Deny DHCP Address

  • Deny DHCP Address

    Windows 2003 R2 SP2. From the DHCP server itself, can I deny a device from getting any IP address from the DHCP pool? If so, can the present lease be terminated without rebooting it, essentially disabling it? It is not a computer.

    Thank you. Thank you very much.

  • #2
    Re: Deny DHCP Address

    You cannot, to my knowledge, prevent a device from getting an IP via DHCP (EDIT: Unless you have fancy switches/routers giving out DHCP addresses). You can, however, make a new DHCP scope with only one available IP, create a reservation within that scope for the device's MAC address and then deny that scope's subnet all access to anything. If you want to prevent internet access but retain LAN access, you could give it a bad default gateway address.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



    • #3
      Re: Deny DHCP Address

      Server 2008 can do something like this according to specific policies you set.

      Look into NAP.

      http://www.microsoft.com/windowsserv.../nap-main.aspx



      • #4
        Re: Deny DHCP Address

        Originally posted by Nonapeptide
        You cannot, to my knowledge, prevent a device from getting an IP via DHCP (EDIT: Unless you have fancy switches/routers giving out DHCP addresses). You can, however, make a new DHCP scope with only one available IP, create a reservation within that scope for the device's MAC address and then deny that scope's subnet all access to anything. If you want to prevent internet access but retain LAN access, you could give it a bad default gateway address.
        That's great. I should've thought of that. That creates 2 more questions though. The goal here is to take the device off the network while keeping the current address, without having to go to the device. Will this knock the device off the network, essentially 'pulling the plug' on it, or does it need to be rebooted and then the server will deny the request?


        If that IP is in the middle of the present scope, would it go like this:


        The present scope is 172.25.1.1/24 - 172.25.1.254/24, the deny address is 172.25.1.200

        scope1 172.25.1.1 - 172.25.1.199

        scope2 172.25.1.201 - 172.25.1.254

        scope3 172.25.1.200 with reservation



        • #5
          Re: Deny DHCP Address

          Originally posted by vndic8
          Windows 2003 R2 SP2. From the DHCP server itself, can I deny a device from getting any IP address from the DHCP pool? If so, can the present lease be terminated without rebooting it, essentially disabling it? It is not a computer.

          Thank you. Thank you very much.

          This can be done. It's called server callout:

          http://blogs.technet.com/teamdhcp/ar...filtering.aspx

          bio..



          • #6
            Re: Deny DHCP Address

            vndic8, you'll have to delete the DHCP lease in the DHCP console and then wait until that device attempts to renew its DHCP address which depends on the lease duration that you have set. That's one reason I like the idea of shorter than average DHCP leases.
            Wesley David


            • #7
              Re: Deny DHCP Address

              @bio, this sounds like it is a great tool. I'm reading all the comments in the blog so I know as much as possible about it before I use it. Did you mean that it will disable the network connection for the device without going to the device?


              @Nonapeptide, the lease duration, that's part of the problem. They are set for infinite (that makes little sense, but I didn't set it up). What's involved in resetting the entire scope? Is my example about the scopes correct?

              Thanks guys!



              • #8
                Re: Deny DHCP Address

                Originally posted by vndic8
                @Nonapeptide, the lease duration, that's part of the problem. They are set for infinite (that makes little sense, but I didn't set it up). What's involved in resetting the entire scope? Is my example about the scopes correct?
                Your example about the scope is correct if you wanted to give that device an IP on a separate subnet. If you are okay leaving it on the same subnet and just giving it a false default gateway, you can keep it all one scope and then make a DHCP reservation within that scope and make a bad 003 Router entry.

                If you change the lease duration to something sensible then you'll still have to somehow get that device to get a new lease. Is it some kind of printer or camera? If it has a web interface, it will probably have some way of making it apply for a new lease such as switching it from DHCP to static and back again.
                Wesley David
                Comment
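The reservation with a bad 003 Router entry described in the post above, scripted with netsh on the DHCP server. This is an added example, not part of the original thread: the scope and reserved address are the ones quoted earlier in the thread, while the MAC address, the client name and the dead gateway address are placeholders.

```batch
@echo off
rem Added example: reserve the device's address and hand it a non-routing
rem default gateway (DHCP option 003) so it keeps LAN access but loses internet.

rem Scope and address as quoted in the thread.
set SCOPE=172.25.1.0
set DEVICE_IP=172.25.1.200

rem Placeholder: replace with the device's real MAC address, no separators.
set DEVICE_MAC=001122334455

rem Assumption: an address on the subnet that no host or router uses.
set DEAD_GW=172.25.1.250

rem 1. Remove the existing lease record for the address.
netsh dhcp server scope %SCOPE% delete lease %DEVICE_IP%

rem 2. Create the reservation bound to the device's MAC address.
netsh dhcp server scope %SCOPE% add reservedip %DEVICE_IP% %DEVICE_MAC% "restricted-device" "bad 003 Router" DHCP

rem 3. Override option 003 (Router) for this reservation only;
rem    every other client in the scope keeps the real gateway.
netsh dhcp server scope %SCOPE% set reservedoptionvalue %DEVICE_IP% 003 IPADDRESS %DEAD_GW%

rem 4. Confirm the reservation and its per-reservation option.
netsh dhcp server scope %SCOPE% show reservedip
netsh dhcp server scope %SCOPE% show reservedoptionvalue %DEVICE_IP%
```

The device only receives the new gateway the next time it requests a lease, so with the infinite lease duration mentioned in the thread it has to be rebooted or otherwise made to apply for a new lease.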


                • #9
                  Re: Deny DHCP Address

                  Originally posted by vndic8
                  Windows 2003 R2 SP2. From the DHCP server itself, can I deny a device from getting any IP address from the DHCP pool? If so, can the present lease be terminated without rebooting it, essentially disabling it? It is not a computer.

                  Thank you. Thank you very much.
                  What is your ultimate goal, because no matter what you do with it, DHCP has got its limitations and everything goes out of the window if the device has a static IP. Depending on what you are after, there might also be other options such as Port Security configuration on the switches, IEEE 802.1X authentication etc.
                  Caesar's cipher - 3

                  ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                  SFX JNRS FC U6 MNGR



                  • #10
                    Re: Deny DHCP Address

                    Am I missing something here? There is only one subnet. The bad default gateway won't work for me. Once I make the MAC address reservation, deleting the lease and rebooting it should be enough for it to work, no?



                    • #11
                      Re: Deny DHCP Address

                      Originally posted by vndic8
                      Am I missing something here? There is only one subnet
                      I know there's only one subnet on your network, but if you wanted to knock the thing completely off the LAN and not simply remove internet access, you'd need to make a scope just for that device and make that scope a separate subnet so it would get a completely invalid subnet. I was never clear on if you wanted to remove all network access or only internet access.

                      Originally posted by vndic8
                      The bad default gateway won't work for me.
                      Uh oh. Why not?

                      Originally posted by vndic8
                      Once I make the MAC address reservation, deleting the lease and rebooting it should be enough for it to work, no?
                      Yes.
                      Wesley David


                      • #12
                        Re: Deny DHCP Address

                        Originally posted by Nonapeptide
                        I was never clear on if you wanted to remove all network access or only internet access.
                        Internet access would suffice.



                        • #13
                          Re: Deny DHCP Address

                          Time to move from DHCP to some lower level tactics. Kill the IP or MAC at the switch/router level. Just blackhole all traffic from that device. Swift, silent, deadly.

                          Wesley David