Arran Cudbard-Bell <a.cudbard-b...@sussex.ac.uk> wrote:
>
>> The better way to do this is get your network infrastructure to enforce
>> this. Even really old Cisco switches support DHCP snooping, I
>> understand HP and other venduh's have their own similar thing.
>>
> Yes. We have it enabled on most of our smarter L2/3 switches on campus.
> Once it's combined with dynamic ARP protection or IP lockdown (like it
> can be on the ProCurve switches), then it makes life quite difficult for
> those statically assigning IPs.
>
> It's hideously broken on the 2600s though, doesn't process lease
> renewals properly. So ATM it's only good for preventing rogue DHCP
> servers, and little bits of compliance.
>

Wait till you look at the DHCP snooping on a Cisco WLC 4400. It is so picky about enforcing DHCP, that if the client already has a lease, it cannot ask for a new one[1] until the already assigned one has expired.

Cisco's solution for the past year or so, have your leases cracked down to five minutes or less :-/

Cheers

[1] say in the *ahem* uncommon *ahem* case that a client moves between AP's or disconnects, reconnects...or hell even reboots their computer

-- 
Alexander Clouter
.sigmonster says: Knowledge is power.
                  -- Francis Bacon

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html