First off all clients have statically assigned IPs, there is a very small
DHCP scope available for setting up new computers/printers (6 address).
However recently 2-3 addresses in this range have been used on a
consistent basis (however, not consistent enough to always catch them
being active). This is a medium environment (about 500-1000 computers,
and a large number of printers as well as a few servers) thus tracking
them down by walking to each client and checking IPs would be a rather
large task. I have been able to grab their MAC addresses using arp. The
server is running windows 2000 server clients are a mix of win95/98,
win2k, winXP, mac 7-9, mac os x, linux, unix. I know that it is not any
of the servers and a pretty good feeling that it is not any of them
printers, what i suspect is going on is someone is bringing in their
home laptop and connecting to an active port. Only the IT people know of
the DHCP aspect of the environment.
What I am looking to do is to block those MAC addresses from using the
DHCP scope or from accessing the network as a whole. Then once the users
complain that the "internet is broken" we will be able to take appropriate
Main reason this is such a big deal is that we are billed from network
usage and the unknown MAC addresses are causing a rather large amount of
traffic when they are on.
So any help would be great!