DHCP lease management and ARP poisoning are two methods for controlling access. DHCP leases are managed through the NAC system, first putting a host onto a private network so that it can be assessed, then changing the host IP as needed. DHCP control requires little change to the underlying infrastructure and is less invasive than switch-port manipulation, VLAN steering or dynamically updating router ACLs.
ARP poisoning, on the other hand, uses ARP to manage the MAC-to-IP mapping used by network hosts to communicate within a single subnet. If a host sends out an ARP packet saying it's the network router, for example, all endpoints on that segment will send it all packets bound for other segments (note that the concept is called ARP poisoning whether it's used for good or evil).
Either method is easily defeated by knowledgeable attackers. Using a static IP address will bypass DHCP lease management handily. ARP poisoning is a bit stronger, but on Windows hosts, using the built-in arp -a <ip address> <mac address> command will create a static ARP mapping. The tricky part is getting the network peer--a router, for example--to know what your real MAC address is. Constantly sending out directed ARP responses is one solution.
Some vendors pooh-pooh problems and declare these enforcement methods good enough for most deployments because they provide half the solution by controlling the access of potentially infected computers. We say why spend time and resources to solve half the problem?
DHCP management and ARP poisoning do have their uses as interim enforcement methods during a NAC pilot; while upgrading infrastructure to support better enforcement methods like VLAN steering or 802.1X; or in those cases where nothing else works well, such as when the infrastructure is unmanaged or it's too costly to deploy in-line enforcement.
However, DHCP and ARP poisoning should be used only as stopgap measures. Otherwise, a false sense of security may settle in, only to be shattered once it's too late.
