How big a network for DHCP

Status
Not open for further replies.

iolair

IS-IT--Management
Oct 28, 2002
965
US
How many nodes should be on a network before you stop using static addressing and start using DHCP? I have a small (55 node) network that is statically addressed. I had a DHCP server at one point, but visitors were able to use our network (wirelessly) because they were getting an address, so I went back to static to stop that problem. Setting up wireless to stop visitors is just as intensive or more so than static addressing.

So far, 55 nodes is not unmanageable, but we could grow, and I would want it back, but I would have to figure out a way to stop "guests" from using bandwidth. Any suggestions other than AD or using the wireless WPA or Radius?

Iolair MacWalter
Network Engineer
 
Personally I'd use DHCP for even very small networks; I'm talking even 3 or 4 PCs.

Check this out for an easy way to restrict what machines can get an IP address from your DHCP server



Paul
VCP4

RFC 2795 - The Infinite Monkey Protocol Suite (IMPS)

Difficult takes a day, impossible takes a week
 
Thanks!

Iolair MacWalter
Network Engineer
 
I concur with pagy. My network is micro - on 4 stations in the office at a given time and I do use DHCP. Since all but 1 station is a laptop, I have found it easier to do that than to try and get Alternate configuration working. We also have wireless access points in the buildings, configured to use the DHCP server for addresses.

As for someone seeing your network wirelessly... sounds like you have a security issue with the way you are configuring the access points - and that would be a HUGE security problem. Research TJ Maxx and how they got themselves hacked to crap because of insecure wireless access points. My advice on securing the WAPs is to use WPA or WPA2 with TKIP/AES encryption.

Hope this helps.

"If it's stupid but works, it isn't stupid."
-Murphy's Military Laws
 
I agree with pagy and acent - even if you need "static" IPs (other than your gateway or firewall), you're usually better off doing DHCP reservations rather than statically defining addresses. I have a client who statically defined EVERYTHING (workstations and all), and when he outgrew his subnet, it took quite a bit of engineering to get it resolved and done right; fortunately, we got paid by the hour on that job.

Here are a few extra tips on wireless:

* Acent is right - ALWAYS configure security on your network - WPA2 is ideal, but I have seen some workstations not playing as well with WPA2 as opposed to WPA. If it's your network, you can ensure clients are updated; if it's a public hotspot, consider WPA - but never open/unsecured.
* If you need a public hotspot (in a public waiting room, for example), I would still recommend using WPA, or leave it unsecured (ONLY if necessary), but keep it as a 100% isolated network - no access to your business infrastructure whatsoever. Give the network its own router and Internet connection (DSL lines are cheap, and even basic routers like Linksys/D-Link will be just fine). As an added security measure, sign up for a DNS filtering service (OpenDNS is free, and very powerful), so you can block inappropriate content.

Also be aware of where your signal is going, and how far away from your business the signal is going - no need for your next-door neighbors to have access to the Internet service you are paying for. In addition, "war drivers" (translated: geeks with signal amplifiers on their cars) have been known to find unsecured WAPs and either post your location to the world, or even hack your network. These geeks do this for fun - they usually won't do anything severe to your network (maybe change your desktop image), but I wouldn't want to take the chance.

Just my two cents - hope that helps...

Mike Molenda
TAC Analyst

RSA Corp - Houston, TX
Technical Assistance Center
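
Added example, not written by any poster in this thread: one way to check a reservation-based setup for the "visitors getting an address" problem is to audit the DHCP server's lease data against the MAC inventory behind the reservations. It assumes an ISC dhcpd-style lease file; the inventory, addresses and lease entries are constructed sample data.

```python
import re

# Constructed inventory (hypothetical): MAC -> reserved IP.
RESERVATIONS = {"00:1a:2b:3c:4d:5e": "192.168.1.107",
                "00:1a:2b:3c:4d:5f": "192.168.1.112"}

# Constructed sample in the ISC dhcpd.leases layout (assumed server).
SAMPLE_LEASES = """
lease 192.168.1.107 {
  binding state active;
  hardware ethernet 00:1A:2B:3C:4D:5E;
  client-hostname "lab-pc-07";
}
lease 192.168.1.201 {
  binding state active;
  next binding state free;
  hardware ethernet 00:22:33:44:55:66;
  client-hostname "visitor-phone";
}
lease 192.168.1.150 {
  binding state free;
  hardware ethernet 00:aa:bb:cc:dd:ee;
}
lease 192.168.1.180 {
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:5f;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELDS = (r"hardware ethernet\s+([0-9A-Fa-f:]+);",
          r"^\s*binding state\s+(\w+);",   # anchored: skips "next binding state"
          r'client-hostname\s+"([^"]*)";')

def parse_leases(text):
    """Yield (ip, mac, state, hostname) per lease block; missing fields are None."""
    for ip, body in LEASE_RE.findall(text):
        mac, state, host = (m.group(1) if m else None for m in
                            (re.search(p, body, re.M) for p in FIELDS))
        yield ip, (mac.lower() if mac else None), state, host

def audit(text, reservations):
    """Flag active leases whose MAC is unknown or is off its reserved IP."""
    findings = []
    for ip, mac, state, host in parse_leases(text):
        if state == "active" and mac and reservations.get(mac) != ip:
            kind = "outside-reservation" if mac in reservations else "unknown-client"
            findings.append((kind, ip, mac, host))
    return findings
```

A MAC address is supplied by the client, so a clean result shows the inventory and the leases agree, not that every connected device is authorized.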
 
Thanks for all the great replies. I have WPA2 configured, but in a school environment, even with changing the passwords weekly, I still get rogue users. Maybe I need to change passwords daily, dunno.

The student network is isolated from the main network, but it is physically connected as we use the same router to access the AT&T network. Students being students, they love to try and hack the system, even when in class...

The wireless bridge system that connects buildings is secure, and as far as I know, no one has hacked that...yet. I know it's just a matter of time, we're using Aironet 1310 for that, with WPA2 again.

Iolair MacWalter
Network Engineer
 
Students have nothing but time to try and circumvent your network. What you should look into is something like Cisco's Clean Access, which can evaluate machines when they connect (such as domain membership, AV protection, SP level, etc), and put them on the correct network.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
I've heard of CCA, guess I need to look into it more. Thanks for the tip!

Iolair MacWalter
Network Engineer
 