Protecting network from DHCP Server releases address to unwanted computers

Posted on 2012-08-29
Last Modified: 2012-09-02
I would like to prevent unwanted computers from getting an IP address from my DHCP server if they are connected to my switch or to any cable in my network.

I would like to allow only computers from my company to get an IP address from my DHCP server, because today if someone connects to a network cable on my network they will automatically be connected to my network.

In my research on the internet I found that maybe RADIUS could help me prevent this kind of behavior on my network.

Another thing that I want to prevent is a computer with a cloned MAC address connecting to my network.

Is there a way to achieve this that is not too expensive?


Question by: jrthurler
    LVL 6

    Expert Comment

    There are several methods you could employ. It would be helpful to know what the environment is...what OS/version is DHCP running on, is there a domain, etc.
    LVL 10

    Expert Comment

    There is an add-on for Microsoft DHCP that either allows or denies based on MAC address. I forget what it's called.
    LVL 25

    Accepted Solution

    Are you running managed switches? If so, then you can use port security. This will NOT prevent a cloned MAC address from connecting; however, it would make it very difficult.

    Another option is to use DHCP reservations with a tight range. This would face the same issue with a cloned MAC address but would be easier to connect.

    Following on the managed switch theme, you should disable all ports that are not in use, preventing a machine from connecting simply by plugging into an empty port.
    LVL 4

    Assisted Solution

    You could use MAC authentication in switches (if supported). It uses a RADIUS server to allow only "your" MAC addresses to connect.

    You can make reservations for all IP addresses in a range. Some would be valid for your users and others set to non-existing MAC addresses. There would be no IP addresses left to lease.

    Both solutions rely on MAC addresses. A changed MAC address could be allowed access.

    You could use Web authentication in switches (if supported). When a user connects to the switch and opens a Web browser, the switch automatically presents a login page. The user then enters a username and password, which the switch forwards to a RADIUS server for authentication. Users will hate you for that ;-)
    LVL 4

    Expert Comment

    Of course any computer with a manually assigned IP address will access the network if you choose to use reservations.

    Author Comment

    Is the only way I have to allow only authorized computers on my network to use SmartCard authentication?
    LVL 25

    Expert Comment

    Using Port Security on a managed switch:

    1. You limit the number of devices that can connect to a port
    2. The first device to connect to that port will register its MAC
    3. Any other device (over the number allowed) that attempts to connect without the same MAC will shut the port down
    4. Ports not actively being used should be shut down

    If a rogue device connects to an empty port and it is shut down, it doesn't work.
    If a rogue device connects to a port by unplugging one device and plugging into that same port, and it doesn't have the same MAC address, it will shut down that port.

    The only way a rogue device will connect would be to get the MAC address from another device that is active on the network. Since they wouldn't have network access yet, it would require physical access. Then change the MAC on the rogue device, unplug the active device and plug into the same port.

    Port security is extremely effective, except it does raise the work level of IT when a computer is moved.
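As an added illustration of the four steps above (not from the original thread or any of its posters), here is a constructed switch configuration. The question does not name a switch vendor, so Cisco IOS syntax, a 48-port access switch with ports 1-24 in use, and the 300-second recovery timer are all assumptions.

```cisco
! Constructed example: assumes Cisco IOS syntax and a 48-port access switch.
! Interface names and the 300-second recovery timer are assumptions.
!
! Steps 1-3: one device per user-facing port, learned from the first frame
! ("sticky" writes the learned MAC into the running config so it survives a
! reboot), and a violation (a different MAC on the port) shuts the port down.
interface range GigabitEthernet1/0/1 - 24
 description User access ports
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Step 4: ports not in use are administratively down, so plugging into an
! empty jack gets no link at all, let alone a DHCP lease.
interface range GigabitEthernet1/0/25 - 48
 description Unused - administratively shut
 shutdown
!
! Operational trade-off from the post above (moves raise IT workload):
! a violated port otherwise stays err-disabled until an admin clears it,
! so optionally let it recover on its own after 5 minutes.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

To verify, `show port-security interface GigabitEthernet1/0/1` reports the learned sticky MAC and the violation count, and `show interfaces status err-disabled` lists any port that a rogue device has tripped.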
