Yeah, it looks like Mikrotik doesn’t have an easy way to do this either and it’s been a popular request for more than a year. Cisco and Juniper both have DHCP Option 82 features that allow for this kind of behavior down to the individual switch port MACs (circuit IDs). Adds a bit of network hardening by locking in a specific path of a requesting MAC, and when it doesn’t match, it doesn’t respond.
We’re not having any issues that this would directly address at the moment, I’m just exploring ways of further hardening our bridged networks from known common attack methods.
It would be nice, and maybe fairly simple, to have sonar do what I’m trying to do, leveraging your batcher tool, i.e., if a DHCP request is sent to sonar and the account is statically assigned, match the client MAC to the assignment and the agent remote ID to the inventory item, and then write the lease to the Mikrotik. If either data point fails to match, then drop the request.
Elaborating on an idea in the future: I could then hypothetically tie our network controller to a sonar API/webhook to monitor for failed DHCP matches (wrong paths), identify the offending source port on our network via the agent MAC value, then have our controller turn off/block that specific switch port of all traffic and notify the admin team of the occurrence.
This would effectively shut down a snooper/hacker automatically network-wide without much effort and give us visibility into the exact location of malicious behavior to go look into.
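As an added example (not the poster's code, nor anything from sonar or Mikrotik), here is the match described above in Python: it pulls the client MAC and the Option 82 Circuit ID / Remote ID (RFC 3046 sub-options 1 and 2) out of a raw DHCP request, checks them against a static inventory, and on a mismatch returns the relay IDs that locate the offending port. The inventory entries, switch and port names, and the sample request are all constructed for the example.

```python
"""Option 82 path check: match client MAC plus relay agent IDs against a static inventory."""
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie at offset 236 of a BOOTP frame

# Constructed inventory (not real data): the static IP for each client MAC, plus the
# switch (Remote ID) and port (Circuit ID) that MAC is allowed to request from.
INVENTORY = {
    "aa:bb:cc:dd:ee:01": {"ip": "10.10.1.20", "remote_id": b"sw-edge-01", "circuit_id": b"eth7"},
}

def parse_tlvs(data, end_code=None):
    """Parse TLV-encoded DHCP options (or Option 82 sub-options) into {code: value}."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == end_code:
            break
        if code == 0:          # DHCP pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(data):  # truncated option: stop rather than read past the end
            break
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out

def evaluate(packet):
    """Decide what the DHCP server should do with one raw request: lease or drop."""
    if packet[236:240] != MAGIC_COOKIE:
        return {"action": "drop", "reason": "not DHCP"}
    hlen = packet[2]                                   # hardware address length
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])  # chaddr field
    opts = parse_tlvs(packet[240:], end_code=255)
    relay = parse_tlvs(opts.get(82, b""))              # sub-option 1 = Circuit ID, 2 = Remote ID
    circuit, remote = relay.get(1), relay.get(2)
    result = {"mac": mac, "remote_id": remote, "circuit_id": circuit}
    entry = INVENTORY.get(mac)
    if entry is None:
        return {**result, "action": "drop", "reason": "unknown client MAC"}
    if remote != entry["remote_id"] or circuit != entry["circuit_id"]:
        # The failed match a controller could act on: remote_id/circuit_id name the switch port.
        return {**result, "action": "drop", "reason": "path mismatch"}
    return {**result, "action": "lease", "ip": entry["ip"]}

def build_request(mac, circuit_id, remote_id):
    """Constructed DHCPREQUEST (not a real capture) carrying Option 82, for exercising evaluate()."""
    hdr = bytearray(236)
    hdr[0:3] = b"\x01\x01\x06"                         # BOOTREQUEST, Ethernet, hlen 6
    hdr[28:34] = bytes.fromhex(mac.replace(":", ""))
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    return bytes(hdr) + MAGIC_COOKIE + bytes([53, 1, 3]) + bytes([82, len(sub)]) + sub + b"\xff"
```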