What are my DHCP options?

somewhereinafrica
Can I make it so that only my domain users get a DHCP address lease, and everyone else gets denied?

win server 2008 std, win 7, win xp, AD

In a word - no.

What you are looking at is a form of network access control.

There are freeware products out there that will do it for you but I've not used any of them.

Commented:
DHCP happens independent of Windows.  If you are concerned about someone setting up on your network, look into 802.1x if your switches support it.
This will lock out PCs where the user is not authenticated with AD.

Author

Commented:
So basically I have 2 options:

1 - static IP and turn off DHCP
2 - Have DHCP and have a free for all to anyone who connects to the network - as far as internet access goes

Commented:
DHCP kicks in before you can establish whether the PC is part of your domain, so you would have to filter based on MAC address, and have a list of allowed MAC addresses.

Author

Commented:
@mattvmotas

I have 2 Cisco switches (SLM 2048), they should support it. What is the impact of enabling this feature?

http://www.packetfence.org/en/home.html - not used it but it may be of use to you.  But you will need a capable network switch(es).

Author

Commented:
OK, that seems a bit too much for my small problem. Is there any way that I can disable access to anything except the internet connection (which is through a stand alone router box) for non-authorized users?

Nope - DHCP is a broadcast system.

If you know which ports on your switches are authorised, you could look at putting all the other network ports onto a different VLAN that only has internet access.

Stick to the comment made by 1peterx.

When you limit the access via MAC address, you must have the MACs added to the "Allowed" list before they can connect.  Of course if someone knows the network info, they could set static settings...

You may want to look into a proxy.
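
An added example, not part of the thread or any poster's code: if you keep the allowed-MAC list suggested in the comments above, the DHCP server's audit log can be checked against it to spot leases handed to unlisted devices. The log lines and allow list are constructed, the column layout (ID, date, time, description, IP, host name, MAC) is assumed from the Windows DHCP audit log format, and `normalize_mac` and `unknown_leases` are hypothetical helper names.

```python
import csv
import io

# Constructed sample lines in the assumed audit-log layout; not real data.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,11/20/12,09:01:12,Assign,192.168.1.50,PC-ACCOUNTS.example.local,001A2B3C4D5E
11,11/20/12,09:05:40,Renew,192.168.1.51,PC-FRONTDESK.example.local,00-1A-2B-3C-4D-5F
10,11/20/12,10:17:03,Assign,192.168.1.77,visitor-laptop,AABBCCDDEEFF
24,11/20/12,10:30:00,Database Cleanup Begin,,,
10,11/20/12,11:02:19,Assign,192.168.1.78,,aabbccddee01
"""

# Constructed allow list; entries may use any common separator or case.
ALLOWED_MACS = {"00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f"}
LEASE_EVENT_IDS = {"10", "11"}  # 10 = new lease, 11 = lease renewed


def normalize_mac(mac):
    """Return 12 uppercase hex digits, or None if the value is not a MAC."""
    digits = "".join(c for c in mac if c not in ":-. ").upper()
    if len(digits) == 12 and all(c in "0123456789ABCDEF" for c in digits):
        return digits
    return None


def unknown_leases(log_text, allowed):
    """List lease events whose MAC address is not on the allow list."""
    allowed_norm = {normalize_mac(m) for m in allowed} - {None}
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        # Skip the header, short lines and events that are not leases.
        if len(row) < 7 or row[0].strip() not in LEASE_EVENT_IDS:
            continue
        raw = row[6].strip()
        mac = normalize_mac(raw) or raw  # keep unparsable values visible
        if mac in allowed_norm:
            continue
        findings.append({"date": row[1], "time": row[2], "ip": row[4],
                         "host": row[5], "mac": mac})
    return findings


if __name__ == "__main__":
    for f in unknown_leases(SAMPLE_LOG, ALLOWED_MACS):
        print(f["date"], f["time"], f["ip"], f["host"] or "(no name)", f["mac"])
```

A machine configured with static settings never requests a lease, so it will not appear in this log at all.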

Commented:
I agree with jakethecatuk for this one.  Set up a second VLAN on a couple of ports for visitors and do not let them plug into the rest.
I have never actually set up the 802.1x, but I do not believe the impact is very noticeable.

Author

Commented:
@DK_Guru
Proxy.... such as?
