Community discussions

MikroTik App
just joined
Topic Author
Posts: 6
Joined: Thu Jun 22, 2017 8:10 pm

Can a bonded network be limited to Level 3 network?

Tue Feb 23, 2021 9:58 pm

I have a site where there is 5 buildings all with a cross-connect to a MDF. All network routing is working with this poor setup but some network Level 2 leaks happen (DHCP being most common). Is there a way to limit the current bonded interfaces to only work with Level 3 and higher networks to eliminate this problem? Yes a Level 3 Spine switch is the answer but this client does not have the funds to do this so trying to see if can create it based on current setup.

Setup is 5 * CRS125 with 2 bonded links back to the Main CRS125

My theory is limit the bonded links to Level 3 network only. Meaning Level 1 and 2 can only happen within that building but still allow data to move freely across full site on the level 3 and 4.
Forum Guru
Forum Guru
Posts: 7139
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can a bonded network be limited to Level 3 network?

Wed Feb 24, 2021 12:12 pm

I'd hesitate to call DHCP "L2", it's a regular IP protocol, except that part of the exchange uses broadcast addresses. So I'd say you need to attach the following ingress ACL rules to the trunk ports:
  • drop frames carrying IP/UDP packets towards server port (67)
  • accept frames carrying IP packets
  • accept frames carrying ARP packets
  • accept STP BPDUs and other "link-local" traffic (by dst-mac-address)(?)
  • drop the rest
If IPv6 is used there, I'm not sure it is enough to drop RA packets and their solicitations.

But somehow a lot is missing in the picture - you say the whole network is a flat L2, but then where are the "legal" DHCP servers? I.e. would it not be a better solution to use VLANs, creating groups of ports which cannot leak to each other at all, and route the traffic among these groups?
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.

Who is online

Users browsing this forum: hsowizral and 171 guests