DHCP and IPs assign to specific PCs

Discussion in 'Networks' started by HTF, Mar 31, 2010.

  1. HTF

    HTF Byte Poster

    Hi,

    How do I configure a DHCP server (W2K3) on the private network so it assigns IPs only to known machines? Do I have to use the reservation option so it won't assign IPs to unknown clients?
    Basically I would like to prevent access to the network and limit it only to known clients. What if someone manually assigns a static IP (from the range of the network, not even from the DHCP scope)? How do I prevent him from accessing the network?
     
    Certifications: A+
  2. MLP

    MLP Kilobyte Poster

    Hi

    I've not tried this myself, but I've seen this, which describes a DLL released by Microsoft that allows you to create whitelists of MAC addresses that DHCP will give an IP to.

    Maria

    EDIT: NAP on server 2008 is probably a better solution, but this will work on 2003.
     
    Last edited: Mar 31, 2010
    Certifications: HND Computing
  3. SimonD

    SimonD Terabyte Poster

    You would have to use MAC addresses to limit that. Also, depending on the size of the scope, why not consider subnetting it further? For example, if you have a class C address with 255.255.255.0 but you only needed to use, say, 30 hosts, then you would use a subnet of 255.255.255.248; that way, because you can only have a maximum of 30 hosts (the first and last addresses can't be used as they ID the network and the broadcast), you would be OK.

    An easy way to work out the subnet for the number of hosts is:

    Amount of hosts required:                 256  128   64   32   16    8    4    2
    Number of bits to be used in the subnet:    8    7    6    5    4    3    2    1
    Actual subnet mask:                         0  254  252  248  240  224  192  128   ****


    So, for example, you need 30 hosts; the only number that would help you would be 32. From the table above we see that it requires 5 bits; taking that as binary, that's 11111000, which when converted to decimal is 248.

    **** Unfortunately the table doesn't translate perfectly onscreen here, draw it out like I have (each of the three rows matching up numbers) and it will make more sense.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
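An added calculator for the host-count to mask step described above (example code, not SimonD's own): it counts the host bits a block needs, reserving the network and broadcast addresses, and derives the dotted mask, its binary last octet, and the first subnet of that size carved from a /24. The sample network 192.168.1.0/24 is a constructed input.

```python
import ipaddress


def host_bits_needed(hosts):
    """Smallest number of host bits whose block holds `hosts` usable addresses.

    Two addresses per block are unusable: the lowest (network) and the highest
    (broadcast), so a block of 2**bits addresses serves 2**bits - 2 hosts.
    """
    bits = 1
    while (1 << bits) - 2 < hosts:
        bits += 1
    return bits


def mask_for_hosts(hosts):
    """Dotted-decimal mask of the smallest block that fits `hosts` usable hosts."""
    prefix = 32 - host_bits_needed(hosts)
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def last_octet_binary(mask):
    """Final octet of a mask as 8 bits, e.g. 255.255.255.248 -> '11111000'."""
    return format(int(mask.split(".")[-1]), "08b")


def carve_subnet(network_cidr, hosts):
    """First subnet of `network_cidr` sized for `hosts`: (cidr, mask, usable hosts)."""
    net = ipaddress.IPv4Network(network_cidr)
    prefix = 32 - host_bits_needed(hosts)
    if prefix < net.prefixlen:
        raise ValueError(f"{hosts} hosts do not fit inside {network_cidr}")
    sub = next(net.subnets(new_prefix=prefix))
    return str(sub), str(sub.netmask), sub.num_addresses - 2


if __name__ == "__main__":
    # Constructed example: carve blocks for a few host counts out of a class C.
    for want in (2, 6, 30, 100):
        cidr, mask, usable = carve_subnet("192.168.1.0/24", want)
        print(f"{want:>3} hosts -> {cidr} mask {mask} "
              f"({last_octet_binary(mask)}), {usable} usable")
```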
  4. westernkings

    westernkings Gigabyte Poster

    Why not just set group policy to not allow users to edit connection settings, and then give out static IP addresses instead of DHCP? Surely that is a pretty simple way of doing it?
     
    Certifications: MCITP:VA, MCITP:EA, MCDST, MCTS, MCITP:EST7, MCITP:SA, PRINCE2, ITILv3
  5. BrizoH

    BrizoH Byte Poster

    Having recently inherited a network with all devices configured using static IPs, I hate them!

    One option in your situation would be:

    Create a DHCP scope, for example 192.168.1.100-150

    Reserve specific IPs for your machines using MAC addresses

    Add any unused IP address to the exclusion list in DHCP settings.
     
    Certifications: CCNA, CCNA Security
    WIP: CCNP
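An added model of the three steps above (example code, not BrizoH's or Microsoft's): it normalises the MAC addresses to the 12-hex-digit form Windows DHCP stores, checks each reservation sits inside the scope, and works out the exclusion ranges that cover every unreserved address, so only a reserved MAC can still get a lease. The scope is BrizoH's 192.168.1.100-150; the three reservations are constructed sample data.

```python
import ipaddress

# Constructed sample data: BrizoH's example scope plus three hypothetical
# reservations written in the different MAC formats people actually paste in.
SCOPE_START = ipaddress.IPv4Address("192.168.1.100")
SCOPE_END = ipaddress.IPv4Address("192.168.1.150")
RESERVATIONS = {
    "00-11-22-33-44-55": "192.168.1.101",
    "00:11:22:33:44:66": "192.168.1.102",
    "001122334477": "192.168.1.120",
}


def normalise_mac(mac):
    """Windows DHCP stores a MAC as 12 hex digits; accept dash, colon or bare forms."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return digits


def reservation_table(reservations):
    """Map normalised MAC -> IPv4Address, rejecting addresses outside the scope."""
    table = {}
    for mac, ip in reservations.items():
        addr = ipaddress.IPv4Address(ip)
        if not SCOPE_START <= addr <= SCOPE_END:
            raise ValueError(f"{ip} is outside the scope")
        table[normalise_mac(mac)] = addr
    return table


def exclusion_ranges(table):
    """Contiguous (first, last) ranges covering every scope address not reserved."""
    reserved = set(table.values())
    ranges, run_start, addr = [], None, SCOPE_START
    while addr <= SCOPE_END:
        if addr in reserved:
            if run_start is not None:  # close the run just before this reservation
                ranges.append((str(run_start), str(addr - 1)))
                run_start = None
        elif run_start is None:
            run_start = addr
        addr += 1
    if run_start is not None:
        ranges.append((str(run_start), str(SCOPE_END)))
    return ranges


def offer_for(mac, table):
    """With every free address excluded, a client gets its reservation or nothing."""
    return table.get(normalise_mac(mac))
```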
  6. zebulebu

    zebulebu Terabyte Poster

    ^^^ This ^^^

    Used it a couple of times - poorly documented back in the day and haven't used it for about three years, but it worked well when I put it in. Decent enough solution when you don't have a NAC box in place.
     
    Certifications: A few
    WIP: None - f*** 'em
  7. MLP

    MLP Kilobyte Poster

    Yep, we are talking about giving it a try next week. Ideally, NAP would be our first choice, but we can't migrate to Server 2008 until later in the year, and we have to find a way to get our Macs working with it. This method would give us 'NAP without NAP', as my boss described it.

    Static IPs - a nightmare on a bigger network. Tracking the IPs all the time is not fun. Also, in the case of laptops that are used at home, the IP address is very likely to be invalid for the user's home setup.


    Maria
     
    Certifications: HND Computing
  8. HTF

    HTF Byte Poster

    Thank you all for the replies.

    Basically this is just a testing environment, but I noticed that one of the users is connecting some other device to the network, apart from his PC, so I was wondering how to prevent this.

    So without any of the additional software you mentioned before (like the Callout DLL, NAP, NAC), the only solution is to set reservations for the MACs and add exclusions. Will it prevent him from assigning the IP manually, or would I have to limit the IP range of the network to the number of machines on that network? Am I right, or is there any other way?

    BTW: Callout DLL, NAP, NAC - more software to test, it's a never ending story ;)

    Regards
     
    Last edited: Mar 31, 2010
    Certifications: A+
  9. Sparky

    Sparky Zettabyte Poster Moderator

    Difficult to manage....
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  10. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    The best way to prevent static IP addresses is with switch security. There are many technologies available to control access to your network, depending on what is supported by your switches. Of course any security scheme can be beaten, but with capable switches you can make it quite difficult to get unauthorized access to your network; keep in mind, though, the effort required to maintain the security system. Check your switches to see what they support.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  11. zebulebu

    zebulebu Terabyte Poster

    Yeah - try managing static IPs over 120 different sites, like I had to at the old bill :biggrin

    You might look at some of the cheaper third-party NAC solutions, or, as Spice_Weasel suggests later down the thread, look at switchport security. There are some pretty decent port security methods you can enable that will only be fooled by determined hackers sniffing and forging MAC addresses. Since any hacker plumbed directly into your LAN already pretty much has the keys to the kingdom anyway, you shouldn't concern yourself with that - the idea behind locking down LAN access is to stop pillocks bringing their own s*** into your network (laptops, NAS boxes or, on one memorable occasion when I worked for the Polis, a frickin' wireless access point) and compromising it. We used a Mirage box at one of our sites, which is pretty good - though I've posted before about the legitimacy of them patenting what is, in effect, a hack (ARP poisoning). It ain't cheap, but if you want to put a NAC/NAP solution in place it's probably cheaper and certainly quicker than migrating to 2K8!

    BTW, FWIW, I used to get round the latter problem with batch files on the desktop - but it's a horrible bodge.
     
    Certifications: A few
    WIP: None - f*** 'em
