mix359

crs switch

Tue May 03, 2016 4:40 pm

Hi to all,

We have just bought 2 CRS125-24G-1S-RM to try how they work and see if we can change our current switches.
I've read the manual and the example document and have tried some functions, and after some days of testing I have some questions about some functions that I cannot find or cannot set correctly.
Just to say, my current comparison is the Zyxel switches (from 1510 to 1920, 24/48-port models).

loopguard
I've noticed the option "Allow Unicast Loopback" under the port settings of the switch. From the manual I read that this enables the replay of a packet if it comes and goes from/to the same port.
Does this block a loop on two different ports? (e.g. if I put a cable on ports 2-3, and they are on the same VLAN...)
On the Zyxel switch, if it detects a loop of 2 ports, it disables the ports and re-enables them after some specified time.
Is there something similar?

dhcp snooping
Reading the example page I've seen an example of port isolation that should block DHCP offers that don't come from the specified port. (http://wiki.mikrotik.com/wiki/Manual:CR ... _Isolation)
I've tried that and it partially works: I have a DHCP server on a port that is not in the list. If I attach a device to a port, it receives an IP from the wrong DHCP, then after some seconds the device loses the IP. After some minutes the device receives the IP again.
So it's working, but not completely...
What am I doing wrong?
Following the example, I only see a rule that permits DHCPv4 on dst port. If that works like the firewall, I don't see any "deny" rule for the other port (for that protocol).

arp inspection
Does the same trick used for DHCP snooping work for ARP inspection? (same port isolation rule but with the ARP protocol selected?) Should it protect from insecure ARP responses?

port security
I've seen that 802.1x is not implemented (and for the moment there isn't any plan for it), so I would like to know if there is any way to secure the port and permit only some clients to access the network.
Currently I have many switches in our labs, so I need a computer in that lab to access the gateway and the other PCs in that lab (so I cannot use single port isolation). The optimal setup would permit only a device that receives an IP from my DHCP server or that has its MAC address manually inserted in the switch to access the network.
Normally with a RouterBOARD I can do this trick with the DHCP server/relay + ARP reply-only, but in this case, all the switching part happens before the RouterBOARD part.
Is there any way I can do something like this with port isolation, etc.? (Only a device that has gained its IP from my DHCP or that is manually inserted can talk to the other ports)

guest vlan
I haven't seen any "guest VLAN" config. I imagine that if I use the MAC-based VLAN assignment, there should be a way to tag the packet from a port that is not tagged by the MAC tagging.

Thanks to all
Regards
Daniele