
dhcp help needed


goodweb

Technical User
Feb 5, 2001
I have a dhcp server running (RH 7.0) assigning IP addresses from the top half of a C-Block. The other half of the C-Block is used by another business in another part of the building we are in. They "accidentally" plug in PCs without assigning IP addresses out of their block and end up "stealing" IP addresses utilizing my dhcp reserved IPs.

Is there any way to kill service to those IP addresses once dhcp has assigned them to that box? I don't have access to their boxes or their connection.. All I have done is inadvertently provided a working IP address.

One thought I had was to assign goofy, f**ked-up IPs so that when they renew, it would kill them that way.. Would this work?? Or would they keep the same IP when the lease expired?

Please!! Help me with this.. my IP addresses are valuable!!

GoOdwEb's Internet Cafe
 
Hi,

The only way I know how to do this is to assign using MAC addresses for your 'good guys' and have 'deny unknown-clients' on so that unrecognised clients don't get assigned a lease from the pool. The problem is that, in some ways, you lose some of the advantages of using dhcp in the first place - however the client config is all done centrally so you still don't need to hop from desk to desk configuring static IPs. The following are the relevant bits of an example dhcpd.conf:





[snip]

# Refuse to answer any client whose MAC is not listed in a host block below.
deny unknown-clients;
deny bootp;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.2 192.168.1.124;
}

# Known clients, keyed by MAC address; each gets a fixed address.
# (Fixed addresses are best kept outside the dynamic range; .2 overlaps it here.)
host tux-01 {
    hardware ethernet 00:10:4B:C1:D1:B5;
    fixed-address 192.168.1.1;
}

host tux-02 {
    hardware ethernet 00:10:4B:C1:D1:62;
    fixed-address 192.168.1.2;
}

host tux-03 {
    hardware ethernet 00:10:4B:C3:8E:3B;
    fixed-address 192.168.1.3;
}

host tux-04 {
    hardware ethernet 00:10:4B:C1:D1:D7;
    fixed-address 192.168.1.4;
}

Hope this helps
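As an added example that is not part of this thread: a small Python audit of dhcpd.leases that lists the leases currently held by MACs outside the host list above, which is the "who is sitting on my addresses" check worth running before tightening the config. The lease file excerpt, the 00:50:56:* MACs and the audit time are constructed sample values.

```python
import re
from datetime import datetime, timezone
# Constructed dhcpd.leases excerpt in ISC format; 'starts' lines omitted for brevity.
SAMPLE_LEASES = """\
lease 192.168.1.2 {
  ends 3 2001/02/07 09:00:00;
  hardware ethernet 00:10:4B:C1:D1:62;
  client-hostname "tux-02";
}
lease 192.168.1.57 {
  ends 3 2001/02/07 10:30:00;
  hardware ethernet 00:50:56:12:34:56;
  client-hostname "NEIGHBOUR-PC";
}
lease 192.168.1.58 {
  ends 1 2001/02/05 12:31:00;
  hardware ethernet 00:50:56:ab:cd:ef;
}
"""

# Allow-list: the MACs from the host blocks in the dhcpd.conf above.
KNOWN_MACS = {"00:10:4b:c1:d1:b5", "00:10:4b:c1:d1:62",
              "00:10:4b:c3:8e:3b", "00:10:4b:c1:d1:d7"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(ends|hardware ethernet|client-hostname)\s+(.+?);", re.M)

def parse_ends(field):
    """ISC writes 'ends <weekday> YYYY/MM/DD HH:MM:SS' in UTC, or 'ends never'; None if absent."""
    if field == "never":
        return datetime.max.replace(tzinfo=timezone.utc)
    return datetime.strptime(field.split(" ", 1)[1], "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc) if field else None

def parse_leases(text):
    """Parse dhcpd.leases text into dicts with ip, mac (lower-cased), hostname and ends."""
    leases = []
    for m in LEASE_RE.finditer(text):
        f = dict(FIELD_RE.findall(m.group(2)))
        leases.append({"ip": m.group(1), "mac": f.get("hardware ethernet", "").lower(),
                       "hostname": f.get("client-hostname", "").strip('"'),
                       "ends": parse_ends(f.get("ends", ""))})
    return leases

def unknown_active_leases(text, known_macs, now):
    """Leases still valid at `now` whose MAC is not on the allow-list (the 'rogue' boxes)."""
    return [l for l in parse_leases(text)
            if l["ends"] is not None and l["ends"] > now and l["mac"] not in known_macs]

EXAMPLE_NOW = datetime(2001, 2, 6, 0, 0, tzinfo=timezone.utc)  # audit instant for the sample
```

Run against the real /var/lib/dhcp/dhcpd.leases with `datetime.now(timezone.utc)` as the audit time; expired leases are skipped, so only clients that still hold an address are reported.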


 
Why don't you split the subnet?
It doesn't make sense to me that they can steal the IP addresses. In essence you have a "first come first served" network addressing scheme with a shared block and too many machines.
What is actually happening is that the whole arrangement is badly misconfigured from the get go.

You need to arrange for your end to use the subnetted range starting at your end of the block of 128 addresses.
Either:
range 192.168.1.0-192.168.1.128 netmask 255.255.255.0/25
or the end range x.x.x.129-255, same netmask.
That way they can go ahead and try to grab whatever they want but you are still in firm possession of your half.

This is the ONLY way to get peace of mind on this front, without vlans, or an ethers file like IF was explaining.
 
Hi,

The problem is that the rogue clients can't be discriminated against by IP address because they don't have one yet - it's a catch-22. All they do is broadcast a DHCPDISCOVER or DHCPREQUEST message and the idea is to prevent this particular server making a DHCPOFFER to anyone that asks. That's why you would need to identify them via something non-IP, i.e. the MAC address. You basically have to make the DHCP server less 'promiscuous'.

A vlan would certainly solve things if you have a suitable switch or you could isolate them via a router, etc. if you don't want to use the mac address option.

Regards

 
All things would be settled if I could get access to the router... but the ISP techs are lame and want me to deal with the issue with the other company... who in fact.. are lamer than the ISP!!

So.. there is no way to discombobulate the IP lease renewal by making my dhcpd.conf all goofy.. I could manually assign IPs to my machines in the meantime... Is there a way to assign a workgroup, so that those machines show up on my Network and I could simply show the boobs next door... "LOOK!! you be inna my space!!"

I have considered using IPs from the 192.168.X.X but the problem is that we use a lot of services that require reverse lookup.. so..

Other ideas??

GoOdwEb's Internet Cafe
 
If the other guys are broadcasting for addresses in the wrong broadcast domain, on the wrong network, then you are safe.
Used a CIDR based solution like this at a client site.
Original Class C: split the subnet;
one dhcp server for x.x.x.1-127; the other x.x.x.129-254; broadcast addresses 128 and 255. Netmask is 25 bits.
Wrong broadcast domain and they are peeing into the wind.

As it is you could use a managed switch for your portion of the IP address range. This will solve some of your problems. Something like an HP OV compatible or cisco catalyst with RMON and logging could prove your point to the ISP guys. A graphical SNMP system could provide graphical reinforcement for your arguments. But you would still have to map out the ether pairings for access lists if you don't trust the other guys.
I think you will run into trouble with an unsophisticated dhcp server if you start to statically assign IP addresses. The dhcp server will probably not do an arp check for an address in its range, assuming it is the highest authority, so addresses get assigned more than once, etc...
 
The leases are only for 48 hours.

(1) If I were to delete the dhcpd.leases and kill the dhcp server, when the rogue boxes attempted to renew, would it kill their connection or would they remain connected using the already acquired IPs?

(2) If I were to designate the mac and host of the rogue machines to some bizarre IP address in the dhcpd.conf, would those rogue machines disconnect from my IPs?

(3) If I were to limit the range of the IPs in the dhcpd.conf to only one IP, would it screw up all the rogues when they tried to renew? Or would they retain the original acquired IP they got from the lease file at boot?

GoOdwEb's Internet Cafe
 