marina
just joined
Topic Author
Posts: 7
Joined: Mon May 30, 2022 10:22 am

CRS3xx MAC-based-VLAN and DHCP-snooping issue

Thu Jun 02, 2022 9:37 am

Hello.
On CRS3xx I want to configure MAC-based-VLAN and DHCP-Snooping to prevent fake DHCP servers.
Configured as the guide suggests, but there is a problem with DHCP clients.
If a device connected to a port on which a MAC-based-VLAN rule is applied is configured with a static IP, the desired configuration works. The packets from the device go to the configured new-vlan-id.
But if the device has DHCP enabled, it will never get an IP, even though the new-vlan-id works.
The problem is with the dynamic switch rule created by the DHCP-Snooping option on the bridge:
/interface ethernet switch rule> print
1 D switch=switch1 ports=ether1,ether2, <and so on except ports which have Trusted DHCP>
mac-protocol=ip protocol=udp src-port=67-68 dst-port=67-68
copy-to-cpu=no redirect-to-cpu=yes mirror=no
This leaves the client unable to get an IP address.
This is a major issue, as the rule should block DHCP offers and ACKs, but not DHCP requests and discovers.

On the other hand, port-based VLAN with untagged packets does not block a client from getting an IP.

How to make this work?
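What the CPU has to decide once the dynamic redirect-to-cpu rule quoted above has handed it a UDP 67/68 packet, as an added Python model that is not RouterOS code and not part of this thread: client messages are forwarded from any port, server replies only from ports marked trusted. The DHCP payloads are constructed, and the port names (ether7 untrusted, sfp-sfpplus1 trusted) are taken from the configuration posted later in the thread.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # options-field magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2             # op field: client -> server, server -> client
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op: int, msg_type: int, chaddr: bytes) -> bytes:
    """Constructed minimal BOOTP/DHCP payload (the UDP payload only)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # option 53 (message type) followed by the END marker 255
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload: bytes) -> tuple[int, str, bytes]:
    """Return (op, message-type name, client MAC) from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, hlen = payload[0], payload[2]
    chaddr = payload[28:28 + hlen]
    i, msg_type = 240, None
    while i < len(payload) and payload[i] != 255:   # walk TLV options to END
        if payload[i] == 0:                         # PAD option has no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53:
            msg_type = payload[i + 2]
        i += 2 + length
    return op, MSG_TYPES.get(msg_type, "UNKNOWN"), chaddr


def snoop(ingress_port: str, trusted: set[str], payload: bytes) -> tuple[str, str]:
    """Verdict for a DHCP packet the switch rule redirected to the CPU.
    Server replies (OFFER/ACK/NAK) on an untrusted access port are what a rogue
    DHCP server would emit, so they are dropped; client messages always pass."""
    op, kind, _ = parse_dhcp(payload)
    if op == BOOTREPLY and ingress_port not in trusted:
        return ("drop", kind)
    return ("forward", kind)


if __name__ == "__main__":
    trusted = {"sfp-sfpplus1"}                # uplink with trusted=yes in the export
    mac = bytes.fromhex("aaaaaaaaaaaa")       # placeholder MAC used in the thread
    print(snoop("ether7", trusted, build_dhcp(BOOTREQUEST, 1, mac)))      # ('forward', 'DISCOVER')
    print(snoop("ether7", trusted, build_dhcp(BOOTREPLY, 2, mac)))        # ('drop', 'OFFER')
    print(snoop("sfp-sfpplus1", trusted, build_dhcp(BOOTREPLY, 5, mac)))  # ('forward', 'ACK')
```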
 
mkx
Forum Guru
Forum Guru
Posts: 11598
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS3xx MAC-based-VLAN and DHCP-snooping issue

Thu Jun 02, 2022 10:38 am

Is your DHCP server listening on a tagged VLAN? With MAC-based-VLAN, all packets will be tagged with the corresponding VLAN tag even before the client acquires a DHCP lease ... just the way port-based-VLAN would do it.
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS3xx MAC-based-VLAN and DHCP-snooping issue

Thu Jun 02, 2022 3:59 pm

Please draw a network diagram with at least your router, the CRS328 and any other device (if any) between them.
Then export the CRS's configuration with hide-sensitive and manually remove any other sensitive info from the config export.
 
marina
just joined
Topic Author
Posts: 7
Joined: Mon May 30, 2022 10:22 am

Re: CRS3xx MAC-based-VLAN and DHCP-snooping issue

Mon Jun 06, 2022 11:33 am

Here is the configuration on the switch:
# jun/06/2022 11:12:20 by RouterOS 6.49.6
# software id = GR27-EFYX
#
# model = CRS328-24P-4S+
/interface bridge
add dhcp-snooping=yes igmp-snooping=yes ingress-filtering=yes name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on poe-out=off
set [ find default-name=ether2 ] loop-protect=on poe-out=off
set [ find default-name=ether3 ] loop-protect=on poe-out=off
set [ find default-name=ether4 ] loop-protect=on poe-out=off
set [ find default-name=ether5 ] loop-protect=on poe-out=off
set [ find default-name=ether6 ] loop-protect=on
set [ find default-name=ether7 ] loop-protect=on poe-out=off
set [ find default-name=ether8 ] loop-protect=on poe-out=off
set [ find default-name=ether9 ] loop-protect=on poe-out=off
set [ find default-name=ether10 ] loop-protect=on poe-out=off
set [ find default-name=ether11 ] loop-protect=on poe-out=off
set [ find default-name=ether12 ] loop-protect=on poe-out=off
set [ find default-name=ether13 ] loop-protect=on poe-out=off
set [ find default-name=ether14 ] loop-protect=on poe-out=off
set [ find default-name=ether15 ] loop-protect=on poe-out=off
set [ find default-name=ether16 ] loop-protect=on poe-out=off
set [ find default-name=ether17 ] loop-protect=on poe-out=off
set [ find default-name=ether18 ] loop-protect=on poe-out=off
set [ find default-name=ether19 ] loop-protect=on poe-out=off
set [ find default-name=ether20 ] loop-protect=on poe-out=off
set [ find default-name=ether21 ] loop-protect=on poe-out=off
set [ find default-name=ether22 ] loop-protect=on poe-out=off
set [ find default-name=ether23 ] loop-protect=on poe-out=off
set [ find default-name=ether24 ] loop-protect=on poe-out=off
set [ find default-name=sfp-sfpplus1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full loop-protect=on
set [ find default-name=sfp-sfpplus2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full loop-protect=on
set [ find default-name=sfp-sfpplus3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full loop-protect=on
set [ find default-name=sfp-sfpplus4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full loop-protect=on
/interface vlan
add interface=bridge name=acc vlan-id=9
add interface=bridge name=default vlan-id=1
add interface=bridge name=voip vlan-id=11
/interface bonding
add mode=802.3ad name=bonding23-24 slaves=ether23,ether24 transmit-hash-policy=layer-2-and-3
/interface bridge port
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether1 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether11 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether12 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether13 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether14 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether15 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether16 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether17 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether18 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether19 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether20 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether21 pvid=9 restricted-role=yes restricted-tcn=yes
add bpdu-guard=yes bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether22 pvid=9 restricted-role=yes restricted-tcn=yes
add bridge=bridge disabled=yes edge=yes-discover frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether23 trusted=yes
add bridge=bridge disabled=yes edge=yes-discover frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether24 trusted=yes
add bridge=bridge edge=no-discover frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus1 trusted=yes
add bridge=bridge edge=no-discover frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus2 trusted=yes
add bridge=bridge edge=no-discover frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus3 trusted=yes
add bridge=bridge edge=no-discover frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus4 trusted=yes
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bonding23-24 trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=bridge,bonding23-24,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=1
add bridge=bridge tagged=bridge,bonding23-24,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=9
add bridge=bridge tagged="bridge,bonding23-24,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,ether2" untagged=ether7 vlan-ids=11
/interface ethernet switch rule
add new-vlan-id=11 ports=ether7 src-mac-address=AA:AA:AA:AA:AA:AA/FF:FF:FF:FF:FF:FF switch=switch1
/ip accounting
set enabled=yes
/ip address
add address=10.X.X.X/16 interface=voip network=10.X.0.0
/ip firewall filter
add action=drop chain=input connection-state=invalid,untracked
add action=accept chain=input connection-state=established,related
add action=accept chain=input in-interface=voip
add action=drop chain=input
add action=drop chain=forward connection-state=invalid,untracked
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward
/ip route
add distance=1 gateway=10.X.X.X
 
marina
just joined
Topic Author
Posts: 7
Joined: Mon May 30, 2022 10:22 am

Re: CRS3xx MAC-based-VLAN and DHCP-snooping issue

Mon Jun 06, 2022 1:25 pm

PS. The same configuration on the same switch with RouterOS 6.46.6 works as expected.
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS3xx MAC-based-VLAN and DHCP-snooping issue

Wed Jun 08, 2022 12:29 pm

Take a look here https://help.mikrotik.com/docs/display/ ... CPOption82

DHCP snooping does not work on hardware offloaded bonding interfaces... And 802.3ad (as well as XOR) is hardware offloaded on all CRS3xx devices...
I had come across the same issue in the past...

So remove DHCP snooping and test again if your client devices can get an IP.
 
marina
just joined
Topic Author
Posts: 7
Joined: Mon May 30, 2022 10:22 am

Re: CRS3xx MAC-based-VLAN and DHCP-snooping issue

Thu Jun 09, 2022 9:23 am

Yes, removing DHCP Snooping, or setting the specified port as "Trusted", does resolve the issue.
But this is not how a corporate switch needs to work. The port must be monitored for rogue DHCP servers and block them, and it should also do MAC-to-VLAN and/or Voice-to-VLAN.
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: CRS3xx MAC-based-VLAN and DHCP-snooping issue

Thu Jun 09, 2022 3:10 pm

As you can see from the manual, DHCP snooping does not work on Hardware offloaded bonded interfaces.
https://help.mikrotik.com/docs/display/ ... CPOption82

Also, according to the manual, MAC based VLAN does not work for DHCP packets when DHCP snooping is enabled:
https://help.mikrotik.com/docs/display/ ... CBasedVLAN

Mac Based VLAN will not use the new-vlan-id property when communicating with the CPU, but only between switch ports.
You are using restricted-role and restricted-tcn, but those parameters are only used on MSTP, is that the case?
I can see that src-mac-address=AA:AA:AA:AA:AA:AA ... What's that MAC?

I would suggest checking your overall configuration again...
I also see firewall rules, and I do not understand why they should exist on a switch...
 
tangent
Forum Guru
Forum Guru
Posts: 1390
Joined: Thu Jul 01, 2021 3:15 pm

Re: CRS3xx MAC-based-VLAN and DHCP-snooping issue

Thu Jun 09, 2022 6:01 pm

DHCP snooping does not work on Hardware offloaded bonded interfaces

This begs the question, "What is @marina getting out of bonding, and why is it worth keeping?"

The CRS328 has four SFP+ ports. If he wants a faster connection, put the DHCP server down that leg. It'll be 5x faster than a pair of bonded 1G ports.

If @marina is after connection redundancy, why use bonding to achieve it? Let loop-protect or RSTP sort it out for you. Yes, it means you get only 1G instead of a potential 2G LACP bond, but that's difficult to achieve in practice anyway due to the way the hash algorithms interact with real-world data flows. Besides which, it just takes us back to the prior question: if you want it to be faster, use the SFP+ ports.

What does 2-cable redundancy actually buy, presuming it goes to the same place on the other end? A cable cut is likely to take out both cables at once. A switch port failure is likely to take out both ports in the same 8-port group at once, if it doesn't nuke the whole switch. I mean seriously, how often does this sort of thing actually save the day? Not in theory, not on whiteboards in Cisco CSKGJHSKSD classes, I mean in actual everyday practice?

I also see firewall rules, and I do not understand why they should exist on a switch...

It's a good point: @marina, do these rules even trigger? Hardware offloading should cause the packets to fly right past the IP firewall filter, for good reason. There are ways to force traffic down from the switch chip through the CPU, but now you're putting a single 800 MHz CPU core in the way of all traffic.

If you want a device with many 1G ports, 4 SFP+ ports, and the ability to do both DHCP snooping type things and firewall type things, a CCR2116 is likely a better bet.

From your posted config, you're using only one port for PoE. Either put a midspan power injector on that link, or keep the CRS328 and delegate firewalling and routing stuff to a proper router.
