
Restrict DHCP to MAC addresses

Posted on 2005-05-04
Last Modified: 2007-12-19
Is there a way to restrict issuing DHCP to a set list of MAC addresses?

thanks
phil
Question by:detox1978
11 Comments
 
LVL 85

Accepted Solution

by:
oBdA earned 1200 total points
ID: 13931621
Yes; you can use reservations for the clients that are allowed to receive a DHCP address, then simply exclude the rest of the range.
Once you have reserved the whole scope, you'll have an exclamation mark at the scope in the DHCP manager; this is just to let you know that there aren't any more IP addresses available, but that's what you want.
0
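The approach in the accepted answer, as an added example that is not part of the original thread: Python that gives every allowed MAC one reservation inside the scope and collapses all remaining addresses into exclusion ranges. It goes slightly beyond the answer by allowing some clients to keep a pinned address; `plan_scope`, `normalize_mac`, the allow-list and the 192.168.10.x scope are constructed for illustration.

```python
import ipaddress

# Constructed allow-list: (MAC, host name, pinned address or None).
ALLOWED = [("00-11-22-33-44-55", "pc-a", None),
           ("00:11:22:33:44:66", "printer", "192.168.10.15"),
           ("0011.2233.4477", "pc-b", None)]

def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits, whatever the separators."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def plan_scope(first_ip, last_ip, allowed):
    """Return (reservations, exclusions): one (ip, mac, name) per allowed
    client and (start, end) ranges covering every address left over."""
    first, last = (int(ipaddress.IPv4Address(x)) for x in (first_ip, last_ip))
    taken, floating, seen = {}, [], set()
    for mac, name, ip in allowed:
        key = normalize_mac(mac)
        if key in seen:
            raise ValueError(f"duplicate MAC in allow-list: {mac}")
        seen.add(key)
        if ip is None:
            floating.append((key, name))
            continue
        addr = int(ipaddress.IPv4Address(ip))
        if not first <= addr <= last or addr in taken:
            raise ValueError(f"pinned address out of scope or reused: {ip}")
        taken[addr] = (key, name)
    free = [a for a in range(first, last + 1) if a not in taken]
    if len(floating) > len(free):
        raise ValueError("scope is smaller than the allow-list")
    for addr, client in zip(free, floating):
        taken[addr] = client
    exclusions = []  # collapse unreserved addresses into contiguous runs
    for addr in free[len(floating):]:
        if exclusions and exclusions[-1][1] == addr - 1:
            exclusions[-1][1] = addr
        else:
            exclusions.append([addr, addr])
    to_ip = lambda a: str(ipaddress.IPv4Address(a))
    reservations = [(to_ip(a), *taken[a]) for a in sorted(taken)]
    return reservations, [(to_ip(s), to_ip(e)) for s, e in exclusions]

if __name__ == "__main__":
    for row in plan_scope("192.168.10.10", "192.168.10.20", ALLOWED):
        print(row)
```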
 
LVL 2

Author Comment

by:detox1978
ID: 13933960
Thanks for the info, but I'm not sure I understand.

I have found reservations on my DHCP server. But I thought reservations were used to remove IPs from a scope, if I associate all my IPs against MAC addresses (i.e. one IP per MAC), is this not defeating the object of DHCP (Dynamic)?


Phil
0
 
LVL 85

Expert Comment

by:oBdA
ID: 13934108
Not really; with reservations, you can make sure that a certain machine gets a certain address. That way, you'll have the advantage of "sort of" static addresses, and still the advantage that you can easily deploy changes through DHCP. Best of both worlds, so to speak.
0
 
LVL 2

Author Comment

by:detox1978
ID: 13934118
I see what you mean.... it would work, and retain a lot of the benefit.

Are there any other ways?

0
 
LVL 85

Expert Comment

by:oBdA
ID: 13934173
Not that I knew of.
0
 
LVL 2

Author Comment

by:detox1978
ID: 13934190
doh...

OK, will leave post open for another week, in case anyone else knows of a way....

0
 
LVL 14

Assisted Solution

by:alimu
alimu earned 300 total points
ID: 13934252
What's your aim? Stopping people plugging into your network and getting an address?
The second last paragraph here in the "Threats and Countermeasures" section looks at using MAC addresses to combat the issue: http://www.windowsecurity.com/articles/DHCP-Security-Part1.html  What many people don't know is that it's quite simple to change your MAC address (we used to do it for every computer that came into our organisation - don't ask, it was an administrative nightmare); it's also not that difficult for an attacker to change theirs.
0
 
LVL 2

Author Comment

by:detox1978
ID: 13934339
Hi alimu,

Thanks for the link.  - it confirms the reservations option oBdA suggested.

Our aim is to stop unauthorised hardware being plugged into the network (i.e. non company hardware - sales reps, auditors etc...).  

We aren't too concerned with a hacker who will harvest MAC addresses sent via DHCP broadcasts.  The way I see it, if they will go to that length, they will compromise the system anyway.

Phil
0
 
LVL 14

Expert Comment

by:alimu
ID: 13983573
Looks like no more takers, detox1978..
If you're into a bit more security, look at the physical side too - turn off network ports that aren't in use.
cheers!
alimu
0
 
LVL 14

Expert Comment

by:alimu
ID: 13983585
Sorry about the multiple posts... I just thought of something else (not good news unfortunately)... If you have multiple DHCP scopes, you'll have to set up the DHCP reservations in every scope. You've also got a problem because anyone coming into your network with a static IP address that is within your subnet range is going to be allowed through anyway... DHCP isn't even a factor there.
A possible workaround, but with quite a bit of overhead involved, is having an allowed MAC list on your switches, i.e. this MAC address is the only one allowed to talk through this particular switch port.  I think you can only do this on a per-port basis and you've got management overhead every time someone wants to move desks.
0
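The static-address gap described in the comment above can be checked for from the defender's side. Added example, not from the thread: Python that compares a neighbour table against the reservation list and flags MACs that are not on the allow-list, or that answer from an address other than their reservation. The function name, the addresses and the sample text (constructed in the style of `arp -a` output) are assumptions.

```python
import re

# One IPv4 address followed by a MAC written with '-' or ':' separators.
ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})")

# Constructed reservation list: reserved IP -> allowed MAC.
RESERVATIONS = {
    "192.168.10.10": "001122334455",
    "192.168.10.11": "00:11:22:33:44:77",
    "192.168.10.15": "00-11-22-33-44-66",
}

# Constructed sample neighbour table.
SAMPLE = """\
Interface: 192.168.10.5 --- 0x2
  Internet Address      Physical Address      Type
  192.168.10.10         00-11-22-33-44-55     dynamic
  192.168.10.15         00-11-22-33-44-66     dynamic
  192.168.10.77         00-aa-bb-cc-dd-01     dynamic
  192.168.10.200        00-11-22-33-44-77     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"""

def _hex(mac):
    """Strip separators so MACs in different notations compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def audit_neighbours(table_text, reservations):
    """Return (ip, mac, reason) for every entry that breaks the allow-list."""
    expected = {_hex(mac): ip for ip, mac in reservations.items()}
    findings = []
    for line in table_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # header or interface line
        ip, mac = m.group(1), _hex(m.group(2))
        if mac == "ffffffffffff" or mac.startswith("01005e"):
            continue  # broadcast / IPv4 multicast entries are not hosts
        if mac not in expected:
            findings.append((ip, mac, "unknown MAC: not on the allow-list"))
        elif expected[mac] != ip:
            findings.append(
                (ip, mac, f"allowed MAC off its reservation {expected[mac]}"))
    return findings

if __name__ == "__main__":
    for finding in audit_neighbours(SAMPLE, RESERVATIONS):
        print(finding)
```

A neighbour table only lists hosts the observing machine has exchanged traffic with, so the check is more complete when run against tables collected from a router or switch that sees the whole subnet.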
 
LVL 2

Author Comment

by:detox1978
ID: 14067206
Many thanks for your time and suggestions...

I will have to look into third party apps.... as reserving all DHCP IPs isn't an option.


0
