What you are looking for is "network admission control" (NAC). You can do a poor man's NAC using Cisco port security, but it is imperfect. In many ways it is more trouble than it's worth, but it is "free"--assuming that you have switches that support it and time to handle the issues that arise. Cisco has a NAC solution, but it is not inexpensive. There are other ways of doing it, but I am not terribly familiar with anything else.
Bill Mayo

-----Original Message-----
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Thursday, July 23, 2009 1:59 PM
To: NT System Admin Issues
Subject: RE: DHCP and multiple Subnets; Multiple DHCP server or DHCP-Relays?

This answers my question exactly. Thank you.

If I did decide to drop reserving each-and-every computer, what other methods (and probably stronger methods) are there of preventing unauthorized computers from getting on the network?

We have a lot of older switches which cannot handle 802.1x, which looks like it will do what I want... but does anybody know of a different solution that works with unmanaged switches?

--Matt Ross
Ephrata School District

----- Original Message -----
From: Mayo, Bill [mailto:bem...@pittcountync.gov]
To: NT System Admin Issues [mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Thu, 23 Jul 2009 10:54:10 -0700
Subject: RE: DHCP and multiple Subnets; Multiple DHCP server or DHCP-Relays?

> Do you mean that you are creating reservations in DHCP (you say
> "statically assign")? If that is the case, then what you will have to
> do is create a reservation in EACH subnet that a given user would hit.
> Since they are in different subnets, though, it would mean different
> addresses (or else networking wouldn't work).
>
> If you want to simply use DHCP, you have to create different scopes
> for each subnet and then turn on DHCP relay on the switches. When the
> switch relays the DHCP request, it tells DHCP from where the request
> came and DHCP will then give out an address in the appropriate scope.
>
> Bill Mayo
>
> -----Original Message-----
> From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
> Sent: Thursday, July 23, 2009 1:38 PM
> To: NT System Admin Issues
> Subject: DHCP and multiple Subnets; Multiple DHCP server or DHCP-Relays?
>
> Hey list.
>
> Since nobody had a good network mailing list, I'll ask my question here.
>
> We have a large flat network which I'm looking at splitting up. It was
> 10.x.x.x/8, looking to bring it to several 10.20.x.x/16s. I've got my
> configuration of the router figured out, except DHCP. We statically
> assign our IPs to individual machines... but I don't see how that's
> possible with a routed network like this... especially for mobile
> users who move across subnets from time to time.
>
> I could install a DHCP server for each subnet, but this could be
> tedious. Using my switch's DHCP-Relay seems like a good idea, but if a
> user moves to a different subnet, won't that user get an invalid IP
> address?
>
> Any other ideas on how to get past this?
>
> --Matt Ross
> Ephrata School District

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
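
The relay behaviour described in the quoted reply, modelled as an added example that is not part of the thread: a relay writes its own interface address into the request's giaddr field, and the server answers from the scope whose subnet contains it, so a roaming machine needs one reservation per subnet. The class and function names, subnets, pool ranges and MAC addresses are constructed for illustration.

```python
import ipaddress

class Scope:
    """One DHCP scope per routed subnet; the pool bounds are constructed."""
    def __init__(self, network, first, last):
        self.network = ipaddress.ip_network(network)
        self.first = ipaddress.ip_address(first)
        self.last = ipaddress.ip_address(last)
        self.reservations = {}  # MAC -> fixed address, valid in this subnet only
        self.leases = {}        # MAC -> address handed out from the pool

    def reserve(self, mac, addr):
        addr = ipaddress.ip_address(addr)
        if addr not in self.network:
            raise ValueError(f"{addr} is not in {self.network}")
        self.reservations[mac.lower()] = addr

    def offer(self, mac):
        mac = mac.lower()
        known = self.reservations.get(mac, self.leases.get(mac))
        if known is not None:
            return known
        taken = set(self.reservations.values()) | set(self.leases.values())
        addr = self.first
        while addr <= self.last:
            if addr not in taken:
                self.leases[mac] = addr
                return addr
            addr += 1
        return None  # pool exhausted

def handle_discover(scopes, mac, giaddr):
    """giaddr is the relay's interface address on the client's subnet; the
    server answers from the scope that contains it, or not at all."""
    giaddr = ipaddress.ip_address(giaddr)
    for scope in scopes:
        if giaddr in scope.network:
            return scope.offer(mac)
    return None

def build_scopes():
    # Constructed sample data: two /16 scopes and one roaming laptop.
    a = Scope("10.20.0.0/16", "10.20.1.1", "10.20.1.254")
    b = Scope("10.21.0.0/16", "10.21.1.1", "10.21.1.254")
    a.reserve("00:11:22:33:44:55", "10.20.0.50")
    b.reserve("00:11:22:33:44:55", "10.21.0.50")
    return [a, b]
```

In this model a MAC with no reservation still receives a pool address in whichever subnet it plugs into.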