Access Control Lists & DHCP

Question

Please take a look at this image right here.

In the image above you can see a virtual netwerk simulation program (CISCO Packet Tracer 6.0) where I'm trying to setup a network and secure it.

However I've come to the point where I want to use Access Control Lists in combination with DHCP. However, I haven't managed to find a way to bind certain MAC addresses to specific IP addresses (If anyone would know how to do this in this program... please let me know). So I figured out that that might bring me future problems. Where a lease would be released and a new IP is handed out. When a computer then tries to access certain parts of the network, the ACL might block them...

Would anyone be able to hand me some information on how to deal with this so that if I connected a "attacker" computer to this network, it gets blocked. But when a computer in the network receives a new IP adres, it doesn't block it?

You might be thinking: Use port-security... However, for me to understand ACL's better I would like to find a way to use it in this network.

Thank you in advance! Dempsey

score 0 · Answer 1 · answered May 22 '13 at 18:27

0

However, I haven't managed to find a way to bind certain MAC addresses to specific IP addresses (If anyone would know how to do this in this program... please let me know).

Yes, you can do that. Imagining you want client Gnouc, MAC address xxxx.yyyy.zzzz will have IP 192.168.1.100, then you do this in router:

ip dhcp pool Gnouc
host 192.168.1.100
hardware-address xxxx.yyyy.zzzz ieee802
client-name Gnouc

Try and feedback.

Would anyone be able to hand me some information on how to deal with this so that if I connected a "attacker" computer to this network, it gets blocked. But when a computer in the network receives a new IP adres, it doesn't block it?

I think ACL can not do that, you must use mac access-list.

answered May 22 '13 at 18:27

cuonglm

2,386
2
16
20

I presume this is based on using the router as a DHCP server? – Dempsey FoxDie Van Assche May 22 '13 at 18:54
Yes, it is not you want? – cuonglm May 22 '13 at 19:00
Sure that could work :) However, I've been told that if you have a server using DHCP, if a router is using DHCP it will disable the one running on a server. – Dempsey FoxDie Van Assche May 22 '13 at 19:10
Don't understand what you want? If you want ACL for DHCP, i.e MAC address, it is impossible, use `mac access-list` instead. – cuonglm May 22 '13 at 19:13
The idea you gave me is good, i'll test it out first thing in the morning. However, in my current setup i have a server dedicated for DHCP... long story short... i'll remove the dedicated DHCP to avoid conflicts. I will give you feedback on the outcome tommorrow. – Dempsey FoxDie Van Assche May 22 '13 at 19:27
I'm unable to use these commands in the routers that are provided in this network simulator. The routers available in this simulator are: 1841, 1941, 2620XM, 2621XM, 2811, 2901, 2911.. all cisco. – Dempsey FoxDie Van Assche May 23 '13 at 10:21
Refer this `http://www.uptimekeeper.net/2011/01/configuring-cisco-ios-dhcp-reservation/` – cuonglm May 23 '13 at 10:45

Access Control Lists & DHCP

1 Answers1