CRS125 limited MAC Access per Port

bogivand · May 28, 2020, 10:06am

Hi.
CSR 125-24
Configuring MAC Access per Port by https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Limited_MAC_Access_per_Port
Entering commands

/interface bridge port add bridge=bridge1 interface=ether4 hw=yes learn=no unknown-unicast-flood=no
/interface ethernet switch unicast-fdb add mac-address=4C:5E:0C:00:00:01 port=ether4 svl=yes
/interface ethernet switch acl add action=drop src-mac-addr-state=sa-not-found src-ports=ether4 table=egress

the last command gets a message failure: policy rules are not supported on this switch chip.
How do I set it up correctly?

mutluit · May 28, 2020, 6:41pm

CSR 125-24
Configuring MAC Access per Port by https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Limited_MAC_Access_per_Port
Entering commands
/interface bridge port add bridge=bridge1 interface=ether4 hw=yes learn=no unknown-unicast-flood=no
/interface ethernet switch unicast-fdb add mac-address=4C:5E:0C:00:00:01 port=ether4 svl=yes
/interface ethernet switch acl add action=drop src-mac-addr-state=sa-not-found src-ports=ether4 table=egress
the last command gets a message failure: policy rules are not supported on this switch chip.
How do I set it up correctly?

Hmm. according to this page https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches#Cloud_Router_Switch_models
ACL on the CRS125 seems not possible:

Model Switch Chip CPU Wireless SFP+ port AccessControlList Jumbo Frame(Bytes)
CRS125-24G-1S QCA-8513L 600MHz - - - 4064

>

See also https://mum.mikrotik.com/presentations/EU17/presentation_4068_1491395690.pdf

Maybe you can use this method instead:
http://forum.mikrotik.com/t/switchport-port-security-maximum-1-for-mikrotik/112862/1

bogivand · May 29, 2020, 10:51am

CSR 125-24
Configuring MAC Access per Port by https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Limited_MAC_Access_per_Port
Entering commands
/interface bridge port add bridge=bridge1 interface=ether4 hw=yes learn=no unknown-unicast-flood=no
/interface ethernet switch unicast-fdb add mac-address=4C:5E:0C:00:00:01 port=ether4 svl=yes
/interface ethernet switch acl add action=drop src-mac-addr-state=sa-not-found src-ports=ether4 table=egress
the last command gets a message failure: policy rules are not supported on this switch chip.
How do I set it up correctly?
Hmm. according to this page https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches#Cloud_Router_Switch_models
ACL on the CRS125 seems not possible:
Model Switch Chip CPU Wireless SFP+ port AccessControlList Jumbo Frame(Bytes)
CRS125-24G-1S QCA-8513L 600MHz - - - 4064
>

See also https://mum.mikrotik.com/presentations/EU17/presentation_4068_1491395690.pdf

Maybe you can use this method instead:
http://forum.mikrotik.com/t/switchport-port-security-maximum-1-for-mikrotik/112862/1

Yes, ACL on the CRS125 not possible.
Method /interface bridge filter add action=drop chain=input in-interface=ether3 src-mac-address=!D0:BF:9C:9B:70:07/FF:FF:FF:FF:FF:FF does not work.
In order to work, you need to disable hw=yes on the port, but the connection on the port completely disappears.
http://forum.mikrotik.com/t/port-security/135169/1
Although this scheme works on CRS326, but not on CRS125.

Help me how to prohibit any traffic on the port other than traffic from the mac 07:07:07:07:07:07, to make it work on CRS125

mutluit · May 29, 2020, 11:04am

Did you replace the above MAC address with your 07:07… MAC address?
And is it the ether3 interface that you want to apply this? If it is another interface then of course you have to change “ether3” as well… (in your original posting you used ether4).
Ie.
/interface bridge filter add action=drop chain=input in-interface=ether4 src-mac-address=!07:07:07:07:07:07/FF:FF:FF:FF:FF:FF

And do you have configured these settings → see docs:

/interface bridge settings print
use-ip-firewall: ?
use-ip-firewall-for-vlan: ?
use-ip-firewall-for-pppoe: ?
allow-fast-path: ?
bridge-fast-path-active: ?
…

bogivand · May 29, 2020, 12:11pm

Yes, I changed everything to fit my settings.

/interface bridge filter add action=drop chain=input in-interface=ether10 src-mac-address=!98:E7:43:0E:XX:XX/FF:FF:FF:FF:FF:FF

use-ip-firewall: no
use-ip-firewall-for-vlan: no
use-ip-firewall-for-pppoe: no
allow-fast-path: yes
bridge-fast-path-active: yes