DHCP Support on L2 Switch

Tim Peiffer peiffer at umn.edu
Wed May 16 12:41:26 UTC 2007

The benefits to the network of having DHCP Option-82 enabled on an L2 
switch are mostly for clear-cut address tracking down to physical 
resources.  Option-82 is not so clear-cut unless you also deploy some 
methods for enforcing that the only way an address can exist on the 
network is through DHCP; you need to get rid of static addressing.

We run an internal address tracking method that is accurate to within 2 
minutes of traffic inception on our net.  We do this by scraping arp 
tables on the routers, mac-address forwarding tables on switches, and 
inferring sessions of 'time to the IP to the MAC to the port to the 
jack/circuit'.  We do this at the scale of approximately 75,000 access 
ports.  We have searched for years for commercial products to do what we 
do - none were available that could scale or met our requirements.  DHCP 
Option-82 in an enforced environment brings all of the above attributes 
together (date/time, IP, MAC, circuit) and is accurate to within seconds 
of when the IP traffic comes on the wire.

Tim Peiffer
Network Support Engineer
Networking and Telecommunications Services
University of Minnesota.

PS.. You gain tremendous credibility in the network security community 
and/or law enforcement community when you can nail bad network behaviour 
(can you say DDOS?) to a physical port and shut it off within seconds of 
the complaint.
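The correlation the post describes (scraped router ARP tables joined to scraped switch MAC forwarding tables, then merged into time-bounded sessions of IP to MAC to switch port), as an added Python example that is not part of the post or of the University of Minnesota's tracking tool. The addresses, switch names, ports and scrape rows are constructed sample data, and the MAC rows are assumed to be access-port entries only (uplink ports already filtered out).

```python
from collections import defaultdict
from datetime import datetime, timedelta
def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")
# Constructed sample scrapes (not from the post): router ARP and switch MAC
# table entries at each 2-minute scrape; MAC rows assumed access ports only.
ARP_SCRAPES = [  # (scrape time, IP, MAC)
    ("2007-05-16 12:00", "10.1.2.50", "00:11:22:33:44:55"),
    ("2007-05-16 12:02", "10.1.2.50", "00:11:22:33:44:55"),
    ("2007-05-16 12:04", "10.1.2.50", "aa:bb:cc:dd:ee:ff"),  # IP reassigned
    ("2007-05-16 12:06", "10.1.2.50", "aa:bb:cc:dd:ee:ff"),
    ("2007-05-16 12:00", "10.1.2.61", "00:de:ad:be:ef:01"),
    ("2007-05-16 12:10", "10.1.2.61", "00:de:ad:be:ef:01"),  # silent 10 min
]
MAC_SCRAPES = [  # (scrape time, MAC, switch, access port)
    ("2007-05-16 12:00", "00:11:22:33:44:55", "sw-lib-1", "Gi1/0/7"),
    ("2007-05-16 12:02", "00:11:22:33:44:55", "sw-lib-1", "Gi1/0/7"),
    ("2007-05-16 12:04", "aa:bb:cc:dd:ee:ff", "sw-lib-2", "Gi1/0/19"),
    ("2007-05-16 12:06", "aa:bb:cc:dd:ee:ff", "sw-lib-2", "Gi1/0/19"),
    ("2007-05-16 12:00", "00:de:ad:be:ef:01", "sw-lib-1", "Gi1/0/12"),
    ("2007-05-16 12:10", "00:de:ad:be:ef:01", "sw-lib-1", "Gi1/0/12"),
]
def build_sessions(arp, macs, gap=timedelta(minutes=2)):
    """Join ARP and MAC rows from the same scrape into (ip, mac, switch, port)
    observations and merge consecutive ones into sessions; a silence longer
    than one scrape interval closes a session, a reappearance opens a new one."""
    port_at = {(parse_ts(ts), m): (sw, p) for ts, m, sw, p in macs}
    seen = defaultdict(list)
    for ts, ip, m in arp:
        when = parse_ts(ts)
        if (when, m) in port_at:   # IP->MAC and MAC->port seen in the same scrape
            seen[(ip, m) + port_at[(when, m)]].append(when)
    sessions = []
    for key, times in seen.items():
        times.sort()
        start = last = times[0]
        for when in times[1:]:
            if when - last > gap:  # host vanished, then came back
                sessions.append(key + (start, last))
                start = when
            last = when
        sessions.append(key + (start, last))
    return sorted(sessions, key=lambda s: (s[4], s[0]))
def locate(sessions, ip, ts):
    """Abuse-desk question: which (mac, switch, port) had this IP at this time?"""
    when = parse_ts(ts)
    for s_ip, mac, sw, port, start, end in sessions:
        if s_ip == ip and start <= when <= end:
            return mac, sw, port
    return None
```

Accuracy is bounded by the scrape interval, which is why the post quotes "within 2 minutes" for this method and "within seconds" for enforced Option-82.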

