What kind of switches are they using? DHCP Snooping is exactly what you want to use to counter such an attack as it will only allow 1 DHCP offer back to the client to prevent a host from accepting multiple offers.
Also, consider coupling in ARP Snooping (if it is a Layer 3 switch or above) to prevent hosts from forging another legitimate host's MAC address to obtain multiple addresses. ARP Spoofing relies on the DHCP Snooping table however, so DO NOT turn it on without having a stable database of valid DHCP bindings. Another option would be to couple in Port Security (which is available on most newer Catalysts) to prevent multiple MAC addresses from being seen on a single port - thus preventing a host from generating hundreds of random MAC addresses and starving the DHCP pool.

HTH,
Aaron

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=133469&t=133469
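
A Catalyst IOS configuration sketch for the three controls discussed in the message above, as an added example that is not part of the original post. VLAN 10, the interface names, the rate and MAC limits, and the database file name are assumptions for illustration.

```cisco
! Added example. VLAN 10, interface names, limits and file name are assumed.
!
! Step 1: DHCP snooping. Only the uplink toward the DHCP server is trusted,
! so server replies (OFFER/ACK) arriving on any other port are dropped.
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist the binding table so it survives a reload.
ip dhcp snooping database flash:dhcp-snooping.db
!
interface GigabitEthernet0/1
 description Uplink toward DHCP server (assumed)
 ip dhcp snooping trust
!
! Step 2: access port. Rate-limit DHCP packets and cap the number of
! source MAC addresses so one host cannot exhaust the pool with random MACs.
interface GigabitEthernet0/2
 description Access port for a single host (assumed)
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! Step 3: ARP inspection validates ARP against the snooping bindings.
! Enable it only after "show ip dhcp snooping binding" lists the
! legitimate hosts; otherwise their ARP traffic is dropped.
ip arp inspection vlan 10
!
interface GigabitEthernet0/1
 ip arp inspection trust
```

Hosts with static addresses never appear in the snooping table, so they need an ARP ACL (`arp access-list`) before step 3 is applied.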