Hamunaptra
just joined
Topic Author
Posts: 3
Joined: Sat Oct 17, 2020 8:07 pm

CRS354 - DHCP snooping not working?

Thu Apr 11, 2024 11:10 am

Hi guys,

I have a problem with my new CRS354-48G-4S+2Q+ switch. I tried to activate DHCP snooping, but the packets are still flowing through. This switch replaced the Ubiquiti EdgeSwitch 48 Lite, where DHCP snooping worked perfectly.

The true DHCP server is connected directly to the CRS354 via bonding (ports 3, 4, 5, 6), but there is also a rogue DHCP on port 23.

There is a bridge with all the interfaces, including the bonds. DHCP snooping (without option 82) is activated on the bridge. All bonds, and only the bonds, are assigned as trusted interfaces.

But somehow the rogue DHCP can still send packets through, at least to the clients directly connected to the CRS354 (as observed).
MikroTik writes about it in the log:
07:10:36 bridge,warning ether23: received DHCP server message on untrusted port from source IP 10.1.22.0, MAC 80:1f:02:e0:65:xx

So the CRS knows about the packet going through, but does nothing about it?

Apparently, there can be some problem with Hardware Offloading (even though the CRS3xx should handle it), so I tried to turn it off, but no luck.

P.S.: It seems like only the clients that are directly connected to the CRS are affected. Any other clients on subsequent switches are getting true DHCP responses.

The map is as follows:
DHCPServer --- bond to CRS354	--- clients
				--- rogue DHCP
				--- bond to Ubiquiti switch 1 	--- clients
								--- bond to Ubiquiti switch 2 --- clients
				--- bond to Ubiquiti switch 3 	--- clients

Running configuration:
  MikroTik RouterOS 7.14.2 (c) 1999-2024       https://www.mikrotik.com/

[admin@MainSwitch - Mikrotik] > export
# 2024-04-11 09:53:37 by RouterOS 7.14.2
# software id = J0X5-8GZ0
#
# model = CRS354-48G-4S+2Q+

/interface bridge
add dhcp-snooping=yes name=bridge1 port-cost-mode=short

/interface ethernet
set [ find default-name=ether49 ] name="ether49 - MGMT"

/interface bonding
add mode=802.3ad name="bonding1 - 4Gb Trunk To 3NP - Main Server" slaves=ether3,ether4,ether5,ether6
add mode=802.3ad name="bonding2 - 4Gb Trunk To 2NP - Rack" slaves=ether45,ether46,ether47,ether48
add mode=802.3ad name="bonding3 - 2Gb Trunk To 3NP - SecondaryServer" slaves=ether13,ether14

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot

/port
set 0 name=serial0

/snmp community
add addresses=::/0 name=snmp

/interface bridge port
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=ether2 trusted=yes
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=ether25
add bridge=bridge1 interface=ether26
add bridge=bridge1 interface=ether27
add bridge=bridge1 interface=ether28
add bridge=bridge1 interface=ether29
add bridge=bridge1 interface=ether30
add bridge=bridge1 interface=ether31
add bridge=bridge1 interface=ether32
add bridge=bridge1 interface=ether33
add bridge=bridge1 interface=ether34
add bridge=bridge1 interface=ether35
add bridge=bridge1 interface=ether36
add bridge=bridge1 interface=ether37
add bridge=bridge1 interface=ether38
add bridge=bridge1 interface=ether39
add bridge=bridge1 interface=ether40
add bridge=bridge1 interface=ether41
add bridge=bridge1 interface=ether42
add bridge=bridge1 interface=ether43
add bridge=bridge1 interface=ether44
add bridge=bridge1 interface="ether49 - MGMT"
add bridge=bridge1 interface=qsfpplus1-1
add bridge=bridge1 interface=qsfpplus1-2
add bridge=bridge1 interface=qsfpplus1-3
add bridge=bridge1 interface=qsfpplus1-4
add bridge=bridge1 interface=qsfpplus2-1
add bridge=bridge1 interface=qsfpplus2-2
add bridge=bridge1 interface=qsfpplus2-3
add bridge=bridge1 interface=qsfpplus2-4
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 hw=no interface="bonding1 - 4Gb Trunk To 3NP - Main Server" trusted=yes
add bridge=bridge1 hw=no interface="bonding2 - 4Gb Trunk To 2NP - Rack" trusted=yes
add bridge=bridge1 hw=no interface="bonding3 - 2Gb Trunk To 3NP - SecondaryServer" trusted=yes

/ip firewall connection tracking
set udp-timeout=10s

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/ip address
add address=10.1.1.38/24 interface=bridge1 network=10.1.1.0

/ip dns
set servers=10.1.1.1,8.8.8.8

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-table=main suppress-hw-offload=no

/snmp
set contact= enabled=yes location="Server" trap-community=snmp trap-version=2

/system clock
set time-zone-name=Europe/Prague

/system identity
set name="MainSwitch"

/system logging
add action=disk topics=critical
add action=disk topics=error
add action=disk topics=info
add action=disk topics=warning

/system note
set show-at-login=no

/system ntp client
set enabled=yes

/system ntp client servers
add address=pool.ntp.org

/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key
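
An added example, not part of the original post: a small Python audit of the exported configuration and the quoted log line. It lists which bridge ports are marked trusted, which have hardware offloading disabled, and whether the port named in the warning is trusted. The embedded export is a shortened, constructed copy of the one above; the function names are hypothetical, and the parser assumes the export has no backslash line continuations.

```python
import re
import shlex

# Constructed sample: a shortened copy of the export above (same trust/hw flags).
EXPORT = '''\
/interface bridge
add dhcp-snooping=yes name=bridge1 port-cost-mode=short
/interface bonding
add mode=802.3ad name="bonding1 - 4Gb Trunk To 3NP - Main Server" slaves=ether3,ether4,ether5,ether6
add mode=802.3ad name="bonding2 - 4Gb Trunk To 2NP - Rack" slaves=ether45,ether46,ether47,ether48
/interface bridge port
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=ether2 trusted=yes
add bridge=bridge1 interface=ether23
add bridge=bridge1 hw=no interface="bonding1 - 4Gb Trunk To 3NP - Main Server" trusted=yes
add bridge=bridge1 hw=no interface="bonding2 - 4Gb Trunk To 2NP - Rack" trusted=yes
'''
LOG = ("07:10:36 bridge,warning ether23: received DHCP server message on "
       "untrusted port from source IP 10.1.22.0, MAC 80:1f:02:e0:65:xx")

def parse_export(text):
    """Return {section path: [dict of key=value for each 'add' line]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            # shlex honours the double quotes RouterOS puts around names with spaces
            current.append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return sections

def audit(text, log_line):
    """Summarise snooping trust settings and check the port named in the warning."""
    s = parse_export(text)
    bonds = {b["name"] for b in s.get("/interface bonding", [])}
    ports = s.get("/interface bridge port", [])
    trusted = [p["interface"] for p in ports if p.get("trusted") == "yes"]
    m = re.search(r"warning (\S+): received DHCP server message on untrusted port", log_line)
    return {
        "snooping_bridges": [b["name"] for b in s.get("/interface bridge", [])
                             if b.get("dhcp-snooping") == "yes"],
        "trusted_non_bond": [i for i in trusted if i not in bonds],
        "hw_disabled": [p["interface"] for p in ports if p.get("hw") == "no"],
        "log_port": m.group(1) if m else None,
        "log_port_trusted": bool(m) and m.group(1) in trusted,
    }

if __name__ == "__main__":
    for key, value in audit(EXPORT, LOG).items():
        print(f"{key}: {value}")
```

On the sample it reports ether1 and ether2 as trusted ports that are not bonds, the bonds as the only ports with hw=no, and ether23 as untrusted.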
