Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed FortiSwitch ports


Go to WiFi & Switch Controller > FortiSwitch Ports. Right-click any port and then enable or disable the following features:

  • DHCP blocking—The DHCP blocking feature monitors DHCP traffic from untrusted sources (typically host ports and unknown DHCP servers) that might initiate traffic attacks or other hostile actions. To prevent this, DHCP blocking filters DHCP server messages received on untrusted ports; ports that face legitimate DHCP servers (uplinks) must be left trusted.
  • IGMP snooping—IGMP snooping allows the FortiSwitch to passively listen to the Internet Group Management Protocol (IGMP) network traffic between hosts and routers. The switch uses this information to determine which ports are interested in receiving each multicast feed. FortiSwitch can reduce unnecessary multicast traffic on the LAN by pruning multicast traffic from links that do not contain a multicast listener.
  • Spanning Tree Protocol (STP)—STP is a link-management protocol that ensures a loop-free layer-2 network topology.
  • Loop guard—A loop in a layer-2 network results in broadcast storms that have far-reaching and unwanted effects. Fortinet loop guard helps to prevent loops. When loop guard is enabled on a switch port, the port monitors its subtending network for any downstream loops. The loop guard feature is designed to work in concert with STP rather than as a replacement for STP.
  • STP root guard—Root guard protects the interface on which it is enabled from becoming the path to root. When enabled on an interface, superior BPDUs received on that interface are ignored or dropped. Without using root guard, any switch that participates in STP maintains the ability to reroute the path to root. Rerouting might cause your network to transmit large amounts of traffic across suboptimal links or allow a malicious or misconfigured device to pose a security risk by passing core traffic through an insecure device for packet capture or inspection. By enabling root guard on multiple interfaces, you can create a perimeter around your existing paths to root to enforce the specified network topology.
  • STP BPDU guard—Similar to root guard, BPDU guard protects the intended network topology. When BPDU guard is enabled on STP edge ports, any BPDU received causes the port to go down for a specified number of minutes. The BPDUs are not forwarded, and the network edge is enforced.

STP is enabled on all ports by default. Loop guard is disabled by default on all ports.
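The GUI steps above have CLI equivalents under the switch controller on the FortiGate. The following is an added example, not taken from the page or from Fortinet documentation: it hardens an access port and marks the uplink port as trusted. The switch ID "S124DP3X16000001", the port names, the VLAN interface name "user-vlan", and the timeout values are assumptions for illustration; the command names are given as they exist in the FortiOS 6.0 CLI to the best of the editor's knowledge, so verify them with `?` in your own build before pasting.

```fortios
# Added example (not from the original page). Assumed switch ID, port
# and VLAN names; verify option names against your FortiOS build.

# 1. Per-VLAN snooping must be on before per-port DHCP blocking or
#    IGMP snooping has any effect. "user-vlan" is an assumed name.
config system interface
    edit "user-vlan"
        set switch-controller-dhcp-snooping enable
        set switch-controller-igmp-snooping enable
    next
end

# 2. Per-port settings on the managed switch (assumed ID).
config switch-controller managed-switch
    edit "S124DP3X16000001"
        config ports
            # Host-facing access port: everything untrusted and guarded.
            edit "port1"
                set dhcp-snooping untrusted          # drop OFFER/ACK/NAK from hosts
                set igmp-snooping enable             # prune multicast per listener
                set edge-port enable                 # no downstream switch expected
                set stp-state enabled                # keep STP on (default)
                set stp-bpdu-guard enabled           # any BPDU shuts the port...
                set stp-bpdu-guard-timeout 10        # ...for 10 minutes (0 = manual)
                set stp-root-guard enabled           # ignore superior BPDUs
                set loop-guard enabled               # detect downstream loops
                set loop-guard-timeout 10            # minutes before auto-recovery
            next
            # Uplink toward the real DHCP server and root bridge: trusted,
            # no BPDU/root guard, so STP can still converge through it.
            edit "port24"
                set dhcp-snooping trusted
                set igmp-snooping enable
                set edge-port disable
                set stp-state enabled
                set stp-bpdu-guard disabled
                set stp-root-guard disabled
                set loop-guard disabled
            next
        end
    next
end
```

Two points worth checking after applying this: confirm the uplink really is the only trusted port (`get switch-controller managed-switch` shows the per-port settings), and test BPDU guard by deliberately plugging an unmanaged switch into the access port; the port should go down and come back only after the timeout (or after you bounce it) so that you know the edge is actually enforced rather than silently ignored.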


This entry was posted in Administration Guides, FortiOS 6, FortiSwitch.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

3 thoughts on “Configure DHCP blocking, IGMP snooping, STP, and loop guard on managed FortiSwitch ports”

  1. Henry

    Nice! Awesome that those features are implemented with FortiLink now, but I wish they would implement DHCPv6 blocking and MLD-snooping as well. Seems a bit silly to implement new features without IPv6 support now in 2018.

      1. Henry

        Sure, but without even the basic functionality of first-hop security (like DHCPv6 snooping) it’s not helping with IPv6 deployments. Vendors should take a bigger responsibility when it comes to functionality like that. It also annoys me that FortiGates don’t run a DHCPv6 client from the factory; only IPv4 is enabled by default. Even the average home Asus router runs a DHCPv6 client by default now, but enterprise products lag behind.

        Also keep in mind that even though you don’t “activate” IPv6 in your network, all your clients request IPv6 addresses, so it is very easy to hijack traffic (even IPv4 traffic!) using DHCPv6 and NAT64+DNS64. The only ways to avoid that are 1) disable IPv6 on all the clients, 2) DHCPv6 snooping, 3) isolate all ports within a VLAN from each other.

        IPv6 is a huge potential attack vector, but most people think they are safe if they just don’t enable it, and that worries me.
