Wireless Access

  • 1.  enforce dhcp

    Posted Sep 24, 2014 08:23 AM
    Hi

    We are going to use the enforce DHCP option on the controller to avoid static IP address clients.

    Can we use the enforce DHCP option if we use an external DHCP server, or can it be used only if we have an internal DHCP server?

    If it can be used along with an external DHCP server, then how will the controller keep track of DHCP exchanges?

    Thanks in advance
    #ALE


  • 2.  RE: enforce dhcp

    Posted Sep 24, 2014 08:24 AM
    Yes, most use it with an external server. Since the controller is "in-line", it sees the whole DORA.


  • 3.  RE: enforce dhcp

    Posted Sep 24, 2014 03:20 PM

     

    We are doing this in production with two peered external DHCP servers and it works fine for us.

    Note there are other related flags in the global firewall you may want to investigate -- we run with "Prevent DHCP exhaustion", "Prohibit IP spoofing" and "Prohibit ARP spoofing" turned on. Those are all essential ingredients to good first-hop security.

    With the latter option enabled, you may also want to consider local-proxy-arp on your client VLAN interfaces, but take care that you understand it if your controller has an IP applied to those VLAN interfaces.  This prevents occasional blacklisting events if there is a device that accidentally sends corrupt ARP replies (iPhone) and also reduces the ARP traffic over the air in general, which is a good thing.
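
An added illustration for the question in this thread, not part of any post and not Aruba's implementation: a toy Python model of how an in-line device can learn address bindings by watching the DORA exchange with an external DHCP server, then refuse traffic from clients that never completed it. The class name, message fields, MAC addresses and IP addresses are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class InlineEnforcer:
    """Hypothetical model of an in-line device enforcing DHCP-learned addresses."""
    pending: dict = field(default_factory=dict)   # xid -> client MAC awaiting an ACK
    bindings: dict = field(default_factory=dict)  # client MAC -> leased IP

    def on_dhcp(self, msg):
        kind, mac, xid = msg["type"], msg["chaddr"], msg["xid"]
        if kind == "REQUEST":
            self.pending[xid] = mac
        elif kind == "ACK" and self.pending.get(xid) == mac:
            # Only an ACK answering a REQUEST that was seen creates a binding.
            self.bindings[mac] = msg["yiaddr"]
            del self.pending[xid]
        elif kind == "NAK":
            self.pending.pop(xid, None)
        elif kind == "RELEASE":
            self.bindings.pop(mac, None)
        # DISCOVER and OFFER commit nothing, so they change no state.

    def permit(self, src_mac, src_ip):
        """Allow data traffic only when the source IP is the one leased to this MAC."""
        return self.bindings.get(src_mac) == src_ip

CLIENT_A = "aa:aa:aa:00:00:01"  # constructed: client that uses DHCP
CLIENT_B = "bb:bb:bb:00:00:02"  # constructed: client with a static address

# Constructed DORA exchange passing through the in-line device to an external server.
DORA = [
    {"type": "DISCOVER", "chaddr": CLIENT_A, "xid": 0x1001},
    {"type": "OFFER", "chaddr": CLIENT_A, "xid": 0x1001, "yiaddr": "10.0.0.50"},
    {"type": "REQUEST", "chaddr": CLIENT_A, "xid": 0x1001},
    {"type": "ACK", "chaddr": CLIENT_A, "xid": 0x1001, "yiaddr": "10.0.0.50"},
]

def demo():
    enforcer = InlineEnforcer()
    for msg in DORA:
        enforcer.on_dhcp(msg)
    return {
        "leased": enforcer.permit(CLIENT_A, "10.0.0.50"),   # completed DORA
        "static": enforcer.permit(CLIENT_B, "10.0.0.77"),   # never did DHCP
        "spoofed": enforcer.permit(CLIENT_B, "10.0.0.50"),  # A's IP from B's MAC
    }

if __name__ == "__main__":
    print(demo())
```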