Have to brief bosses on why they need to go DHCP

MichaelD

Lifer
Jan 16, 2001
Oh boy. I stepped in it this time. I am a brand new SysAdmin at my brand new job. I never professed to be a DHCP expert to my bosses. However, they see in my work history that I've worked with it, and I told them I worked with it and extolled its virtues. This is about 10x more experience w/it than most of the other SysAdmins here have. :(

The network is fairly large (about 2,000 client boxes...mostly W2K/WinXP). Servers are W2003 Server and UNIX, which I don't touch and know nothing about. The server/switch backbone is gigabit fiber and copper. All workstations are 10/100 copper. We produce "products" that go out around the world.

Anyway, they are almost complete with a WinNT to W2003 Server/AD migration. HOWEVER, the powers that be refuse to move to DHCP. Believe it or not, every box in this building has a static IP and all client workstations are port-locked to the switch/port they plug into.

I've been trying unsuccessfully to get them to move to DHCP. They said that when they first started the migration, they gave DHCP a shot and it "blew up in their faces."

The rationale they give is that with DHCP, even though you can't get on the domain w/o DA rights, you can still put any box on the network and get an IP.

I understand that in the past, they had some folks bring laptops from home, plug'em in and they infected the network. Now, with static, nobody can get on at all, w/o it being approved first. I understand this, but it seems so "primitive."

Well, today at lunch, I started rattling off what I know about DHCP and how great it is and why it's so stupid that they aren't using it for all client workstations.

They volunteered me to brief the bosses as to why we need to be DHCP for client workstations.

I have worked w/AD for about three years. I can rebuild a server, build DNS records, forwarders and stuff like that. I know HOW DHCP works and I know why it's good, but what do I tell them to convince them that static is not the way to go?

If you can help or advise, thank you. :)
 

cipher00

Golden Member
Jan 29, 2001
Among other things, you might want to try the total cost of ownership route. "It's much cheaper to support..." type of thing (though you might want to have some estimated savings). Can you recommend a smaller run (say, 10-20 machines, or a single small work group) as an experiment?
 

MichaelD

Lifer
Jan 16, 2001
Originally posted by: cipher00
Among other things, you might want to try the total cost of ownership route. "It's much cheaper to support..." type of thing (though you might want to have some estimated savings). Can you recommend a smaller run (say, 10-20 machines, or a single small work group) as an experiment?

:) Thank you. That has been suggested and it looks like they are going to go with a test group of about 50 systems. They still want me to talk to them though. :shocked:
 

spidey07

No Lifer
Aug 4, 2000
the biggest thing is any changes are centralized (domain name, gateways, re-addressing if needed, name servers, etc)

the one thing I do know is that networks change, and making change/adaptability and being able to scale a network are paramount over any other concerns.

As far as plugging a laptop in? Well that may be true but it is the weakest argument there is for security...a simple sniff in 5 seconds would tell me the IP address range (I would see windows broadcasts from clients, arps, routing protocols, etc) , as well as router discovery.

But it does sound like they have some pretty tight security (worms have been a real pain the last 2 years) measures.

How about looking into 802.1x authentication on the switches? That way you have to be authenticated before you can actually communicate.

-edit-
oh. The year is 2004. We use DHCP for clients now. We learned the hard way. Sally moves offices, Sally needs her IP stack reconfigured. Sally goes to a conference room for a presentation - Sally needs her IP stack reconfigured.

DHCP is all about mobility and in today's "anywhere, anytime access" mantra a company is absolutely required to use DHCP.
 

MichaelD

Lifer
Jan 16, 2001
Thanks Spidey, I had kinda blanked-out on the "centralized changes" part. Luckily, I'm not briefing for a few days...I think.

Can you tell me a little more about the 802.1 authentication on the switches? MAC tables or something like that?
 

spidey07

No Lifer
Aug 4, 2000
802.1x is kinda fancy and requires strong/current network gear.

basically the switch asks the client for credentials via a protocol called 802.1x. then the switch queries a radius server (you can integrate your AD if needed). If all is well then the client can talk, if not then you can decide what to do with him...like can't talk, put him in a visitor vlan, etc.

but the overall total cost of ownership is the best route...support costs money and labor ain't cheap.
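The original post's objection to DHCP is that any box plugged in gets an address. Short of the 802.1x port authentication described in the last reply, a cheap compensating control is to watch the DHCP server's own lease log for MACs that are not in the asset inventory, which is what the static-IP approval process was really enforcing. The script below is an added example, not code from anyone in this thread; the log lines are constructed and modelled on the column layout of the Windows DHCP server audit log (ID,Date,Time,Description,IP Address,Host Name,MAC Address), and the inventory dictionary and hostnames are made up.

```python
import csv
from io import StringIO

# Constructed sample, modelled on the Windows DHCP server audit log
# (DhcpSrvLog-*.log). Event ID 10 is a new lease, 11 is a renewal.
# Hosts, addresses and MACs are invented for this example.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,01/15/04,08:01:12,Assign,10.20.30.51,WS1042.corp.example,001122AABB01
11,01/15/04,08:03:40,Renew,10.20.30.52,WS1043.corp.example,001122AABB02
10,01/15/04,12:17:09,Assign,10.20.30.77,LAPTOP-HOME,00C0FFEE1234
11,01/15/04,12:20:00,Renew,10.20.30.51,WS1042.corp.example,001122AABB01
"""

# Hypothetical approved-asset inventory (MAC -> asset tag), i.e. the list the
# help desk already keeps for the static-IP / port-locked scheme.
APPROVED_MACS = {
    "001122AABB01": "WS1042",
    "001122AABB02": "WS1043",
}

LEASE_EVENTS = {"10", "11"}  # new lease, renewal

def normalize_mac(mac):
    """Return the MAC as 12 upper-case hex digits, dropping any separators."""
    return "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")

def unknown_leases(log_text, approved):
    """Yield (time, ip, host, mac) for lease events granted to MACs not in inventory."""
    for row in csv.DictReader(StringIO(log_text)):
        if row["ID"] not in LEASE_EVENTS:
            continue
        mac = normalize_mac(row["MAC Address"])
        if mac not in approved:
            yield (row["Time"], row["IP Address"], row["Host Name"], mac)

def report(log_text, approved):
    """Collapse repeated leases/renewals so each unknown MAC is reported once,
    keeping the first time, address and hostname seen for it."""
    seen = {}
    for time, ip, host, mac in unknown_leases(log_text, approved):
        seen.setdefault(mac, (time, ip, host))
    return seen

if __name__ == "__main__":
    for mac, (time, ip, host) in report(SAMPLE_LOG, APPROVED_MACS).items():
        print(f"{time} unknown device {mac} ({host}) leased {ip}")
```

Running it against the constructed log reports only the home laptop; the two inventoried workstations are silent even though they lease and renew.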