Hello.
On CRS3xx I want to configure MAC-based-VLAN and DHCP-Snooping to prevent fake DHCP servers.
I configured it as the guide suggests, but there is a problem with DHCP clients.
If a device connected to a port on which a MAC-based-VLAN rule is applied is configured with a static IP, the desired configuration works. The packets from the device go to the configured new-vlan-id.
But if the device has DHCP enabled, it will never get an IP even though the new-vlan-id works.
The problem is with the dynamic switch rule created by the DHCP-Snooping option on the bridge:
/interface ethernet switch rule> print
1 D switch=switch1 ports=ether1,ether2, <and so on except ports which have Trusted DHCP>
mac-protocol=ip protocol=udp src-port=67-68 dst-port=67-68
copy-to-cpu=no redirect-to-cpu=yes mirror=no
This leaves the client unable to get an IP address.
This is a major issue, as the rule should block DHCP offers and ACK, but not DHCP request and discover.
On the other hand, port-based VLAN with untagged packets does not block a client from getting an IP.
How to make this work?