There is a feature on Cisco switches at least that will inspect and block DHCP 
server packets on switch ports not trusted for DHCP. My higher education 
customers who run residential networks tend to deploy this given the propensity 
for students to plug their Best Buy special Linksys in "backwards" (e.g. LAN 
port into the resnet).

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132
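
Added example, not part of the original thread and not Cisco's implementation: a simplified Python model of the check described above (DHCP snooping), in which DHCP server messages are forwarded only when they arrive on a trusted port. The port names, addresses and the build() helper are constructed for illustration.

```python
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # marks the start of DHCP options
SERVER_TYPES = {2: "DHCPOFFER", 5: "DHCPACK", 6: "DHCPNAK"}  # option 53 values only servers send

def dhcp_options(payload):
    """Parse the options field of a BOOTP/DHCP payload into {code: value}."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    return opts

def verdict(port, payload, trusted_ports):
    """Return (action, reason): server messages are forwarded only from trusted ports."""
    opts = dhcp_options(payload)
    mtype = (opts.get(53) or b"\x00")[0]            # option 53 = DHCP message type
    from_server = payload[0] == 2 or mtype in SERVER_TYPES   # op 2 = BOOTREPLY
    if from_server and port not in trusted_ports:
        sid = opts.get(54, b"")                     # option 54 = server identifier
        server = socket.inet_ntoa(sid) if len(sid) == 4 else "unknown"
        kind = SERVER_TYPES.get(mtype, "BOOTREPLY")
        return "drop", f"{kind} from {server} on untrusted port {port}"
    return "forward", "ok"

def build(op, mtype, server_ip=None):
    """Constructed sample payload: 236-byte BOOTP header, cookie, options."""
    opts = bytes([53, 1, mtype])
    if server_ip:
        opts += bytes([54, 4]) + socket.inet_aton(server_ip)
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + opts + b"\xff"

TRUSTED = {"Gi0/24"}                                # hypothetical uplink toward the real DHCP server
if __name__ == "__main__":
    for port, pkt in [("Gi0/24", build(2, 2, "10.0.0.5")),      # legitimate offer
                      ("Gi0/7", build(1, 1)),                   # client DISCOVER
                      ("Gi0/7", build(2, 2, "192.168.1.1"))]:   # router plugged in backwards
        print(port, *verdict(port, pkt, TRUSTED))
```

The dropped case is the home router's DHCPOFFER arriving on an access port; client requests from the same port still pass.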

From: Erik Goldoff [mailto:egold...@gmail.com]
Sent: Wednesday, January 19, 2011 8:29 AM
To: NT System Admin Issues
Subject: RE: DHCP reservations explained...

"I've seen more things go wrong (particularly in smaller networks) with DHCP 
than with DNS.   (Admin deploys new networking device with DHCP server 
functionality turned out, etc)"

Granted, I've seen that too, once or twice.  Rogue DHCP can be a threat 
regardless, because if name resolution is working, and servers are statically 
assigned, but workstations get rogue assignments, productivity is still 
impacted (although less systemically).

Kind of a pick your poison issue... choose based on your own comfort level with 
the associated risks and then deal with it.
Erik Goldoff
IT  Consultant
Systems, Networks, & Security
' Security is an ongoing process, not a one time event! '

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, January 18, 2011 4:50 PM
To: NT System Admin Issues
Subject: Re: DHCP reservations explained...

I am not fond of DHCP for server management, even though I will admit that it 
is a viable possibility.

I prefer the flexibility of configuration that is possible when you have 
statically mapped IPs, and I've done this with hundreds of servers in various 
environments.

In my experience, I've seen more things go wrong (particularly in smaller 
networks) with DHCP than with DNS.   (Admin deploys new networking device with 
DHCP server functionality turned out, etc)

Sure, DHCP maintenance of IP addresses means that you can change them quickly, 
etc, but I can script that if necessary, and I've probably performed major IP 
address changes a half dozen times in the past decade and a half (including 
consulting clients and my home network).

But, it's just me.   I'm not going to get too religious about it either way.



ASB (My Bio via About.Me<http://about.me/Andrew.S.Baker/bio>)
Exploiting Technology for Business Advantage...



On Tue, Jan 18, 2011 at 2:16 PM, Erik Goldoff <egold...@gmail.com> wrote:
I've always liked DHCP reservations over static IP addresses for servers where 
possible for ease of management
   Single view of most servers from DHCP client list
   simple to change parameters globally (default gateway, primary DNS, secondary DNS, etc.) without having to visit each server
   less likely to experience IP in use conflict from out of date tracking spreadsheets when adding new devices to the network
etc, etc, etc
but if your clients/applications use hostnames, then that's what I'd monitor 
for most checks, keeping a single/simple check using the IP address to cross 
verify against name resolution.

On Tue, Jan 18, 2011 at 2:06 PM, David Lum <david....@nwea.org> wrote:
The other day someone commented that it seemed like a bit much that 50% of my 
100-ish servers have DHCP reservations - driving home yesterday I realized 
another reason why I have it that way (because yes, I chew on these questions 
and constantly evaluate why I do some process or another) - because my fellow 
SE's have their server monitoring set up to look at specific IP's instead of 
hostnames and I am unable to convince them otherwise. If the server IP changes 
it hoses their tests and the dependencies.

It's not how I set *MY* monitoring up for servers I maintain, but I have posted 
that question here in fact and have seen differing opinions on whether hostname 
or IP is preferred.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 503.548.5229 // (Cell) 503.267.9764


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com>
with the body: unsubscribe ntsysadmin
