Hej hej,
Others may not agree with my opinion however here is what I do...
On Aug 11, 2010, at 11:48 AM, David wrote:
> Here is what I have to work with:
> - the MACs of the company workstations/laptops/Voip phones
> - Switches are 3Com Baseline 2924-pwr Plus
> (http://support.3com.com/infodeli/tools/switches/baseline/3Com_Baseline-Switch-2924-PWR-Plus_User-Guide.pdf)
> - IPs are assigned via dhcp (ISC dhcpd). Some equipment gets fixed IPs,
> but workstations and voip phones are plain dhcp.
I don't know about ISC, but using dhcp3 you can serve unknown MACs the "elvis
network".
DHCP3 idea ( there are a lot of options not mentioned, geeks can get around
this )
First, you need to know every MAC ( you can then assign them fixed IPs, if
you use the firewall to help* )
Second, place "deny unknown-clients;" in the "known host" subnet
Third, make an "elvis network" and give it a false route and IP range
*Finally, if you have given all of the devices static addresses, make a
firewall rule only allowing the list of known IPs ( keep the IPs close, it'll be
easier )
IIRC it should look something like this,
# both subnets are on the same wire, so they have to share one
# shared-network block or dhcpd only answers from the subnet that
# matches its interface address
shared-network lan {
    # known hosts
    # here we give valid IPs
    subnet 10.10.1.0 netmask 255.255.255.0 {
        deny unknown-clients;
        host voip { hardware ethernet 00:11:11:11:11:10; fixed-address 10.10.1.20; }
        host printer { hardware ethernet 00:11:11:11:11:11; fixed-address 10.10.1.21; }
        ...
    }
    # elvis ( have the switches ignore the IP )
    # here we furnish IPs that the switches will ignore or quarantine
    # the subnet number must be the network address (127.0.0.0, not
    # 127.0.0.1) and a range is needed or nothing gets handed out
    subnet 127.0.0.0 netmask 255.255.255.0 {
        option broadcast-address 127.0.0.255;
        option routers 127.0.0.1;
        range 127.0.0.100 127.0.0.200;
        allow unknown-clients;
    }
}
Helde
Hro
> I stopped assigning static ips to the workstations and voip phones
> because it was becoming a pain to manage at 100+. However, I'm starting
> to wonder if I should assign all known mac addressed to a fixed range,
> and assign a second range by dhcp. Then when an unknown client "plugs
> in", they will get an IP in the dhcp range, which I should be able to
> block at the switch.
Here I suggest LDAP.
DHCP and LDAP still don't work out of the box that cleanly, however
it will make your life easier in the long run :)
I use it for autofs, dhcp, email user web ssh auth, etc...
Cheers!
dale
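The steps above (know every MAC, give each a fixed address in the known subnet, and allow only those addresses through the firewall) are easy to get wrong by hand once the inventory passes a hundred devices. The script below is an added example, not part of the mail or of ISC dhcpd: it takes an inventory of (hostname, MAC, IP) tuples the admin maintains (the sample list here is constructed, reusing the two devices from the config above), normalizes MACs, rejects duplicates and addresses outside the known subnet, and emits the `host` stanzas for the "known hosts" subnet together with a matching iptables allow-list. The iptables chain name and the assumption that the gateway runs iptables are mine.

```python
"""Generate the "known hosts" dhcpd subnet block and a matching firewall
allow-list from a device inventory.

Added example (not from the original mail): assumes an inventory of
(hostname, MAC, IP) tuples and a gateway that runs iptables.
"""
import ipaddress
import re

# The known-hosts subnet from the mail's dhcpd config.
KNOWN_SUBNET = ipaddress.ip_network("10.10.1.0/24")

# Constructed sample inventory: the two devices from the mail plus one
# workstation written in Cisco dotted MAC form to exercise normalization.
INVENTORY = [
    ("voip", "00:11:11:11:11:10", "10.10.1.20"),
    ("printer", "00-11-11-11-11-11", "10.10.1.21"),
    ("ws01", "0011.1111.1112", "10.10.1.22"),
]

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept 00:11:..., 00-11-... or 0011.1111.1112 and return the
    colon-separated lower-case form dhcpd expects; raise on anything else."""
    hexdigits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def validate_inventory(inventory, subnet=KNOWN_SUBNET):
    """Return (name, mac, ip) triples with normalized MACs, rejecting
    duplicate MACs, duplicate IPs and addresses outside the known subnet.
    A duplicate MAC would make dhcpd refuse the config; a duplicate IP
    would hand two devices the same fixed-address."""
    seen_macs, seen_ips, clean = set(), set(), []
    for name, mac, ip in inventory:
        mac = normalize_mac(mac)
        addr = ipaddress.ip_address(ip)
        if addr not in subnet:
            raise ValueError(f"{name}: {ip} is outside {subnet}")
        if mac in seen_macs:
            raise ValueError(f"{name}: duplicate MAC {mac}")
        if addr in seen_ips:
            raise ValueError(f"{name}: duplicate IP {ip}")
        seen_macs.add(mac)
        seen_ips.add(addr)
        clean.append((name, mac, str(addr)))
    return clean


def dhcpd_known_subnet(inventory, subnet=KNOWN_SUBNET):
    """Emit the known-hosts subnet: deny unknown-clients plus one host
    stanza per inventoried device."""
    lines = [
        f"subnet {subnet.network_address} netmask {subnet.netmask} {{",
        "    deny unknown-clients;",
    ]
    for name, mac, ip in validate_inventory(inventory, subnet):
        lines.append(
            f"    host {name} {{ hardware ethernet {mac}; fixed-address {ip}; }}"
        )
    lines.append("}")
    return "\n".join(lines)


def firewall_allow_rules(inventory, subnet=KNOWN_SUBNET, chain="FORWARD"):
    """Step 4 of the mail: accept only the fixed addresses, then drop the
    rest of the known subnet so a squatter on an unused address gets nowhere.
    The chain name is an assumption for the example."""
    rules = [
        f"iptables -A {chain} -s {ip} -j ACCEPT"
        for _, _, ip in validate_inventory(inventory, subnet)
    ]
    rules.append(f"iptables -A {chain} -s {subnet} -j DROP")
    return rules


if __name__ == "__main__":
    print(dhcpd_known_subnet(INVENTORY))
    print("\n".join(firewall_allow_rules(INVENTORY)))
```

Both outputs come from the same validated list, so the dhcpd reservations and the firewall allow-list cannot drift apart; a device missing from the inventory gets neither a lease in the known subnet nor a firewall pass.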
_______________________________________________
mlug mailing list
[email protected]
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca