3

I am currently using a SonicWall Pro 2040 with DHCP enabled, but only with static IPs mapped to specific MAC addresses. There is no dynamic IP scope being used. Currently, no DHCP request will resolve an IP, as desired.

However, if a server or workstation network interface is still configured with a user-defined, static IP address, it works fine. I would like it to not work for potential users who assign static IPs to their machines.

Is there a way to deny these types of connections whose MAC address is not approved?

splattne
  • 28,508
  • 20
  • 98
  • 148
BeepBoop
  • 283
  • 2
  • 10

2 Answers

4

There is no way to configure a DHCP server to deny static IP addresses. If you think about it, there is a direct path between hosts on the network that simply does not go through the SonicWall:

            SonicWall
            LAN Port
                ^
                |
                v
HostA <----> Switch <----> HostB

So if you want to filter on MAC address to stop HostA from advertising an IP address on the network, you need to do so at the switch. As an example, if your switch is a Cisco, the command to use is switchport port-security.

Tom Shaw
  • 3,752
  • 16
  • 23
  • Thanks for the answer, Tom. I figured I was just missing something in my understanding here. I'm looking to get new hardware soon, but I'll see if my current switch supports this. – BeepBoop May 27 '11 at 17:18
2

Short answer (on the switch):

  1. Disable all ports that aren't connected to a device receiving a reserved IP
  2. Set up port-security using sticky MACs

The following commands will set an interface to allow only the currently connected device to use that switchport:

switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky

source: Cisco port security config documentation

Long answer:

This is a 2-part problem. Part one is assigning addresses; part two is disallowing access to computers not assigned a "reserved address" in DHCP from the SonicWall. I think you've got part one solved on your SonicWall. The second part needs to be solved on your switch.

Like @Tom Shaw said, using the port-security command on Cisco switchgear is a good idea. However, it's incomplete: you need to specify the max number of device MAC addresses that can come from that port with switchport port-security maximum 1 (provided there isn't another switch or hub hanging off that port).

To save yourself from having to type in MAC addresses, you can use switchport port-security mac-address sticky after you've turned on port security to add the MAC address of the currently connected device to the approved list without having to type it in by hand.

JamesBarnett
  • 1,129
  • 8
  • 12
  • Do we need this much detail when the original poster hasn't even mentioned Cisco? I mentioned it in my answer just to show that it could be done. – Tom Shaw May 27 '11 at 14:41
  • Thanks for the great response. Although my switch is not currently Cisco, I am actually looking to acquire new hardware soon and this advice will help in any case. – BeepBoop May 27 '11 at 17:17
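The answers above explain that DHCP reservations cannot stop a host with a manually configured IP, so enforcement belongs on the switch. Until port-security is in place, a quick audit of the switch or firewall ARP table against the reservation list shows exactly which hosts are bypassing DHCP. The script below is an added example, not code from either answer or from SonicWall/Cisco; the reservation list, the ARP-table lines and their "ip mac port" layout are constructed for illustration, and a real device's export format will differ.

```python
import re
from collections import namedtuple

# Constructed sample data: DHCP reservations as the firewall would hold
# them, MAC -> reserved IP. Not taken from the question.
RESERVATIONS = {
    "00:11:22:33:44:01": "192.168.1.10",
    "00:11:22:33:44:02": "192.168.1.11",
}

# Constructed ARP-table lines ("ip mac port"); MAC formats vary on purpose
# to show normalisation. Gi0/2 and Gi0/3 are unknown MACs, Gi0/4 is an
# approved machine that has been given a static IP other than its reservation.
ARP_TABLE = """\
192.168.1.10 0011.2233.4401 Gi0/1
192.168.1.11 aa:bb:cc:dd:ee:02 Gi0/2
192.168.1.50 aa-bb-cc-dd-ee-03 Gi0/3
192.168.1.99 00:11:22:33:44:02 Gi0/4
"""

Finding = namedtuple("Finding", "ip mac port reason")


def normalize_mac(mac):
    """Accept aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aa:bb:cc:dd:ee:ff and
    return the colon-separated lowercase form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(arp_text, reservations):
    """Return one Finding per host whose MAC has no reservation or whose IP
    does not match its reservation: the statically addressed hosts that
    DHCP cannot stop and that port-security on the switch should block."""
    reserved = {normalize_mac(m): ip for m, ip in reservations.items()}
    findings = []
    for line in arp_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ip, mac, port = parts[0], normalize_mac(parts[1]), parts[2]
        if mac not in reserved:
            findings.append(Finding(ip, mac, port, "MAC has no DHCP reservation"))
        elif reserved[mac] != ip:
            findings.append(Finding(ip, mac, port,
                                    "IP differs from reservation %s" % reserved[mac]))
    return findings


if __name__ == "__main__":
    for f in audit(ARP_TABLE, RESERVATIONS):
        print("%s on %s: %s (%s)" % (f.ip, f.port, f.reason, f.mac))
```

The ports listed in the findings are the ones to disable or lock down with port-security first.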