Subject: Hardcoding Issues
From: Rikishi 42
Date: 11/6/2007 12:00:58 AM
On 2007-11-05, Nori <noridotjabi@gmail.com> wrote:
> Hello everyone. I am a college student, and at the college I go to,
> we receive our internet connection through the Local Area Network.
> Our LAN uses DHCP to assign IP addresses. The DHCP server only
> assigns IP addresses to people who have their MAC address registered
> with the system admin and entered into this database. Of late,
> several people have been hard coding their IP addresses. This has
> become a problem since people who are receiving IP addresses from the
> DHCP server are frequently losing internet connectivity due to IP
> address conflict.
The admin needs to change his approach, methinks.
We've started to put machines on separate VLANs according to whether they
have a 'valid' MAC address or not. The valid MACs are put on the main LAN,
and get an IP for it. Those that aren't, are switched on a VLAN that leads
only to the Net, and they get a 192.168.x.x. This allows visitors to go get
their mail, without being inside the company's network. Also easier for
them, because that 'outside' VLAN has no proxy.
--
There is an art, it says, or rather, a knack to flying.
The knack lies in learning how to throw yourself at the ground and miss.
Douglas Adams
Subject: Hardcoding Issues
From: Rikishi 42
Date: 11/6/2007 8:18:33 PM
On 2007-11-06, Joe Pfeiffer <pfeiffer@cs.nmsu.edu> wrote:
> Rikishi 42 <skunkworks@rikishi42.net> writes:
>>
>> We've started to put machines on separate VLANs according to whether they
>> have a 'valid' MAC address or not. The valid MACs are put on the main LAN,
>> and get an IP for it. Those that aren't, are switched on a VLAN that leads
>> only to the Net, and they get a 192.168.x.x. This allows visitors to go get
>> their mail, without being inside the company's network. Also easier for
>> them, because that 'outside' VLAN has no proxy.
>
> But if a visitor sets the IP, by hand, to one of the 'official' ones,
> what happens?
Say the 'real' network distributes IP addresses from the 123.x.x.x range to the
valid MAC addresses.
And say other MACs get a 192.168.0.x address. Those are routed to the Net.
The visitor manually encodes 123.45.67.89 in his machine. But since the MAC
is invalid, the machine will still be connected (by the switch) to the
'externals' VLAN.
But from that VLAN, only the 192.168.0.x addresses get routed to the
Internet. So, his machine can't even get there. It's trapped, unable to
communicate with any machine, unless there is another such clown who did
the same thing.
Of course, it's possible to redefine a MAC address. But that's another story.
And physically locating the little bugger isn't *that* difficult.
Neither is kicking him out of the building, with his USB stick firmly
embedded where the light don't shine. :-)
(always wear gloves when applying that LART)
PS: I wasn't involved in the deployment of that system. Therefore not all
details are known to me. I might have - for instance - wrongly used the term
VLAN. But you get the general drift of what was done.
--
There is an art, it says, or rather, a knack to flying.
The knack lies in learning how to throw yourself at the ground and miss.
Douglas Adams
Subject: Hardcoding Issues
From: Llanzlan Klazmon the 15th
Date: 11/7/2007 12:37:31 PM
Nori <noridotjabi@gmail.com> wrote in news:1194236239.555668.193060@o3g2000hsb.googlegroups.com:
> Hello everyone. I am a college student, and at the college I go to,
> we receive our internet connection through the Local Area Network.
> Our LAN uses DHCP to assign IP addresses. The DHCP server only
> assigns IP addresses to people who have their MAC address registered
> with the system admin and entered into this database. Of late,
> several people have been hard coding their IP addresses. This has
> become a problem since people who are receiving IP addresses from the
> DHCP server are frequently losing internet connectivity due to IP
> address conflict.
>
> Basically I recently began to realize how big a deal this actually
> is. Several of my professors and the Executive Director have all lost
> internet connectivity. The method that these hard coders are using is
> as follows.
>
> Everyone at my college has a domain name which is in the form
> {lastname}{first letter of first name}.domain.edu. (For example
> williamsw.foobar.edu). Essentially what has been happening is
> students have been pinging the domain names of their targets and
> hardcoding that IP address to prevent the rightful owner of that IP
> from gaining internet connectivity. The system admin does not know
> how to catch these "hardcoders" so he has chosen to disable internet
> from 12:00 AM to 5:00 PM as a punishment to everyone until the
> culprits are caught. I intend to catch them.
>
> Our server is some sort of Linux and I run Debian Etch. I am pretty
> sure all of the people doing this hard coding run Windows XP or
> Windows Vista. Essentially I have some idea of what I need to do to
> attain the MAC addresses of the hardcoders but am not quite sure.
>
> I would greatly appreciate help from anyone in this endeavor. Thanks
> in advance.
>
> Nori
>
If your switches support 802.1X you could try that. It isn't invulnerable
but is a possibility.
http://en.wikipedia.org/wiki/IEEE_802.1X
I believe a certain computer software company (name beginning with the
letter M) had a problem with visitors plugging into network ports and
carrying out nefarious activities ;-). Their solution was to allow their
bona fide servers and workstations to only talk to each other using IPSec
IIRC.
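As an added example (not code from anyone in this thread): a small Python script that reconciles the admin's MAC registry with an `arp -an` snapshot taken on the gateway, listing hosts whose MAC is unregistered or which answer for an IP the DHCP server leased to someone else. The registry, the MAC addresses, the 123.x.x.x range and the ARP lines are all constructed for the example.

```python
"""Flag hosts that hard-coded an IP address on a DHCP-managed LAN.

Constructed inputs: a registry mapping each approved MAC to the IP the
DHCP server leases to it, and `arp -an` style lines captured on the
gateway.  An entry is flagged when its MAC is not in the registry, or
when a registered MAC shows up on an IP other than the one leased to it.
"""
import re

# Constructed registry: approved MAC -> IP leased by the DHCP server.
REGISTERED = {
    "00:11:22:33:44:55": "123.45.67.89",   # e.g. williamsw's desktop
    "00:11:22:33:44:66": "123.45.67.90",
    "00:11:22:33:44:77": "123.45.67.93",
}

# Constructed `arp -an` output from the gateway (one snapshot).
ARP_OUTPUT = """\
? (123.45.67.89) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (123.45.67.90) at 00:11:22:33:44:66 [ether] on eth0
? (123.45.67.91) at aa:bb:cc:dd:ee:02 [ether] on eth0
? (123.45.67.92) at 00:11:22:33:44:77 [ether] on eth0
? (123.45.67.99) at <incomplete> on eth0
"""

# Matches the "(ip) at mac" part of a resolved arp -an line.
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return (ip, mac) pairs from arp -an lines; incomplete entries are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def find_hardcoders(arp_text, registered):
    """Return (ip, mac, reason) for every ARP entry inconsistent with the registry."""
    findings = []
    for ip, mac in parse_arp(arp_text):
        if mac not in registered:
            # Nobody registered this MAC, yet it answers for an address on the LAN.
            findings.append((ip, mac, "unregistered MAC"))
        elif registered[mac] != ip:
            # Known host, but not on the IP the DHCP server gave it.
            findings.append((ip, mac, f"expected {registered[mac]}"))
    return findings
```

Run it periodically and diff the findings; a single snapshot only shows whichever MAC last answered for a contested IP, so the rightful owner may alternate with the squatter between runs.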