Switch ACL to restrict IP usage

Hi, we are going to offer dedicated servers to our customers, they will have root access. We want to prevent a customer from being able to configure any IP from our network on their server.

I guess we will have to create an ACL rule on each port of the switch authorizing only the client IPs.

What I have not found is to create a negative condition, example:

If the IP is not “the authorized one” action DROP.

Or how would it be?

Thanks!

The square in front of a condition where a “!” appears when you click it is the “NOT” operator.

This option is not available in switch ACL.
That’s why I opened this post :slight_smile:
Maybe there is some other way to do what I need?
I think it is a very basic function for a switch…

Well, switch ACL does not exist, it is switch rule. It is not really intended for access control, but to redirect traffic in a different direction than it would normally flow. E.g. to send only some of the traffic, that is normally switched, to the CPU.

I guess you could work around it by having rules that redirect the traffic you want to handle to one port, and finally redirect all other traffic (IP 0.0.0.0/0) to another port where nothing is connected. Or to the CPU, where it can be logged for example.

In a higher-end device (you do not mention the device type) it should be possible to do some things in bridge filters, but you need to check at what point it will drop the HW Offload as you probably do not want that to happen.

Isn’t there an option in Mikrotik switches to restrict the IPs authorized to use a given port?

I don’t know what your exact configuration is…
What I would do is set the ARP to reply-only either on the Bridge or VLAN interface used, depending on the configuration, and then set the add-arp-for-leases=yes parameter on the DHCP server, or static-only and manually enter the ARP entry…

The servers are configured with static IP.

But as I said in the first message, the client has root access and can change the IP to another… Technically he can change it.

What we have to do is to prevent that when he sets another IP, it works for him…

For example:

We give him the server configured with IP: 5.134.110.50/24

But he accesses the network configuration and changes it to: 5.134.110.51/24

What should happen at that moment is that the server stops working (network down), because the IP .51 is not authorized.

In Arista, this is done by ACL rules
https://www.arista.com/en/um-eos/eos-acls-and-route-maps

I don’t get it. What switch? Just use /ip services allow-from=x.x.x.x/yy or setup some chain=input firewall rules?

That’s not what the OP asks for…

Now I get it… Layer-2 security/filter using Layer-3 addresses. Switch ACL can never check the L3 address used.

Hmmm.. Static ARP entries on the router/gateway?

How can you control in a router the IPs allowed on a switch port?

You can on CRS3xx https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Switch_Rules_.28ACL.29, CRS1xx/2xx https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches#Access_Control_List and even QCA8337/Atheros8327/Atheros8316 https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Rule_Table

You could use rules to permit packets from the correct source IP on each client port, followed by a drop rule for any IP from all client ports.

Thanks!

I already suggested that in reply #4, but AFAIK there is no action to drop/accept in a switch rule, only to send the traffic to a specified port or the CPU.
But that may be different on the device that you have.

Anyway, when you can spare a port you can still use that method, or you can redirect unmatched traffic to the CPU and see what is happening.

The “drop” is obtained by means of setting an empty list of permitted egress ports.

It’s working ok!

/interface ethernet switch acl
add ip-src=188.1.2.3 mac-protocol=ip src-ports=ether2
add mac-protocol=ip src-ports=ether2 action=drop
add ip-dst=188.1.2.3 mac-protocol=ip table=egress dst-ports=ether2 
add table=egress dst-ports=ether2 action=drop

After executing these rules, only IP 188.1.2.3 is working on port 2 of the switch.

Perfect :slight_smile:

For educational purposes it would be great if you spelled out all the relevant properties, also those which keep default values in your particular case. E.g.:

/interface ethernet switch acl
add ip-src=188.1.2.3 mac-protocol=ip src-ports=ether2 table=ingress action=forward
add mac-protocol=ip src-ports=ether2 table=ingress action=drop
add ip-dst=188.1.2.3 mac-protocol=ip table=egress dst-ports=ether2 action=forward
add table=egress dst-ports=ether2 action=drop

Makes posted configuration much more self-documenting IMO.

I stumbled across this thread as I have exactly the same issue.

Your solution looks good so I wanted to try it out. But when I do it in my lab the “drop” rule gets triggered as well even if I have an accept rule just before it. According to the Wiki https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-RuleTable only the first rule should trigger.


If there are multiple rules that can match, then only the first rule will be triggered.

Here is my config running on an RB2011 6.49.7.

/interface ethernet switch rule
add ports=ether2 src-address=10.153.4.2/32 switch=switch1 comment="Allow"
add ports=ether2 dst-address=10.153.4.2/32 switch=switch1 comment="Allow"
add ports=ether2 switch=switch1 new-dst-ports="" comment="Drop"

The first two rules are to allow source and destination for the customer IP on the interface ether2, and the last rule is to drop anything else on the port. But as soon as the last rule is active all traffic gets dropped. Why can’t I get it to work?
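An added example, not from the thread or from MikroTik: a small Python model of the CRS-style `/interface ethernet switch acl` rule set posted earlier in this thread, evaluated with the first-match semantics the wiki describes (ingress table first, then egress, first matching rule wins, `table` defaulting to ingress and `action` to forward). It models the documented rule semantics only, so it cannot reproduce the RB2011 behaviour reported in the last post; the frames it checks are constructed.

```python
# Added example (not from the thread): a first-match model of the switch ACL
# rules posted above. It implements the documented rule semantics, not the
# switch chip itself, so results still have to be verified on real hardware.
import shlex

# Rule lines copied from the thread (the "/interface ethernet switch acl" set).
ACL_RULES = """
add ip-src=188.1.2.3 mac-protocol=ip src-ports=ether2
add mac-protocol=ip src-ports=ether2 action=drop
add ip-dst=188.1.2.3 mac-protocol=ip table=egress dst-ports=ether2
add table=egress dst-ports=ether2 action=drop
"""

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, filling in the defaults."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule = {"table": "ingress", "action": "forward"}   # documented defaults
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

# Rule property -> constructed frame field it must equal for the rule to match.
MATCH_FIELDS = {
    "mac-protocol": "mac_protocol",
    "ip-src": "ip_src",
    "ip-dst": "ip_dst",
    "src-ports": "in_port",
    "dst-ports": "out_port",
}

def first_match(rules, table, frame):
    """Action of the first rule in `table` that matches `frame`; 'forward' if none."""
    for rule in rules:
        if rule["table"] != table:
            continue
        if all(frame.get(field) == rule[prop]
               for prop, field in MATCH_FIELDS.items() if prop in rule):
            return rule["action"]
    return "forward"   # nothing matched: the chip switches the frame normally

def verdict(rules, frame):
    """Run the ingress table, then the egress table; a drop at either stage is final."""
    if first_match(rules, "ingress", frame) == "drop":
        return "drop"
    return first_match(rules, "egress", frame)
```

One thing the model makes visible: every rule in the set carries `mac-protocol=ip`, so a non-IP frame such as ARP arriving on ether2 matches nothing and is forwarded; the posted rules constrain IP traffic only.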