DHCP attacks can catch networks off guard, but there are ways to block them. Have any thoughts or experiences with DHCP security? Share your insights below!
Hello, I have the following question, I don't know if you can answer it... if we have one or more switches in front of the switch that interconnects with the router, we have to place the "trunk" (fiber) ports as "trusted" that interconnect the switches between them? Where several VLANS pass as explained in your video "Mikrotik VLANs - CRS3XX Step by Step - Mikrotik Tutorial". Thanks.
hmm since you redirect to cpu only packets that are on selected interfaces and of selected type and port destination is it still necessary to specify everything on bridge filter? i mean wouldn't it be enough to only match mac addresses and allow/block then and let the switch chip do the work of filtering out dhcp packets?
Hello! The chip is redirecting all traffic to UDP ports 67 and 68. During a DHCP starvation attack, the packets will still reach the CPU, so you need to block them manually. The chip does not block frames on its own. For DHCP snooping, no additional filters are required, as I demonstrated in the video.
@@TheNetworkTrip yes i understand, i'm talking about the fact that switch chip will redirect only packets that are udp and 67-68 port src/dst so you don't need to check it again at bridge filter, and only check mac address i think less cpu based matching should be a bit faster
That’s correct if those are the only rules under the bridge. However, in a production environment, there may be additional rules targeting other traffic, so it’s important to be specific. The goal of the video is to show what’s happening first, and if we get it, we can customize the configuration as needed. There are tons of potential things we can do, but the video would be extremely longer.
DHCP attacks can catch networks off guard, but there are ways to block them. Have any thoughts or experiences with DHCP security? Share your insights below!
Thank's for the great Video. What tool are you using for the Network Simulation?
Hello! I use GNS3
Thanks
Welcome 🙏
In IPV6 I think he will have a bit of problem in exhausting the IPV6 addresses on a network:), is time we move on and leave IPV4 behind.
100% agree!
@TheNetworkTrip well done. Can i ask you , can we get video about
/ip cloud advanced set use-local-address=yes and what this does?
Thank you!
IP Cloud is an interesting topic, I'll record a video about it.
Hello, I have the following question, I don't know if you can answer it... if we have one or more switches in front of the switch that interconnects with the router, we have to place the "trunk" (fiber) ports as "trusted" that interconnect the switches between them? Where several VLANS pass as explained in your video "Mikrotik VLANs - CRS3XX Step by Step - Mikrotik Tutorial". Thanks.
Hello!
That’s correct, the trunk interfaces will be trusted.
@@TheNetworkTrip Thanks. I will do it.
hmm since you redirect to cpu only packets that are on selected interfaces and of selected type and port destination is it still necessary to specify everything on bridge filter? i mean wouldn't it be enough to only match mac addresses and allow/block then and let the switch chip do the work of filtering out dhcp packets?
Hello!
The chip is redirecting all traffic to UDP ports 67 and 68. During a DHCP starvation attack, the packets will still reach the CPU, so you need to block them manually. The chip does not block frames on its own.
For DHCP snooping, no additional filters are required, as I demonstrated in the video.
@@TheNetworkTrip yes i understand, i'm talking about the fact that switch chip will redirect only packets that are udp and 67-68 port src/dst so you don't need to check it again at bridge filter, and only check mac address i think less cpu based matching should be a bit faster
That’s correct if those are the only rules under the bridge. However, in a production environment, there may be additional rules targeting other traffic, so it’s important to be specific.
The goal of the video is to show what’s happening first, and if we get it, we can customize the configuration as needed. There are tons of potential things we can do, but the video would be extremely longer.