Now that we have DHCP snooping on the latest release candidate it would be really nice to have IP source guard and dynamic ARP inspection, so a user cannot use another IP address than the one provided by DHCP.
This exists I believe. For your LAN interface, set arp mode to read-only.
If you want a statically set IP for a client, you’d first have to add his mac to the arp table with desired IP.
Everyone else must use their dynamic IP given by DHCP.
But what does DHCP Snooping do in RC? I thought it should do exactly that.
Well, the DHCP snooping feature in the newest RC only blocks rogue DHCP servers, nothing else.
I just tested it in version 6.43rc66.
Yeah, sounds like it has almost nothing to do with DHCP Snooping
More like DHCP Server Screening…
Here are two links for anyone who is not quite sure what I’m talking about:
https://www.juniper.net/documentation/en_US/junos/topics/concept/port-security-ip-source-guard.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/port-security-dynamic-arp-inspection.html
@Mikrotik: Your implementation of DHCP Snooping is a very good improvement in switch security. Good work.
Since you are already filtering DHCP packets with DHCP Snooping, would you consider adding an option like “Add DHCP Snooping ARP entry” to the DHCP Snooping options?
It could work (at least) by adding/updating an ARP entry whenever a DHCPACK is received from a “Trusted” port, similar to the “add-arp” option in DHCP Server.
That, together with “arp-reply” would prevent rogue clients when the DHCP server is on another switch/router.
Best regards.
- This is also available in Cisco-land as ip source verify and is applied at the interface level.
- Like others have said here, while DHCP snooping is a great step forward in expanding the MT security toolset, that feature is very narrow in terms of the security it provides.
- The more salient issue is when an attacker knows the client IP address. Neither DHCP snooping nor read-only ARP are able to prevent such a spoof, whereas ip source verify can.
- It is almost certain that implementing source verify requires DHCP snooping as the latter’s database is typically what is queried to determine if a packet with a given SA is allowed through.
- It is also important to provide the ability to add static IP-to-MAC mappings so that trusted sources w/ static IPs are allowed through. The command in Cisco-land is:
— ip source binding [ MAC_ADDRESS ] vlan [ VLAN_ID (optional) ] [ IP_ADDRESS ] interface [ INGRESS_INTERFACE ]
- I definitely vote in favor of implementing this very important security feature.
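The post above describes how the three features fit together: DHCP snooping builds a binding database from DHCPACKs seen on trusted ports, static bindings are added by the operator for hosts with fixed addresses, and IP source guard and dynamic ARP inspection consult that database to decide whether a frame from an untrusted port is allowed. The following is an added example written for this thread, not code from MikroTik, Cisco or any poster; it simulates that data flow in Python so the decisions can be traced. All class, method and port names (SnoopingSwitch, allow_ip, allow_arp, ether1..ether4) and the DHCP exchange are constructed assumptions, not RouterOS or IOS identifiers.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding database."""
    mac: str
    ip: str
    vlan: int
    port: str
    static: bool = False   # True for operator-supplied entries (cf. Cisco "ip source binding")


class SnoopingSwitch:
    """Simulated switch state: trusted ports, snooping bindings, and the ARP
    entries the thread proposes deriving from DHCPACKs. Names are assumptions
    made for this example; they are not RouterOS or IOS names."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending: Dict[Tuple[int, str], str] = {}       # (vlan, client mac) -> port that sent DISCOVER/REQUEST
        self.bindings: Dict[Tuple[int, str], Binding] = {}  # (vlan, ip) -> binding
        self.arp: Dict[Tuple[int, str], str] = {}           # (vlan, ip) -> mac, the "add-arp"-style table

    def add_static(self, mac, ip, vlan, port):
        """Static IP-to-MAC-to-port mapping for hosts that do not use DHCP."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port, static=True)
        self.arp[(vlan, ip)] = mac

    def observe_dhcp(self, msg) -> bool:
        """Apply DHCP snooping to one message; returns True if the message is forwarded."""
        key = (msg["vlan"], msg["chaddr"])
        if msg["type"] in ("DHCPDISCOVER", "DHCPREQUEST"):
            # Remember which access port the client sits on so the ACK can be bound to it.
            self.pending[key] = msg["ingress_port"]
            return True
        if msg["type"] in ("DHCPOFFER", "DHCPACK"):
            if msg["ingress_port"] not in self.trusted:
                return False                        # server message from an untrusted port: rogue server, dropped
            if msg["type"] == "DHCPACK" and key in self.pending:
                port = self.pending.pop(key)
                b = Binding(msg["chaddr"], msg["yiaddr"], msg["vlan"], port)
                self.bindings[(b.vlan, b.ip)] = b
                self.arp[(b.vlan, b.ip)] = b.mac    # the "Add DHCP Snooping ARP entry" idea from the thread
            return True
        return True                                 # other message types are forwarded untouched here

    def _matches(self, vlan, port, mac, ip) -> bool:
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac and b.port == port

    def allow_ip(self, vlan, port, src_mac, src_ip) -> bool:
        """IP source guard: an untrusted port may only send from a bound (ip, mac, port) triple."""
        return port in self.trusted or self._matches(vlan, port, src_mac, src_ip)

    def allow_arp(self, vlan, port, sender_mac, sender_ip) -> bool:
        """Dynamic ARP inspection: the ARP sender fields must agree with the binding table."""
        return port in self.trusted or self._matches(vlan, port, sender_mac, sender_ip)


def demo():
    """Constructed scenario: ether1 is the uplink to the real DHCP server, ether2 a client,
    ether3 a host that tries to spoof, ether4 a printer with a static address."""
    sw = SnoopingSwitch(trusted_ports={"ether1"})
    sw.add_static("cc:cc:cc:cc:cc:cc", "10.0.0.10", 10, "ether4")
    sw.observe_dhcp({"type": "DHCPDISCOVER", "vlan": 10, "chaddr": "aa:aa:aa:aa:aa:aa", "ingress_port": "ether2"})
    rogue_ack = sw.observe_dhcp({"type": "DHCPACK", "vlan": 10, "chaddr": "aa:aa:aa:aa:aa:aa",
                                 "yiaddr": "10.0.0.99", "ingress_port": "ether3"})
    real_ack = sw.observe_dhcp({"type": "DHCPACK", "vlan": 10, "chaddr": "aa:aa:aa:aa:aa:aa",
                                "yiaddr": "10.0.0.50", "ingress_port": "ether1"})
    return {
        "rogue_ack_forwarded": rogue_ack,
        "real_ack_forwarded": real_ack,
        "client_own_ip": sw.allow_ip(10, "ether2", "aa:aa:aa:aa:aa:aa", "10.0.0.50"),
        "client_other_ip": sw.allow_ip(10, "ether2", "aa:aa:aa:aa:aa:aa", "10.0.0.51"),
        "known_ip_from_other_port": sw.allow_ip(10, "ether3", "bb:bb:bb:bb:bb:bb", "10.0.0.50"),
        "arp_claim_of_client_ip": sw.allow_arp(10, "ether3", "bb:bb:bb:bb:bb:bb", "10.0.0.50"),
        "static_host": sw.allow_ip(10, "ether4", "cc:cc:cc:cc:cc:cc", "10.0.0.10"),
        "arp_entry_for_client": sw.arp.get((10, "10.0.0.50")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the post makes shows up in the last three checks: read-only ARP alone would not stop a host on ether3 that already knows 10.0.0.50, but a binding table that ties the address to a MAC and an ingress port does, and the static entry for ether4 is what keeps a non-DHCP host from being cut off once the guard is enabled.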
Extremely needed function (primarily for CRS3XX series switches). @MikroTik, add it, please.
+1 on this, I hope they won’t forget this important feature