Multiple DHCP scopes on one server
May 26, 2010 3:01 AM

Multiple DHCP scopes on one server for the purpose of assigning a reservation to one MAC.

I have a DHCP scope, 192.168.0.100-200, that assigns addresses to my client PCs. I have one user who consistently brings their home PC to work, and this is not allowed. I want to block this PC from the network. If I create a new scope, for example 192.168.5.100-200, and then give it bogus router and DNS info for the purpose of making his PC useless on our network, will this cause problems for all my legit PCs on 192.168.0.x?
posted by m3thod4 to Computers & Internet (8 answers total)
 
You seem to be looking for a technical solution to a human problem. These things tend not to work.

There's nothing that stops your user from figuring things out and manually assigning his IP address, or changing his mac address.

You realise they're actually donating computer time to your employer? Could you ask them why they bring their laptop, and find a way of letting them do the same thing on their work computer?
posted by stereo at 3:30 AM on May 26, 2010


Hmm, what DHCP software are you using?

With the ISC DHCP server (the typical DHCP server on many Linux distributions), you can put that MAC address into a class, and then deny all members of that class.

Here's the man page for that configuration file.
posted by chengjih at 3:30 AM on May 26, 2010
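The ISC dhcpd class-and-deny setup chengjih describes, written out as an added example (not from the thread or the ISC documentation) for the poster's 192.168.0.100-200 scope; the MAC address, gateway and DNS server values are placeholders:

```conf
# dhcpd.conf fragment (added example). Clients are grouped into a class by
# hardware address, and the pool refuses leases to members of that class,
# so the blocked PC gets no address at all instead of a bogus one.
class "blocked-hosts" {
    # 'hardware' is the hardware-type byte followed by the client's MAC,
    # which is why each subclass value below begins with 1 (Ethernet).
    match hardware;
}
# Placeholder MAC of the personal PC; add one subclass line per blocked host.
subclass "blocked-hosts" 1:00:11:22:33:44:55;

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;               # placeholder gateway
    option domain-name-servers 192.168.0.10;  # placeholder DNS server
    pool {
        range 192.168.0.100 192.168.0.200;
        deny members of "blocked-hosts";
    }
}
```

Requests from the denied MAC still appear in dhcpd's syslog output as "no free leases" entries, which is the alert chengjih mentions in the following answer.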


Oh, what stereo said. This is some sort of company policy violation, and it's probably best approached as such, especially if it's repeated and willful.

The technical way to handle it may not be the best way, and that user can bypass simple DHCP schemes if they're technically inclined. If you really want to stop them technically, you'd also have to lock down other aspects of the network rather than just DHCP, and that may not be possible given your setup, your equipment, etc.

I suppose one can combine the technical with a policy approach, by having your DHCP server alert you of an unauthorized machine on the network, which you can then smash with a 2x4, but that's probably overboard.
posted by chengjih at 3:36 AM on May 26, 2010


You know what I would do if I was the boss? Because I'm an ass? I'd DHCP that bad boy to a special subnet, and give that person a first class ticket to the Upside-down-ternet! Aw yeah. If you do this, please set up hidden cameras to capture the hilarity.

But yeah, as you can see in the link above, ISC will let you do pretty much exactly what you want. And if you don't want to go upside-down, you can set up a captive portal with a web page that explains why people aren't allowed to bring their own computers to work. That's probably the professional way to go about it. But that's no fun.
posted by Geckwoistmeinauto at 4:19 AM on May 26, 2010


You can't do this with just DHCP. There's nothing to stop this user from picking an arbitrary address in 192.168.0.0/24 and manually configuring his home computer to use that address. If your DHCP server then assigns that address to one of your other users' desktop computers, that other user will experience problems.

What I'd do in this situation is configure the DHCP server not to respond at all to the home computer, and then block traffic to/from that hardware address from traversing any routers. If it's a wireless network, you should also stop that hardware address from associating with any APs.
posted by one more dead town's last parade at 7:35 AM on May 26, 2010


Just add a lease with a bogus IP address, but yeah...seems BOFHish.
posted by rhizome at 9:15 AM on May 26, 2010


Response by poster: Ugh, this is great. I must have an out-of-date profile setting because I never saw these responses. Just going over them now. Sorry everybody!
posted by m3thod4 at 10:05 PM on August 8, 2010


Response by poster: What I was trying to do is prevent a user from connecting a non-company PC to our network. I read a few forum postings where people set up a second scope with bogus router and DNS information, and that is why I posed my question. However, I figured out I could set up a DHCP reservation in the current scope, and then uniquely set bogus info for that reservation.

We do have Cisco switches which would allow me to do some port security, but as we do office moves frequently this would be a hassle on my end.

Thanks everyone!
posted by m3thod4 at 10:08 PM on August 8, 2010

