09-24-2014 05:22 AM
We are going to use the enforce DHCP option on the controller to avoid static IP address clients.
Can we use the enforce DHCP option if we use an external DHCP server, or can it be used only if we have an internal DHCP server?
If it can be used along with an external DHCP server, then how will the controller keep track of DHCP exchanges?
Thanks in advance.
09-24-2014 12:19 PM
We are doing this in production with two peered external DHCP servers and it works fine for us.
Note there are other related flags in the global firewall you may want to investigate -- we run with "Prevent DHCP exhaustion", "Prohibit IP spoofing" and "Prohibit ARP spoofing" turned on.
Those are all essential ingredients to good first-hop security.
With the latter option enabled, you may also want to consider local-proxy-arp on your client VLAN interfaces, but take care that you understand it if your controller has an IP applied to those VLAN interfaces. This prevents occasional blacklisting events if there is a device that accidentally sends corrupt ARP replies (iPhone) and also reduces the ARP traffic over the air in general, which is a good thing.