Allowing device on two ports

Hey guys, I’m having a situation where I have a CRS112 as a PoE switch for some VoIP devices.

There are only two devices, but the customer has a request to move one unit between two rooms when one of their colleagues is on vacation.

There is one solution, but it involves switching cables in the network room, and that is a solution I want to avoid because there is a good chance they will unplug something they shouldn’t.

I configured switch so ether1 is one device, ether2 is another device and nothing else can be connected to that port. That is tested and it’s working.

The problem is that when I tried to add the MAC address that is reserved for ether2 on ether3, I got an error: “Couldn’t add New Switch FDB Entry - already have such switch ufdb entry (6)”

It makes sense that I can’t do that, but is there any workaround for that?

Here is current configuration:

# 2024-04-25 14:05:09 by RouterOS 7.14.2
# software id = 
#
# model = CRS112-8P-4S
# serial number = 
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=
set [ find default-name=ether2 ] comment=
set [ find default-name=ether3 ] comment=
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] comment=
set [ find default-name=sfp9 ] disabled=yes
set [ find default-name=sfp10 ] disabled=yes
set [ find default-name=sfp11 ] disabled=yes
set [ find default-name=sfp12 ] disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 learn=no \
    unknown-unicast-flood=no
add bridge=bridge comment=defconf interface=ether2 learn=no \
    unknown-unicast-flood=no
add bridge=bridge comment=defconf interface=ether3 learn=no \
    unknown-unicast-flood=no
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp9
add bridge=bridge comment=defconf interface=sfp10
add bridge=bridge comment=defconf interface=sfp11
add bridge=bridge comment=defconf interface=sfp12
/interface ethernet switch acl
add action=drop src-mac-addr-state=sa-not-found src-ports=\
    ether1,ether2,ether3 table=egress
add action=drop src-mac-addr-state=static-station-move src-ports=\
    ether1,ether2,ether3 table=egress
/interface ethernet switch unicast-fdb
add comment="" mac-address=AA:AA:AA:AA:AA:AA port=ether2 svl=yes
add comment="" mac-address=BB:BB:BB:BB:BB:BB port=ether1 svl=yes
/ip dhcp-client
add interface=bridge
/system clock
set time-zone-name
/system identity
set name=Mikrotik
/system note
set show-at-login=no
/tool romon
set enabled=yes

Maybe you want a manual switch box like:
https://www.fruitycables.co.uk/products/rj45-switch-box-2-port

That should be (relatively) foolproof.

Not a bad idea but I would like to configure this without additional devices if possible.

Yep, that is the last resort.

Maybe (but I have no idea if possible), you could have a script probing if link of the two given interfaces/ports is up and assign the allowed MAC on the interface that is up (assuming that the “moving” device is actually disconnected from one room socket and reconnected in the socket in the other room and that they are a direct connection).

But the day someone decides to plug any other device in the empty socket in the other room it will create havoc.
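An added sketch of the link-probing idea described above; it is not part of the original posts and is untested on the CRS112. It assumes the static `unicast-fdb` entry from the posted export can be re-pointed with `set ... port=`, and that ether2 and ether3 are the two room sockets; the `fdb-move` log prefix is a made-up label.

```routeros
# Added example, not from the thread. The MAC placeholder and the
# ether2/ether3 pair come from the posted export; adjust to the real values.
:local phoneMac "AA:AA:AA:AA:AA:AA"
:local rooms {"ether2";"ether3"}

# The switch accepts only one static FDB entry per MAC (svl=yes), so the
# existing entry is moved instead of adding a second one.
:local entries [/interface ethernet switch unicast-fdb find where mac-address=$phoneMac]
:if ([:len $entries] != 1) do={
    :log warning "fdb-move: expected exactly one static entry for $phoneMac"
    :error "fdb-move: aborting"
}
:local id ($entries->0)

# Collect the room ports that currently have link.
:local linked [:toarray ""]
:foreach p in=$rooms do={
    :if ([/interface ethernet get $p running]) do={ :set linked ($linked, $p) }
}

# Act only when exactly one socket has link. With both up or both down the
# entry stays where it is.
:if ([:len $linked] = 1) do={
    :local target ($linked->0)
    :local current [:tostr [/interface ethernet switch unicast-fdb get $id port]]
    :if ($current != $target) do={
        /interface ethernet switch unicast-fdb set $id port=$target
        :log info "fdb-move: $phoneMac moved from $current to $target"
    }
}
```

Run from `/system scheduler` at a short interval, this follows the phone between the two sockets. The `sa-not-found` and `static-station-move` drop rules from the export stay in place, so frames from any other source MAC on those ports are still dropped.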

So you need something loosely along the lines of this:
http://forum.mikrotik.com/t/how-to-get-ip-mac-etherport-for-all-currently-active-etherports/139567/1
i.e. detecting which MAC address is connected to which physical port.

Whooosh![1]


[1] that is the sound of that stuff going well over my head :wink:

Yea, they agreed to have another device so problem solved hehe.

Why is that specification of MAC address even required? We have lots of VoIP phones and we just plug them in whatever port.
(the phones are even on another VLAN but they get that info themselves from LLDP)

Just to prevent any attempt to connect to the switch with a laptop or PC.

Ok so maybe you can try that VLAN method too. Make a VLAN for the VoIP devices, configure LLDP to use that Voice VLAN, and when you connect a phone it will automatically use that (tagged) VLAN on whatever port to use your VoIP service.
But when you connect a normal PC, it will remain on the untagged VLAN and you can provide normal LAN or Internet service there, or no service at all.

Thanks, this sounds like a solution I need. I will give it a try then.