[K12OSN] deny IP based on MAC address....how?

"Terrell Prudé, Jr." microman at cmosnetworks.com
Mon Oct 4 02:32:54 UTC 2004


David Trask wrote:

>Hi all,
>
>I have a situation....I have an IP address that I believe is infected with
>a worm that is putting significant traffic on my network.  The IP address is
>internal and I don't for the life of me know where it is.  I've tried
>everything to find it.  I know the MAC address from the logs on my DHCP
>server....what I'd like to do is prevent that MAC address from even
>getting an IP address.   Is this possible?  I'm using an FC 1 server as my
>DHCP server (that's all that particular server does...just DHCP).  I have
>no desire to populate my entire dhcpd.conf file with all the MAC addresses
>in my building....there's too many.  What I simply want to do is deny
>giving an IP address to a particular machine (whose MAC address I
>know)....and/or deny access to my network (from inside) to that IP
>address.  (I've statically assigned that IP to that MAC in my dhcpd.conf
>so I can at least track it, but now I need to shut it down)  Any ideas?
>
>David N. Trask
>Technology Teacher/Coordinator
>Vassalboro Community School
>dtrask at vcs.u52.k12.me.us
>(207)923-3100
>  
>

We run into this exact issue all the time.  You've got Amer.com 
switches, right?  You can block that MAC address in the switch, at their 
switch port.  Thus, if they try statically assigning themselves an IP 
address, it won't matter.  :-)  Of course, they could go walking around 
till they find a drop that doesn't block them (we have people do this 
all the time).  So, you also block their MAC at the right Gigabit trunk, 
i.e. the one right before you get to the segment with the 
router/important servers, and they can't do nada!  Then they *have* to 
come to you and get themselves disinfected.

Sneaky, I know, but boy, does it work.

--TP
_____________________
Do you GNU!? <http://www.gnu.org>
Be virus- and spam-free with Free/Open Source Software (FOSS). Check it 
out! <http://www.mozilla.org/thunderbird>
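
The DHCP half of the question above, as an added example that is not part of either original message: a dhcpd.conf fragment that refuses one MAC address without listing any other client. It assumes the server runs ISC dhcpd; the host name, MAC and IP address are constructed placeholders.

```conf
# dhcpd.conf fragment (assumes ISC dhcpd). The host name, MAC and IP
# below are constructed placeholders, not values from the thread.

# Before: the tracking entry described in the question. The suspect MAC
# always receives the same address, so it is easy to follow in the logs.
#host suspect-host {
#    hardware ethernet 00:00:5e:00:53:01;
#    fixed-address 192.168.1.50;
#}

# After: same MAC, but dhcpd no longer answers its requests.
# "deny booting" only has meaning inside a host declaration, so every
# other client keeps getting addresses from the normal range.
host suspect-host {
    hardware ethernet 00:00:5e:00:53:01;
    deny booting;
}

# Limits: a lease the client already holds stays usable until it
# expires, and a manually configured address bypasses DHCP entirely,
# which is why the reply blocks the MAC at the switch port and at the
# trunk as well.
```

Running `dhcpd -t` checks the file's syntax before the service is restarted.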



