little while back and are now starting the upgrade to 6.0.x with our FortiSwitches.
 
I used our secondary location, which only has a single FortiGate and FortiSwitch 124E-POE to test this, and upgraded the FortiSwitch from 3.6.9 to 6.0.4. 
 
Seemed to work okay, then saw no DHCP responses were getting back to clients.  The FortiSwitch appeared to be blocking them. 
 
Logging in directly through a management port and checking the vlan interface GUI page showed DHCP Snooping On/Enabled for each vlan interface (with switch port is listed as untrusted) and a warning label saying "DHCP Server(s) have been blocked". 
 
Turning off DHCP snooping for the vlan interface allowed normal DHCP requests and responses.
 
Note that DHCP had been working fine with the switch on 3.6.9 (when managed by a FortiGate on 6.0.5).
 
Release notes for FortiSwitch 6.0.4 says DHCP Snooping is supported for 1xxE devices, but not DHCP Blocking.
Admin guide for Managed FortiSwitch 6.0.4 says 1xxE switches DON'T support DHCP Snooping nor Blocking.
Admin guide for Standalone FortiSwitch 6.0.3 says 1xxE switches DO support DHCP Snooping, but not Blocking.
 
For a switch that isn't able to DHCP Blocking it seemed to be doing it a bit too well.  If the switch (when managed) doesn't support DHCP Snooping, then why is it enabled?  Upgraded config issue?
 
Anybody know whether DHCP Snooping and DHCP Blocking are actually supported, currently broken, not supported, or something else for a 6.0.4 124E-POE FortiSwitch managed by a 6.0.5 FortiGate?
 
I'd like to understand what's happening with this switch before updating our other location which has 248E and 108E switches, along with non-Fortinet switches.
 
#1

7 Replies Related Threads

    tanr
    Platinum Member
    • Total Posts : 683
    • Scores: 31
    • Reward points: 0
    • Joined: 2016/05/09 17:09:43
    • Status: offline
    Re: Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking 2019/06/07 07:25:30 (permalink)
    0
    Additional detail:  The FortiGate GUI for the 124E-POE switch ports shows the "DHCP Snooping" column with Trusted or Untrusted.  EDIT: The 124E-POE shows a blank cell for DHCP Snooping on the FortiLink interface ports. 
     
    My 108E-POE on 3.6.9 (which doesn't support DHCP snooping) shows that field as blank.
     
    Any ideas before I call TAC?
    post edited by tanr - 2019/06/07 15:13:50
    #2
    tanr
    Platinum Member
    • Total Posts : 683
    • Scores: 31
    • Reward points: 0
    • Joined: 2016/05/09 17:09:43
    • Status: offline
    Re: Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking 2019/06/07 15:12:49 (permalink)
    5 (1)
    Update:  Called TAC and they looked at 124E-POE config
     
    Turns out that:
     
    1. A FortiGate managed FortiSwitch 124E *does* support DHCP Snooping on the 6.0.x firmware
     
    2. Upgrading from the 3.6.9 firmware on which the 124E does not support DHCP Snooping to 6.0.4 incorrectly set its FortiLink interface as an untrusted port within the FortiSwitch (not visible from the FortiGate)
     
    3. Solution: ssh to the FortiSwitch, config switch interface, edit "FortiLinkInterfaceName", set dhcp-snooping trusted, end
     
    Hopefully this helps out someone else if they get burned by this.
    #3
    ede_pfau
    Expert Member
    • Total Posts : 6068
    • Scores: 488
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking 2019/06/08 04:20:10 (permalink)
    0
    Thanks for investigating this, and sharing!
    Seems the doc department was outpaced (again)...

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #4
    tanr
    Platinum Member
    • Total Posts : 683
    • Scores: 31
    • Reward points: 0
    • Joined: 2016/05/09 17:09:43
    • Status: offline
    Re: Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking 2019/06/09 21:21:05 (permalink)
    0
    Related update.  I upgraded a 248E-FPOE and some 108E-POE switches from 3.6.9 to 6.0.4.
     
    Unlike the 124E-POE they all correctly set the FortiLink interfaces as dhcp-snooping trusted after the upgrade.
     
    Although the docs say that the 1xxE switches don't support DHCP snooping, the 108Es appear to have all the settings in 6.0.4, and show "Untrusted" in the GUI for untrusted ports.  I'll have to set up a "rogue" DHCP server and test it.
     
    One thing I did have to clean up after the upgrade was my discard-mode settings for the ports (only possible to set through the switch cli in 3.6.9 if managed). 
     
    In 6.0.4 the discard-mode is accessible from config switch-controller managed-switches, which is nice.  Unfortunately, the upgrade overwrote all my previous discard-mode settings, allowing tagged and untagged frames on all ports.  Annoying to go back and fix up.  A possible security hole if somebody upgrades and doesn't realize this has happened.
     
    #5
    HDClown
    New Member
    • Total Posts : 11
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/05/09 07:45:26
    • Status: offline
    Re: Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking 2019/07/17 09:30:04 (permalink)
    0
    I just got bit by this with a FortiGate on 6.0.5 and a 124E.  The 124E had 3.6.6 and was connected in FortiLink.  I upgraded to 6.0.5 and the FortiLink interface to the 124E (named "__FoRtI1LiNk0__") had dhcp snooping set to untrusted.
     
    Did TAC say if this issue is specific to certain firmware versions between FortiGate and FortiSwitch, or specific to certain model of switches?  I wonder if this is strictly an issue in going 3.6.x -> 6.0 when FortiLink is already in place, or it's just a total logic issue that it will set wrong in any situation and it's a bug they have to fix.
     
    The 1xxE switches doy support DHCP snooping.  They added a number of features in 6.0.0 that previously were not supported on 1xxE including DHCP snooping, stick MAC addresses, and MAC/IP/Protocol based VLAN assignment.  Check out the release notes for that detail.  The admin guides for 6.0.x still say it's not supported, but you can clearly set these in GUI/CLI.  I think it's just documentation discrepancies.
     
    There seems to also be some discrepancy in the terms snooping and blocking.  Even in the 6.2.1 release notes they are listed separately but as far as I see, they are exactly the same thing.  Anything I find across versions that talks about DHCP snooping OR DHCP blocking references CLI commands of "set dhcp-snooping <trusted | untrusted>".  I've seen screenshots of the GUI that show it as "DHCP Blocking" but my 1xxE list it as "DHCP Snooping".  I don't have a 200 series to look at, but I suspect they may have just changed the language from "blocking" to "snooping" at some point and never updated the feature tables, or they still have some switches using the word "blocking" and other "snooping".
     
    PS - They also added support for Access (private) VLAN's to the 1xxE switches in 6.2.1, another feature that was previous 200 series and up only.
    #6
    tanr
    Platinum Member
    • Total Posts : 683
    • Scores: 31
    • Reward points: 0
    • Joined: 2016/05/09 17:09:43
    • Status: offline
    Re: Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking 2019/07/17 10:59:57 (permalink)
    0
    TAC basically told me 3.6.x is old with "hardly anybody using it" so they didn't think it was an issue.  I strongly said it was an issue.  The ticket got closed, without a bug being reported.  I contacted my supplier and asked them to pass along the issue as a bug.  Haven't contacted my SE regarding this yet.
     
    I would guess this is an issue (bug) when upgrading FortiSwitch 1xxE models from 3.6.x to 6.0.x.  I didn't see the same issue when I upgraded a 2xxE switch that was already using FortiLink.
     
    Glad to hear they finally added pvlan support to the 1xxE switches in 6.2.1.
    #7
    tanr
    Platinum Member
    • Total Posts : 683
    • Scores: 31
    • Reward points: 0
    • Joined: 2016/05/09 17:09:43
    • Status: offline
    Re: Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking 2019/09/22 08:51:04 (permalink)
    0
    An additional note on firmware updates for the 124E-POE breaking stuff.
     
    I just upgraded a 124E-POE FortiSwitch from firmware 6.0.4 to 6.0.5.
     
    The upgrade changed the switch from FortiGate managed to independent, and reset the interface IP (used for direct web access) to the default but kept all my vlans and port settings. Thus totally unreachable except by console cable, since its new IP didn't match to any of my port or vlan settings.
     
    Hooked up to console, changed a switch port to a vlan matching the default IP for access, switched it back to managed mode (wiping its config) and the FortiGate saw it again and used its saved config to properly update the switch.
     
    This 124E-POE has had more problems than most when upgrading for us. Makes me think the 124E line is not part of their regular testing.
    #8
    Jump to:
    © 2019 APG vNext Commercial Version 5.5