DHCP only to certain pcs.

eric romero

Hi All

Is there any way to configure DHCP to assign IPs to the PCs we want instead
of any PC connected to the network? Let's say to assign dynamic IPs based on
authorized MAC addresses or any other kind of authorization.

We want to avoid non-authorized pcs to get an IP via our DHCP.

thx
-
 
eric romero

I am using DHCP-Windows2000.

Do you know how to set dynamic ips to be assigned to a certain group of mac
addresses?
 
Simon Geary

Within Windows 2000 DHCP you can do 1-to-1 mappings of IP and MAC addresses
but these cannot be grouped so that, for example, the 10 PCs on the 3rd
floor always get an IP address from this range of IPs. It has to be a one
at a time mapping.
 
eric romero

Thanks for the reply. This looks to me like manual IP assignment; is there
any way to let DHCP know of a list of MAC addresses and let DHCP decide
which IP is assigned to each MAC address?
 
eric romero

This looks like maintaining IPs manually, which breaks the DHCP concept... am I
right?
 
Simon Geary

The DHCP concept is to remove all manual IP address assignment. By wanting
to assign certain IP addresses to certain MAC addresses you are introducing
an extra layer of administration which is unnecessary for all but the most
security conscious networks.
Unless you have a strict requirement to lock down your DHCP servers it is
easier to just leave DHCP to assign them dynamically as the service is
designed for.
 
eric romero

Hi Simon,

Thanks for your input. What I want is to prevent non-office people from getting an
IP when they come to the office with their laptops and plug into the UTP
jacks.

Do you have any idea how to prevent that and still use dynamic DHCP? Yes,
this could be seen as a security requirement.

thx
-Eric
 
Simon Geary

This is a classic problem with DHCP: it makes things easier for the
administrator but gives anyone with a laptop access to your network. The MAC
address restriction is the only native method of restricting DHCP address
allocation but it really isn't manageable in a large network.
Look at the problem from a different perspective: why do you not want
visitors to have an IP address? Are you afraid they might access
confidential information or leave viruses on the network? These risks should
be mitigated by ACLs and virus software respectively, not just by denying
LAN access.
My point is that denying visitors an IP address is not in itself a security
mechanism, you have firewalls and suchlike to do that so if your regular
security is set up correctly you would in theory not need to worry about
visitors getting an IP. Remember also that most security attacks come from
employees anyway.
So how does any of this help you? Well, you should start off by thinking
whether or not you really need to restrict IP assignment or if your security
couldn't best be handled at a different layer. If you decide you do need to,
your only options are a very unmanageable MAC filter or perhaps a 3rd party
product.
 
eric romero

Hi Simon,

Thanks for your comments, I agree with you.
On the other hand, by restricting the IP assignments we reduce the
troubleshooting in case a security incident arises.
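
The 1-to-1 MAC reservations discussed in this thread can be generated from a list of authorized MACs rather than typed one at a time. The following is an added example, not part of the original thread: the scope `192.168.10.0`, the address range and all MAC addresses are constructed sample values, and the function names are hypothetical. It also checks observed leases against the authorized list.

```python
import ipaddress
import re

def normalize_mac(raw):
    """Accept 00-0C-29.., 00:0c:29.. or 000c.29aa.. and return 12 hex digits."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def plan_reservations(macs, first_ip, last_ip):
    """Give every distinct authorized MAC the next address in the range."""
    start = ipaddress.IPv4Address(first_ip)
    end = ipaddress.IPv4Address(last_ip)
    unique = sorted({normalize_mac(m) for m in macs})  # drops duplicates
    if len(unique) > int(end) - int(start) + 1:
        raise ValueError("range too small for the authorized list")
    return {mac: str(start + i) for i, mac in enumerate(unique)}

def netsh_commands(scope, plan):
    """One 'add reservedip' line per MAC, to be reviewed before running."""
    return [f"netsh dhcp server scope {scope} add reservedip {ip} {mac}"
            for mac, ip in plan.items()]

def unauthorized_leases(leases, plan):
    """leases: (ip, mac) pairs seen on the server; return the unknown ones."""
    return [(ip, mac) for ip, mac in leases if normalize_mac(mac) not in plan]

# Constructed sample data: the third entry repeats the first in another notation.
AUTHORIZED = ["00-0C-29-AA-BB-01", "00:0c:29:aa:bb:02", "000c.29aa.bb01"]
SEEN = [("192.168.10.50", "00-0C-29-AA-BB-01"),
        ("192.168.10.77", "00-50-56-12-34-56")]

if __name__ == "__main__":
    plan = plan_reservations(AUTHORIZED, "192.168.10.50", "192.168.10.59")
    print("\n".join(netsh_commands("192.168.10.0", plan)))
    for ip, mac in unauthorized_leases(SEEN, plan):
        print(f"lease to unlisted MAC {mac} at {ip}")
```

Reservations by themselves do not stop the server from leasing the rest of the scope to other clients, so the remaining dynamic addresses still have to be excluded from the scope.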
 
