On Wed, 27 Oct 2004, Howard Lowndes wrote:

> If you are running a DHCP server on a network and have a block of IP
> addresses which you make available, how can you stop a (reasonably)
> knowledgeable luser from explicitly grabbing an address from that block
> by explicitly configuring their box with that address, thus preventing
> that IP address from being recorded in the leases, and hence you not
> immediately knowing that that box has been attached to the network.

You can't.

If the luser knows the underlying network design, they can assign
themselves any IP address they want within the IP range, and provided it's
not allocated elsewhere it'll work fine.

What you *can* do is to implement a lower level filter - I stop this kind
of behaviour by using MAC access lists in my switches - if the switch sees
a MAC address connected that's not in the specific access list for that
port, the port goes into blocking mode - no matter what IP address is
used, the port doesn't forward traffic.

Unfortunately, this requires an intelligent, manageable switch - I run
Cisco kit exclusively, so can do it easily - but not all switches are
capable of doing this.

You could go down the old security by obfuscation method and not let the
lusers know the IP addressing involved, but that doesn't work for long.

DaZZa

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
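The thread agrees you cannot stop a statically configured box from taking an address in the pool, only filter it at the switch or notice it after the fact. The detective half of that is simple to script: compare the server's ARP/neighbour table against dhcpd's lease file and flag any address inside the pool that is in use without an active lease, or in use by a MAC other than the one the lease was issued to. The following is an added example written for this page, not code from anyone in the thread; the lease file, the `ip neigh` output and the pool bounds 192.168.1.50-192.168.1.99 are constructed sample data, and the parsing assumes the ISC dhcpd.leases layout and Linux `ip neigh show` output.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of an ISC dhcpd.leases file (not real data). dhcpd appends a
# new block every time a lease changes state, so the last block for an IP wins.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 3 2004/10/27 02:00:00;
  ends 3 2004/10/27 14:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.51 {
  starts 3 2004/10/27 02:05:00;
  ends 3 2004/10/27 14:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.51 {
  starts 3 2004/10/27 09:00:00;
  ends 3 2004/10/27 21:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.52 {
  starts 3 2004/10/27 03:00:00;
  ends 3 2004/10/27 15:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
"""

# Constructed sample output of `ip neigh show` as run on the DHCP server.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:00:0c:07:ac:01 REACHABLE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.51 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.52 dev eth0 lladdr 00:ca:fe:00:00:02 REACHABLE
192.168.1.77 dev eth0 lladdr 00:de:ad:be:ef:01 REACHABLE
192.168.1.80 dev eth0  FAILED
"""

# A lease block has no nested braces, so a non-greedy match up to the first '}' is safe.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
HW_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]+);")
STATE_RE = re.compile(r"binding\s+state\s+(\w+);")
# ip neigh lines without an lladdr (INCOMPLETE/FAILED) carry no MAC and are skipped.
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)\s+(\S+)")


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    neigh_state: str   # REACHABLE is stronger evidence than STALE
    reason: str        # "no-lease" or "mac-mismatch"


def parse_leases(text):
    """Return {ip: mac} for leases whose most recent block is active."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac_m = HW_RE.search(body)
        state_m = STATE_RE.search(body)
        # Very old dhcpd versions wrote no 'binding state' line; treat those as active.
        state = state_m.group(1) if state_m else "active"
        if state == "active" and mac_m:
            leases[ip] = mac_m.group(1).lower()
        else:
            leases.pop(ip, None)   # later block says the lease was freed/expired/released
    return leases


def parse_neigh(text):
    """Return {ip: (mac, state)} from `ip neigh show` output."""
    hosts = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            hosts[m.group(1)] = (m.group(2).lower(), m.group(3))
    return hosts


def find_unleased_hosts(leases, neigh, pool_start, pool_end):
    """Flag pool addresses seen on the wire with no active lease, or with the wrong MAC."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    findings = []
    for ip, (mac, state) in sorted(neigh.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if not (lo <= ipaddress.ip_address(ip) <= hi):
            continue   # outside the pool: gateways, servers, etc. are not the DHCP server's problem
        leased_mac = leases.get(ip)
        if leased_mac is None:
            findings.append(Finding(ip, mac, state, "no-lease"))
        elif leased_mac != mac:
            findings.append(Finding(ip, mac, state, "mac-mismatch"))
    return findings


if __name__ == "__main__":
    # On a real server: open("/var/lib/dhcp/dhcpd.leases") and subprocess `ip neigh show`.
    for f in find_unleased_hosts(parse_leases(SAMPLE_LEASES), parse_neigh(SAMPLE_NEIGH),
                                 "192.168.1.50", "192.168.1.99"):
        print(f"{f.ip:<16} {f.mac}  {f.neigh_state:<10} {f.reason}")
```

Two caveats when using this for real. The neighbour table only lists hosts that have exchanged frames with the server recently, so sweep the pool (arping or an nmap ping scan from the server) immediately before reading it, or the static box will simply be absent. And a STALE entry for a freed lease, like .51 above, may just be a host that expired normally and has not talked since; a REACHABLE entry with no lease, like .77, is the case the original question is about. This only detects; the per-port MAC filtering DaZZa describes is what prevents it.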
