We are dealing with this right now.  We are creating an "area" on each
floor that visitors can use.  The ethernet ports in these areas will be
using a private vlan that provides IP connectivity and Internet access
only.  These areas are ACL'ed off from our enterprise network.  It is not
perfect, but since we have good physical security and all other ports on
the switch are disabled by default, it allows our vendors to use our
network as a transport service only.  I hope this helps a little.

Chris Tillett


                                                                                       
            
<wbjw@mindspring.com>
Sent by: wbjw@mindspring.com
12/05/2002 02:58 PM
Please respond to wbjw

To:      Rick Darsey <[EMAIL PROTECTED]>
cc:      jon kintner <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: Preventing DHCP from allocating IPs

Turning off DHCP does not solve anything.  If you have fixed IP addresses,
and the port is open, it does not take much work for someone with physical
access to figure out your addressing scheme and grab an IP address.

Using managed switches and turning off unused ports will help.  However,
DHCP or fixed IP, if they have physical access and the will, they will get
access to your resources.

On Tue, 3 Dec 2002 14:04:55 -0600 Rick Darsey <[EMAIL PROTECTED]> wrote:

>
> I know this sounds like a really bad way of doing this, but it is the
> only way I can come up with off the top of my head:
>
> Turn off DHCP!! Statically assign all addresses in your LAN. If a visitor
> wants access to your network, they will have to come to you to obtain the
> address, or better yet, create a small DHCP pool that visitors can use,
> but limit the size to prevent users you do not want from accessing the
> network. The initial setup of the static addresses will take time, but
> the small DHCP pool will still allow visitors to plug in when needed.
>
> Rick
>
> -----Original Message-----
> From: jon kintner [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 02, 2002 1:04 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Preventing DHCP from allocating IPs
>
>
> I know MAC addresses can be spoofed pretty easily, but could you set up
> an access list or filter that would disallow all MAC addresses except for
> the ones specified on your network(s)?
> The initial setup would probably be tedious, but it's worked fairly well
> to keep most unauthorized logins off the network at the college I attend.
>
> -jon kintner
>
> ----- Original Message -----
> From: "Sarbjit Singh Gill"
> To:
> Sent: Monday, December 02, 2002 7:22 AM
> Subject: Preventing DHCP from allocating IPs
>
>
> > Greetings all,
> >
> > How do I prevent a client from getting an IP from my DHCP in an
> > Ethernet network? I know I could reserve IPs for all other clients and
> > nobody gets an IP unless reserved earlier, but I have hundreds of
> > clients. I frequently have visitors who need to plug in their laptops
> > into the network and I have visitors who are not allowed to plug in
> > their laptops into the network and get IPs. I do not want these
> > visitors who are not allowed to access the network to get an IP and
> > start accessing internet through my network.
> >
> > What about in a wireless environment? How do I prevent it in a similar
> > capacity?
> >
> > Kind Regards
> > Gill
> >
>
>
>
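
The visitor-area setup in the top reply (visitor ports confined to one VLAN, every other unused port disabled, the visitor VLAN ACL'ed off from the enterprise network) can be checked mechanically. The following is an added example, not part of the original thread: the port inventory, VLAN number, address ranges and ACL are constructed, and the `role` labels are a hypothetical convention.

```python
import ipaddress

def permitted_holes(acl, prefix):
    """Parts of `prefix` that a first-match ACL (implicit deny last) lets through."""
    remaining, holes = [ipaddress.ip_network(prefix)], []
    for action, cidr in acl:
        net, unmatched = ipaddress.ip_network(cidr), []
        for r in remaining:
            if r.subnet_of(net):              # entry matches all of r
                if action == "permit":
                    holes.append(r)
            elif net.subnet_of(r):            # entry matches only part of r
                if action == "permit":
                    holes.append(net)
                unmatched.extend(r.address_exclude(net))
            else:                             # disjoint: entry does not apply
                unmatched.append(r)
        remaining = unmatched
    return holes                              # leftovers fall to the implicit deny

def audit(ports, acl, enterprise, visitor_vlan):
    """List deviations from the visitor-area policy described in the top reply."""
    findings = []
    for p in ports:
        if p["role"] == "unused" and p["enabled"]:
            findings.append(f"{p['name']}: unused port is enabled")
        if p["role"] == "visitor" and p["vlan"] != visitor_vlan:
            findings.append(f"{p['name']}: visitor port not in VLAN {visitor_vlan}")
    for prefix in enterprise:
        for hole in permitted_holes(acl, prefix):
            findings.append(f"visitor ACL permits traffic to {hole}")
    return findings

# Constructed sample data (assumptions, not values from the thread).
VISITOR_VLAN = 900
ENTERPRISE = ["10.0.0.0/8", "172.16.0.0/12"]
VISITOR_ACL = [                               # ordered, matched on destination
    ("permit", "10.1.2.0/24"),                # stale exception above the deny
    ("deny", "10.0.0.0/8"),
    ("deny", "172.16.0.0/12"),
    ("permit", "0.0.0.0/0"),                  # Internet access
]
PORTS = [
    {"name": "Fa0/1", "role": "visitor", "enabled": True, "vlan": 900},
    {"name": "Fa0/2", "role": "visitor", "enabled": True, "vlan": 1},
    {"name": "Fa0/3", "role": "unused", "enabled": True, "vlan": 1},
    {"name": "Fa0/4", "role": "unused", "enabled": False, "vlan": 1},
]

if __name__ == "__main__":
    for finding in audit(PORTS, VISITOR_ACL, ENTERPRISE, VISITOR_VLAN):
        print(finding)
```

Because the ACL is evaluated first-match, a permit placed above the enterprise deny is reported as a hole even though the deny looks complete on its own.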




