По ходу полностью "допилил" связку DHCP snooping + Option 82 + Source Guard + ARP Inspection.
Конфиг коммутатора:
! (reviewer annotations use '!' comment lines; drop them if this CLI rejects comments)
! Port and VLAN layout: e1-e24 are client access ports, g1-g4 are "general" mode ports.
! Access ports get STP portfast in auto mode.
! NOTE(review): no BPDU protection for these edge ports is visible in this listing -
! confirm what the platform offers, since portfast ports face untrusted clients.
interface range ethernet e(1-24)
spanning-tree portfast auto
exit
interface range ethernet g(1-4)
switchport mode general
exit
! VLAN 4000 carries client traffic; VLAN 4050 is named "Mng" further down.
vlan database
vlan 4000,4050
exit
! PVID 4000 on g1-g4: untagged frames received on these ports are classified into VLAN 4000.
interface ethernet g1
switchport general pvid 4000
exit
interface ethernet g2
switchport general pvid 4000
exit
interface ethernet g3
switchport general pvid 4000
exit
interface ethernet g4
switchport general pvid 4000
exit
interface range ethernet e(1-24)
switchport access vlan 4000
exit
! Both VLANs are allowed on every g port. No tagged/untagged keyword is given, so the
! platform default applies - TODO confirm it is what the upstream device expects.
interface range ethernet g(1-4)
switchport general allowed vlan add 4000
exit
! NOTE(review): the management VLAN 4050 is reachable through all four g ports;
! restrict it to the ports that really lead to the management network if possible.
interface range ethernet g(1-4)
switchport general allowed vlan add 4050
exit
interface vlan 4050
name Mng
exit
! (reviewer annotations use '!' comment lines; drop them if this CLI rejects comments)
! DHCP snooping: enabled globally and for VLAN 4000; g1 is the only DHCP-trusted port,
! so DHCP server replies are expected to be accepted from g1 only.
! NOTE(review): the dhcpd classes on this page match on Option 82 (agent.circuit-id /
! agent.remote-id), but no Option 82 insertion command appears in this listing. On this
! CLI family that is typically "ip dhcp information option" - verify it is enabled, and
! verify that Option 82 supplied by clients on untrusted ports is dropped, not forwarded.
! NOTE(review): no persistent snooping binding database is configured here; presumably
! bindings are lost on reboot and source-guarded clients stay blocked until they renew - confirm.
ip dhcp snooping
ip dhcp snooping vlan 4000
interface ethernet g1
ip dhcp snooping trust
exit
! ARP inspection: enabled globally and for VLAN 4000; g1-g4 are all ARP-trusted,
! i.e. ARP arriving on those ports is not expected to be checked against the bindings.
! NOTE(review): this trust set is wider than the DHCP trust set (g1 only). If g2-g4 lead
! to devices that do not run their own ARP inspection, spoofed ARP can enter through them;
! keep "trust" only on ports whose far end is itself protected.
ip arp inspection
ip arp inspection vlan 4000
interface ethernet g1
ip arp inspection trust
exit
interface ethernet g2
ip arp inspection trust
exit
interface ethernet g3
ip arp inspection trust
exit
interface ethernet g4
ip arp inspection trust
exit
! IP Source Guard: enabled globally, then on each access port e1-e24 individually.
! It presumably filters on the DHCP snooping bindings, so hosts with static addresses
! on these ports would need static bindings - TODO confirm against the platform guide.
ip source-guard
interface ethernet e1
ip source-guard
exit
interface ethernet e2
ip source-guard
exit
interface ethernet e3
ip source-guard
exit
interface ethernet e4
ip source-guard
exit
interface ethernet e5
ip source-guard
exit
interface ethernet e6
ip source-guard
exit
interface ethernet e7
ip source-guard
exit
interface ethernet e8
ip source-guard
exit
interface ethernet e9
ip source-guard
exit
interface ethernet e10
ip source-guard
exit
interface ethernet e11
ip source-guard
exit
interface ethernet e12
ip source-guard
exit
interface ethernet e13
ip source-guard
exit
interface ethernet e14
ip source-guard
exit
interface ethernet e15
ip source-guard
exit
interface ethernet e16
ip source-guard
exit
interface ethernet e17
ip source-guard
exit
interface ethernet e18
ip source-guard
exit
interface ethernet e19
ip source-guard
exit
interface ethernet e20
ip source-guard
exit
interface ethernet e21
ip source-guard
exit
interface ethernet e22
ip source-guard
exit
interface ethernet e23
ip source-guard
exit
interface ethernet e24
ip source-guard
exit
! (reviewer annotations use '!' comment lines; drop them if this CLI rejects comments)
! Management plane: the switch is 10.0.0.5/24 in VLAN 4050, default gateway 10.0.0.1.
! NOTE(review): no restriction on which hosts may reach the management services is
! visible in this listing - confirm that access to 10.0.0.5 is limited to admin hosts.
interface vlan 4050
ip address 10.0.0.5 255.255.255.0
exit
ip default-gateway 10.0.0.1
hostname Alc-test-sw
! Local account at level 15 (presumably the highest privilege level on this CLI).
! The password is stored as a hash, partly masked by the author. Keep it masked when
! sharing configs: the "encrypted" keyword shows the CLI accepts the hash as-is, so the
! full string works as a credential and can also be attacked offline.
username muff password 4c87d8ad************************e9 level 15 encrypted
В dhcp.conf соответственно:
# Global dhcpd settings.
option domain-name "test.com";
option domain-name-servers 8.8.8.8;
# Send dhcpd messages, including the "Lease ..." audit lines produced by the log()
# statement in this file, to syslog facility local7.
log-facility local7;
# Default and maximum lease are both 600 seconds.
# NOTE(review): presumably kept short so that the switch's snooping bindings are
# refreshed often; confirm the renew load is acceptable.
default-lease-time 600;
max-lease-time 600;
ddns-update-style none;
# Use 10.0.0.1 as the server's own address (this is also the switch's default gateway).
local-address 10.0.0.1;
authoritative;
# Audit log: for every request that carries Option 82 (agent.circuit-id present),
# write one "Lease" line with the leased IP, client MAC, switch port and VLAN.
# These lines are the record of which port held which address, so keep the local7 log.
# NOTE(review): Option 82 is only as trustworthy as the device that inserted it; it
# should be accepted from the snooping switch only, never from the client itself.
if exists agent.circuit-id
{
# IP: leased-address as dotted decimal.
log(info, concat("Lease"," IP ",binary-to-ascii(10, 8,".",leased-address),
# MAC: bytes 1-6 of "hardware" in hex. binary-to-ascii() does not zero-pad, so an
# octet below 0x10 is logged as a single digit (e.g. "0:c:29" rather than "00:0c:29").
" MAC ",binary-to-ascii(16,8,":",substring(hardware,1, 6)),
# Port: last byte of circuit-id. VLAN: the two bytes at offset 2, read as one 16-bit number.
# These offsets assume this switch's circuit-id layout - TODO confirm on other models.
" port ",binary-to-ascii(10,8, "",suffix(option agent.circuit-id, 1)),
" VLAN ",binary-to-ascii(10, 16,"",substring(option agent.circuit-id, 2, 2))
)
);
}
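# Class "sw1-p2" (presumably switch 1, port 2): matches a request whose Option 82 data
# identifies one specific switch and port:
#   - the last 5 bytes of agent.remote-id select the switch,
#   - the last byte of agent.circuit-id, as a decimal number, selects the port.
# The remote-id is compared as raw bytes, not through binary-to-ascii(): that function
# does not zero-pad, so the bytes 00:00 would render as "0:0" and a comparison with the
# string "12:cf:5b:00:00" could never succeed.
# NOTE(review): membership in this class gates an address pool, so it is only as
# trustworthy as the Option 82 data; the switch must insert it itself and must not
# pass through Option 82 supplied by clients on untrusted ports.
class "sw1-p2" {
  match if suffix(option agent.remote-id, 5) = 12:cf:5b:00:00
    and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "2";
}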
# Client subnet 10.10.0.0/24 with default gateway 10.10.0.254.
subnet 10.10.0.0 netmask 255.255.255.0
{
option routers 10.10.0.254;
# Single-address pool: 10.10.0.34 is offered only to members of class "sw1-p2".
# No other pool is declared in this block, so as shown a client that does not match
# the class gets no lease from this subnet.
pool { range 10.10.0.34; allow members of "sw1-p2"; }
}