The example in the Wiki here:
http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Protocol_Level_Isolation
does not work on my CRS210-8G-2S+IN units.
Are there additional steps?
I followed the steps outlined in that section closely, just subbing in the SFPone interface as the ‘uplink’.
I printed the ACL and the entries are there.
It just doesn’t block DHCP.
I have a verified rogue DHCP server on port 4 of one of these, with a CCR upstream handing out authoritative DHCP.
When I do the DHCP Alert feature on the upstream CCR, it still shows the offending MAC address from the CRS port 4.
When I disable the customer on ether4, the rogue DHCP MAC does not show up.
Am I missing something?
Is this example flawed?
Is there another way to do this?
I have this figured out for the RB260GS units in my network (attached picture).
I would like to just do the same thing with the CRS units as well.
Any thoughts or help is appreciated.
Thanks!