DHCP server - static only

  • DHCP server - static only

    Hello,

    It IS about time I register Petri and join this great community

    Your assistance please:
    I would like to set up my DHCP server to work with reservations only - meaning a mac-address for an ip address only.
    Is there a way for the server to stop handing out addresses and only lease and listen to its reservations?

    Thanks!
    Last edited by iomega; 4th March 2014, 14:39. Reason: dhcp, sbs, static

  • #2
    Re: DHCP server - static only

    The only way to get DHCP to stop handing out addresses is to turn it off. You can try segmenting and isolating part of your network, but as far as I know, there's no way to stop DHCP from listening to requests.



    • #3
      Re: DHCP server - static only

      If all addresses were either excluded or reserved, this should work - basically exclude all IP addresses as separate exclusions, then unexclude each address as you add the reservation.

      PITA to manage, though.

      Why don't you want other devices to get IPs, and why could you not dispense with DHCP and use static IPs (which of course someone with local admin permissions could set up anyway)?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: DHCP server - static only

        It seems like too much work to reserve client IPs by MAC. If you have a very small environment like 10 PCs then it might be feasible. It can become very messy on a large scale.



        • #5
          Re: DHCP server - static only

          Thanks for your inputs.


          @Ossian: Static ip addresses are out of the question technically.

          @Humannetwork: 30 stations network


          ..I still need to decide on the best solution. No way to tell the server to ONLY give away 1.1.1.2 to PC-1 and 1.1.1.3 - to PC-2?



          • #6
            Re: DHCP server - static only

            Yes there is - see my previous post

            Exclude all addresses except the 30 you need, then reservations for each of those.

            Still begs the question, why do you need to do this (what is business case/security reason)?
            Tom Jones


            • #7
              Re: DHCP server - static only

              I too am utterly at a loss for why you'd want to do this, given that the D in DHCP stands for dynamic.

              Anyway, the only way I can think of doing this other than Ossian's suggestion would be to use 802.1x authentication so that no unauthorised device could get an IP address. For a 30 client SBS network that's massive overkill though.
              BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
              Cruachan's Blog



              • #8
                Re: DHCP server - static only

                @Ossian no need to beg mate... it's either this solution or some sort of a NAC ...right?

                @cruachan: The preference is to keep stations free of a static ip configured on the NIC, thus the dynamic part of dhcp must be accomplished.



                • #9
                  Re: DHCP server - static only

                  you could also use the mac-filtering call out, and deny everything but specifically known mac addresses.
                  might be a bit easier.

                  although it's not foolproof. if your aim is security, it's not going to work, anyone with half a mind will just sniff traffic, then spoof.
                  and it wouldn't stop someone putting their own computer on the network and creating an ip conflict.


                  I think the reason Ossian "begged" is because depending on what you're trying to achieve and why, there may be some things that are better suited, or less suited.

                  For instance - if your actual desired aim is to have ONLY approved computers, that always get a known address via DHCP and nothing else on your network, then you wouldn't go this way, because it can be breached....
                  if I can get a computer on the network in promiscuous mode and sniff your traffic, I can find a mac address and its IP very quickly
                  then I can fake the mac address, run dhcp to get issued the address, or just assign a static address that matches what it would have been assigned..

                  or, just for shits and giggles.. I can fake the mac address of your DHCP server and bring it all crashing down.....
                  Last edited by tehcamel; 6th March 2014, 07:43.
                  Please do show your appreciation to those who assist you by leaving Rep Point



                  • #10
                    Re: DHCP server - static only

                    I still don't understand why no static IPs. I can think of a lot of reasons for having them, but other than cutting down on the management headache, can't think of many reasons for why they HAVE to be dynamic. Being able to document the workstations down to the IP doesn't sound like a bad thing.

                    I think whoever is making these requirements is messing with you.



                    • #11
                      Re: DHCP server - static only

                      Other option is to only allow 30 IPs and set a long lease e.g. 90 days. If PC number 31 connects then there are no free IPs for them to have unless you have a workstation that has been down for 3 months and the lease has expired.
                      1 1 was a racehorse.
                      2 2 was 1 2.
                      1 1 1 1 race 1 day,
                      2 2 1 1 2



                      • #12
                        Re: DHCP server - static only

                        Hey,
                        I think I'll go with mac-filtering call out.

                        @Bertmax: Some stations have specific fw rules set to their ip address, so a static ip must be assigned to them (or a long lease like biggles77 suggested).



                        • #13
                          Re: DHCP server - static only

                          I hate to differ with my learned friends in this forum, but I can see a valid reason for handling the network this way.
                          1) No desktops need to be touched, it is all handled from the server
                          2) The DHCP effectively documents your "quasi-static" IP addresses
                          3) In "normal" situations, only authorised endpoints connect to your network - assuming no-one applies a sniffer and spoofs MAC addresses.
                          4) If there is a wireless access point, all the i-/smartphones in the building and outside proximity don't get a free ride or jam up the network.

                          Just a thought :-!
                          TIA

                          Steven Teiger [SBS-MVP(2003-2009)]
                          http://www.wintra.co.il/
                          I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

                          We don't stop playing because we grow old, we grow old because we stop playing.



                          • #14
                            Re: DHCP server - static only

                            I would agree that having a DHCP-based quasi-static IP setup beats manually configuring each node, but:
                            Originally posted by teiger
                            3) In "normal" situations, only authorised endpoints connect to your network - assuming no-one applies a sniffer and spoofs MAC addresses.
                            All a person would need to do to bypass this "security" measure, is to manually configure an IP address on his/her system.

                            Filtering by IP addresses only ever works if you're filtering traffic on a network basis (allow/disallow entire networks), and you control the router and can prevent spoofing. It also kinda works for routable IP addresses, but the lack of egress filtering by most ISPs means IP addresses can be successfully blind-spoofed on many networks.

                            Comment
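
Added example (not posted by anyone in this thread): a Python sketch of the two ideas discussed above, computing the exclusion ranges that leave only reserved addresses leasable (posts #3 and #6), and auditing observed devices against the reservation list to surface the static-IP and cloned-MAC cases raised in posts #9 and #14. The function names, the `(switch_port, ip, mac)` observation format and all sample values are assumptions constructed for illustration.

```python
from ipaddress import IPv4Address as IP

# Constructed sample data (not from the thread): reservations as {mac: ip}
# and observations as (switch_port, ip, mac) from ARP / switch MAC tables.
RESERVATIONS = {"00:11:22:33:44:01": "192.168.1.10",
                "00:11:22:33:44:02": "192.168.1.11"}
OBSERVED = [
    ("Gi0/1", "192.168.1.10", "00:11:22:33:44:01"),  # matches its reservation
    ("Gi0/2", "192.168.1.11", "00:11:22:33:44:02"),  # matches its reservation
    ("Gi0/7", "192.168.1.50", "DE:AD:BE:EF:00:01"),  # static IP, no reservation
    ("Gi0/8", "192.168.1.11", "de:ad:be:ef:00:02"),  # unknown MAC on reserved IP
    ("Gi0/9", "192.168.1.10", "00:11:22:33:44:01"),  # reserved MAC on a 2nd port
]


def exclusion_ranges(start, end, reserved):
    """Ranges covering every scope address without a reservation, so the
    server has nothing left to lease dynamically."""
    lo, hi = int(IP(start)), int(IP(end))
    keep = sorted({int(IP(a)) for a in reserved if lo <= int(IP(a)) <= hi})
    ranges, cursor = [], lo
    for addr in keep + [hi + 1]:          # sentinel closes the final gap
        if addr > cursor:
            ranges.append((str(IP(cursor)), str(IP(addr - 1))))
        cursor = addr + 1
    return ranges


def audit(reservations, observed):
    """Return (kind, detail, mac) findings for observations that the
    reservation list does not explain."""
    known = {mac.lower(): ip for mac, ip in reservations.items()}
    reserved_ips = set(known.values())
    findings, ports = [], {}
    for port, ip, mac in observed:
        mac = mac.lower()
        ports.setdefault(mac, set()).add(port)
        if mac not in known:
            kind = "ip-conflict" if ip in reserved_ips else "unknown-mac"
            findings.append((kind, ip, mac))
        elif known[mac] != ip:
            findings.append(("wrong-ip", ip, mac))
    for mac, seen in ports.items():       # same MAC on several ports: clone?
        if mac in known and len(seen) > 1:
            findings.append(("mac-on-multiple-ports", ",".join(sorted(seen)), mac))
    return findings


if __name__ == "__main__":
    print(exclusion_ranges("192.168.1.1", "192.168.1.254", RESERVATIONS.values()))
    for finding in audit(RESERVATIONS, OBSERVED):
        print(finding)
```

A cloned MAC that replaces the original device on the same port with the same IP produces no finding here; catching that needs port-level controls such as the 802.1x option mentioned in post #7.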
