DHCP MAC Filtering

Associate | Joined 18 Oct 2002 | Posts 1,978 | Location Swindon
My boss wants our DHCP server, currently Server 2003 R2, to be able to give different IPs and options depending on the MAC address of the client.

So Windows PCs are forced via the ISA server, and things like smartphones, with their lack of an ISA firewall client and proxy settings, go straight out via a different gateway.

Is this possible? I know using the DHCP callout I can block or allow by MAC address, but this applies to all addresses issued by the server, thus I cannot control to the level I need.

Any ideas??
 
How many DHCP servers and clients do you have? The initial idea that comes to mind is to set reservations for the clients on the DHCP server. If you allocate the IPs in different scopes, say workstations, laptops and PDAs, you can set the scope options with the different proxy settings etc.

It's inelegant and labour intensive, but if you have just a few clients it might work out okay. If you have dozens, hundreds or thousands of clients, then it's a terrible idea... but I thought I'd put it out there anyway.
 
Could be wrong, but I don't believe this is possible. We take a slightly different tack for similar reasons. Basically we lock down our network at the link layer with RADIUS authentication on the switches. Our DHCP server is set up so that it doesn't give out a default gateway, and our AD is set up so that everyone gets a proxy setup for browsing. This way no machines get out directly through the gateway, and all traffic goes through a proxy. For machines which we don't own (outside vendors/customers etc.) we have a secure Wi-Fi setup which is set up on a separate DMZ on the firewall and then goes onto the internet. Our staff also use this if they bring in a computer from home, or use a Wi-Fi enabled smartphone. This connection is still firewalled, but not proxied.
 
I currently only have one active DHCP server. I guess the other way is to have multiple DHCP servers, each allowing only their own set of MAC addresses; this would require 4 DHCP servers: one for desktops & guests, one for smartphones, and a second set for failover. And it's not very pretty either.

Damn you DHCP system. It does not help only having one subnet either.

Hmmm, I wonder if my Cisco switches & APs can help?
 
You could have multiple VLANs, which may be easier, and then do this by where they're plugged in. Your DHCP server would still be adequate for the multiple VLANs. Other than that it's going to be reservations, I guess.



M.
 
VLANs won't work for us, as we have wireless barcode scanners, along with the new smartphones.

Cisco APs can create multiple SSIDs with different tagged VLANs on each one; you can also integrate them into some other authentication server such as RADIUS or whatever else you fancy.

IMO VLANs would be the first thing I'd be looking at.

One for the wired devices such as desktops, printers etc.

One for your general Wi-Fi access for phones etc.

One for guest Wi-Fi.

One for barcode scanner Wi-Fi, or this could just be the same tagged VLAN as the desktops if that's how your system works.
 
But the VLANs & multiple SSIDs don't get me around the main problem, which is multiple different DHCP servers on a single subnetted network, or have I missed something here?
 
I don't see why you need more than one DHCP server; you can create multiple scopes on the existing one to suit your needs. If you have the MAC address of every device connecting to your LAN, you can set reservations in the corresponding scope and use the scope options to manage the settings for that group of devices. It's probably the least frustrating way of doing it, assuming you don't have a lot of clients.
 
But the VLANs & multiple SSIDs don't get me around the main problem, which is multiple different DHCP servers on a single subnetted network, or have I missed something here?

An IP helper is what you need (on Cisco gear anyway) to run DHCP across multiple VLANs.
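To show how the two suggestions above fit together on one DHCP server (reservations in per-group scopes with their own scope options, and relayed requests from other VLANs selecting a scope by the relay address an IP helper fills in), here is an added Python model of the server's decision; it is not code from the thread or from Windows DHCP, and the subnets, MACs and WPAD URL are constructed sample values.

```python
import ipaddress
import struct

# Constructed example scopes (assumed values, not the poster's network).
# Relayed DISCOVERs arrive with giaddr set by the IP helper, which picks the scope;
# "router" is DHCP option 3 and "wpad" is the option 252 proxy-autodiscovery URL.
SCOPES = {
    "10.0.0.0/24":  {"pool_next": "10.0.0.100",  "router": "10.0.0.1",
                     "wpad": "http://proxy.example/wpad.dat"},  # wired desktops, forced via ISA
    "10.0.20.0/24": {"pool_next": "10.0.20.100", "router": "10.0.20.254",
                     "wpad": None},                             # phone SSID VLAN, direct gateway
}
# Reservations: client MAC -> (scope, fixed address). The MAC is client-supplied and
# trivially spoofed, so this is address/option policy, not access control.
RESERVATIONS = {"00:11:22:33:44:55": ("10.0.20.0/24", "10.0.20.50")}
SERVER_SUBNET = "10.0.0.0/24"   # scope used when giaddr is 0.0.0.0 (client on the server's own LAN)

def parse_bootp(pkt: bytes):
    """Return (client MAC, giaddr) from a BOOTP/DHCP header: giaddr at offset 24, chaddr at 28."""
    if len(pkt) < 44:
        raise ValueError("short BOOTP header")
    hlen = pkt[2]
    giaddr = str(ipaddress.IPv4Address(pkt[24:28]))
    chaddr = pkt[28:28 + hlen]
    return ":".join(f"{b:02x}" for b in chaddr), giaddr

def select_scope(giaddr: str) -> str:
    """Scope selection by relay address, i.e. what the IP helper on each VLAN buys you."""
    if giaddr == "0.0.0.0":
        return SERVER_SUBNET
    for subnet in SCOPES:
        if ipaddress.IPv4Address(giaddr) in ipaddress.IPv4Network(subnet):
            return subnet
    raise LookupError(f"no scope for relay {giaddr}")

def build_offer(pkt: bytes) -> dict:
    """Reservation first (device pinned to its group's scope and options), else pool of the
    selected scope. Note an unknown MAC is not refused: it simply gets the default scope."""
    mac, giaddr = parse_bootp(pkt)
    if mac in RESERVATIONS:
        scope, yiaddr = RESERVATIONS[mac]
    else:
        scope = select_scope(giaddr)
        yiaddr = SCOPES[scope]["pool_next"]
    opts = SCOPES[scope]
    return {"mac": mac, "scope": scope, "yiaddr": yiaddr,
            "router": opts["router"], "wpad": opts["wpad"]}

def make_discover(mac: str, giaddr: str = "0.0.0.0") -> bytes:
    """Constructed minimal DISCOVER (op=1, htype=1, hlen=6) for testing the logic offline."""
    hw = bytes.fromhex(mac.replace(":", ""))
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, ipaddress.IPv4Address(giaddr).packed)
    return hdr + hw.ljust(16, b"\0") + b"\0" * 192 + b"\x63\x82\x53\x63"
```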
 
My boss wants our DHCP server, currently Server 2003 R2, to be able to give different IPs and options depending on the MAC address of the client.

So Windows PCs are forced via the ISA server, and things like smartphones, with their lack of an ISA firewall client and proxy settings, go straight out via a different gateway.

Is this possible? I know using the DHCP callout I can block or allow by MAC address, but this applies to all addresses issued by the server, thus I cannot control to the level I need.

Any ideas??

What about having two DHCP scopes, but bound to two different NICs? Smartphones, Wi-Fi etc. aren't going to connect over Ethernet, so you could easily physically segment the network into two halves.
 
What about having two DHCP scopes, but bound to two different NICs? Smartphones, Wi-Fi etc. aren't going to connect over Ethernet, so you could easily physically segment the network into two halves.

Not necessary - see above - an IP helper will allow it to function properly.
 
All of our Cisco switches are 3560s. But how can I separate smartphones and wireless barcode scanners, and thus laptops, from the access points they all connect to?
 