General discussion

  • Creator
    Topic
  • #2263175

    Ethernet Mac address filteration in DHCP for windows LAN

    Locked

    by cprakash1 ·

    On windows server 2003 running DHCP server services, I have created a scope with 200 assignable ip addresses but I want to assign these IP only list of approved MAC addresses. We don’t care what address is given, just that it is give to an approved MAC address. I don’t want to assign a specific address to a specific MAC. Because here we have two types of system one is for corp. network and other is for testing. How can this be done? Can I have some third party software through which I can block unapproved IP in DHCP? Thanks

All Comments

  • Author
    Replies
    • #2486946

      I don’t think what you are trying to do is possible.

      by why me worry? ·

      In reply to Ethernet Mac address filteration in DHCP for windows LAN

      DHCP allows for reserved IP addresses which ties the same IP address to a specific MAC, but you state that you do not want to do this. Don’t forget that DHCP is a broadcast sent to all DHCP servers, and only one server gets a chance to response with an IP address offer to the client. It does not check the MAC of the requesting client unless a reservation is set to assign the same IP address to that MAC. I have not heard of any 3rd party software to allow for this, but the closest I have seen are Layer 2 and 3 devices that can turn up or shut down a port based on the MAC address of the NIC on the attached device. As far as DHCP is concerned, I have yet to see or find anything that meets your needs.

    • #2511082

      Subnet your system.

      by sbotsford ·

      In reply to Ethernet Mac address filteration in DHCP for windows LAN

      I strongly recommend that you split your production system from your test system by using different subnets.

      If you have a problem in your test system, it has less effect on your corporate environment.

      It doesn’t take much extra hardware to do this. You can either dual home your dhcp server, adding another card, or you can add a second server just for the test group.

      I do all of my dhcp services with static addressing. It’s a touch trickier to set up, but since IP maps to a constant host archival log files have a lot more meaning. And when I’m dealing with the switches, which work by IP and MAC only, I don’t have to keep looking up the IP.

      At present my setup has:
      1 server that is dual homed. One line connects to the “quarantine switch” This server has all my installation files on it, but does not bridge between the Q switch and the rest of the network. I plug into this switch when I’m doing an install, so that it cannot get infected while installing. (I had a nasty network worm here last month — average clean time was under a minute.)

      Regular machines get a fixed IP for the reasons mentioned above.

      Any other machine connecting to the network gets a dhcp address from a small pool. That pool of addresses cannot access either our servers, except for certain read only shares, nor the internet.

      In this way, no one can casually connect their laptop to my network and do something nasty.

      I’m considering setting up my switches to be in ‘disable on changed mac’ so that if someone tried to set up their machine to mimic an existing machine, but didn’t also mimic the mac address it would get caught.

Viewing 1 reply thread