
Restricting Non Domain Computers From Obtaining Ip Addresses: Help - Computers - Nairaland


Restricting Non Domain Computers From Obtaining Ip Addresses: Help by lordimpaq(m): 5:53pm On Jun 05, 2007
Hello all,

I need help with something. I want to restrict non-domain computers from obtaining IP addresses on my network. I use Cisco 2950 switches with a 2800 series ISR router.

I really need this; can someone help?
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 6:07am On Jun 06, 2007
For a computer to successfully join a domain, it means it has a valid IP address. A system without a valid IP or no IP configuration cannot be joined into a domain. Thus, DHCP servers issue IP configuration to any system that sends an "IP configuration request" on the network segment where the server is located. Thus, you can't restrict which system receives an IP or not.

The only "un-realistic" approach is to create reservations for all the systems you want to have on your network and then take out unused IP. This would prevent unwanted systems picking up IPs, but this would require a physical visit to all the systems you want on your network to retrieve their MAC addresses! (Imagine how crazy this would be when you have 100+ systems.)
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by wormedup(m): 12:13pm On Jun 06, 2007
If you use static IP addressing then you could disable DHCP, I think.
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by lordimpaq(m): 7:10pm On Jun 06, 2007
Maleeq:

For a computer to successfully join a domain, it means it has a valid IP address. A system without a valid IP or no IP configuration cannot be joined into a domain.
First of all, what is a valid IP address? An address request would be made if the network card of the system is configured to automatically obtain valid IP addresses.

Maleeq:

Thus, you can't restrict which system receives an IP or not.
I believe there is a way.

Maleeq:

The only "un-realistic" approach is to create reservations for all the systems you want to have on your network and then take out unused IP. This would prevent unwanted systems picking up IPs, but this would require a physical visit to all the systems you want on your network to retrieve their MAC addresses! (Imagine how crazy this would be when you have 100+ systems.)

Something close to that was considered but we have 200+ systems.

What we wanted to do was to get the MAC addresses of all the systems and put them into the MAC address table for all the switches we have on the domain so the switches allow DHCP requests against the MAC address table in the switch. This has to be done on like 5 switches as we do not use VTP.

Please note we run MS Active Directory and the domain controller is the DHCP server, so it has to be an Active Directory thing; hardware is out of it already.
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by lordimpaq(m): 7:11pm On Jun 06, 2007
wormedup:

If you use static IP addressing then you could disable DHCP, I think.

That is totally out of line.

Static addresses for 200-plus systems? Then what the hell do we have a DHCP server for?
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 2:10am On Jun 07, 2007
lordimpaq:

First of all, what is a valid IP address? An address request would be made if the network card of the system is configured to automatically obtain valid IP addresses.
What I meant by "valid IP address" is that the IP address on the system matches your network's scheme, and thus they can communicate. Check this, 192.168.1.0/24 could be considered invalid on a 192.168.2.0/24 network scheme.


lordimpaq:

I believe there is a way.
Please, let us know when you find a way around this, if you find a way!

lordimpaq:

Something close to that was considered but we have 200+ systems.

What we wanted to do was to get the MAC addresses of all the systems and put them into the MAC address table for all the switches we have on the domain so the switches allow DHCP requests against the MAC address table in the switch. This has to be done on like 5 switches as we do not use VTP.

Please note we run MS Active Directory and the domain controller is the DHCP server, so it has to be an Active Directory thing; hardware is out of it already.
It is technically the same thing if you create reservations on the DHCP server or you use the MAC address table on the switches approach. Bottom line is that YOU WILL NEED TO GET THE PHYSICAL (MAC) ADDRESSES OF ALL THE SYSTEMS.
Though not efficient, if you feel comfortable with this approach, carry on. It would be easier to maintain than the switches' MAC address table approach.

It's only logical; follow these questions/answers (you provide answers too) to see why it's not feasible (with current technology at least):
Q-Why does a system request an IP config?
A-It does not have configuration already set and it's set to AUTO config.

Q-To join a domain, the system MUST be able to contact the Domain Controller(DC). How does it do this?
A-It must have a valid IP to get to the DC.

Q-How does it pick up a valid IP?
A-Either manually configured or assigned by the DHCP server.
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by kayodus(m): 3:19am On Jun 07, 2007
Set up an ARP server. That helps to obtain the hardware address of the system requesting IP. Also try naming the systems in your network; it helps a great deal in handling unwarranted connection to your domain.
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by lordimpaq(m): 3:15pm On Jun 07, 2007
kayodus:

Set up an ARP server. That helps to obtain the hardware address of the system requesting IP. Also try naming the systems in your network; it helps a great deal in handling unwarranted connection to your domain.

I'm assuming the ARP server would have to be a member of the domain.

And sorry, but I'm asking: I never knew there was an ARP server. Now that I know, I'll check up on it.

My understanding of ARP is that it is being handled by the router, on which you can check address resolutions.

Anyway, thanks. Is there any software I can use?
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by lordimpaq(m): 5:16pm On Jun 07, 2007
Guys, can anyone help me with how I can get an ARP server up and running?
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by KpopHam(m): 2:22am On Jun 08, 2007
Maleeq:

The only "un-realistic" approach is to create reservations for all the systems you want to have on your network and then take out unused IP. This would prevent unwanted systems picking up IPs, but this would require a physical visit to all the systems you want on your network to retrieve their MAC addresses! (Imagine how crazy this would be when you have 100+ systems.)

Have you considered scripting?
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 6:23am On Jun 08, 2007
Kpop-Ham:

Have you considered scripting?
Wow, I never knew scripts could make "PHYSICAL" visits to systems to be joined into a domain! Scripting would only work when the systems are connected and assigned IPs, but then it would be unnecessary because you can simply query the ARP table to get the IP-to-MAC resolutions.
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 6:44am On Jun 08, 2007
An ARP server is used to intercept and reply to hosts on a physical network segment's requests for other hosts' MAC addresses, mostly on ATM (Asynchronous Transfer Mode) networks. It would still be irrelevant to your cause here because the ARP server must already have the IP-to-MAC resolutions in its unit tables, plus your network is TCP/IP not ATM and we don't have any IP yet.

ARP servers are used to implement IP over ATM. Check this link out for a full description of the ARP server:
ARP Server Patents Description
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by KpopHam(m): 1:44am On Jun 09, 2007
Maleeq, welcome to scripting technologies; you could write a script that retrieves all your computer names from Active Directory and then methodically connects to each of those computers, checking to see if that MAC address can be found - two kobo.

Better still, here's a network tool: 'CC Get MAC Address', which you can download from http://www.youngzsoft.net

Good luck.
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 7:17am On Jun 09, 2007
Kpop-Ham:

Maleeq, welcome to scripting technologies; you could write a script that retrieves all your computer names from Active Directory and then methodically connects to each of those computers, checking to see if that MAC address can be found - two kobo.
I have been a Systems Administrator for about 2 years now. I know the power of scripting. Obviously, you know it too, but you seem not to understand what the poster needs here.
Tell me, o scripting lord:
- How would you query the AD to retrieve information about a system not yet on that domain?
- How would you "methodically connect" to a system without a valid IP assigned to it yet?
- How would you retrieve a MAC address without being able to reach the system via an IP address?

Try this:
If you have a network, take one system out, clear its IP config. Purge the ARP cache. Then use your CC Get Mac or write any script to retrieve the MAC address or System Name. Let me know when you succeed.


Kpop-Ham:

Better still, here's a network tool: 'CC Get MAC Address', which you can download from http://www.youngzsoft.net

Good luck.

Excerpt from the link you gave:

"CC Get MAC Address is a handy tool for finding MAC address and computer name from IP address."

For your "CC Get MAC Address" software tool to work, the systems MUST already have an IP Address! The poster here does not want to assign IPs to unauthorized systems. How then would your tool/script work?
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by KpopHam(m): 8:23am On Jun 09, 2007
Maleeq, this is beginning to sound like 'phone tag'. Okay; you had mentioned previously

"The only 'un-realistic' approach is to create reservations for all the systems you want to have on your network and then take out unused IPs. This would prevent unwanted systems picking up IPs, but this would require a physical visit to all the systems you want on your network to retrieve their MAC addresses! (Imagine how crazy this would be when you have 100+ systems)"

. . and so, I'm inclined to think that this dude has pretty much solved this puzzle except for his problem of having to go round 100 network cards (that are already on the network with valid IP addresses) to get their MAC addresses, so that he can implement his well thought out solution of creating reservations and taking out unused IPs.

See? I know what the poster is looking for, and you have already started solving it. I'm only enabling you to help the poster, DIG?

Speaking of which: if the technology weren't available to find those MAC addresses and it meant physically visiting those 100+ systems to get the darn MAC addresses - then so be it.
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 9:24am On Jun 09, 2007
@Kpop-Ham
Okay, maybe I didn't state completely what I meant in that quote.

@poster
Yes, scripting would work if all the systems currently on your network are those you want (those on your domain). You could retrieve their MAC addresses via scripts and then create reservations via scripts. Remove unused IPs afterwards.
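
The workflow agreed on above (domain computer names from Active Directory, joined to the IP-to-MAC data of machines already on the network, then turned into DHCP reservations), as an added example that is not part of the thread. The lease export, computer names and scope `192.168.1.0` are constructed sample data; the output is a list of `netsh dhcp server scope ... add reservedip` lines to review before running them on the DHCP server.

```python
import csv, io, re

# Constructed sample data (not from the thread): a DHCP lease export and
# the computer names returned by an Active Directory query.
LEASES_CSV = """ip,mac,hostname
192.168.1.10,00-11-22-33-44-AA,PC-ACCOUNTS01.corp.example
192.168.1.11,00:11:22:33:44:bb,pc-sales02
192.168.1.12,0011.2233.44cc,VISITOR-LAPTOP
192.168.1.13,not-a-mac,PC-HR03.corp.example
"""
AD_COMPUTERS = ["PC-ACCOUNTS01", "PC-SALES02", "PC-HR03"]
SCOPE = "192.168.1.0"  # assumed scope ID


def normalize_mac(raw):
    """Return 12 upper-case hex digits, or None if raw is not a MAC."""
    digits = re.sub(r"[-:.]", "", raw).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


def short_name(hostname):
    """Reduce an FQDN to the upper-case host label AD stores."""
    return hostname.split(".", 1)[0].upper()


def plan_reservations(leases_csv, ad_computers, scope):
    """Split leases into netsh reservation commands and rejects."""
    members = {name.upper() for name in ad_computers}
    commands, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(leases_csv)):
        mac, host = normalize_mac(row["mac"]), short_name(row["hostname"])
        if mac is None:
            rejected.append((row["ip"], "unparseable MAC"))
        elif host not in members:
            rejected.append((row["ip"], "not a domain computer"))
        elif mac in seen:
            rejected.append((row["ip"], "duplicate MAC"))
        else:
            seen.add(mac)
            commands.append(f"netsh dhcp server scope {scope} add reservedip "
                            f'{row["ip"]} {mac} {host} "domain member" BOTH')
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = plan_reservations(LEASES_CSV, AD_COMPUTERS, SCOPE)
    print("\n".join(cmds))
    for ip, reason in bad:
        print(f"# skipped {ip}: {reason}")
```

Reservations only decide which clients the DHCP server answers; a machine with a copied MAC address or a manually configured IP is unaffected by them.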
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by KpopHam(m): 5:43pm On Jun 09, 2007
All correct.
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by lordimpaq(m): 6:31pm On Jun 11, 2007
If there is a script to do this, can someone please send it to me?
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by Maleeq(m): 8:37am On Jun 12, 2007
Let me write one out for ya.
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by 2old4that(m): 7:55pm On Oct 13, 2007
How can I recover my Cisco 3845 router, having enabled NO PASSWORD RECOVERY MODE. . . ?

NOTE: The problem is the router is not accepting break keys during the booting process.
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by saviola77(m): 4:42pm On Mar 05, 2010
Ever heard of DHCP snooping?
Re: Restricting Non Domain Computers From Obtaining Ip Addresses: Help by mistern: 8:44pm On Feb 09, 2011
Hello,

What you are looking for is called 802.1x.

http://en.wikipedia.org/wiki/IEEE_802.1X

It can be done via a managed switch (such as Cisco Catalyst), a RADIUS server (such as Cisco ACS or MS IAS) and a user authentication database (such as MS Active Directory).

Hope this helps.
