Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking

Author
tanr
Platinum Member
  • Total Posts : 666
  • Scores: 27
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
2019/06/05 19:13:23 6.0


We updated our FortiGates to 6.0.5 a little while back and are now starting the upgrade to 6.0.x with our FortiSwitches.
 
I used our secondary location, which only has a single FortiGate and FortiSwitch 124E-POE to test this, and upgraded the FortiSwitch from 3.6.9 to 6.0.4. 
 
Seemed to work okay, then saw no DHCP responses were getting back to clients.  The FortiSwitch appeared to be blocking them. 
 
Logging in directly through a management port and checking the vlan interface GUI page showed DHCP Snooping On/Enabled for each vlan interface (with switch ports listed as untrusted) and a warning label saying "DHCP Server(s) have been blocked". 
 
Turning off DHCP snooping for the vlan interface allowed normal DHCP requests and responses.
 
Note that DHCP had been working fine with the switch on 3.6.9 (when managed by a FortiGate on 6.0.5).
 
Release notes for FortiSwitch 6.0.4 says DHCP Snooping is supported for 1xxE devices, but not DHCP Blocking.
Admin guide for Managed FortiSwitch 6.0.4 says 1xxE switches DON'T support DHCP Snooping nor Blocking.
Admin guide for Standalone FortiSwitch 6.0.3 says 1xxE switches DO support DHCP Snooping, but not Blocking.
 
For a switch that isn't able to do DHCP Blocking, it seemed to be doing it a bit too well.  If the switch (when managed) doesn't support DHCP Snooping, then why is it enabled?  Upgraded config issue?
 
Anybody know whether DHCP Snooping and DHCP Blocking are actually supported, currently broken, not supported, or something else for a 6.0.4 124E-POE FortiSwitch managed by a 6.0.5 FortiGate?
 
I'd like to understand what's happening with this switch before updating our other location which has 248E and 108E switches, along with non-Fortinet switches.
 
#1

4 Replies

    tanr
    Platinum Member
    Re: Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking 2019/06/07 07:25:30
    Additional detail:  The FortiGate GUI for the 124E-POE switch ports shows the "DHCP Snooping" column with Trusted or Untrusted.  EDIT: The 124E-POE shows a blank cell for DHCP Snooping on the FortiLink interface ports. 
     
    My 108E-POE on 3.6.9 (which doesn't support DHCP snooping) shows that field as blank.
     
    Any ideas before I call TAC?
    post edited by tanr - 2019/06/07 15:13:50
    #2
    tanr
    Platinum Member
    Re: Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking 2019/06/07 15:12:49
    Update:  Called TAC and they looked at 124E-POE config
     
    Turns out that:
     
    1. A FortiGate managed FortiSwitch 124E *does* support DHCP Snooping on the 6.0.x firmware
     
    2. Upgrading from the 3.6.9 firmware on which the 124E does not support DHCP Snooping to 6.0.4 incorrectly set its FortiLink interface as an untrusted port within the FortiSwitch (not visible from the FortiGate)
     
    3. Solution: ssh to the FortiSwitch, config switch interface, edit "FortiLinkInterfaceName", set dhcp-snooping trusted, end
     
    Hopefully this helps out someone else if they get burned by this.
    #3
    ede_pfau
    Expert Member
    • Total Posts : 5962
    • Scores: 468
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking 2019/06/08 04:20:10
    Thanks for investigating this, and sharing!
    Seems the doc department was outpaced (again)...

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #4
    tanr
    Platinum Member
    Re: Managed FortiSwitch 6.0.4 1xxE DHCP Snooping and Blocking 2019/06/09 21:21:05
    Related update.  I upgraded a 248E-FPOE and some 108E-POE switches from 3.6.9 to 6.0.4.
     
    Unlike the 124E-POE they all correctly set the FortiLink interfaces as dhcp-snooping trusted after the upgrade.
     
    Although the docs say that the 1xxE switches don't support DHCP snooping, the 108Es appear to have all the settings in 6.0.4, and show "Untrusted" in the GUI for untrusted ports.  I'll have to set up a "rogue" DHCP server and test it.
     
    One thing I did have to clean up after the upgrade was my discard-mode settings for the ports (only possible to set through the switch cli in 3.6.9 if managed). 
     
    In 6.0.4 the discard-mode is accessible from config switch-controller managed-switches, which is nice.  Unfortunately, the upgrade overwrote all my previous discard-mode settings, allowing tagged and untagged frames on all ports.  Annoying to go back and fix up.  A possible security hole if somebody upgrades and doesn't realize this has happened.
     
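The two post-upgrade surprises in this thread (post #3: the FortiLink port silently left as dhcp-snooping untrusted, so the FortiGate's DHCP offers were dropped; post #5: discard-mode reset on every port) are both visible in the switch's own config dump, so they can be audited before traffic breaks. The following is an added example, not code from the thread or from Fortinet: it parses a constructed `config switch interface` dump in FortiSwitch CLI style, flags FortiLink ports that are not trusted, compares discard-mode against a baseline the operator recorded before upgrading, and renders the fix from post #3. The port names, the `FORTILINK_PORTS` set and the baseline are made up; the assumption that an absent `dhcp-snooping` setting means untrusted and an absent `discard-mode` means `none` is mine, not stated by the thread.

```python
import re
from typing import Dict, List

# Constructed sample of a FortiSwitch "show switch interface" dump. The port names and
# values are made up to mirror the thread's scenario (one FortiLink port left untrusted).
SAMPLE_CONFIG = """\
config switch interface
    edit "port1"
        set native-vlan 10
        set dhcp-snooping untrusted
    next
    edit "port2"
        set native-vlan 10
        set discard-mode all-tagged
    next
    edit "port24"
        set native-vlan 4094
        set dhcp-snooping untrusted
    next
    edit "internal"
        set dhcp-snooping trusted
    next
end
"""

# Hypothetical: the ports carrying the FortiLink uplink to the FortiGate (the thread's
# "FortiLinkInterfaceName" placeholder). In a real audit, read these off the switch.
FORTILINK_PORTS = {"port24", "internal"}

# Hypothetical pre-upgrade baseline of discard-mode per access port, recorded beforehand.
DISCARD_BASELINE = {"port1": "all-tagged", "port2": "all-tagged"}


def parse_switch_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'config switch interface' block into {port: {setting: value}}.

    Only 'edit "<name>"', 'set <key> <value>' and 'next' lines inside the block are
    interpreted; everything outside it is ignored.
    """
    ports: Dict[str, Dict[str, str]] = {}
    current = None
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config switch interface":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            ports[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set\s+(\S+)\s+(.+)$", line)
        if m and current is not None:
            ports[current][m.group(1)] = m.group(2).strip()
    return ports


def find_untrusted_fortilink(ports: Dict[str, Dict[str, str]], fortilink_ports) -> List[str]:
    """FortiLink ports must be dhcp-snooping trusted, otherwise the FortiGate's DHCP
    offers are treated as a rogue server and dropped (post #3). Assumption: a port with
    no explicit dhcp-snooping line is untrusted."""
    return sorted(p for p in fortilink_ports
                  if ports.get(p, {}).get("dhcp-snooping", "untrusted") != "trusted")


def find_discard_mode_drift(ports: Dict[str, Dict[str, str]], baseline: Dict[str, str]) -> List[str]:
    """Ports whose discard-mode no longer matches the recorded baseline (post #5: the
    upgrade reset the setting so both tagged and untagged frames were allowed).
    Assumption: a port with no explicit discard-mode line is at 'none'."""
    return sorted(p for p, want in baseline.items()
                  if ports.get(p, {}).get("discard-mode", "none") != want)


def remediation_commands(untrusted_fortilink: List[str]) -> str:
    """Render the CLI fix from post #3 for each offending FortiLink port."""
    lines = ["config switch interface"]
    for p in untrusted_fortilink:
        lines += [f'    edit "{p}"', "        set dhcp-snooping trusted", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_switch_interfaces(SAMPLE_CONFIG)
    bad_uplinks = find_untrusted_fortilink(parsed, FORTILINK_PORTS)
    print("FortiLink ports not trusted:", bad_uplinks)
    print("discard-mode drift:", find_discard_mode_drift(parsed, DISCARD_BASELINE))
    if bad_uplinks:
        print(remediation_commands(bad_uplinks))
```

Run it against a saved `show switch interface` dump after every firmware upgrade; the discard-mode check only means something if the baseline was captured from the switch before the upgrade, which is exactly the step post #5 found out the hard way.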
    #5