  1. #11 Rubberman (Linux Guru; joined Apr 2009; location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away; 11,159 posts)

    Quote Originally Posted by Irithori:
        I agree you want the same IP/hostname during the lifetime of a machine.
        Which can be achieved via the fixed-address option of isc dhcpd.
        This is done with *one* source-of-truth, which generated both dns zones and dhcpd config via puppet manifests.

        So you have both: A "static" mapping of mac-ip-hostname and a really simple and uniform network config for each node via dhcp.
    Good points Irithori, though not "intuitive" for most newbie network admins...
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  2. #12 Irithori (Trusted Penguin; joined May 2009; location: Munich; 3,221 posts)
    It took 2 senior admins and several days of writing manifests/templates/ruby code to do this.
    Plus an angry manager asking wth we are doing
    You must always face the curtain with a bow.

  3. #13 Rubberman (Linux Guru; joined Apr 2009; location: I can be found either 40 miles west of Chicago, or in a galaxy far, far away; 11,159 posts)
    Quote Originally Posted by Irithori:
        It took 2 senior admins and several days of writing manifests/templates/ruby code to do this.
        Plus an angry manager asking wth we are doing
    Ah yes, the pointy-hair manager... Too bad we can't just give them a brain transplant!
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  4. #14 Mahdi (Just Joined!; joined Jun 2013; 4 posts)
    I found the way described below; let me know whether it is a perfect solution or not:
    I have a lab with 1 switch and 2 machines attached: one XP station and a Debian lenny server. My Debian runs dhcpd with this configuration:
    subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.31 192.168.1.254;
    default-lease-time 345600;
    max-lease-time 691200;
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    option domain-name "lab.com";
    option domain-name-servers 192.168.1.12;
    option netbios-name-servers 192.168.1.12;
    option netbios-node-type 8;
    option broadcast-address 192.168.1.255;
    option ntp-servers 192.168.1.12;
    ddns-updates on;
    ddns-update-style interim;
    }

    I'm trying to restrict dhcp to only provide settings for a list of MAC addresses (about 300 MACs).
    Using the following option is not good for me because I don't have a pattern in my clients' MACs.

    class "private-hosts" {
    # "hardware" is the type byte followed by the MAC; bytes 1..3 are the vendor OUI
    match if substring (hardware, 1, 3) = 00:50:56;
    }
    # a pool must live inside a subnet (or shared-network) declaration
    subnet 192.168.1.0 netmask 255.255.255.0 {
    pool {
    range 192.168.1.31 192.168.1.254;
    allow members of "private-hosts";
    }
    }

    I've tried using iptables with the following configuration, but XP is still getting an IP from dhcpd:
    # Default policies: drop inbound, allow forwarded and outbound traffic
    iptables -P INPUT DROP
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    # Full from Localhost to Localhost
    iptables -A INPUT -i lo -j ACCEPT
    # Full from My PC
    iptables -A INPUT -s 192.168.1.2 -j ACCEPT
    So I can't limit DHCP for specific macs.

    Regards,
    Mahdi

  5. #15 Irithori (Trusted Penguin; joined May 2009; location: Munich; 3,221 posts)
    As far as I understood from your first post, you are dealing with multiple users, multiple VMware Player installations and VMs.
    In this case, separating by MAC is flawed, because any user with enough knowledge can fake the MAC and get into non-intended nets.
    So separating physical machines from VMs for security reasons doesn't work.

    Which leaves organizational reasons, which might or might not play a big role for you.
    I would probably drop the separation and just choose a big enough subnet to contain physical hosts + VMs

    However, if you need to separate, then I would try to avoid maintaining a list of the MACs of physical NICs.
    They are arbitrary and you will spend a lot of time keeping the list complete.

    Instead, focus on the VMware MAC addresses.
    The first three bytes are well known and can be matched.
    This article explains it quite well: DHCP ranges by vendor - PeTUU

    I don't get the connection between the original post and post #14.
    The config shows a quite high lease time of 4 days. Imho 12h are already on the high side.
    No idea what the iptables rules shall achieve in the given context.

    If you want to allow only known and authenticated hosts, then you want a NAC, and this is tricky.
    The easiest (but work-intensive) method is the maintenance of a list of MAC addresses you already know (and which is insecure).
    Then there is RADIUS, but not all network devices support that.
    There are also proprietary solutions like CTA (Cisco Trust Agent).

    A more maintainable option might be to let people connect, but instead pay more attention that all services in the network are either non-critical (ntp, dns, etc) or properly secured via encryption and authentication (internal websites, network shares etc)
    You must always face the curtain with a bow.
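The approach from posts #11 and #15 put together as an added example (not code from this thread): a small Python generator that treats a constructed inventory as the single source of truth, emits dhcpd `host`/`fixed-address` stanzas from it, and adds a class that matches guests by VMware OUI the way `substring (hardware, 1, 3)` does. The inventory entries, pool ranges and class name are made up for the example.

```python
import ipaddress
import re

# Constructed inventory: the one source of truth for mac/ip/hostname
# (the same data would also feed the DNS zone generator).
INVENTORY = [
    {"hostname": "ws01", "mac": "08:00:27:4e:1a:2b", "ip": "192.168.1.21"},
    {"hostname": "ws02", "mac": "08-00-27-9C-00-11", "ip": "192.168.1.22"},
]
SUBNET = ipaddress.ip_network("192.168.1.0/24")
# Well-known VMware OUIs. Matching on them is a convenience for placing guests
# in their own pool; a guest owner can still set any MAC, so it is no security boundary.
VMWARE_OUIS = ("00:50:56", "00:0c:29", "00:05:69")


def normalize_mac(mac):
    """Accept 08:00:27:.., 08-00-27-.. or 080027.. and return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_vmware_guest(mac):
    """Same test as dhcpd's substring(hardware, 1, 3): compare the OUI only."""
    return normalize_mac(mac)[:8] in VMWARE_OUIS


def host_stanza(entry):
    """One host declaration with a fixed-address inside the lab subnet."""
    ip = ipaddress.ip_address(entry["ip"])
    if ip not in SUBNET:
        raise ValueError(f"{ip} is outside {SUBNET}")
    return (f'host {entry["hostname"]} {{\n'
            f'  hardware ethernet {normalize_mac(entry["mac"])};\n'
            f'  fixed-address {ip};\n}}')


def render_config(inventory):
    """Emit a dhcpd.conf fragment: OUI class, two pools, one host per entry."""
    seen = set()
    for e in inventory:
        mac = normalize_mac(e["mac"])
        if mac in seen:  # two hosts with one MAC would silently fight over a lease
            raise ValueError(f"duplicate MAC {mac}")
        seen.add(mac)
    oui_test = " or ".join(f"substring (hardware, 1, 3) = {o}" for o in VMWARE_OUIS)
    lines = [f'class "vmware-guests" {{ match if {oui_test}; }}',
             f"subnet {SUBNET.network_address} netmask {SUBNET.netmask} {{",
             '  pool { range 192.168.1.100 192.168.1.199; allow members of "vmware-guests"; }',
             '  pool { range 192.168.1.31 192.168.1.99; deny members of "vmware-guests"; }',
             "}"]
    return "\n".join(lines + [host_stanza(e) for e in inventory])
```

Hosts listed in the inventory always get their fixed-address; everything else lands in the VM or physical pool according to its OUI.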