I am not sure if this is possible, but I thought I would ask.
I am wondering whether, using the CRS125 switch, it is possible to dump/drop all DHCP broadcasts unless they come from the IP or MAC of the actual DHCP server, such as a Windows Server or a MikroTik router?
Is it possible for the CRS125 to allow DHCP from a certain Windows server, using its MAC address or IP, and drop any other DHCP activity it gets altogether?
Would you be able to give me an example of setting it up on the firewall? Wouldn't the rogue DHCP server ignore the firewall, as it would be internal and never hit the firewall?
Yes, you can, since this is an L3 switch (at least it should be possible, I just couldn't find how exactly...).
E.g. on an RB450 it is possible by filtering using switch rules and redirecting UDP requests to destination ports 67-68 (DHCP requests) to the proper DHCP server port, or dropping them for ports on which you don't want DHCP requests (use "set new dest. port" with no port set).
If you put the interfaces in a bridge, it is also possible to filter them, but this is done in the router and AFAIK is totally inefficient, being done by the CPU.
LE: What I wonder about is that I cannot find any generic "rules" section for the switch on the CRS125, where "set new dest port" based on protocol/port could be used (I use FW 6.6).
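As an added example (not part of either post above, and not MikroTik's own documentation), this is what the "allow only the real server" filter looks like as RouterOS bridge filter rules, i.e. the CPU-based option the reply mentions. The bridge name, port name and server MAC are placeholders. The point to get right is the direction: a rogue DHCP server gives itself away by its replies, which are UDP from source port 67 to destination port 68, so allowing that traffic from one MAC on one port and dropping it from everyone else stops rogue servers without touching client requests (UDP 68 to 67), which still need to reach the real server.

```routeros
# Added example: stop rogue DHCP servers on a CRS125 with bridge filter rules.
# Placeholders (assumptions, adjust to your setup):
#   bridge1             - the bridge that holds the switch ports
#   ether1              - the port the legitimate DHCP server is connected to
#   00:11:22:33:44:55   - that server's MAC address
# Rules are evaluated top to bottom, so the accept must come before the drop.
/interface bridge filter
add chain=forward mac-protocol=ip ip-protocol=udp src-port=67 dst-port=68 \
    in-interface=ether1 src-mac-address=00:11:22:33:44:55/FF:FF:FF:FF:FF:FF \
    action=accept comment="DHCP offers/acks from the legitimate server only"
add chain=forward mac-protocol=ip ip-protocol=udp src-port=67 dst-port=68 \
    action=drop comment="drop DHCP server replies from any other port or MAC"
```

Two caveats before relying on this. First, bridge filter rules only see frames the CPU forwards; frames switched in hardware between ports of the same switch group never pass through them, so the ports have to be bridged without hardware offload, which is exactly the throughput cost the reply warns about. Check that the rules are actually matching with `/interface bridge filter print stats` while a client renews its lease, then plug a second DHCP server into another port and confirm its offers are counted on the drop rule and never reach a client. Second, newer RouterOS releases (6.43 and later, so well after the FW 6.6 mentioned above) add DHCP snooping to the bridge itself, which is the cleaner answer to the original question: `/interface bridge set bridge1 dhcp-snooping=yes` followed by `/interface bridge port set [find interface=ether1] trusted=yes` drops DHCP server replies arriving on any untrusted port without writing filter rules at all.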