Having typed a small novel - I’ll condense to what I think my actual question is:
The example page for the CRS1xx shows how to limit DHCP. So given:
- ether1: VoIP server
- ether2-ether6: VoIP phones
- ether7-ether8: unused/spare/future
- sfp10: next switch/router/gateway
Based on the example page, I think the steps are:
- Configure a single bridge with all physical ports included. I understood that much.
- Place selected ports into a “community” - and I’m inferring the “preferred” first profile would be “2”.
```
/interface ethernet switch port set ether1 isolation-leakage-profile-override=2
```
(and repeat for ether2-ether6)
- Define the isolation.
```
/interface ethernet switch port-isolation add port-profile=2 protocol-type=dhcpv4 type=dst forwarding-type=bridged ports=ether1 registration-status="" traffic-type=""
```
What I think this means is, with the exception of DHCP, all traffic will pass freely between all ports. Specifically for DHCP, all requests from clients on ports ether2-ether6 will only be sent to port ether1. Due to a lack of understanding of DHCP I’m concerned about traffic from the server - I do not want any DHCP broadcasts or replies from the VoIP server leaking out to the main LAN. Is this not a concern due to the nature of DHCP, or do I need some additional filtering?
Is it as simple as:
```
/interface ethernet switch port-isolation add port-profile=2 protocol-type=dhcpv4 type=src forwarding-type=bridged ports=ether1 registration-status="" traffic-type=""
```
Additionally, I don’t want any DHCP requests from the LAN to reach the VoIP server. Are the previous filters sufficient for that or do I need more?