huntah
Member Candidate
Topic Author
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Thu Oct 29, 2015 6:00 pm

Hi,

I have used the Wiki Example to implement DHCP Snooping (Rogue Server detection).
But it isn't working.. I am missing something..

Here is my setup:
Clients on ports 1-22
DHCP Server (port 14)

Master-port = ether1-master
slave ports = port 2-22 master (ether1-master)

/interface ethernet switch port
set 1 isolation-leakage-profile-override=2
..
set 22 isolation-leakage-profile-override=2

Then I have set the DHCP Snooping (Port Level Isolation) and added:

/interface ethernet switch port-isolation
add disabled=yes forwarding-type=bridged port-profile=2 ports=ether14-ESXi protocol-type=dhcpv4 registration-status="" traffic-type="" type=dst

My DHCP Server is on ESXi at port ether14.

But none of the clients are getting IPs.
What am I doing wrong? I followed this Wiki:
http://wiki.mikrotik.com/wiki/Manual:CR ... _Isolation

Thanks for help
Last edited by huntah on Fri Oct 30, 2015 12:01 pm, edited 1 time in total.
 
skuykend
Member Candidate
Posts: 274
Joined: Tue Oct 06, 2015 7:28 am

Re: CRS DHCP Snooping (Port Level Isolation) not working

Fri Oct 30, 2015 3:44 am

Not an expert on this, but the wiki doesn't show setting the isolation-leakage-profile-override on the 'true' dhcp server port.

Also, I'll assume you disabled your second rule because it wasn't working for you.
 
huntah
Member Candidate
Topic Author
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Fri Oct 30, 2015 8:25 am

I need to learn to RTFM :).

The "true" DHCP server must NOT be in the same isolation group..
Now everything is working as it should and I can enable the filtering rule!

Thanks for your help.
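
An added example, not part of the original posts: a small Python check for the misconfiguration resolved above, where the trusted DHCP server port carries the same isolation profile as the client ports, or the dhcpv4 rule is left disabled. It assumes config lines that reference ports by name (the post uses item numbers), and the two sample configs are constructed.

```python
import shlex

PORT = "/interface ethernet switch port"
ISOLATION = "/interface ethernet switch port-isolation"
OVERRIDE = "isolation-leakage-profile-override"

def parse(config):
    """Collect per-port profile overrides and dhcpv4 'dst' isolation rules."""
    section, profiles, rules = None, {}, []
    for line in map(str.strip, config.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        words = shlex.split(line)  # registration-status="" becomes registration-status=
        kv = dict(w.split("=", 1) for w in words if "=" in w)
        if section == PORT and words[0] == "set" and OVERRIDE in kv:
            profiles[words[1]] = kv[OVERRIDE]
        elif section == ISOLATION and words[0] == "add":
            if kv.get("protocol-type") == "dhcpv4" and kv.get("type") == "dst":
                rules.append(kv)
    return profiles, rules

def audit(config):
    """Return findings as (code, profile, port) tuples."""
    profiles, rules = parse(config)
    findings = []
    for rule in rules:
        profile = rule.get("port-profile")
        if rule.get("disabled") == "yes":
            findings.append(("rule-disabled", profile, None))
        for port in filter(None, rule.get("ports", "").split(",")):
            if profiles.get(port) == profile:
                # Trusted port sits in the clients' isolation group: the
                # condition this thread found to stop clients getting leases.
                findings.append(("trusted-port-isolated", profile, port))
    return findings

# Constructed sample configs (ports referenced by name, an assumption).
RULE = ("add forwarding-type=bridged port-profile=2 ports=ether14-ESXi "
        'protocol-type=dhcpv4 registration-status="" traffic-type="" type=dst')
BROKEN = "\n".join([PORT, "set ether2 " + OVERRIDE + "=2",
                    "set ether14-ESXi " + OVERRIDE + "=2", ISOLATION,
                    RULE.replace("add ", "add disabled=yes ", 1)])
FIXED = "\n".join([PORT, "set ether2 " + OVERRIDE + "=2", ISOLATION, RULE])

if __name__ == "__main__":
    print(audit(BROKEN), audit(FIXED))
```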
 
huntah
Member Candidate
Topic Author
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Fri Oct 30, 2015 3:06 pm

If you use RB951 or similar you can enable DHCP snooping via Switch Rule ..

/interface ethernet switch rule add dst-port=68 new-dst-ports="" ports=ether2-master-local,ether3-slave-local,ether4-slave-local switch=switch1

In this example DHCP traffic isn't allowed on ports ether2,3,4 (all ports in same switch group!)
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Fri Oct 30, 2015 8:16 pm

Very cool 8)

Will have to try this in our lab
 
huntah
Member Candidate
Topic Author
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Sun Nov 22, 2015 12:27 am

As it turns out, in RB951U it does not work because it uses Atheros 8227; you need at least an Atheros8327 chip to use rules. On the other hand, if you use RB951G it works because it uses Atheros8327.

You can check which Mikrotik products have which chip on this Wiki Page
http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features
 
andriys
Forum Guru
Posts: 1529
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Sun Nov 22, 2015 2:56 pm

I'd like to point your attention to the fact that port-level isolation and DHCP snooping are completely different beasts. A true DHCP snooping is NOT supported by RouterOS at the moment, please do not mislead others.
 
chechito
Forum Guru
Posts: 3007
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Sun Nov 22, 2015 11:39 pm

I think it's more like DHCP screening
