DHCP MAC Filter

 
 
JCunningham63
Guest
Posts: n/a

 
      05-09-2005, 07:14 PM
Is there a way with MS Server 2003 DHCP server to filter MAC addresses?
Either an "allow" these MAC addresses list to get an IP address, or restrict
certain MAC addresses from getting an IP from my DHCP server.

If not, is this a function that can be performed with ISA 2004?

Thanks,

Jeff
 
 
 
 
 
Neteng
Guest
Posts: n/a

 
      05-09-2005, 08:12 PM
Not with low administrative overhead. An easier way could be with a layer 2
ACL on your switch blocking the MACs that should not get an IP. If you're
trying to prevent your servers from getting an IP, put them outside your
scope. If that is not an option you can use a reservation inside DHCP. If
this is for some security measure, look at your switches.
 
JCunningham63
Guest
Posts: n/a

 
      05-09-2005, 08:36 PM
Unfortunately I can't do this within the switch/router. My department shares
a university building with several other departments (I'm the only one
running DHCP), and most cooperate with using fixed IP addresses. But I still
get users in the building that grab my IP addresses; I do have DHCP
reservations for most of my clients, but want to have a few unassigned IPs
for visitors etc. I'm not too concerned with administrative overhead if you
have a suggestion.

Thanks.
 
Neteng
Guest
Posts: n/a

 
      05-09-2005, 09:26 PM
So you have a list of MACs you want to block, correct? Create another DHCP
scope with dummy addresses that have a reservation for those MACs. Those
particular MACs will grab an address from your 'dummy scope' and that will
leave your good addresses for the visitors. Whenever you get someone
grabbing an address that shouldn't be, create a reservation in the dummy
scope and force release. They should jump over to the dummy scope when
renewing and free up the good address. HTH
Reply With Quote
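Neteng's dummy-scope suggestion above, as an added example that is not part of the original thread: a Python script that reads DHCP audit-log lines, finds leases held by MACs outside an allowed list, and builds the `netsh` reservation commands for the dummy scope. The log sample, its assumed column layout, the 10.99.0.0/24 dummy scope, the allowed list and all function names are assumptions made for illustration.

```python
import csv
import ipaddress
import re

# Constructed sample. Assumed audit-log columns:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,05/09/05,18:55:02,Assign,192.168.1.50,DEPT-PC1,00A0C9AAAA01
10,05/09/05,19:02:11,Assign,192.168.1.201,HALL-PC7,00-0c-29-bb-bb-02
11,05/09/05,19:30:40,Renew,192.168.1.201,HALL-PC7,000C29BBBB02
10,05/09/05,19:41:00,Assign,192.168.1.202,VISITOR-LT,0011D8CCCC03
30,05/09/05,19:45:00,DNS Update Request,192.168.1.50,DEPT-PC1,
"""

def normalize_mac(raw):
    """Return 12 upper-case hex digits, or None if raw is not a MAC."""
    mac = re.sub(r"[-:.]", "", raw.strip()).upper()
    return mac if re.fullmatch(r"[0-9A-F]{12}", mac) else None

def leases_outside(log_text, allowed_macs):
    """Map MAC -> (last leased IP, host) for Assign/Renew events not in allowed_macs."""
    allowed = {normalize_mac(m) for m in allowed_macs}
    found = {}
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 7 or row[0].strip() not in ("10", "11"):
            continue  # header, other event IDs, short lines
        mac = normalize_mac(row[6])
        if mac and mac not in allowed:
            found[mac] = (row[4].strip(), row[5].strip())
    return found

def dummy_scope_commands(offenders, dummy_net, first_host=10):
    """Build one netsh reservation per offending MAC in the dummy scope."""
    net = ipaddress.ip_network(dummy_net)
    cmds = []
    for i, (mac, (_ip, host)) in enumerate(sorted(offenders.items())):
        addr = net.network_address + first_host + i
        if addr not in net or addr == net.broadcast_address:
            raise ValueError("dummy scope is full")
        # Host names come from the client; strip anything that could break quoting.
        safe = re.sub(r"[^A-Za-z0-9-]", "_", host)[:32]
        cmds.append(f'netsh dhcp server scope {net.network_address} '
                    f'add reservedip {addr} {mac} "blocked-{safe}"')
    return cmds

if __name__ == "__main__":
    bad = leases_outside(SAMPLE_LOG, ["00-A0-C9-AA-AA-01", "0011D8CCCC03"])
    print(bad)  # leases to release by hand in the good scope
    print("\n".join(dummy_scope_commands(bad, "10.99.0.0/24")))
```

The reservation keys on the hardware address the client presents, so it only redirects machines that keep presenting the same MAC.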
 
Phillip Windell
Guest
Posts: n/a

 
      05-10-2005, 02:54 PM
"JCunningham63" <(E-Mail Removed)> wrote in message
news:CA997F43-FE55-467C-9716-(E-Mail Removed)...
> Is there a way with MS Server 2003 DHCP server to filter MAC addresses?
> Either an "allow" these MAC addresses list to get an IP address, or restrict
> certain MAC addresses from getting an IP from my DHCP server.

No.

> If not, is this a function that can be performed with ISA 2004?


No. That doesn't even come close to what it was designed for,...two
different planets.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Phillip Windell
Guest
Posts: n/a

 
      05-10-2005, 02:59 PM
DHCP is *never* the proper choice when there is a security concern,...it is
only to be used in a trusted and controlled physical environment. In a
security concerned environment all machines are statically assigned and a
DHCP server should not be allowed to exist. The second option is to break
the system up into subnets with LAN Routers and use DHCP only in certain
subnets where the physical environment is controlled. The Routers must *not*
be allowed to forward DHCP Queries and the DHCP Server must not be allowed to
contain Scopes for the other subnets.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
Neteng
Guest
Posts: n/a

 
      05-10-2005, 03:52 PM
uhhh, so what's your point here? He has his hands tied and can't use another
router or the switches. He is not mitigating a security vulnerability, he's
just trying to find a solution to an awkward problem.
 
Phillip Windell
Guest
Posts: n/a

 
      05-10-2005, 08:08 PM
"Neteng" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> uhhh, so what's your point here? He has his hands tied and can't use another

My point is that he is screwed unless he can segment the machines he is
involved with into their own segment (subnet) so that other machines outside
of his "area" don't grab addresses from his scope. If he can't do that, then
he shouldn't run DHCP at all and run static. He said most of his machines
were using reservations, so there isn't much point to running DHCP in the
first place in that case. When running static, when visitors come in they
would acquire a static address from him.

He can segment his area off from the others with a simple Linux box or NT4
Workstation box with two Nics to build a "poor man's" router. Then he can
run DHCP without anyone bothering him.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Phillip Windell
Guest
Posts: n/a

 
      05-10-2005, 08:46 PM

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> first place in that case. When running static, when visitors come in they
> would acquire a static address from him.

By "acquire" I mean they must ask him for an address to use or have him
configure their machine,..I didn't mean acquire from DHCP.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



 