Fif
just joined
Topic Author
Posts: 3
Joined: Thu May 18, 2023 9:02 am

CRS3xx: DHCP Snooping & Option 82 with bonding

Thu May 18, 2023 8:50 pm

I have a few CRS3xx devices on my network. Some of them are linked with 802.3ad LACP bonding.
I have been experimenting with DHCP Snooping and option 82 processing.
However, https://help.mikrotik.com/docs/display/ ... CPOption82 states that:
For CRS3xx, CRS5xx series switches and CCR2116, CR2216 routers DHCP snooping will not work when hardware offloading bonding interfaces are created.
After configuring trusted ports, DHCP snooping and Option 82 processing on 3 switches (2 with 802.3ad LACP bonding links, one without any) this is what I see:
  • The switch that has no 802.3ad LACP LAGs has DHCP option 82 working properly: devices on access ports attached to that device have the DHCP option 82 added and stripped properly.
    I also see that the switch has automatically added a new dynamic switch rule:
    /interface/ethernet/switch/rule/print
     0  D switch=switch1 ports=sfpplus1,ether1,sfpplus4 mac-protocol=ip 
          protocol=udp src-port=67-68 dst-port=67-68 copy-to-cpu=no 
          redirect-to-cpu=yes mirror=no 
    
  • For the two switches that have 802.3ad LACP LAGs, the DHCP option 82 is not added for any devices attached to them, whether they are attached to a bonded port or not.
    No dynamic switch rule is added.
This is pretty much what's expected: DHCP snooping is not supported for bridges with HW-offloaded bonding (the CRS3xx devices support HW-offloaded LACP 802.3ad bonding).

Now this is where it gets interesting:
If I manually add a switch rule to redirect DHCP packets to the CPU, DHCP Snooping and option 82 processing start working!
/interface/ethernet/switch/rule/add switch=switch1  ports=[/interface/ethernet/find] mac-protocol=ip protocol=udp src-port=68 dst-port=67 redirect-to-cpu=yes
/interface/ethernet/switch/rule/add switch=switch1  ports=[/interface/ethernet/find] mac-protocol=ip protocol=udp src-port=67 dst-port=68 redirect-to-cpu=yes
/interface/ethernet/switch/rule/add switch=switch1  ports=[/interface/ethernet/find] mac-protocol=ip protocol=udp src-port=67 dst-port=67 redirect-to-cpu=yes
(note that the last line (both src/dst ports 67) is only needed if DHCP relays are used).

I wanted to share that interesting result.
Would there be any downsides to such a setup?
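
An added example, not part of the original post: a small Python parser for checking in a packet capture whether Option 82 is present on a DHCP message (inserted towards the trusted port, stripped towards the access port), plus a helper that maps UDP ports to the three redirect rules above. The sample packet and the circuit-id/remote-id values are constructed for illustration and do not reflect what RouterOS actually emits.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                   # DHCP magic cookie (RFC 2131)
SUBOPTS = {1: "circuit-id", 2: "remote-id"}   # Option 82 sub-options (RFC 3046)

def tlvs(buf, dhcp=False):
    """Yield (code, value) pairs from a code/length/value byte string."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if dhcp and code == 255:              # End option
            return
        if dhcp and code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option at offset %d" % i)
        yield code, buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def option82(payload):
    """Return Option 82 sub-options as a dict, or None if the option is absent."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    for code, value in tlvs(payload[240:], dhcp=True):
        if code == 82:
            return {SUBOPTS.get(c, c): v for c, v in tlvs(value)}
    return None

def direction(src_port, dst_port):
    """Map UDP ports to the three redirect rules in the post."""
    return {(68, 67): "client->server", (67, 68): "server->client",
            (67, 67): "relay"}.get((src_port, dst_port), "not matched")

def sample_discover(opt82=b""):
    """Constructed DHCPDISCOVER payload; not a capture from a real switch."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    fixed += bytes(16) + bytes.fromhex("020000000001") + bytes(10) + bytes(192)
    return fixed + MAGIC + b"\x35\x01\x01" + opt82 + b"\xff"

# Constructed sub-option values, chosen only for illustration.
OPT82 = b"\x52\x12" + b"\x01\x06ether5" + b"\x02\x08" + b"crs-sw-1"

if __name__ == "__main__":
    for name, pkt in (("access side", sample_discover()),
                      ("trusted side", sample_discover(OPT82))):
        print(name, direction(68, 67), option82(pkt))
```

Feed `option82()` the UDP payload of each captured DHCP packet; a `None` result on the trusted side means the switch did not insert the option.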
