June 15, 2009 at 1:35 am #2215676
URGENT requirement!!!!locking the ip address to a particular MAC
Locked · by mohdanwarahmed · about 14 years, 9 months ago
Hi all….
Aim: An IP address, let's say 10.0.0.1, when assigned to a particular MAC (let it be a PC), should not be used by any other MAC, even if I switch off the device.
I tried the DHCP reservation option, which maps the IP address to a MAC address, and it works. But the problem is, when I switch off the PC, this IP address can be used on another machine (PC).
Is there any such solution in Microsoft DHCP, or else can we do it through the Cisco router? If so, please give me the detailed procedure.
All Answers
-
June 15, 2009 at 1:35 am #2934437
Clarifications
by mohdanwarahmed · about 14 years, 9 months ago
In reply to URGENT requirement!!!!locking the ip address to a particular MAC
Clarifications
-
June 15, 2009 at 3:14 am #2934429
Set the lease…
by breezer85 · about 14 years, 9 months ago
In reply to URGENT requirement!!!!locking the ip address to a particular MAC
Best thing to do is set the lease to the maximum number of days, or even better assign the machine this IP address as static!
-
June 16, 2009 at 6:47 am #2953928
if i set the static ip add
by mohdanwarahmed · about 14 years, 9 months ago
In reply to Set the lease…
If I set the static IP address, of course when I shut my system down, the other PC can use my IP address, which I don't want.
-
-
June 15, 2009 at 6:16 am #2934379
Another option
by churdoo · about 14 years, 9 months ago
In reply to URGENT requirement!!!!locking the ip address to a particular MAC
In MS DHCP, if your desired IP address is NOT within the address pool it will not get assigned to other clients, yet it CAN be used in a reservation.
In other words in your example, if your address pool is say 10.0.0.50 – 10.0.0.200, 10.0.0.1 will not be leased to any general clients, however 10.0.0.1 can be used in a reservation and will be assigned to the appropriate client with the matching MAC address.
-
June 16, 2009 at 7:00 am #2953921
Thanks for posting..
by mohdanwarahmed · about 14 years, 9 months ago
In reply to Another option
Hi churdoo,
As you said, if we exclude the IP 10.0.0.1 from the pool and reserve the IP to the MAC address, it would work, but WHEN I SWITCH OFF MY PC, the clients may statically or manually configure the same IP on their PC and can still use it.
Please explain if I'm wrong.
Also, if there is a solution which can be done from the Cisco router by configuring DHCP, please let me know.
-
June 19, 2009 at 12:47 pm #2956431
There should be
by tmalo627 · about 14 years, 9 months ago
In reply to Thanks for posting..
Most higher end routers, especially a Cisco, should have a section to reserve IP addresses to a specific MAC. Sometimes it’s referred to as Static DHCP. Simply put in the MAC address and the IP address you want to match up and it should take care of the rest for you.
Also, to touch on another poster’s idea through MS: if the address is not in the address pool, it won’t get assigned. If you’re saying you have the reservation set and that address is still being given out, there may be another device performing the DHCP service somewhere in your network. A good way to test that is to go to the machine that is picking up the IP address it shouldn’t have and run IPCONFIG /ALL. See what it says for DHCP server. That will tell you the device issuing the address.
Hope this helps.
-
-
-
June 19, 2009 at 3:05 am #2956666
Just out of curiosity…
by breezer85 · about 14 years, 9 months ago
In reply to URGENT requirement!!!!locking the ip address to a particular MAC
…Why does this machine have to have this IP address? Surely if you’ve got a DHCP server which assigns an IP you’ll still get connected!
Also, when you set the lease to 365 days and switch the machine off, that IP WILL stay with that machine and no other. Because all other machines will not query for an IP until after the 365 day lease time expires!
-
June 19, 2009 at 5:24 am #2956644
Probably because
by brenton keegan · about 14 years, 9 months ago
In reply to Just out of curiosity…
Probably because he’s doing this on his workstation. It sounds like to me he’s created an ACL that restricts traffic, but he wants his workstation to have a different level of access than the other workstations. So he has to specify a specific IP.
-
June 19, 2009 at 5:41 am #2956638
Agreed, and not only that; when the cat’s away?
by churdoo · about 14 years, 9 months ago
In reply to Probably because
I agree it sounds like he’s got an ACL which allows special access for the IP 10.0.0.1 in his example, but the problem isn’t so much “How do you assign this IP addy to this specific workstation?”;
rather the second part of the problem is, “how does he keep others, once they learn of the special access for IP 10.0.0.1, from assigning themselves this IP statically and giving themselves this access when the cat’s away?”
I don’t know how to do this in Cisco gear, though I’m no Cisco powerhouse by any stretch of the imagination.
-
-
June 19, 2009 at 8:17 am #2956547
hey breezer!!!
by mohdanwarahmed · about 14 years, 9 months ago
In reply to Just out of curiosity…
Thanks for your postings!!
Seems your idea of setting the lease would work out, as you said that other PCs cannot access with the IP address when my PC is shut.
Can you give me the procedure for how to lease an IP address in a DHCP environment… give me the exact steps so that I can do it easily….!!!
-
June 22, 2009 at 7:29 am #2958393
Lease Time Steps…
by breezer85 · about 14 years, 9 months ago
In reply to hey breezer!!!
Start – Admin Tools – DHCP – Expand the server tab – Right click ‘Scope…’ – Properties – General Tab – Change the lease time.
I would much prefer to do it this way than trying to mess about with different solutions! My theory is to keep it short, sweet and simple!
-
-
-
June 19, 2009 at 5:26 am #2956643
Exclusion
by brenton keegan · about 14 years, 9 months ago
In reply to URGENT requirement!!!!locking the ip address to a particular MAC
You could exclude the IP address from the address pool.
Under address pool you can specify any exclusions you want. You would of course need to set your IP address statically at this point.
-
June 19, 2009 at 6:57 am #2956593
Maybe this is an option…
by brenton keegan · about 14 years, 9 months ago
In reply to URGENT requirement!!!!locking the ip address to a particular MAC
I don’t know a lot about it but check this out:
http://articles.techrepublic.com.com/5100-10878_11-6123047.html
-
June 19, 2009 at 8:29 am #2956537
Why is there a problem?
by neilb@uk · about 14 years, 9 months ago
In reply to URGENT requirement!!!!locking the ip address to a particular MAC
If you assign a DHCP reservation to a particular MAC address then that’s the only system that can pick up that address. That’s why they are called “reservations”.
The only way that it can be assigned to another system is if you have two DHCP servers covering the same address range and you don’t put the reservation on all of them.
-
June 19, 2009 at 9:40 am #2956489
It’s not about getting the assignment…
by brenton keegan · about 14 years, 9 months ago
In reply to Why is there a problem?
It’s not about another workstation getting the assignment, it’s a security issue with a workstation having the reserved IP address assigned statically.
A reservation is simply for DHCP, but it doesn’t disallow someone setting the reserved IP manually.
This threat is really an internal threat. If a user wanted to be malicious and knew the magic IP address he/she could set it statically when the admin is away.
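Added example (not part of any poster's reply): a minimal Python check that reads an ARP table dump from a Windows host (`arp -a`) or a Cisco router (`show ip arp`) and flags a reserved IP that is currently answered by a MAC other than the one it is reserved for. The sample tables, the MAC addresses and the `RESERVED` map are constructed for illustration.

```python
import re

# Expected IP -> MAC bindings (constructed; 10.0.0.1 mirrors the thread's example).
RESERVED = {"10.0.0.1": "02:00:00:00:00:01"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Windows: 02-00-00-00-00-01, Unix: 02:00:00:00:00:01, Cisco IOS: 0200.0000.0001
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}\b"
                    r"|\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b")

# Constructed sample output of `arp -a` on a Windows host.
WINDOWS_ARP = """\
Interface: 10.0.0.50 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              02-00-00-aa-bb-cc     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample output of `show ip arp` on a Cisco router.
CISCO_ARP = """\
Protocol  Address     Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1            5  0200.0000.0001  ARPA   FastEthernet0/0
Internet  10.0.0.7            0  Incomplete      ARPA
"""

def normalize_mac(mac):
    """Reduce any of the three notations to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Yield (ip, mac) for every line that carries both an IP and a MAC."""
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:  # skips headers, interface lines, Incomplete entries
            yield ip.group(), normalize_mac(mac.group())

def find_violations(text, reserved=RESERVED):
    """Return (ip, expected_mac, seen_mac) for each reserved IP held by another MAC."""
    hits = []
    for ip, seen in parse_arp(text):
        expected = reserved.get(ip)
        if expected and seen != normalize_mac(expected):
            hits.append((ip, normalize_mac(expected), seen))
    return hits

if __name__ == "__main__":
    for ip, expected, seen in find_violations(WINDOWS_ARP):
        print(f"ALERT: {ip} is reserved for {expected} but is answered by {seen}")
```

This only detects a claimant with a different MAC; a machine that also copies the reserved MAC looks identical in the ARP table.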
-
June 19, 2009 at 10:06 am #2956480
Ah, I misunderstood. Thought it was too easy…
by neilb@uk · about 14 years, 9 months ago
In reply to It’s not about getting the assignment…
If users have access to their NIC properties then the only way round that is not to turn off the system that has to have the IP. Windows should error out with duplicate addresses.
A GPO to stop users dicking with the NIC settings is the obvious way though. If they are stuck with DHCP then there is nothing they can do.
-
June 19, 2009 at 11:30 am #2956460
Laptop
by brenton keegan · about 14 years, 9 months ago
In reply to Ah, I misunderstood. Thought it was too easy…
All the user needs to do then is bring a computer in that’s not on the domain and plug it in. This would get around the domain policy settings.
I posted a link to info on configuring Sticky MAC. I think this could prevent users from doing this.
-
June 23, 2009 at 10:15 pm #2758154
hi breezer
by mohdanwarahmed · about 14 years, 9 months ago
In reply to Laptop
Hello!!
I think sticky port or sticky MAC will not be the solution, for the simple reason that sticky MAC will not lock the IP address; in fact it locks the MAC!!!
I hope I'm correct!!
Learning a lot here though… anyway, thanks for your postings!!!