Help me design a college DHCP network!

zappo303

Junior Member
Feb 1, 2002
Hi there,

Thanx for reading this. Here is the scenario:
I work for a college, with about 300 users, 70 staff, the rest students. There is also an on-campus hostel with thin clients provided to students. I have two domains on Win2kServer, one for staff, the other for students. All the systems are properly locked down, and are currently on static IP. We are planning to put up a DHCP server for the whole college. The only problem is I do not wanna give access to students who bring in their own personal computer or, if I do, only to the internet and not the internal network. With DHCP they could easily get an IP off the server and could try to get into the network. What could I do to either block them or stop them from browsing the network? All I wanna give them at the max is internet access.

Also, is it possible to have two separate DHCP servers which could dole out separate IP addresses to the students and staff separately? I have them on the 192.168.6.x and 192.168.7.x subnets at present, and I would like to keep it that way. I am wondering, won't the DHCP servers give out IPs to any computer which requests an IP, whether they are staff or student, as both the domains are on the same physical network?

Your help would be very much appreciated.

Zappo

Tallgeese

Diamond Member
Feb 26, 2001
One DHCP server could easily handle the load you describe.
Here's the way I would accomplish what you want to do:

* Keep the staff machines and student machines on distinct subnets.
* Allow only the staff subnet access to the internal network.
* Allow both subnets access to the Internet.
* Create separate DHCP scopes for each subnet.
* Configure any intermediate routers to pass DHCP requests/responses.

dexter333

Senior member
Oct 9, 2000
How would you differentiate between staff and student computers? No matter how a staff computer is configured, a student can configure their computer the same way. You could only allow access with MAC address checking, but some cards can clone MAC addresses.

Saltin

Platinum Member
Jul 21, 2001
<< No matter how a staff computer is configured, a student can configure their computer the same way. >>

At this point, it comes down to physical security. Only staff should have access to the LAN points (drops) that can pull a lease from the staff DHCP scope.
Also, even if a student manages to pull a lease from the staff scope/subnet, that does not give them any privileges to the staff domain. That's an authentication issue, and a strong password policy should cover any issues.
A 2k client uses Kerberos to authenticate in a domain. Even if someone were to sniff the authentication packets, as far as I know, it's close to un-crackable/not worth the effort.


Hoober

Diamond Member
Feb 9, 2001
We ran into the same problem a number of years ago where I work. We were on an NT DC then and have since moved to AD and one domain. Anyway, I digress. Registering MAC addresses has worked splendidly for us and we haven't run into any problems. I haven't heard of a single issue with students attempting to clone a MAC address in order to access certain parts of the network. The security isn't set up that way anyway. They simply have to register their MAC address in order to pull a routable IP from the DHCP server... a static one. Network security is handled through domain authentication and the generation of scripts on the lab computers. We have not had a problem with security, and I hope we never do.

SaigonK

Diamond Member
Aug 13, 2001
MAC-based registration is a great way to secure your network...frankly you might see some rogue user who knows how to clone an address, but it would probably be a rarity as most would get discouraged once they couldn't get an IP.
For those who do spoof a MAC address you will have to be more diligent in the physical realm....meaning watch who comes and goes....
Realistically they would need to be able to get onto a local PC...get a MAC address, then spoof it...since one PC will only be allowed to use one MAC, you would most likely get complaints from other users who cannot get on with a certain PC.
Thus you would have to track down the offender.....
We are currently using MAC address registration and it works rather well....

You could foresee how many users you have and then set up your IP pool according to that amount...
For example, if you have 370 users...then set up just that many addresses....set the lease time to be permanent; that way once they get an IP they will always (most likely) go and get the same one each time they start up...this will make it easier.
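The per-subnet scopes Tallgeese lists and the MAC registration Hoober and SaigonK describe come down to one allocation policy on the DHCP server: pick the scope from the relay address the request came through, hand registered MACs their permanent reserved address, and refuse (but log) anyone unregistered on the internal subnets. The following is an added example written for this thread, not code from any poster or from the Windows DHCP service; the relay addresses, MACs, reserved IPs and the internet-only "guest" 192.168.8.x scope are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Constructed sample data (assumptions, not from the thread): each scope is
# keyed by the relay address (giaddr) the request arrived through, which is
# how one server tells the staff wire from the student wire.
SCOPES = {
    "192.168.6.1": dict(name="staff", net=IPv4Network("192.168.6.0/24"), allow_unknown=False),
    "192.168.7.1": dict(name="student", net=IPv4Network("192.168.7.0/24"), allow_unknown=False),
    # Hypothetical internet-only subnet for unregistered personal machines; the
    # router ACL, not DHCP, is what keeps this subnet off the internal network.
    "192.168.8.1": dict(name="guest", net=IPv4Network("192.168.8.0/24"), allow_unknown=True),
}
# Registered MACs -> (scope they may lease from, permanent reserved address).
REGISTRATIONS = {
    "00:11:22:33:44:55": ("staff", IPv4Address("192.168.6.10")),
    "00:11:22:33:44:66": ("student", IPv4Address("192.168.7.20")),
}

@dataclass
class DhcpPolicy:
    events: list = field(default_factory=list)  # audit trail for the admin
    guest_next: dict = field(default_factory=lambda: {"192.168.8.1": 100})

    def offer(self, mac, giaddr):
        """Return the address to OFFER, or None when the request is ignored."""
        scope = SCOPES.get(giaddr)
        mac = mac.lower()
        if scope is None:
            self.events.append(f"DENY mac={mac} via unknown relay {giaddr}")
            return None
        reg = REGISTRATIONS.get(mac)
        if reg is None:
            if not scope["allow_unknown"]:
                # Unregistered machine on an internal subnet: no lease, but log it.
                self.events.append(f"DENY unregistered mac={mac} on {scope['name']}")
                return None
            host = self.guest_next[giaddr]          # simple sequential guest pool
            self.guest_next[giaddr] = host + 1
            ip = scope["net"][host]
            self.events.append(f"OFFER {ip} to unregistered mac={mac} (guest)")
            return ip
        allowed, fixed_ip = reg
        if allowed != scope["name"]:
            # A registered MAC on the wrong subnet means a moved or cloned card.
            self.events.append(f"ALERT mac={mac} registered for {allowed} seen on {scope['name']}")
            return None
        self.events.append(f"OFFER {fixed_ip} to mac={mac} ({allowed})")
        return fixed_ip
```

A machine with a statically configured address never asks the DHCP server, so this policy only decides who gets a lease; keeping unregistered machines off the internal subnets still rests on the switch ports and router ACLs, as dexter333 and Saltin point out.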