I am currently using a SonicWall Pro 2040 with DHCP enabled, but only with static IPs mapped to specific MAC addresses. There is no dynamic IP scope being used. Currently, no DHCP request will resolve an IP, as desired.
However, if a server or workstation network interface is still configured with a user-defined, static IP address, it works fine. I would like potential users who assign their machines with static IPs to not work.
Is there a way to deny these types of connections whose MAC address is not approved?
答案1
There is no way to configure a DHCP server to deny static IP addresses. If you think about it, there is a direct path between hosts on the network that simply does not go through the SonicWall:
SonicWall
LAN Port
^
|
v
HostA <----> Switch <----> HostB
So if you want to filter on MAC address to stop HostA from advertising an IP address on the network, you need to do so at the switch. As an example, if your switch is a Cisco, the command to use is switchport port-security
.
答案2
Short answer (on the switch):
- Disable all ports that aren't connected device receiving a reserved IP
- Setup port-security using sticky macs
The following commands will set an interface to allow only currently connected device to use that switchport:
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
source: Cisco port security config documentation
Long answer:
这是一个由两部分组成的问题。第一部分是分配地址,第二部分是禁止未在 DHCP 中从 Sonic Wall 分配“保留地址”的计算机访问。我认为您已经在 SonicWall 上解决了第一部分问题。第二部分需要在您的交换机上解决。
就像@Tom Shaw 所说的那样,在 cisco 交换机上使用 port-security 命令是个好主意。但是,它并不完整,您需要指定可从该端口发出的最大设备 MAC 地址数量switchport port-security maximum 1
(前提是该端口上没有其他交换机或集线器)。
为了节省您输入 MAC 地址的时间,您可以switchport port-security mac-address sticky
在打开端口安全后使用它来将当前连接设备的 MAC 地址添加到批准列表中,而无需手动输入。