How to correctly implement the prohibition of issuing addresses in DHCP?

V

Vasya Pupkin2019-05-21 12:56:31

System administration

Vasya Pupkin, 2019-05-21 12:56:31

There is a domain on windows 2016. There is DHCP which is raised where AD DS is. In DHCP, there are a couple of areas in which you need to prohibit the connection of left devices. Those. sockets are placed in the cabinets, where PCs are connected, there are many free ones. We need to exclude the option that someone brought their laptop / modem / PC, etc., and stuck into our network, having received an address from DHCP.
Now it is implemented simply: I just added absolutely all *.1-254 addresses to the exceptions for issuance and that's it. When I need it, I just add the required MAC to the reservation and the car gets the address. In my opinion, this is a crutch, rather than a special functionality that is designed for this.
How else can the ban be enforced? If we exclude the option with a switch and disable the necessary ports.
Is there any feature in domain roles?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

D

Dmitry Shitskov, 2019-05-21
@Desert-Eagle

In fact, the best option is to issue static addresses via RADIUS and authorize computers, for example, using certificates + MAC via 802.1x in the same RADIUS.

S

Sasha Odarchuk, 2019-05-21
@Fanta

The ban on DHTsP - protection from fools. True hacker will prescribe IP with his hands)
You need to "extinguish" ports that are not used on switches or use port security;)

B

blackbeard, 2019-05-21
@Black_beard_ast

802.1x, but it's expensive)