CRS1xx DHCP port isolation

Posted: Sun May 17, 2020 10:39 am
by dalami
Having typed a small novel - I'll condense to what I think my actual question is:

The example page for the CRS1xx shows how to limit DHCP. So given:
  • ether1: VoIP server
  • ether2-ether6: VoIP phones
  • ether7-ether8: unused/spare/future
  • sfp10: next switch/router/gateway
Based on the example page, I think the steps are:
  • Configure a single bridge with all physical ports included. I understood that much.
  • Place selected ports into a "community" - and I'm inferring the "preferred" first profile would be "2".
    /interface ethernet switch port set ether1 isolation-leakage-profile-override=2
    (and repeat for ether2-ether6)
  • Define the isolation.
    /interface ethernet switch port-isolation add port-profile=2 protocol-type=dhcpv4 type=dst forwarding-type=bridged ports=ether1 registration-status="" traffic-type=""
What I think this means is, with the exception of DHCP, all traffic will pass freely between all ports. Specifically for DHCP, all requests from clients on ports ether2-ether6 will only be sent to port ether1. Due to a lack of understanding of DHCP I'm concerned about traffic from the server - I do not want any DHCP broadcasts or replies from the VoIP server leaking out to the main LAN. Is this not a concern due to the nature of DHCP, or do I need some additional filtering?

Is it as simple as:
/interface ethernet switch port-isolation add port-profile=2 protocol-type=dhcpv4 type=src forwarding-type=bridged ports=ether1 registration-status="" traffic-type=""

Additionally, I don't want any DHCP requests from the LAN to reach the VoIP server. Are the previous filters sufficient for that or do I need more?

Re: CRS1xx DHCP port isolation

Posted: Sun May 24, 2020 6:18 am
by dalami
I think I've got it working - now I'll find what breaks. In the meantime - can anyone confirm if what I've done is "correct" and more importantly - is there a "better" way I should do it?

First, I do NOT place the VoIP server port into the isolation group. I've left that at default. The remaining port config was as I described it (only using the "dst" rule - I didn't add the "src" rule).

This ensured the phones only queried the VoIP server. However - the VoIP server was broadcasting DHCP on my LAN. To block that, I placed the "spare" ports in a new isolation group and created a new dst rule following the syntax of the original - except specifying the port for uplink connection. To re-state:

All ports now in one bridge.
All phone ports are in isolation group 2.
All spare/LAN client ports are in isolation group 3.
Port Isolation rule is "dst", "bridged", "DHCPv4", profile 2, port of VoIP server.
Port Isolation rule is "dst", "bridged", "DHCPv4", profile 3, port of uplink.
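The configuration described in the two posts above, written out end to end as an added example (this is not code from the thread or a MikroTik reference, only the post's steps in command form). Port roles (ether1 VoIP server, ether2-ether6 phones, ether7-ether8 spare, sfp10 uplink) come from the first post; the bridge name "bridge1" is an assumption, and the uplink port sfp10 is left on the default profile because the posts do not say otherwise.

```routeros
# Added example, not from the thread: CRS1xx switch-chip DHCPv4 port isolation
# as the second post describes it. Bridge name "bridge1" is assumed.

# 1. One bridge containing every physical port.
/interface bridge add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp10

# 2. Isolation profiles. The VoIP server port (ether1) stays on the default
#    profile, as the post states; the uplink (sfp10) is left at default too.
/interface ethernet switch port
set ether2 isolation-leakage-profile-override=2
set ether3 isolation-leakage-profile-override=2
set ether4 isolation-leakage-profile-override=2
set ether5 isolation-leakage-profile-override=2
set ether6 isolation-leakage-profile-override=2
set ether7 isolation-leakage-profile-override=3
set ether8 isolation-leakage-profile-override=3

# 3. One "dst" DHCPv4 rule per profile: DHCPv4 frames from profile-2 ports may
#    only be forwarded to ether1, and from profile-3 ports only to the uplink.
/interface ethernet switch port-isolation
add port-profile=2 protocol-type=dhcpv4 type=dst forwarding-type=bridged ports=ether1 registration-status="" traffic-type=""
add port-profile=3 protocol-type=dhcpv4 type=dst forwarding-type=bridged ports=sfp10 registration-status="" traffic-type=""
```

Note the asymmetry the second post ran into: a "dst" rule constrains where DHCPv4 frames entering on ports of that profile may go, not what reaches those ports from elsewhere. Ports left on the default profile (the server, the uplink) are not covered by any rule, which is why the server's DHCP broadcasts still reached the LAN until the spare ports were moved into profile 3 with their own rule. After applying the commands, `/interface ethernet switch port print` and `/interface ethernet switch port-isolation print` show the resulting profile assignments and rules, and a short capture of UDP 67/68 on the uplink with `/tool sniffer` is the direct way to confirm no DHCP from the VoIP segment is leaking.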