Mon Apr 22, 2019 12:27 pm
@Mikrotik: Your implementation of DHCP Snooping is a very good improvement in switch security. Good work.
Since you are already filtering DHCP packets with DHCP Snooping, would you consider adding an option like "Add DHCP Snooping ARP entry" to the DHCP Snooping options?
It could work (at least) by adding/updating an ARP entry whenever a DHCPACK is received from a "Trusted" port. Similar to the "add-arp" option in DHCP Server.
That, together with "arp-reply" would prevent rogue clients when the DHCP server is on another switch/router.
Best regards.
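
The mechanism requested above, sketched as an added example that is not part of the original post and is not MikroTik code: a binding is written only when a DHCPACK arrives on a trusted port. The `snoop` hook, the table layout, the port names and the sample packets are assumptions made for illustration.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie at offset 236
DHCPACK = 5                        # value of option 53 for an ACK

def parse_reply(payload):
    """Return (msg_type, yiaddr, chaddr, lease) for an Ethernet BOOTREPLY, else None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    if payload[0] != 2 or payload[1] != 1 or payload[2] != 6:
        return None
    yiaddr = socket.inet_ntoa(payload[16:20])
    chaddr = payload[28:34].hex(":")
    msg_type = lease = None
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:                    # truncated option: reject packet
            return None
        if code == 53 and length == 1:
            msg_type = value[0]
        elif code == 51 and length == 4:
            lease = struct.unpack("!I", value)[0]
        i += 2 + length
    return msg_type, yiaddr, chaddr, lease

def snoop(arp_table, trusted_ports, ingress_port, payload):
    """Hypothetical hook: bind IP to MAC only for a DHCPACK from a trusted port."""
    parsed = parse_reply(payload)
    if parsed is None or ingress_port not in trusted_ports:
        return False
    msg_type, yiaddr, chaddr, lease = parsed
    if msg_type != DHCPACK or yiaddr == "0.0.0.0":  # e.g. ACK to DHCPINFORM
        return False
    arp_table[yiaddr] = {"mac": chaddr, "lease": lease}
    return True

def build_reply(msg_type, yiaddr, mac, lease=600):
    """Constructed sample packet for the demo, not captured traffic."""
    hdr = bytes([2, 1, 6, 0]) + bytes(12) + socket.inet_aton(yiaddr) + bytes(8)
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10 + 192)
    opts = bytes([53, 1, msg_type, 51, 4]) + struct.pack("!I", lease) + b"\xff"
    return hdr + DHCP_MAGIC + opts
```

The lease time is stored with each binding so that an entry can be aged out when the lease expires instead of remaining in the table indefinitely.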