I have a working NT 4.0 server running DHCP. How can I block a MAC address? We have some users who bring in their personal laptops, and they can connect to our network illegally. Can the DHCP lock the MAC by itself?
The bigger issue here is how manageable a solution you will have. In order to block MAC addresses, you must first know all the permissible MAC addresses in the enterprise. Then, if possible in the DHCP implementation, you must disable all other MAC addresses from getting an IP address. This can be a manageable process if there are relatively few systems in the environment. But think of the overhead and process that must be in place to make this continue. Every time a new system is purchased, the DHCP must be changed to allow its MAC address.

What about vendors and consultants who may be allowed access while on site? How do you administer these? Do they need a separate subnet and DHCP range with other restrictions? These are the issues that have to be addressed. Does the solution scale well? Does a different DHCP solution better solve the problem?

Also, what is the underlying security policy driving the need to block by MAC address? Are employees specifically banned from bringing in personal laptops? If there isn't a clear security policy banning this, your efforts may lack the support needed to make blocking happen.
This was first published in September 2003
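The bookkeeping the answer describes (an inventory of permitted MAC addresses, separate handling for vendors and consultants, and everything else treated as unknown) can be sketched as a lease audit. This is an added example, not part of the original answer; the lease listing, inventory entries, visitor expiry dates and function names are all constructed assumptions and do not reflect any DHCP server's real export format.

```python
import re

# Constructed inventory: MACs of company-owned systems, in the mixed
# notations they tend to arrive in from purchase records and asset tags.
ALLOWED = ["00-A0-C9-11-22-33", "00:10:4b:aa:bb:cc", "0060.9712.3456"]
# Constructed, time-limited entries for vendors and consultants on site.
VISITORS = {"00:50:04:DE:AD:01": "2003-09-30"}

# Constructed lease listing (ip, mac, hostname); not a real export format.
LEASES = """\
10.1.1.20,00a0c9112233,ACCT-PC1
10.1.1.21,00-10-4B-AA-BB-CC,HR-PC4
10.1.1.57,00:02:2D:0F:0F:0F,HOME-LAPTOP
10.1.1.60,00-50-04-de-ad-01,VENDOR-NB
10.1.1.61,not-a-mac,???
"""

def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def audit(leases, allowed, visitors, today):
    """Classify each lease as allowed, visitor, visitor-expired, unknown or malformed."""
    allowed_set = {normalize_mac(m) for m in allowed}
    visitor_map = {normalize_mac(m): exp for m, exp in visitors.items()}
    findings = []
    for line in leases.strip().splitlines():
        ip, mac, host = [f.strip() for f in line.split(",", 2)]
        key = normalize_mac(mac)
        if key is None:
            status = "malformed"
        elif key in allowed_set:
            status = "allowed"
        elif key in visitor_map:
            # ISO dates (YYYY-MM-DD) compare correctly as plain strings.
            status = "visitor" if today <= visitor_map[key] else "visitor-expired"
        else:
            status = "unknown"
        findings.append((ip, host, status))
    return findings

if __name__ == "__main__":
    for ip, host, status in audit(LEASES, ALLOWED, VISITORS, "2003-09-15"):
        print(f"{ip:12} {host:12} {status}")
```

Every "unknown" or "visitor-expired" row is a decision someone has to make and record, which is the ongoing administrative overhead the answer asks you to weigh.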