Arran Cudbard-Bell <a.cudbard-bell@sussex.ac.uk> wrote:
The better way to do this is get your network infrastructure to enforce this. Even really old Cisco switches support DHCP snooping, I understand HP and other venduh's have their own similar thing.
Yes. We have it enabled most of our smarter L2/3 switches on campus. Once it's combined with dynamic ARP protection or IP lockdown (like it can be on the ProCurve switches), then it makes life quite difficult for those statically assigning IPs.
It's hideously broken on the 2600s though, doesn't process lease renewals properly. So ATM it's only good for preventing rogue DHCP servers, and little bits of compliance.
Wait till you look at the DHCP snooping on a Cisco WLC 4400. It is so picky about enforcing DHCP, that if the client already has a lease, it cannot ask for a new one[1] until the already assigned one has expired. Cisco's solution for the past year or so, have your leases cracked down to five minutes or less :-/ Cheers [1] say in the *ahem* uncommon *ahem* case that a client moves between AP's or disconnects, reconnects...or hell even reboots their computer -- Alexander Clouter .sigmonster says: Knowledge is power. -- Francis Bacon