IOS DHCP Server

Jun 27th, 2008

Is it possible to have some sort of DHCP MAC address filter? Let's say someone connects a laptop to the network and the MAC address isn't in an allowed MAC address list, so the DHCP server won't hand out an IP. I've been searching for an easy solution for this and not just in Cisco IOS. Microsoft has a "calloutdll" extension but I could never get it to work. So I'd like to try it with IOS. Like I said, I'd like to block a "rogue" MAC address unless it is in an allowed list. Port security is an option but we have a very large network (up to 800 devices).

Edison Ortiz Fri, 06/27/2008 - 07:08

You have two options:

1) You can configure the DHCP server with "IP Address reservation" and map the MAC Address to an invalid IP within your network (blackhole).

2) You can use "mac-address-table static drop" in your switches:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_se/command/reference/cli1.html#wp2299728

Note.- Even if the DHCP does not assign an IP address, the client (usually seen in Windows) will assign itself an IP in the 169.254.x.x range.

__

Edison.

Please rate helpful posts
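The original question is about keeping an allow-list of MACs and catching anything else that obtains a lease. As an added, defender-side check (not code from either poster), the script below parses constructed `show ip dhcp binding` output from an IOS DHCP server, normalizes the different MAC notations (colon, dash, Cisco dotted, and the 01-prefixed client-identifier form IOS shows for Ethernet clients), and reports leases held by MACs that are not on the list; the allow-list entries and sample bindings are constructed values.

```python
import re

# Allow-list as an operator might keep it, in mixed notations (constructed).
ALLOWED_MACS = {
    "00:11:22:33:44:55",
    "0011.2233.4466",
    "00-11-22-33-44-77",
}

# Constructed sample of `show ip dhcp binding` output. The 7-byte entries
# (01 + MAC) are how IOS shows clients that send a DHCP client-identifier.
SAMPLE_BINDINGS = """\
IP address       Client-ID/              Lease expiration        Type
                 Hardware address/
                 User name
10.10.20.11      0100.1122.3344.55       Jun 28 2008 09:21 AM    Automatic
10.10.20.12      0011.2233.4466          Jun 28 2008 09:30 AM    Automatic
10.10.20.13      0100.1122.3344.77       Jun 28 2008 09:41 AM    Automatic
10.10.20.50      01aa.bbcc.ddee.ff       Jun 28 2008 09:52 AM    Automatic
"""

def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if it is not one."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) == 14 and digits.startswith("01"):  # client-id: type 01 + MAC
        digits = digits[2:]
    return digits if len(digits) == 12 else None

def parse_bindings(text):
    """Yield (ip, mac) pairs from `show ip dhcp binding` output lines."""
    for line in text.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)", line)
        if m:
            mac = normalize_mac(m.group(2))
            if mac:
                yield m.group(1), mac

def unknown_leases(text, allowed):
    """Return [(ip, mac)] for leases whose MAC is not on the allow-list."""
    allowed_norm = {normalize_mac(a) for a in allowed}
    return [(ip, mac) for ip, mac in parse_bindings(text) if mac not in allowed_norm]

if __name__ == "__main__":
    for ip, mac in unknown_leases(SAMPLE_BINDINGS, ALLOWED_MACS):
        print(f"unknown client {mac} holds lease {ip}")
```

Run periodically against the real command output, this gives a low-effort audit of which unlisted hosts got an address, which complements (rather than replaces) the blackhole-reservation and static-drop options above.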

cowetacoit Fri, 06/27/2008 - 09:21

Let me rephrase this.....

Let's say I have a list of "allowed" MAC addresses that I want to allow on the network. I'm worried that someone could bring a laptop from home. I'm asking if there is a way to list known MACs and block unknown MACs.

I have already used mac-address-table static drop in a few cases but I'm looking for less administrative work overall.

Sushil Kumar Katre Fri, 06/27/2008 - 10:09

Hi,

Why don't you try using a MAC ACL with a list of permitted MACs only and block the communication for the rest of the MACs.

Use this on the switch.

This might not be a direct solution at a DHCP level but should help you not to allocate DHCP address to unwanted MACs.

-> Sushil

cowetacoit Fri, 06/27/2008 - 10:16

OK, that may be a solution for some of my smaller sites. On the overall network I'd like to implement some type of DHCP MAC Auth or NAC. I'm looking into Cisco NAC and Meta SAFE DHCP server, but both are very expensive solutions. I'm more or less looking for a temporary solution. MAC ACLs may work, like I said, on some of my smaller edge switches.

cowetacoit Fri, 06/27/2008 - 10:28

If I put the MAC ACL on a layer 2 edge switch with 2 or 3 different VLANs on it, where would I apply the ACL?
