• Status: Solved
  • Priority: Medium
  • Security: Public

How to purposefully assign "bad DHCP addresses" to rogue clients

I have a remote site on which a number of unauthorised machines are being used. These users have been asked not to connect their PCs, but a few continue to do so.

Is there a way of reserving "unrouteable" addresses to these machines through Windows 2003 DHCP server? I have set up a new dummy scope and set the reservations for the "bad machines" to addresses from this scope, but they are still getting addresses from the main "good" scope.

Am I going about this the wrong way, or is there an accepted method of achieving my objectives?

Steve
Asked by SteveZX
1 Solution
zelron22 commented:
How many valid machines do you have?  You could assign reservations for the good machines and then limit the scope so that there are no other available addresses.

zelron22 commented:
Of course, it won't stop someone from statically assigning an IP.  Cisco's URT (and I'm sure other products) can authenticate users before letting them on the network (or something like that).
zelron22 commented:
Another thing you can do (which won't prevent them from unplugging their machine and plugging theirs in) is to disable all ports on your switch that are not in use.  Assuming that you have a managed switch and you have mapped the ports.
SteveZX (author) commented:
Thanks for the prompt replies!

Total number of "good machines" is over 100 so don't want to reserve for these!

The current "bad" scope has exactly the number of addresses to match the number of rogue machines (they are all reserved, therefore). There are 12 rogue machines in total.

I am trying to implement a remote solution. Physical access to the switch ports etc. will require a special site visit (which I'm trying to avoid if possible!)

LOL - I thought this would be a quick and dirty solution until I could get to site next!  Any more suggestions gratefully received!

Cheers

Steve
zelron22 commented:
Well, you could require IPSEC and apply it to the workstations via group policy.  Then the rogue machines at least wouldn't be able to see anything although they would be able to access printers and the internet.

Another thing you can do is that as you identify rogue machines, create reservations for them.  Then, although they will get an IP in the scope, you can set the properties of the reservation and specify a bad gateway, bad DNS servers, etc. so that they won't be able to do much else, certainly not get to the internet or across the WAN.
SteveZX (author) commented:
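
The reservation-plus-bad-options approach suggested above, as an added example that is not part of the thread: a PowerShell wrapper around netsh's dhcp context (the tool available for a Windows 2003 DHCP server) that reserves an address in the existing scope for each known rogue MAC and overrides the router (option 3) and DNS (option 6) values on that reservation. The server name, scope, MACs and the unreachable 192.0.2.x addresses are all assumed placeholders.

```powershell
# Added example, not code from the thread. Assumes the DHCP admin tools are installed so
# that netsh has a "dhcp" context, and that the values below are replaced with real ones.
$DhcpServer  = '\\DHCP01'     # assumed DHCP server name
$Scope       = '10.0.1.0'     # assumed network address of the main ("good") scope
$BogusRouter = '192.0.2.1'    # unreachable gateway (RFC 5737 documentation range)
$BogusDns    = '192.0.2.2'    # unreachable DNS server

# Constructed list: reservation address inside the good scope -> rogue client's MAC
# (netsh expects the MAC without separators)
$Rogues = @{
    '10.0.1.201' = '001122334455'
    '10.0.1.202' = '00112233AABB'
}

foreach ($ip in $Rogues.Keys) {
    $mac = $Rogues[$ip]

    # Reserve the address for this MAC so the client always receives this lease
    netsh dhcp server $DhcpServer scope $Scope add reservedip $ip $mac "rogue-$mac" "unauthorised client"

    # Reservation-level options override the scope and server options for this client only:
    # option 003 = router (default gateway), option 006 = DNS servers
    netsh dhcp server $DhcpServer scope $Scope set reservedoptionvalue $ip 003 IPADDRESS $BogusRouter
    netsh dhcp server $DhcpServer scope $Scope set reservedoptionvalue $ip 006 IPADDRESS $BogusDns
}

# Verify what each quarantined client will be handed
foreach ($ip in $Rogues.Keys) {
    netsh dhcp server $DhcpServer scope $Scope show reservedoptionvalue $ip
}
```

The reservations go in the existing scope rather than a separate dummy one because the server chooses a scope by the subnet the request arrives from (the interface or relay agent address), so a reservation in a scope for a different subnet is never matched. As the thread notes, this only constrains clients that use DHCP; a statically configured host is unaffected.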
IPSEC was a possibility, but we have a number of laptops moving between sites so this may cause problems. Also, the site server needs to be accessed from other remote sites.

I didn't realise that you could Configure Options against reservations - this will probably be the easiest solution to implement.  I'll get one of my guys to try this tomorrow and report back.

Many thanks

Steve
WillMcDoanld commented:
Use MAC addresses for machines you know should be on your network, and make two address pools, one for known machines and one for unknown; then just make the "unknown" pool something random with bogus info for the gateway.
SteveZX (author) commented:
Assigning options to the reservations worked well - many thanks!
Question has a verified solution.