CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Posted: Thu Oct 29, 2015 6:00 pm
by huntah
Hi,

I have used the Wiki Example to implement DHCP Snooping (Rogue Server detection).
But it isn't working. I am missing something.

Here is my setup:
Clients on ports 1-22
DHCP Server (port 14)

Master-port = ether1-master
slave ports = port 2-22 master (ether1-master)
/interface ethernet switch port
set 1 isolation-leakage-profile-override=2
..
set 22 isolation-leakage-profile-override=2
Then I have set the DHCP Snooping (Port Level Isolation) and added:
/interface ethernet switch port-isolation
add disabled=yes forwarding-type=bridged port-profile=2 ports=ether14-ESXi protocol-type=dhcpv4 registration-status="" traffic-type="" type=dst
My DHCP Server is on ESXi at port ether14.

But none of the clients are getting IPs.
What am I doing wrong? I followed this Wiki:
http://wiki.mikrotik.com/wiki/Manual:CR ... _Isolation

Thanks for help

Re: CRS DHCP Snooping (Port Level Isolation) not working

Posted: Fri Oct 30, 2015 3:44 am
by skuykend
Not an expert on this, but the wiki doesn't show setting the isolation-leakage-profile-override on the 'true' dhcp server port.

Also, I'll assume you disabled your second rule because it wasn't working for you.

Re: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Posted: Fri Oct 30, 2015 8:25 am
by huntah
I need to learn to RTFM :).

The "true" DHCP server must NOT be in the same isolation group..
Now everything is working as it should and I can enable the filtering rule!

Thanks for your help.
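
The two mistakes identified in the posts above (the real DHCP server port placed in the isolated profile, and the filtering rule left disabled) can be checked for mechanically. This is an added example, not part of the original thread and not MikroTik code; the sample configuration is constructed in the style of the commands quoted above, and the port names and finding codes are assumptions.

```python
import re

# Constructed sample in the style of the commands in this thread; port names
# are assumptions. ether14-ESXi is the legitimate DHCP server port.
SAMPLE_BROKEN = """\
/interface ethernet switch port
set ether13 isolation-leakage-profile-override=2
set ether14-ESXi isolation-leakage-profile-override=2
set ether15 isolation-leakage-profile-override=2
/interface ethernet switch port-isolation
add disabled=yes forwarding-type=bridged port-profile=2 ports=ether14-ESXi protocol-type=dhcpv4 type=dst
"""

PORT_MENU = "/interface ethernet switch port"
ISOLATION_MENU = "/interface ethernet switch port-isolation"

def parse(config):
    """Return ({profile: ports placed in it}, [dhcpv4 port-isolation rules])."""
    members, rules, menu = {}, [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("/"):
            menu = line
            continue
        props = dict(re.findall(r'([\w-]+)=("[^"]*"|\S*)', line))
        if menu == PORT_MENU and line.startswith("set "):
            profile = props.get("isolation-leakage-profile-override")
            if profile:
                members.setdefault(profile, set()).add(line.split()[1])
        elif menu == ISOLATION_MENU and line.startswith("add "):
            if props.get("protocol-type") == "dhcpv4":
                rules.append(props)
    return members, rules

def audit(config):
    """Return (code, detail) findings for the two mistakes from the thread."""
    members, rules = parse(config)
    findings = []
    for rule in rules:
        allowed = set(rule.get("ports", "").split(","))
        # Ports listed in the rule are where isolated ports may send DHCP;
        # per the thread, the real server must not be in that same profile.
        for port in sorted(allowed & members.get(rule.get("port-profile"), set())):
            findings.append(("server-port-isolated", port))
        if rule.get("disabled") == "yes":
            findings.append(("rule-disabled", rule.get("ports", "")))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_BROKEN):
        print(code, detail)
```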

Re: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Posted: Fri Oct 30, 2015 3:06 pm
by huntah
If you use RB951 or similar you can enable DHCP snooping via Switch Rule ..
/interface ethernet switch rule add dst-port=68 new-dst-ports="" ports=ether2-master-local,ether3-slave-local,ether4-slave-local switch=switch1
In this example DHCP traffic isn't allowed on ports ether2,3,4 (all ports in same switch group!)

Re: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Posted: Fri Oct 30, 2015 8:16 pm
by IPANetEngineer
Very cool 8)

Will have to try this in our lab

Re: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Posted: Sun Nov 22, 2015 12:27 am
by huntah
As it turns out, in RB951U it does not work because it uses Atheros 8227; you need at least an Atheros 8327 chip to use rules. On the other hand, if you use RB951G it works because it uses Atheros 8327.

You can check which Mikrotik products have which chip on this Wiki Page:
http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features

Re: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Posted: Sun Nov 22, 2015 2:56 pm
by andriys
I'd like to draw your attention to the fact that port-level isolation and DHCP snooping are completely different beasts. A true DHCP snooping is NOT supported by RouterOS at the moment; please do not mislead others.

Re: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)

Posted: Sun Nov 22, 2015 11:39 pm
by chechito
I think it's more like DHCP screening