1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

DHCP and IPs assign to specific PCs

Discussion in 'Networks' started by HTF, Mar 31, 2010.

  1. HTF

    HTF Byte Poster

    181
    0
    14
    Hi,

    How to configure DHCP server (W2K3) on the private network so it will be assigning the IPs only to known machines. Do I have to use it reservation option so it won't be assigning IPs to unknown clients?
    Basically I would like to prevent access to the network and limit only to known clients. What if someone manually assign static IP (from the range of the network not even from the DHCP scope). How to prevent him from accessing the network.
     
    Certifications: A+
  2. MLP

    MLP Kilobyte Poster

    305
    19
    42
    Hi

    I've not tried this myself, but I've seen this, which describes a dll released from Microsoft, which allows you to create whitelists for Mac addresses that DHCP will give an IP to.

    Maria

    EDIT: NAP on server 2008 is probably a better solution, but this will work on 2003.
     
    Last edited: Mar 31, 2010
    Certifications: HND Computing
    WIP: 70-680, 70-270, 70-290
  3. SimonD

    SimonD Terabyte Poster Moderator

    3,463
    397
    199
    You would have to use MAC addresses to limit that, also depending on the size of the scope why not consider subnetting it further, for example if you have a class c address with 255.255.255.0 but you only needed to use say 30 hosts, then you would use a subnet of 255.255.255.248, that way because you can only have a maximum of 30 hosts (the first and last addresses can't be used as they id the network and the broadcast) you would be ok.

    An easy way to work out the subnet for amount of hosts is.

    256 128 64 32 16 8 4 2 Amount of hosts required.
    8 7 6 5 4 3 2 1 Number of bits to be used in the subnet


    0 254 252 248 240 224 192 128 Actual subnet mask. ****


    So for example you need 30 hosts, the only number that would help you would be 32, from the table above we see that it requires 5 bits, taking that as binary that's 11111000 which when converted to decimal is 248.

    **** Unfortunately the table doesn't translate perfectly onscreen here, draw it out like I have (each of the three rows matching up numbers) and it will make more sense.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
    WIP: VCP6-CMA, VCAP-DCD and Linux + (and possibly VCIX-NV).
  4. westernkings

    westernkings Gigabyte Poster

    1,432
    60
    107
    Why not just set group policy to not allow users to edit connection settings? and then give out static IP addresses instead of DHCP? surely that is a pretty simple way of doing it?
     
    Certifications: MCITP:VA, MCITP:EA, MCDST, MCTS, MCITP:EST7, MCITP:SA, PRINCE2, ITILv3
  5. BrizoH

    BrizoH Byte Poster

    243
    6
    25
    Having recently inherited a network with all devices configured using static IP's, I hate them!

    One option in your situation would be:

    Created a DHCP scope - for examply 192.168.1.100-150

    Reserve specific IP's for your machines using MAC addresses

    Add any unused IP address to the exclusion list in DHCP settings.
     
    Certifications: CCNA, CCNA Security
    WIP: CCNP
  6. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    ^^^ This ^^^

    Used it a couple of times - poorly documented back in the day and haven't used it for about three years, but it worked well when I put it in. Decent enough solution when you don't have a NAC box in place.
     
    Certifications: A few
    WIP: None - f*** 'em
  7. MLP

    MLP Kilobyte Poster

    305
    19
    42
    Yep, we are talking about giving it a try next week. Ideally, NAP would be our first choice, but we can't migrate to Server 2008 until later in the year, and we have to find a way to get our Macs working with it. This method would give us 'NAP without NAP', as my boss described it.

    Static IP's - a nightmare on a bigger network. Tracking the IPs all the time is not fun. Also, in the case of laptops that are used at home, the IP address is very likely to be invalid for the users home setup.


    Maria
     
    Certifications: HND Computing
    WIP: 70-680, 70-270, 70-290
  8. HTF

    HTF Byte Poster

    181
    0
    14
    Thank you all for reply.

    Basiaclly this is just testing environment but I noticed that one of the users is connecting some other device to the network, apart from his PC, so I was wondering how to prevent this.

    So with no any additional software that you mentioned before (like Callout DLL, NAP, NAC) the only solution is to set the reservation for the MACs and add exclusion. Will it prevent him to assign the IP manually or I would have to limit the IP range of the network to the number of the machines on that network? Am I right or is there any other way?

    BTW: Callout DLL, NAP, NAC - another soft to test it, it's never ending story ;)

    Regards
     
    Last edited: Mar 31, 2010
    Certifications: A+
  9. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    Difficult to manage....
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  10. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    The best way to prevent static ip addresses is with switch security. The are many technologies available to control access to your network, depending on what is supported by your switches. Of course any security scheme can be beat, but with capable switches you can make it quite difficult to get unauthorized access to your network, but keep in mind the effort required to maintain the security system. Check your switches to see what they support.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  11. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Yeah - try managing static IPs over 120 different sites, like I had to at the old bill :biggrin

    You might look at some of the cheaper third-party NAC solutions, or, as Spice_Weasel suggests later down the thread, look at switchport security. There's some pretty decent port security methods you can enable, that will only be fooled by determined hackers sniffing and forging MAC addresses. Since any hacker plumbed directly into your LAN already pretty much has the keys to the kingdom anyway you shouldn't concern yourself with that - the idea behind locking down LAN access is to stop pillocks bringing their own s*** into your network (laptops, NAS boxes or, on one memorable occasion when I worked for the Polis, a frickin' wireless access point) and compromising it. We used a Mirage box at one of our sites, which is pretty good - though I've posted before about the legitimacy of them patenting what is, in effect, a hack (ARP poisoning). It ain't cheap but if you want to put a NAC/NAP solution in place it's probably cheaper and certainly quicker than migrating to 2K8!

    BTW, FWIW, I used to get round the latter problem with batch files on the desktop - but it's a horrible bodge.
     
    Certifications: A few
    WIP: None - f*** 'em

Share This Page

Loading...