DHCP Option 43 and 60

Solved
Captain
Getting noticed

DHCP Option 43 and 60

Dear Experts,

 

I am looking into allowing DHCP only to certain devices by their OUI to match my needs.

 

Though my NIC OUI is FC:34:97:xx:xx:xx with the following DHCP configuration below I am still getting DHCP. 

There's no other DHCP server on the network, but the MX.

 

How can I get it working? 

 

Is there a way to apply for an OUI range for example 

 00:00:01 to 00:00:02

 

Captain_0-1724833267236.png

Kind Regards,

C.

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

You won't be able to restrict the DHCP server to only responding to specific OUIs.

View solution in original post

7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal

You won't be able to restrict the DHCP server to only responding to specific OUIs.

Captain
Getting noticed

This is disappointing. 

Are there any plans for adding this security feature to the security appliance device?

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

You can use the "Give Feedback" option in the bottom right hand corner of the Dashboard page to request a feature (do it from the DHCP servers page).

PhilipDAth_0-1724842726927.png

 

But I think your chances are very slim.  This is the first time in 25 years I have had someone ask for this.

PhilipDAth
Kind of a big deal
Kind of a big deal

What you could do is create a new VLAN, and put all the devices with the OUIs you want into it, and then configure DHCP to service just that VLAN.

Captain
Getting noticed

The problem is that it is installed in an environment where someone might unplug our device and connect his device and get DHCP.

 

I'd like only for authorized devices to be able to pull dhcp.

 

 

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

In that case, create a firewall rule blocking all access.

 

Then for hosts you want to authorise - apply the built in group policy "Allow list" to override the firewall and grant access.

 

I think all devices will still be able to get a DHCP address - but unauthorized devices wont be able to send traffic across layer 3 interfaces.

 

PhilipDAth_0-1724875245694.png

 

PhilipDAth
Kind of a big deal
Kind of a big deal

If you want something even tighter, then you could use 802.1x and a RADIUS server on the LAN ports, and actually authenticate each device (or you could do it by MAC address).  This method would prevent a client from being able to do DHCP until authenticated.

 

https://documentation.meraki.com/MX/Access_Control_and_Splash_Page/MX_Access_Policies_(802.1X)

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels