DHCP security

[Ed Greshko]

Ashley M. Kirchner wrote:
> 
>    While I realize DHCPd isn't a security program of any kind, this does
> have to do with it.  So I just switched our entire network over to DHCP
> assigned IPs in preparation for another project.  But in doing that,
> I've come to realize that anyone could plug in their machine and
> manually set their IP address and by-pass the DHCP discovery all
> together.  And thus also gaining access to our internal network,
> something we might not necassarily want to allow.  So the question now
> is, is there some way to restrict traffic to only those assigned IPs
> (through DHCP) and block anything else that happens to show up on the
> network?  Maybe through iptables somehow?

FWIW, I feel the only truly secure way to do this is to use managed switches.