this pic is my lan network topology.
i seeting the dhcp-reply function on the cisco 3550, the real dhcp-server is ros .
and the arp is enabled on the interface. but i can not bind the ip by the pc mac address.
i have seen many dynamic ip on the winbox.
can i bind ip by the mac address on the winbox.
Do you want to have the dhcp server issue the same ip to the same mac address every time?
/ip dhcp-server lease
make-static X
Replace X with the line of the dhcp lease for that mac address.
After the “make-static” , you can change the ip assignment at this point to whatever ip you want the dhcp server to issue.
oh ,no!
i just want when a new pc join in net , it’s ip have to assignment by me. it can not get the dynamic ip.
Are you using a hotspot? Otherwise, assign the ip/subnet/gateway/dns in the client computer. Use an ip that is not assigned by the dhcp server.
no , i have not using a hotspot.
Do you need a dhcp server on the localnet? If not, disable it. Maybe it is just me, but I think you have a choice of two (edit:three) solutions:
set the ips static (manually) in the client computers and disable the dhcp server
or
set the dhcp-server lease to static in the router
or
use a radius server in conjunction with the dhcp server to assign ips to the mac addresses.
To disable the dhcp server:
/ip dhcp-server
disable X
Replace X with the line of the dhcp server for that interface.
i just want when a new pc join in net , it’s ip have to assignment by me. it can not get the dynamic ip. also if the newer manually assign the ip/mask/gateway mua, it also can not join in the net.
when i added it’s ip and mac address on dhcp-server lease, it can join in the net. plz look here.
It is YOUR network. How do you want to assign the ips?
In the client computer manually (static assignment)?
Or by dhcp with either a static lease or radius?
Both allow you to choose the ip. One requires you set up the client computer manually, the other doesn’t. Your choice.
ADD: For example, the mac-ip set in the screenshot above, click the “Make Static” button. That mac address will always get that ip when it requests one (renew ip lease).
In my network, i assign the ips by dhcp.
the newer can not random get ip, it can get the ip just after i assign the mac address and ip at dhcp-server lease. so i can know who owned the ip in my network.
My purpose was to prevent DHCP server randomly assigned dynamic IP to access the computer network.
If you want to avoid access by the random ips issued, then limit the range of your ip-pool to half the localnet ips. Then block those ips with a “/ip firewall filter” rule. Good macs will get an ip outside the range of the dhcp server. For example, set the ip-pool for that dhcp server to issue 192.168.0.2-192.168.0.127. Then when you want to “allow” a mac address through the firewall rule, set the dhcp lease to “Make Static” and change (edit) the ip to one in the 192.168.0.128-192.168.0.254 range. Use a firewall filter rule like this:
/ip firewall filter
add chain=forward action=drop src-address=192.168.0.0/25
This will drop any connections from 192.168.0.0-192.168.0.127 (random dhcp ips), and still allow the 192.168.0.128-192.168.0.254 ips (your edited or “allowed” dhcp ips) through.
To:SurferTim
Do you have a msn ID Or gtalk? 
It is best to stay here on the forum. Somebody may see something I don’t and be able to help you. I am trying to determine how your network is set up, and what security you expect on it.
Without a hotspot to stop unauthorized users, it is difficult to control public users with ip addresses only. A packet sniffer will tell what ips are getting through, and a good hacker would be through in a few seconds.
To:SurferTim
you don’t understand my purpose.
In my network ,i just want know who owned the ip,
If a guest want to access net In Workspace, he must post the pc mac address to me ,then i assign a ip to her.
So the guest can automatic get ip from the Dhcp-server.
if the guest don’t post the mac address to me ,her will not access to net .This is my purpose.
That is what the comment parameter is for. For each dhcp server lease, make the lease static, then add the name of the user in the comment. Users without anything in the comment are “unknown” users.
ADD: I see your new addition to your post above. Best security is a hotspot. Then the dhcp lease/firewall rule above. But I could get through that dhcp lease trick in a few seconds.
One simple question: are you trying to prevent access to the Internet to new clients, but they can still access the local network regardless? Or are you trying to block ALL access, including the local network, until you have vetted the new client?
TO fewi..
you are right.
That doesn’t answer the question.
Both are different scenarios that have different solutions, and both are solvable. But they are solved on different devices, so before going into a long explanation of the wrong one it would be useful to know what exactly you’re trying to achieve.
ok..
I just want to to block ALL access, including the local network, until I have vetted the new client(A new clinet can access the local network until i added the client mac address to the dhcp-server lease with specify ip ).
Again that is not a clear answer because those two statements are mutually exclusive. First you say you want to block ALL access, including the local network. Then in parentheses you say that a new client can access the local network until you have added him to a DHCP server. Which one are you trying to do? The first statement contradicts the second, and vice versa.
The first is done on the switches and has nothing to do with the router. The second one is configured on the router. Switches can prevent access to the local network (see http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/port_sec.html, applies to other Catalyst models as well), routers cannot prevent access to the local network.