You can use the Carnegie-Mellon University version of dhcpd which can
restrict handing out addresses to machines it knows about. That is,
you list the legit MAC addresses and it won't give an address to a MAC
address it isn't aware of. Also, you can hand out one set of
addresses to known machines, another set to unknown machines, and then
use access lists to restrict access to valuable servers.

Cisco Systems has a whole system that recognizes machines by MAC
addresses, assigning them to a particular VLAN or not allowing them on
the network at all.

We use the CMU version in certain locations to restrict access, though
of course, a savvy user can easily circumvent it.

The ISC version of dhcpd can also be configured this way.

I was under the impression you could also do this with the OS X Server
dhcpd? Set up machine entries and configure it to not hand out to
unknown addresses?

We have ISC configured like this:
* hand out fixed addresses for permanent machines via MAC address.
* small dynamic pool that can only be used by 'guests' whose MAC
  addresses we've entered into the DHCPD config.

I've got a web interface I put together which lets computing staff add
machines to either of these pools, along with associated DNS entries.

I've also been considering implementing arpwatch to stop people
unplugging a machine and manually entering the same IP details in for
their own untrusted computer. Haven't had time to do this as yet
though.

nigel
--
Nigel Kersten Systems Administrator
College of Fine Arts, UNSW Sydney, Australia.
CRICOS Provider Code: 00098G
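
An added example, not part of the original thread: a minimal Python sketch of the cross-check that the ISC setup and the arpwatch idea above point towards. It reads `host` declarations in ISC dhcpd.conf syntax and flags observed IP/MAC pairs that contradict them. All host names, MAC addresses, IP addresses and the `parse_hosts`/`audit` helpers are constructed for illustration.

```python
import re

# Constructed sample in ISC dhcpd.conf syntax (hosts, MACs and IPs are made up).
DHCPD_CONF = """
subnet 192.0.2.0 netmask 255.255.255.0 {
  pool { range 192.0.2.200 192.0.2.220; deny unknown-clients; }
}
host studio-mac1 { hardware ethernet 00:03:93:AA:BB:01; fixed-address 192.0.2.10; }
host studio-mac2 { hardware ethernet 00:03:93:aa:bb:02; fixed-address 192.0.2.11; }
host guest-laptop { hardware ethernet 00:0a:95:cc:dd:03; }  # guest: dynamic pool only
"""

ARP_SEEN = [  # constructed IP/MAC sightings, e.g. read from a router's ARP table
    ("192.0.2.10", "00:03:93:aa:bb:01"),   # matches its reservation
    ("192.0.2.11", "00:e0:4c:12:34:56"),   # reserved IP, different machine
    ("192.0.2.205", "00:0a:95:cc:dd:03"),  # registered guest in the pool
    ("192.0.2.206", "00:11:22:33:44:55"),  # unregistered MAC holding a pool address
]

HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{([^}]*)\}")
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9A-Fa-f:]{17})\s*;")
IP_RE = re.compile(r"fixed-address\s+([\d.]+)\s*;")

def parse_hosts(conf):
    """Return (known_macs, reserved) where reserved maps fixed IP -> MAC."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before matching
    known, reserved = set(), {}
    for _name, body in HOST_RE.findall(conf):
        mac, ip = MAC_RE.search(body), IP_RE.search(body)
        if mac:
            known.add(mac.group(1).lower())
            if ip:
                reserved[ip.group(1)] = mac.group(1).lower()
    return known, reserved

def audit(conf, sightings):
    """Flag sightings that contradict the DHCP registrations."""
    known, reserved = parse_hosts(conf)
    alerts = []
    for ip, mac in sightings:
        mac = mac.lower()
        if ip in reserved and reserved[ip] != mac:
            alerts.append((ip, mac, "reserved IP used by another MAC"))
        elif mac not in known:
            alerts.append((ip, mac, "MAC not registered in dhcpd.conf"))
    return alerts

if __name__ == "__main__":
    print(*audit(DHCPD_CONF, ARP_SEEN), sep="\n")
```

The check compares MAC addresses only, so it carries the same limitation the thread already notes for MAC-based restrictions.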