MrSpock
Topic Author
Posts: 8
Joined: Fri Feb 27, 2015 11:13 pm

DHCP snooping bridge and tagged interfaces

Thu Mar 27, 2025 3:09 pm

Hi,
I'm stuck on a problem with what seems to be a simple topic on every other switch I have, except MikroTik :)

I have a CRS309-1G-8S+ with a number of tagged VLANs on each interface.
sfp-sfpplus1 is the uplink port toward the DHCP server.
On some of sfp-sfpplus2-6 there are devices that use DHCP to get an IP. Traffic coming to the switch is tagged.
Let's say VLAN 1111 has customers with the DHCP client enabled:
/interface bridge vlan
add bridge=br0 comment="MGMT vlan" tagged=br0,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=1111
When I enable dhcp-snooping on br0 and set sfp-sfpplus1 as trusted, all DHCP stops working.

How am I supposed to set up this basic functionality to make it work, so as to snoop and filter DHCP traffic for rogue DHCP servers on tagged traffic?
Last edited by chechito on Thu Mar 27, 2025 6:06 pm, edited 1 time in total.
Reason: fixed typo on title
 
lurker888
Posts: 256
Joined: Thu Mar 02, 2023 12:33 am

Re: DHCP snooping bridge and tagged interfaces

Thu Mar 27, 2025 3:28 pm

When posting questions like this it is always nice to include a full configuration export of your device, because settings may have (seemingly strange) interactions. (/export file=choseaname; you may wish to read this over and redact any information you don't want to share.)

That said, what you describe is the correct way to set up this feature.

There were some issues with this feature in some recent software versions, so in this case it would be important to know which one you are using. (BTW this is also included in the export.) You may wish to try out a (bit) older version such as 7.17.2.
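To make concrete what the feature is supposed to do with the tagged frames discussed in this thread, here is an added Python model of the DHCP-snooping decision. It is example code written for this page, not RouterOS code and not posted by anyone in the thread. It walks an Ethernet frame past an optional 802.1Q tag, through IPv4 and UDP, to DHCP option 53, and drops server messages (OFFER/ACK/NAK) that arrive on a port not marked trusted. The port names and VLAN IDs reuse the OP's topology as an assumption, the frames are constructed in-line rather than captured, and the model deliberately leaves out everything else a real switch does around snooping (binding table, option 82, rate limits), so it shows the rule, not RouterOS internals.

```python
"""Decision logic of a DHCP-snooping filter on a VLAN-aware bridge.

Added illustration only: not RouterOS code, not from the forum thread.
All frames are constructed in-line; port names mirror the OP's switch.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
DHCP_MAGIC = b"\x63\x82\x53\x63"

# RFC 2132 option 53 message types
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MESSAGES = frozenset({OFFER, ACK, NAK})   # only a DHCP server legitimately sends these


def build_dhcp_frame(vlan, msg_type, sport, dport):
    """Construct Ethernet[/802.1Q]/IPv4/UDP/DHCP bytes as test input (not a real capture)."""
    op = 2 if msg_type in SERVER_MESSAGES else 1               # BOOTREPLY vs BOOTREQUEST
    # 236-byte fixed BOOTP header, magic cookie, option 53, END
    dhcp = bytes([op, 1, 6, 0]) + b"\x00" * 232 + DHCP_MAGIC + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(4), b"\xff\xff\xff\xff") + udp
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"            # broadcast dst, locally administered src
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)   # TPID + TCI (PCP/DEI zero)
    return eth + struct.pack("!H", ETH_P_IP) + ip


def parse_dhcp(raw):
    """Return (vlan_id or None, DHCP message type or None) for one ingress frame."""
    off, vlan = 12, None
    (ethertype,) = struct.unpack_from("!H", raw, off)
    if ethertype == ETH_P_8021Q:                                # step over one 802.1Q tag
        (tci,) = struct.unpack_from("!H", raw, off + 2)
        vlan = tci & 0x0FFF
        off += 4
        (ethertype,) = struct.unpack_from("!H", raw, off)
    off += 2
    if ethertype != ETH_P_IP or raw[off + 9] != IPPROTO_UDP:
        return vlan, None
    off += (raw[off] & 0x0F) * 4                                # skip IPv4 header by IHL
    _sport, dport = struct.unpack_from("!HH", raw, off)
    off += 8
    if dport not in (DHCP_SERVER_PORT, DHCP_CLIENT_PORT):
        return vlan, None
    if raw[off + 236:off + 240] != DHCP_MAGIC:                   # not DHCP-formatted BOOTP
        return vlan, None
    i = off + 240
    while i < len(raw) and raw[i] != 255:                       # walk TLV options until END
        if raw[i] == 0:                                         # PAD option has no length
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        if code == 53 and length == 1:
            return vlan, raw[i + 2]
        i += 2 + length
    return vlan, None


def snooping_verdict(raw, ingress_port, trusted_ports):
    """Forwarding decision a DHCP-snooping bridge takes for one frame."""
    _vlan, msg_type = parse_dhcp(raw)
    if msg_type is None:
        return "forward"                  # not DHCP: snooping never touches it
    if msg_type in SERVER_MESSAGES and ingress_port not in trusted_ports:
        return "drop"                     # server reply from an untrusted port: rogue server
    return "forward"                      # client messages anywhere, server replies on trusted ports


def run_demo():
    """Apply the rule to constructed frames on the OP's port layout (sfp-sfpplus1 trusted)."""
    trusted = frozenset({"sfp-sfpplus1"})
    cases = {
        "discover, client on sfp-sfpplus2, vlan 1032": (build_dhcp_frame(1032, DISCOVER, 68, 67), "sfp-sfpplus2"),
        "offer, real server via sfp-sfpplus1, vlan 1032": (build_dhcp_frame(1032, OFFER, 67, 68), "sfp-sfpplus1"),
        "offer, rogue server on sfp-sfpplus4, vlan 1032": (build_dhcp_frame(1032, OFFER, 67, 68), "sfp-sfpplus4"),
        "ack, rogue server on sfp-sfpplus4, untagged": (build_dhcp_frame(None, ACK, 67, 68), "sfp-sfpplus4"),
        "request, client on sfp-sfpplus3, vlan 100": (build_dhcp_frame(100, REQUEST, 68, 67), "sfp-sfpplus3"),
        "udp/53, not dhcp, on sfp-sfpplus4, vlan 1032": (build_dhcp_frame(1032, OFFER, 5353, 53), "sfp-sfpplus4"),
    }
    return {name: snooping_verdict(raw, port, trusted) for name, (raw, port) in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:8s} {name}")
```

Note that the VLAN tag is only stepped over: the verdict depends on the ingress port and the message type, which is the behaviour one expects from a trusted/untrusted port model regardless of whether the customer VLAN arrives tagged or untagged.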
 
spippan
Posts: 527
Joined: Wed Nov 12, 2014 1:00 pm

Re: DHCP snooping bridge and tagged interfaces

Thu Mar 27, 2025 5:21 pm

MrSpock wrote:
Hi,
I'm stuck on a problem with what seems to be a simple topic on every other switch I have, except MikroTik :)

I have a CRS309-1G-8S+ with a number of tagged VLANs on each interface.
sfp-sfpplus1 is the uplink port toward the DHCP server.
On some of sfp-sfpplus2-6 there are devices that use DHCP to get an IP. Traffic coming to the switch is tagged.
Let's say VLAN 1111 has customers with the DHCP client enabled:
/interface bridge vlan
add bridge=br0 comment="MGMT vlan" tagged=br0,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=1111
When I enable dhcp-snooping on br0 and set sfp-sfpplus1 as trusted, all DHCP stops working.

How am I supposed to set up this basic functionality to make it work, so as to snoop and filter DHCP traffic for rogue DHCP servers on tagged traffic?


All of @lurker888's points are true, and there *might* be a correlation to that issue elsewhere in your config.

But a quick question:
- Do you need "br0" tagged in VLAN 1111 because you also use L3 functions here (like IP addressing or DHCP relaying)? If NOT, have you tried removing "br0" from "tagged=..."? (Beware: if you need L3/IP connectivity via that VLAN you could cut yourself off from management, be it SSH, web or WinBox...)
 
MrSpock
Topic Author
Posts: 8
Joined: Fri Feb 27, 2015 11:13 pm

Re: DHCP snooping bridge and tagged interfaces

Fri Mar 28, 2025 10:25 am

This is a very basic setup. Here is the whole config. When I enable dhcp-snooping on br0, DHCP stops working on tagged traffic passing through the switch:
Software: 7.18.2
I have one VLAN interface for the switch management IP; that's why br0 is a tagged member of one VLAN in this setup.
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] comment=OLT2 l2mtu=9000
set [ find default-name=sfp-sfpplus2 ] comment=WIFI
set [ find default-name=sfp-sfpplus3 ] comment=OLT1 l2mtu=9000
set [ find default-name=sfp-sfpplus4 ] comment=CityA
set [ find default-name=sfp-sfpplus5 ] comment=CityB
set [ find default-name=sfp-sfpplus6 ] comment=CityC
set [ find default-name=sfp-sfpplus7 ] comment=OLT3
/interface vlan
add interface=br0 name=vlan1032 vlan-id=1032
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/snmp community
set [ find default=yes ] addresses=*.*.*.*/24
/interface bridge port
add bridge=br0 comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=br0 comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=br0 comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10
add bridge=br0 comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
add bridge=br0 comment=defconf ingress-filtering=no interface=sfp-sfpplus5 internal-path-cost=10 path-cost=10
add bridge=br0 comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus6 internal-path-cost=10 path-cost=10
add bridge=br0 comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus7 internal-path-cost=10 path-cost=10
add bridge=br0 comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=no interface=sfp-sfpplus8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=br0 comment="MGMT vlan" tagged=br0,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=1032
add bridge=br0 comment="CPE" tagged=sfp-sfpplus1,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7 vlan-ids=100
add bridge=br0 comment=PPPoE tagged=sfp-sfpplus1,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7 vlan-ids=101
add bridge=br0 comment="WiFi CPE" tagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=99,1001
add bridge=br0 comment="CityA P2P" tagged=sfp-sfpplus1,sfp-sfpplus4 vlan-ids=83
add bridge=br0 comment="CityB P2P" tagged=sfp-sfpplus1,sfp-sfpplus5 vlan-ids=84
add bridge=br0 comment="MGM OLTT" tagged=sfp-sfpplus1,sfp-sfpplus3 vlan-ids=50
add bridge=br0 comment="MGMT ZTEC320" tagged=sfp-sfpplus1,sfp-sfpplus6 vlan-ids=650
add bridge=br0 comment="Test CPE" tagged=sfp-sfpplus1,sfp-sfpplus6 vlan-ids=103
add bridge=br0 comment="MGMT OLT" tagged=sfp-sfpplus1,sfp-sfpplus4 vlan-ids=600
add bridge=br0 comment="Test QinQ" tagged=br0,sfp-sfpplus1,sfp-sfpplus3 vlan-ids=336
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:48:72:D4:5F:1E name=ovpn-server1
/ip address
add address=10.5.1.20/24 comment="Inbang MGMT" interface=vlan1032 network=10.5.1.0
/ip dhcp-client
add disabled=yes interface=vlan1032
/ip dns
set servers=1.1.1.1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add dst-address=0.0.0.0/0 gateway=10.5.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MKTSW1
/system logging
add topics=dhcp
/system note
set show-at-login=no