Arran Cudbard-Bell <[email protected]> wrote:
>
>> The better way to do this is get your network infrastructure to enforce
>> this. Even really old Cisco switches support DHCP snooping, I
>> understand HP and other venduh's have their own similar thing.
>>
> Yes. We have it enabled on most of our smarter L2/3 switches on campus.
> Once it's combined with dynamic ARP protection or IP lockdown (like it
> can be on the ProCurve switches), then it makes life quite difficult for
> those statically assigning IPs.
>
> It's hideously broken on the 2600s though, doesn't process lease
> renewals properly. So ATM it's only good for preventing rogue DHCP
> servers, and little bits of compliance.
>
Wait till you look at the DHCP snooping on a Cisco WLC 4400. It is so
picky about enforcing DHCP, that if the client already has a lease, it
cannot ask for a new one[1] until the already assigned one has expired.
Cisco's solution for the past year or so: have your leases cracked down
to five minutes or less :-/
Cheers
[1] say in the *ahem* uncommon *ahem* case that a client moves between
APs or disconnects, reconnects... or hell, even reboots their
computer
--
Alexander Clouter
.sigmonster says: Knowledge is power.
-- Francis Bacon