Re: DHCP and VLANs
- From: Bob Simon <nobody@xxxxxxxxxxx>
- Date: Sun, 11 Mar 2007 17:39:12 -0500
On Sun, 11 Mar 2007 16:57:39 -0500, "Herb Martin"
<news@xxxxxxxxxxxxxx> wrote:

Herb,

Thanks for the reply. I didn't think my original message got posted
so I sent it again with slightly different info. You may want to look
at it to get a better understanding of what I want to do. In the
meantime, I have a few questions, inline.

> "Bob Simon" <nobody@xxxxxxxxxxx> wrote in message
> news:jeq8v2dma3iajgv3ca2ims0e76u9susmg3@xxxxxxxxxx
>
>> We use Windows Server 2003 for DHCP. There are three classes of users:
>> wired, wireless trusted (employees), and wireless guests. The company
>> wants to permit wireless guests access to the Internet but not to
>> servers or computers on our network.
>>
>> The access points we're using are layer 2 devices and they don't do
>> DHCP. Can Windows Server differentiate DHCP requests from wired hosts
>> vs wireless hosts if we put the access points on a separate VLAN?
>
> Yes, as long as the hosts are in different Broadcast Domains (which
> includes but is not limited to VLANs).
>
> This is the normal "scope" of DHCP configuration, and in fact is why
> the term scope is used to describe a configuration set associated with
> an IP subnet or broadcast domain.

Does this require two NICs in the server? If I have a single NIC that
supports 802.1Q tags, can Windows associate a scope with a particular
VLAN?

>> If so, I suppose the wireless employees could then be given static IP
>> addresses via a MAC reservation
>
> Works.
>
>> ...and we could create a new scope for
>> untrusted clients (guests) from VLAN2.
>
> They would be in the same "scope" as other (trusted) stations which
> are on the same broadcast domain (this is unlikely to actually be a
> VLAN but "broadcast domain" is likely what you mean here anyway.)
>
> To create different scopes for trusted vs. untrusted stations would
> require you to use different broadcast domains -- likely different
> access points -- for the stations so that each could be assigned
> different scopes, or even rules such as 802.1x authentication onto
> different devices.

Actually, I was hoping to put the guests on a separate VLAN from the
wireless employees. Here's how I envision this working:

Both types of hosts would come into the server from the AP. DHCP
would assign employees to the 192.168.2.0 subnet based on reservation.
All other wireless hosts (guest access) would get an address in the
192.168.3.0 subnet. The switch would then put the guests in VLAN 3
based on subnet.

If this is not feasible, what concept am I missing?

>> Will this idea work?
>
> Yes, but it isn't truly secure as hardware/MAC address can be spoofed.
> It would prevent casual or accidental abuse however.

I understand, but am not too worried about someone configuring the
LAA. I don't think our data would be all that valuable to steal.

>> Is there a better way to put guests on a
>> separate subnet? (We don't want anyone to have to set a static IP
>> address.)
>
> If you were willing to run two separate (sets of) wireless access points
> then you could require 802.1x or merely different WPA access keys,
> even do RADIUS authentication and force the "guests" to actually
> use a different access point, receive different IP ranges, and thus
> be subject to much more secure restrictions.
>
> More sophisticated access points might let you do this, i.e., separate
> broadcast domains -- perhaps different wireless channels, with a single
> device -- this would be MUCH closer to the actual idea of VLANs on
> a sophisticated wired switch.

This would be a lot more practical if we weren't already on four
floors. But it's a problem that can be simply solved if funded.
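As an added example, not from this thread or from either poster: a small Python check over constructed lines in the Windows Server 2003 DHCP audit-log layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address), which is assumed here. It verifies that employee-subnet leases only come from reservations and flags a reserved MAC that shows up under more than one host name, the trace a spoofed or duplicated MAC would leave in the DHCP log.

```python
import csv
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Employee reservations as the thread describes them: MACs pinned to
# addresses in 192.168.2.0/24. All values in this example are constructed.
EMPLOYEE_SUBNET = ip_network("192.168.2.0/24")
RESERVATIONS = {"001122334455": ip_address("192.168.2.50"),
                "00aabbccddee": ip_address("192.168.2.51")}

# Constructed lease events in the Windows Server 2003 DHCP audit-log layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address); real logs
# carry an explanatory preamble before the header line, which is skipped.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,03/11/07,17:39:12,Assign,192.168.2.50,alice-laptop.corp.local,001122334455
10,03/11/07,17:40:03,Assign,192.168.3.17,guest-phone,00DEADBEEF01
11,03/11/07,17:52:40,Renew,192.168.2.50,unknown-pc,001122334455
10,03/11/07,18:01:09,Assign,192.168.2.51,bob-laptop.corp.local,00AABBCCDDEE
10,03/11/07,18:05:44,Assign,192.168.2.77,visitor-x,00DEADBEEF02
"""
LEASE_EVENTS = {"10", "11"}  # 10 = Assign (new lease), 11 = Renew

def parse_audit_log(text):
    """Return the Assign/Renew rows, skipping everything before the header."""
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("ID,"))
    return [r for r in csv.DictReader(lines[start:]) if r["ID"] in LEASE_EVENTS]

def audit(events, reservations=RESERVATIONS, employee_subnet=EMPLOYEE_SUBNET):
    """Flag leases that contradict the reservation scheme or hint at a reused MAC."""
    names_by_mac = defaultdict(set)
    findings = []
    for ev in events:
        mac, ip = ev["MAC Address"].lower(), ip_address(ev["IP Address"])
        names_by_mac[mac].add(ev["Host Name"])
        # An employee-subnet lease must come from a reservation, never the pool.
        if ip in employee_subnet and mac not in reservations:
            findings.append(("unreserved_in_employee_subnet", mac, str(ip)))
        # A reserved MAC leasing another address means the scope is misconfigured.
        if mac in reservations and ip != reservations[mac]:
            findings.append(("reserved_mac_wrong_ip", mac, str(ip)))
    # One reserved MAC reporting several host names is the trace a spoofed or
    # duplicated MAC leaves in the DHCP log, which is what Herb's caveat is about.
    for mac, names in names_by_mac.items():
        if mac in reservations and len(names) > 1:
            findings.append(("reserved_mac_multiple_hostnames", mac, ",".join(sorted(names))))
    return findings
```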