IP Dhcp snooping and IP Source Guard

farrukh19911
Level 1

Good day to all

How do I enable DHCP snooping and IP Source Guard so that the user in VLAN 60 (PC1) is not able to use any static address other than 192.168.20.2 from DHCP, while not affecting the other VLAN? The scheme does not change and there is no other equipment.

24 Replies

An even more complete example for switch1.  I am 75% confident you can do option 82 processing on the MikroTik, but I'll leave you to figure that out.

Enabling option 82 simply inserts an extra option in every DHCP request.  Only DHCP servers that can process option 82 can do anything with it.  It won't break anything extra by turning on option 82 on the switch.

ip dhcp snooping vlan 60
ip dhcp snooping
ip dhcp snooping information option

interface Gigabit a/b/c
  description DHCP Server or uplink to switch to DHCP server
  ip dhcp snooping trust

interface Gigabit a/b/d
  description Interface facing client
  ip verify source

Now switch1, to which the hosts are connected, works as follows:
1) The following is turned on on the switch:
ip dhcp snooping
ip dhcp snooping vlan 60
2) On ports 1-9 the ip verify source function is enabled
3) Everything works fine, as I wanted: clients get their IP from the DHCP server only and cannot even use their own IP as a static address, because of ip verify source

A task: Now it is necessary that on the 10th port all PCs are able to use a single address which is tied to the switch port. Only the one address which is given by DHCP. How is it implemented?

Add the following on switch1:

ip dhcp snooping information option

Then configure your DHCP server to give out the same IP address for the port every time.

I did everything as you said, but the client didn't get an ip.

I also posted the screenshot of the DHCP server.

But when I enter ip dhcp snooping information option on Switch1, it doesn't show up in the sh run conf.

You need to match on the circuit and port identifier, not the switch port MAC address.

You'll have to find an article on how to configure this on a MikroTik.

Do you think that the problem is only in the DHCP server?

Is there no problem with the configuration of the switches?

Is the DHCP server reporting a circuit identifier in DHCP requests?

Yes. Clients receive the IP addresses, and the DHCP server is reporting a circuit identifier in DHCP requests (on MikroTik in IP>DHCP Server>Leases). It is only if I tie the IP address to the host MAC.

Then that confirms the switch is inserting the option 82 correctly.

Now you have to figure out how to configure your DHCP server to tie the IP address to the circuit identifier instead of the MAC address.  I don't know if the MikroTik is sophisticated enough to do this or not.

It means that MikroTik supports option 82, but how to configure it, that is the question.
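
The binding discussed in the thread, keyed on the option 82 circuit identifier instead of the client MAC, sketched in Python as an added example that is not from any poster and is not MikroTik or Cisco configuration. The sub-option layout (circuit-id as VLAN, module, port; remote-id as the switch MAC), the switch MAC, the port numbering and the names `SAMPLE_OPT82` and `RESERVATIONS` are assumptions; compare them with a captured DHCP request from your own switch before relying on them.

```python
import struct

# Constructed sample: option 82 payload in the default Cisco Catalyst layout
# (assumption): circuit-id = VLAN 60, module 0, port 10; remote-id = switch MAC.
SAMPLE_OPT82 = bytes.fromhex("0106" "0004" "003c" "00" "0a"
                             "0208" "0006" "001122334455")

# Hypothetical reservation table keyed on (remote-id MAC, vlan, module, port).
RESERVATIONS = {("00:11:22:33:44:55", 60, 0, 10): "192.168.20.2"}


def parse_option82(payload: bytes) -> dict:
    """Split option 82 into sub-options and decode circuit-id / remote-id."""
    out, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length exceeds payload")
        i += 2 + length
        if code == 1 and length == 6 and value[:2] == b"\x00\x04":
            vlan, module, port = struct.unpack("!HBB", value[2:])
            out["circuit"] = (vlan, module, port)
        elif code == 2 and length == 8 and value[:2] == b"\x00\x06":
            out["remote"] = ":".join(f"{b:02x}" for b in value[2:])
        else:
            # Keep anything in another format instead of guessing at it.
            out.setdefault("unknown", []).append((code, value))
    return out


def reserved_address(payload: bytes, client_mac: str):
    """Pick the lease from the switch port; client_mac is deliberately ignored."""
    info = parse_option82(payload)
    if "circuit" not in info or "remote" not in info:
        return None  # no usable option 82: fall back to the normal pool
    return RESERVATIONS.get((info["remote"], *info["circuit"]))


if __name__ == "__main__":
    # Two different PCs on the same port receive the same reserved address.
    for mac in ("aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"):
        print(mac, "->", reserved_address(SAMPLE_OPT82, mac))
```

Because the lookup never consults the client MAC, any PC plugged into the reserved port is offered the same address, and the snooping binding that ip verify source enforces follows whichever PC currently holds that lease.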