fuzzyfreak

How do I stop DHCP giving out IP addresses to anything plugged into the network?

As a technology company which I am fairly new to, we seem to have a free-for-all attitude to plugging things into the network. I don't mind the hubs so much, but three things I need to get on top of are virtual machines, mobile phones and self-purchased laptops. The latter is probably the one I need to resolve quickly. My problem is that anything plugged into our network will get an IP address and get access to certain resources - they have not been configured by me with anti-virus and computer accounts in AD, so my server screams at me with security failures, which makes monitoring a nightmare. I think what I need to do is stop IP addresses being given to the devices above, but I am not sure how to do this.
Please advise.

Thanks
Mark Galvin

Hi

How big is the network? What is currently giving out DHCP addresses?

Thanks
Mark/
Simple answer would be to disable DHCP and use static IP addresses; that way no new device will get an IP address.
Or Cisco ISE
fuzzyfreak

ASKER

Network is small, we have about forty users but approximately 200 IP addresses for various devices (desktops, laptops, wireless devices, hubs, switches, VMs, Servers)
It is Windows domain DHCP giving them out.
No way am I going to give out static IP addresses!
I would prefer to simply reconfigure what we already have.
ASKER CERTIFIED SOLUTION
Kash
This solution is only available to members.
How do I use MAC address filtering?  Where is this option?
Any idea how much Kerio is?
http://www.kerio.com/products/kerio-control

I will get you info on MAF later on.
MAC Address Filtering - http://technet.microsoft.com/en-us/magazine/ff521761.aspx

Don't use static. It will cause chaos, including IP conflicts. It will also allow a user that has the know-how to set their IP statically, and then they have access.

You could also look at your network switches. If you set the access there (sorry - not a network engineer so can't advise) then only the devices you have given access to will be able to access the network.
When you find an unauthorized device on your network, create a DHCP reservation with the device's MAC address.  Under 'Configure Options', enter bogus DNS and router info.  They'll still be on your network, but they won't have name resolution or Internet access.

This is a band-aid at best. Even if you resolve the DHCP issue, you still have to contend with the users who put a static IP on their device. Ultimately, you'll need senior management to back you, and institute a corporate policy prohibiting users from connecting personal devices to the corporate network. Then give the corporate policy teeth. You'll only have to make an example out of one person before people take the policy seriously.
follow this article >>> http://social.technet.microsoft.com/Forums/en-US/6a4479cd-5567-4a48-b936-251149ae034f/mac-address-filtering-with-windows-server-2008-r2?forum=winserverNAP


The reason being you listed Windows 2008 as the server, so I presume it is doing the DHCP.
Let me know if otherwise and let us know the name of the router and I will dig the detailed instructions for that.
A simple solution:
Use a DHCP server and allow only reservations, no dynamic IP assignment.
Each new device would need to have its MAC address registered in the reservation pool before it can get an IP address from DHCP.
No need to purchase anything new, simple management...
Thank you all for your suggestions, I think simple MAC address filtering is the way to go here for my known devices. But what I need to do is set up a scope that allows those plug and play devices to continue to get out to the Internet (not to the network).  Any ideas here?  Do I set up a new scope?
You need a "guest network". If on WiFi, that's easier, provided that your WiFi router/Access point has the "guest network" feature...
I already have a guest network on wi-fi.  No, this is for physical Ethernet connections.
I think MAC address filtering is the answer here.  I will raise a new question regarding a "guest" DHCP scope.
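
The MAC address filtering discussed in this thread, as an added example that is not part of any post: it seeds the Windows DHCP allow list from the leases of devices you have already vetted, reports everything else, and only then stages allow-list enforcement. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later) is available; the server name `dhcp01`, the scope ID, and the `approved-hosts.txt` file are hypothetical.

```powershell
# Added example: seed the DHCP allow list from vetted devices, then enforce it.
# Assumptions (hypothetical names): server 'dhcp01', scope 10.0.0.0, and
# approved-hosts.txt listing one vetted hostname per line.
Import-Module DhcpServer

$Server   = 'dhcp01'
$ScopeId  = '10.0.0.0'
$Approved = Get-Content -Path '.\approved-hosts.txt' |
            ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ }

# MACs already on the allow list, so a rerun does not fail on duplicates.
$existing = Get-DhcpServerv4Filter -ComputerName $Server -List Allow |
            ForEach-Object { $_.MacAddress.ToLower() }

$unknown = @()
foreach ($lease in Get-DhcpServerv4Lease -ComputerName $Server -ScopeId $ScopeId) {
    $mac   = $lease.ClientId.ToLower()          # e.g. 00-1a-2b-3c-4d-5e
    $name  = "$($lease.HostName)".ToLower()     # may be empty for some devices
    $short = $name.Split('.')[0]                # hostname without domain suffix

    if ($Approved -contains $name -or $Approved -contains $short) {
        if ($existing -notcontains $mac) {
            Add-DhcpServerv4Filter -ComputerName $Server -List Allow `
                -MacAddress $mac -Description "Vetted: $short"
        }
    } else {
        $unknown += $lease                      # review these before enforcing
    }
}

# Devices that will stop getting leases once the allow list is enforced.
$unknown | Select-Object IPAddress, ClientId, HostName | Format-Table -AutoSize

# With -Allow $true, any MAC not on the allow list gets no lease, including
# servers, printers or switches you forgot to add. Never enforce an empty list.
$allowCount = @(Get-DhcpServerv4Filter -ComputerName $Server -List Allow).Count
if ($allowCount -gt 0) {
    # -WhatIf shows the change without applying it; remove it after review.
    Set-DhcpServerv4FilterList -ComputerName $Server -Allow $true -Deny $false -WhatIf
}

# As noted in the thread, this does not stop a device that is given a
# static IP address; the filter only controls who receives a DHCP lease.
```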