Another Layer 2 security topic worth covering is DHCP snooping. The feature is part of the RouterOS bridge implementation, so it is available on MikroTik CRS3xx switches as well as on other MikroTik switches; on CRS3xx it is hardware-offloaded, so enabling it does not push the bridge traffic to the CPU.
Once DHCP snooping is enabled on the bridge, you mark the port that connects to the legitimate DHCP server as a trusted port. DHCP server messages (DHCPOFFER and DHCPACK) are only accepted from trusted ports, so if a rogue DHCP server is plugged into any untrusted port, its replies are dropped by the switch and never reach the DHCP clients. Without DHCP snooping, anyone can plug in a rogue DHCP server that leases IP addresses and hands out itself as the default gateway, so all client traffic passes through that machine, where a sniffing tool can intercept it. This is a man-in-the-middle attack.
That is the short explanation of DHCP snooping; let's apply it in a lab.
Here R1 is acting as the DHCP server and is already configured. I will create a bridge on SW1 and add Ether1, Ether2 and Ether3 to it (Ether3 will be used later in this lab). The result is as follows:
As you can see, the three interfaces on SW1 are in a bridge and they are hardware offloaded (the H flag in the port list).
To enable DHCP snooping, open the bridge interface itself (the Bridge tab, not the Ports tab) and tick DHCP Snooping, as follows:
Then open the Ether1 bridge port (the port connected to the DHCP server) and mark it as trusted; Ether2 stays untrusted.
Here is how to make Ether1 a trusted port:
Now Ether2 (connected to the PC) and Ether3 remain untrusted ports. By default, all bridge ports on MikroTik switches are untrusted, so nothing has to be changed; just confirm that the Trusted box is not ticked. Here is the example for Ether2 (Ether3 is the same):
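The same lab configuration as RouterOS terminal commands, so it can be reproduced without clicking through WinBox. This is an added example, not taken from the original post; the addressing on R1 (192.168.10.0/24, pool .100-.200) is assumed, since the post only says R1 is already configured as a DHCP server.

```routeros
# --- R1: DHCP server on the interface that is cabled to SW1 ether1 ---
# (addressing is an assumption for this example; the post does not give it)
/ip address add address=192.168.10.1/24 interface=ether1
/ip pool add name=lan-pool ranges=192.168.10.100-192.168.10.200
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1
/ip dhcp-server add name=lan-dhcp interface=ether1 address-pool=lan-pool disabled=no

# --- SW1 (CRS3xx) ---
# DHCP snooping is a property of the bridge itself, not of a bridge port.
/interface bridge add name=bridge1 dhcp-snooping=yes

# Add the three lab ports. hw=yes keeps them hardware-offloaded.
# trusted=no is the default, so ether2 and ether3 stay untrusted.
/interface bridge port add bridge=bridge1 interface=ether1 hw=yes trusted=yes
/interface bridge port add bridge=bridge1 interface=ether2 hw=yes
/interface bridge port add bridge=bridge1 interface=ether3 hw=yes

# If bridge1 already exists, the two settings that matter are these:
/interface bridge set bridge1 dhcp-snooping=yes
/interface bridge port set [find interface=ether1] trusted=yes

# --- Verification ---
# The bridge must show dhcp-snooping=yes ...
/interface bridge print where dhcp-snooping=yes
# ... exactly one port (ether1) must be trusted ...
/interface bridge port print where trusted=yes
# ... and the ports must carry the H (hw-offload) flag.
/interface bridge port print
```

Once this is in place, the second half of the lab needs no switch changes: moving R1's cable from ether1 to ether3 puts the server on an untrusted port, so its DHCPOFFER/DHCPACK are dropped before they can reach the PC on ether2, while the PC's own DHCPDISCOVER is still forwarded normally.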
Now let's see whether the PC receives an IP address from the DHCP server. The PC is connected to Ether2, which is an untrusted port; this should still work, because untrusted only means that DHCP server replies arriving on that port are filtered, while client requests sent from it are forwarded as usual.
Yes indeed, it has received an IP address.
Now I move R1 from Ether1 on SW1 (a trusted port) to Ether3 (an untrusted port) and check whether the PC still receives an IP address from the DHCP server. Let's try.
I have moved the cable from Ether1 to Ether3 on SW1. Let's check the PC. First I release the IP address the PC had obtained, using the following command:
You can see that the PC has released its assigned IP address. Now let's renew the DHCP negotiation and see whether the PC receives an address again from the DHCP server, which is now plugged into Ether3 of the switch, an untrusted port.
As you can see, the PC did not receive an IP address from the DHCP server; instead it fell back to an APIPA address (169.254.x.x) assigned by Windows itself, which means the server's reply from the untrusted port was dropped by the switch. This is how DHCP snooping protects the network from rogue DHCP servers.