gmklabisch, Member, Apr 24, 2016 at 8:19 am #166314
I currently have one Scope with an IP range of 192.168.0.1-192.168.1.255 with a subnet mask of 255.255.254.0 as someone suggested to me for the private school I support as a volunteer. I would like to force all non-school supplied equipment (iPhones, iPads, etc.) to get their IP from the 192.168.1.1-192.168.1.255 range. I don’t have a strong network background, so I’m looking for help. I read about using a DHCP policy, but it was not as clear as I need. One way I read about was segregating by MAC address and I could identify MAC prefixes that we use, but again I’m not clear on how to implement if this is the correct approach. I use Reservations for all our printers, access points, server, etc. in the 126.96.36.199-192.168.0.255 range and this is the range I want all the school supplied equipment to obtain their IP address from. Since I’m a network neophyte, I need some very specific examples. I looked at super scopes, but am not sure if this is the right approach. Finally, I want to make sure if for whatever reason a school supplied laptop got an address in the 192.168.1.x range that they could still access the server and the printers in the 192.168.0.x range. Thanks in advance for any assistance you can provide!!
Apr 24, 2016 at 4:15 pm #385632
I was able to use DHCP policy segregating by MAC address prefixes to get most of what I wanted to accomplish. As I see other MAC addresses that correspond to phones, etc., I’ll add to my policy. I used 2 policies, one to force school equipment into subnet 0 and a separate policy to force all non school equipment into subnet 1. As I find more MAC addresses that are not school equipment, I will add those to the 2nd policy.
Apr 25, 2016 at 8:02 pm #245429
Can’t you use VLANs? This scenario is pretty much what they are designed to do, segregate traffic.
Apr 26, 2016 at 7:27 pm #245435
Apr 27, 2016 at 8:02 am #385634
I’m sorry, but I really have no Cisco knowledge and would feel uncomfortable playing with the ASA5505 appliance we have. Is there any way to accomplish my goals through DHCP policies? I’m working on setting up reservations for all the school equipment which will all be on subnet 0. If we do allow any other devices, I would want them on subnet 1 and would like to limit their bandwidth. This is the ultimate goal.
Apr 27, 2016 at 4:12 pm #245437
You are making a massive amount of work for yourself.
I have personally not done this using DHCP but you would probably need to create reservations for the required devices.
How are you handling routing between these networks? You may get away with creating 2 scopes and setting an IP helper address on the router.
Are the networks segregated in any way?
Apr 28, 2016 at 5:34 am #385635
Thank you wullieb1 for the time and effort in trying to guide and help me and I want you to know it is greatly appreciated. I’m a retired senior IT manager that had staff to do these things, so my knowledge is just peripheral. I’m now volunteering my support to help save money for our school & church. Through googling, I created a batch GPO user logon script that is recording the computer name & MAC address of all our equipment. I had already reserved IP addresses for our printers, server, routers, and access points. The only thing I will be missing are the MAC addresses of the grade 1-3 iPads that someone donated, which don’t log on, but only use the Internet. I plan to isolate these on a weekend to record their MAC addresses. I’m probably not using the correct terminology when I say subnet 0 and subnet 1, but what started this whole thing was that with all the extraneous devices we exceeded the IP pool and I changed the DHCP scope to 192.168.0.1 to 192.168.1.254 to give us the extra IPs with a mask of 255.255.254.0. This got us out of the limitation. However, we occasionally run into bandwidth issues during the day and I suspect it may be from streaming to one of these extraneous devices. So if I can isolate them and hopefully be able to control their bandwidth usage, this would be ideal. I really am not in a position to learn the whole Cisco router thing, so that is why I’m trying to stay within the DHCP policies & GPO world that I have some knowledge in. I realize you are trying to save me work, but with my limited expertise, I feel more comfortable in the areas I know something about. Also, as I mentioned, I am retired and have some extra time. Again thanks for your help.
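The DHCP policy approach the original poster describes earlier in the thread (two policies keyed on MAC address prefixes, each handing out a different slice of the single 192.168.0.0/23 scope), written out as an added PowerShell example. This is not from the thread and not from any of its posters. It assumes the Windows Server DhcpServer module (Add-DhcpServerv4Policy, Add-DhcpServerv4PolicyIPRange, Set-DhcpServerv4Policy, Get-DhcpServerv4Lease), a scope whose ID is 192.168.0.0 running from 192.168.0.1 to 192.168.1.254 (the end address from the later post; 192.168.1.255 is the broadcast address of a /23 and cannot be leased), and that Set-DhcpServerv4Policy replaces the condition list rather than appending to it. Every MAC address and prefix shown is a constructed placeholder to be swapped for the values the logon script records.

```powershell
# Added example, not from the thread: steer DHCP clients into one of two
# ranges of a single 192.168.0.0/23 scope by MAC address prefix, using the
# Windows Server DhcpServer module. Run on the DHCP server as an administrator.
Import-Module DhcpServer

# Scope ID (network address) of the 192.168.0.1-192.168.1.254 / 255.255.254.0 scope.
$ScopeId = '192.168.0.0'

# Constructed sample of what the logon script gathers: "computername,MAC" per line.
# Placeholder values only.
$Inventory = @'
LAB-PC-01,00-11-22-33-44-55
LAB-PC-02,00-11-22-AA-BB-CC
LIB-LAPTOP-3,AA-BB-CC-01-02-03
'@

# Reduce the inventory to unique 3-byte OUI prefixes in the wildcard form the
# policy condition accepts, e.g. "001122*". Separators (- or :) are stripped.
function Get-OuiPrefixes([string]$CsvText) {
    $CsvText -split "`r?`n" |
        ForEach-Object { ($_ -split ',')[1] } |
        Where-Object { $_ } |
        ForEach-Object { (($_.Trim() -replace '[-:]', '').Substring(0, 6)).ToUpper() + '*' } |
        Sort-Object -Unique
}

$SchoolPrefixes = Get-OuiPrefixes $Inventory   # -> '001122*', 'AABBCC*'
$OtherPrefixes  = @('DDEEFF*', '112233*')      # placeholders for phones/tablets seen in the lease list

# Policy 1: school equipment -> 192.168.0.1-192.168.0.254.
# -MacAddress is an array whose first element is the operator (EQ or NE);
# -Condition OR means any listed prefix matches.
Add-DhcpServerv4Policy -ScopeId $ScopeId -Name 'SchoolDevices' `
    -Description 'School-owned equipment by OUI' `
    -Condition OR -MacAddress (@('EQ') + $SchoolPrefixes)
Add-DhcpServerv4PolicyIPRange -ScopeId $ScopeId -Name 'SchoolDevices' `
    -StartRange 192.168.0.1 -EndRange 192.168.0.254

# Policy 2: known personal devices -> 192.168.1.1-192.168.1.254.
Add-DhcpServerv4Policy -ScopeId $ScopeId -Name 'PersonalDevices' `
    -Description 'Non-school devices by OUI' `
    -Condition OR -MacAddress (@('EQ') + $OtherPrefixes)
Add-DhcpServerv4PolicyIPRange -ScopeId $ScopeId -Name 'PersonalDevices' `
    -StartRange 192.168.1.1 -EndRange 192.168.1.254

# Later, when another non-school prefix turns up, re-apply the whole list
# (assumption: Set- replaces the condition values rather than appending).
$OtherPrefixes += '445566*'
Set-DhcpServerv4Policy -ScopeId $ScopeId -Name 'PersonalDevices' `
    -Condition OR -MacAddress (@('EQ') + $OtherPrefixes)

# Verify: which range each active lease landed in, and under which policy.
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Select-Object IPAddress, ClientId, HostName, PolicyName |
    Sort-Object { [version]$_.IPAddress.ToString() } |
    Format-Table -AutoSize
```

What this does and does not achieve: both ranges sit in the same 255.255.254.0 subnet, so a school laptop that lands in 192.168.1.x still reaches the server and printers in 192.168.0.x (the original poster's last concern), but for the same reason the two groups are not isolated from each other and no bandwidth limit follows from the address alone; that is the point the other posters make about VLANs. A client's MAC address is also self-reported in its DHCP request, so treat the policy as an addressing convenience and inventory aid, not as an access control.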
Blood, Moderator, Apr 28, 2016 at 8:26 am #337102
If you will only be allowing equipment that is directly under your control then once you have the MAC addresses of those devices you can, as you say, use reservations to ensure they always get an address from the 192.168.1.xxx range.
VLANs serve to isolate traffic completely so that you can have 192.168.0.xxx on VLAN1 and 192.168.1.xxx on VLAN2. You assign VLAN numbers to dedicated ports on the router. Anything plugged into those ports is then forced to stay on that subnet (or VLAN).
If the devices are switched on and connected to the network you can also get their MAC addresses using nbtstat -a computername – but you need to know the computer name.
Apr 28, 2016 at 9:08 am #385636
Thanks for responding Blood! If you can show me how to setup VLANs on a Cisco ASA5505 router, I’d have some interest. Since I know next to nothing about our Cisco ASA5505 router, I would need help in providing the configuration to you so you would have a base. I have an icon, an ID and a password for the router, but I’m afraid to do anything with it without guidance. I know we have VPN defined because I can log in from home. So if you are willing to help me, let me know. If not, I will understand.
Blood, Moderator, Apr 28, 2016 at 9:34 am #337104
I’ve never used VLANs but understand how they work in principle – I manage a small network for a charity and we use unmanaged switches. If you do not have many devices then using the MAC address to reserve a DHCP address will work fine. I would recommend that you document the MAC addresses of the devices in question so you don’t need to find them again.
Apr 29, 2016 at 4:32 am #245438
How to configure on an ASA 5500.
I still think you need to have a think about what you’re trying to achieve. If you are trying to segregate the traffic between your students and teachers then VLANs are the way to go IMO. Once you get the traffic segregated you can then start to look at limiting the bandwidth available to each device. It would also appear that you are using Wireless connections as well. How are these connecting? What equipment are you using to manage these?
Sorry I’m not up to speed on Cisco equipment but the principles are the same across devices.