Isolate DHCP Leases

Simon Hobson dhcp1 at thehobsons.co.uk
Mon Mar 30 08:02:27 UTC 2009


CARTWRIGHT, CORY C (ATTSNET) wrote:

>If I understand, you want to isolate the clients from each other? 
>If this is correct, I don't believe you can do this via DHCP if the 
>clients are all on the same network / vlan.  I think the proper way 
>to do this is isolate each port on your switch in a different vlan 
>and switching is handled on the router / software side, similar to 
>how wireless is handled.  This however does not scale as well and 
>requires managed switches and trunking to your router.


Taking that as a starting point, I can see a way to do that without 
separate VLANs and subnets - but it will be a nightmare to administer 
and will require high-end switches.

As long as your switches support it, you could configure each port 
with a filter to block all traffic except:
IP traffic between the client and the router/any servers on the subnet.
ARP requests from the client for said devices (and the devices' responses).
ARP requests from those devices to the client (and the client's responses).
DHCP traffic between clients and the DHCP server(s) or relay agent(s).

To do this means knowing every MAC-IP-port triplet, restricts you to 
just one device per port (so no port-multiplying switches under 
desks), and without a lot of automated updating of switches* will 
entirely prevent any device mobility.

* To allow device mobility (and bear in mind I haven't thought this 
all the way through, so there may be holes) I think you would need to 
configure any unused switch ports to only permit DHCP traffic. Once a 
client gets a lease, you would then need to build a filter for that 
client's port to allow the other traffic. When a client unplugs, you 
will need to change the filter again to only allow DHCP traffic.


I do however find myself asking why this would be required. If it's 
for a hotel-type setup and you don't want guests to be able to access 
each other's computers, then I'd suggest just using multiple RFC1918 
subnets - if using the 10.0.0.0/8 subnet then there are 65 thousand 
/24 subnets available.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
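The per-port filter scheme Simon sketches above (unused port admits only DHCP; once the server commits a lease the port is bound to one MAC/IP pair and may talk IP and ARP only with the router and servers on the subnet; on release it drops back to DHCP-only) is easy to get subtly wrong, so here it is as an executable model. This is an added example, not code from the original thread or from any switch vendor: it models the filter decision in Python rather than producing a real ACL, the router, server and guest addresses are constructed (MACs from the 00:00:5e:00:53 documentation range), and the `on_commit`/`on_release` hooks stand in for whatever the DHCP server would call when a lease is granted or returned. Every rule in the decision function corresponds to one line of the list in the post.

```python
"""Model of a per-switch-port filter driven by DHCP lease state.

Added example (not from the dhcp-users thread). Addresses below are
constructed: router 10.1.0.1, DHCP server 10.1.0.2, guest gets 10.1.0.50.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """Only the header fields the filter inspects."""
    src_mac: str
    dst_mac: str
    ethertype: str                 # "ip" or "arp"
    src_ip: Optional[str] = None   # IP source / ARP sender protocol address
    dst_ip: Optional[str] = None   # IP destination / ARP target protocol address
    proto: Optional[str] = None    # "udp", "tcp", "icmp" (IP frames only)
    sport: Optional[int] = None
    dport: Optional[int] = None
    arp_op: Optional[str] = None   # "request" or "reply" (ARP frames only)


class PortFilter:
    """State for one access port: unbound (DHCP only) or bound to one MAC/IP."""

    def __init__(self, trusted: Dict[str, str], dhcp_macs: Set[str]) -> None:
        self.trusted = trusted      # ip -> mac of the router and servers on the subnet
        self.dhcp_macs = dhcp_macs  # MACs of the DHCP server(s) / relay agent(s)
        self.client_mac: Optional[str] = None
        self.client_ip: Optional[str] = None

    # Hypothetical hooks the DHCP server would drive on lease commit / release.
    def on_commit(self, mac: str, ip: str) -> None:
        self.client_mac, self.client_ip = mac, ip

    def on_release(self) -> None:
        self.client_mac = self.client_ip = None

    @property
    def bound(self) -> bool:
        return self.client_mac is not None

    def _is_dhcp(self, f: Frame, from_client: bool) -> bool:
        """DHCP is the one thing permitted on an unbound port; once bound, only from the bound MAC."""
        if f.ethertype != "ip" or f.proto != "udp":
            return False
        if from_client:
            return (f.sport == DHCP_CLIENT_PORT and f.dport == DHCP_SERVER_PORT
                    and (not self.bound or f.src_mac == self.client_mac))
        return (f.sport == DHCP_SERVER_PORT and f.dport == DHCP_CLIENT_PORT
                and f.src_mac in self.dhcp_macs)

    def allow(self, f: Frame, from_client: bool) -> bool:
        """Decide a frame entering the port (from_client=True) or leaving it toward the client."""
        if self._is_dhcp(f, from_client):
            return True
        if not self.bound:
            return False                      # unused port: DHCP only
        cm, ci = self.client_mac, self.client_ip
        if f.ethertype == "ip":
            if from_client:                   # client -> router/servers, no spoofed source
                return f.src_mac == cm and f.src_ip == ci and f.dst_ip in self.trusted
            return (f.src_ip in self.trusted and f.src_mac == self.trusted[f.src_ip]
                    and f.dst_ip == ci and f.dst_mac == cm)
        if f.ethertype == "arp":
            if from_client:                   # client may only ask for / answer trusted devices
                if f.src_mac != cm or f.src_ip != ci:
                    return False
                if f.arp_op == "request":
                    return f.dst_ip in self.trusted
                return (f.arp_op == "reply" and f.dst_ip in self.trusted
                        and f.dst_mac == self.trusted[f.dst_ip])
            # toward the client: only trusted devices, and only about the client's own IP
            if f.src_ip not in self.trusted or f.src_mac != self.trusted[f.src_ip]:
                return False
            if f.arp_op == "request":
                return f.dst_ip == ci         # a broadcast who-has for another guest is dropped here
            return f.arp_op == "reply" and f.dst_ip == ci and f.dst_mac == cm
        return False


def demo() -> Dict[str, bool]:
    """Constructed walk-through of one port: unbound -> leased -> released."""
    router, dhcp = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    pf = PortFilter(trusted={"10.1.0.1": router, "10.1.0.2": dhcp}, dhcp_macs={dhcp})
    guest, neighbour = "00:00:5e:00:53:aa", "00:00:5e:00:53:bb"
    r: Dict[str, bool] = {}
    r["discover_unbound"] = pf.allow(Frame(guest, BROADCAST, "ip", "0.0.0.0", "255.255.255.255", "udp", 68, 67), True)
    r["ping_unbound"] = pf.allow(Frame(guest, router, "ip", "10.1.0.50", "10.1.0.1", "icmp"), True)
    pf.on_commit(guest, "10.1.0.50")
    r["arp_router"] = pf.allow(Frame(guest, BROADCAST, "arp", "10.1.0.50", "10.1.0.1", arp_op="request"), True)
    r["arp_neighbour"] = pf.allow(Frame(guest, BROADCAST, "arp", "10.1.0.50", "10.1.0.51", arp_op="request"), True)
    r["ping_router"] = pf.allow(Frame(guest, router, "ip", "10.1.0.50", "10.1.0.1", "icmp"), True)
    r["ping_neighbour"] = pf.allow(Frame(guest, neighbour, "ip", "10.1.0.50", "10.1.0.51", "icmp"), True)
    r["spoofed_src"] = pf.allow(Frame(guest, router, "ip", "10.1.0.51", "10.1.0.1", "icmp"), True)
    r["neighbour_arp_in"] = pf.allow(Frame(neighbour, BROADCAST, "arp", "10.1.0.51", "10.1.0.50", arp_op="request"), False)
    r["router_arp_in"] = pf.allow(Frame(router, BROADCAST, "arp", "10.1.0.1", "10.1.0.50", arp_op="request"), False)
    pf.on_release()
    r["ping_router_after_release"] = pf.allow(Frame(guest, router, "ip", "10.1.0.50", "10.1.0.1", "icmp"), True)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28s} {'ALLOW' if verdict else 'DROP'}")
```

Two things the model makes visible that the prose glosses over: the "toward the client" ARP rule is what actually hides guests from each other, since a neighbour's broadcast who-has for any address other than the bound client's is dropped at the port, and a bound port still has to accept DHCP from the bound MAC or the client can never renew. Whether a given switch can express these per-port, per-MAC rules, and whether it can be reprogrammed fast enough on every lease commit and release, is exactly the administrative burden the post warns about.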


