#1
Hi,
I've been asked to take our business LAN, which uses MS DHCP, and set up a parallel but isolated DHCP network for visitors. The idea is that when employees use the LAN the DHCP server will recognize them (perhaps through some sort of authentication) and provide them with an IP address for the business LAN with access to all our business resources, but if a visitor plugs into the LAN the DHCP server will recognize that the visitor is not an employee (perhaps because they do not get authenticated) and provide them with an IP address on the isolated LAN that only provides access to the external world (Internet). Does anyone know how this can be accomplished, or if there are any tools available that provide this sort of functionality? Thanks in advance for any insight!
John
#2
Scenario 1.
Set up certain ports (wall jacks) for the visitors to plug into; on your switch set these fools to be on a separate VLAN, and set your DHCP server to push out another address range to this VLAN. Trunk the switch port that your router is going into and set an ACL to block the traffic from your visitors' VLAN from going into your own. Add a secondary IP address on the inside router interface going to the new VLAN. (This is what I would do if you have managed switches. However, it is not for the networking newbie to understand.)

Scenario 2.
Add a router, or use the existing router's second Ethernet interface if there is one, to another switch/hub and put certain wall jacks on this, applying an ACL to block traffic to your internal network, with IP-helper added to allow DHCP traffic to come across, and set the DHCP server to push out this second range. (This idea is expensive but easy to understand.)

Scenario 3.
Ask for their MAC address before they get there and set the DHCP server to push out a specified address to that MAC, and add a secondary address to the router for the default gateway. (This idea blows: no security, two networks on the same media is not a good idea, and what normal traveling sales dude would know what a MAC is?)

Scenario 4.
Buy a PIX 515 and put in a second Ethernet interface set with security level 20; run it to a hub/switch to certain wall jacks and enable DHCP on the PIX for this network (you are actually putting them in a DMZ). This is actually a good idea as it will give you added security to your existing network: you will put this behind your router and guard your internal network, as it will sit behind your router on e0 and the internal network on e1. It requires some extra public IPs though. This will give you VPN capability and the fixup protocols will guard against bad people. If you don't already have a real firewall this is my best suggestion.

Last edited by juniperr : February 4th, 2004 at 10:31 PM.
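Scenario 1 worked through as configuration, added here as an illustration and not taken from juniperr's post or from any real deployment: the VLAN numbers, interface names, address ranges and the DHCP server address (192.168.10.5) are all assumed. It uses 802.1Q subinterfaces on the router, which is the usual way to terminate the trunk the post describes (an alternative to the secondary address on the inside interface). The MS DHCP server stays on the employee VLAN and receives the visitors' requests through ip helper-address; the inbound ACL on the visitor subinterface permits DHCP, refuses anything aimed at the employee subnet, and lets the rest go out toward the Internet.

```cisco
! --- Access switch (Cisco IOS syntax assumed) ---
! Two VLANs: 10 = employees (existing), 20 = visitors (new, isolated)
vlan 10
 name EMPLOYEES
vlan 20
 name VISITORS
!
! Designated visitor wall jacks become access ports in VLAN 20
interface range FastEthernet0/20 - 24
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Uplink to the router carries both VLANs as an 802.1Q trunk
! (the encapsulation line is only needed on switches that also speak ISL)
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20

! --- Router (router-on-a-stick) ---
! One subinterface per VLAN. The DHCP server (assumed 192.168.10.5)
! sits on the employee VLAN, so the visitor subinterface relays
! DHCP broadcasts to it with ip helper-address.
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 description EMPLOYEE-VLAN
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 description VISITOR-VLAN
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 192.168.10.5
 ip access-group VISITOR-IN in
!
! Inbound from visitors, evaluated top-down:
!  1. DHCP client -> server (covers broadcast DISCOVER and unicast
!     RENEW to the server, which the next line would otherwise block)
!  2. nothing to the employee subnet, logged so attempts are visible
!  3. nothing to the router's own visitor-side address (management)
!  4. everything else out toward the Internet
ip access-list extended VISITOR-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 192.168.10.0 0.0.0.255 log
 deny   ip any host 192.168.20.1
 permit ip any any
```

On the MS DHCP side this needs a second scope for 192.168.20.0/24 with 192.168.20.1 as the router option and public DNS servers (not the internal ones, which the ACL blocks); the server picks that scope because the relayed requests arrive with the visitor subinterface as the relay agent address. The caveat juniperr attaches to this scenario still holds: isolation comes from which physical jack a host is plugged into, so a visitor on an employee jack lands in VLAN 10.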
#3
Thanks for your response juniperr.
One of our CEO's goals is to not have to force visitors to use a specific wall jack. Yesterday I stumbled across a possible solution where we would register all employees' MAC addresses in the building with our DHCP server and only provide an IP address within the business LAN scope if your MAC is registered. If your MAC address is not registered you would be pushed over to another DHCP scope that only has access to the Internet. I suppose this scope could also be in the DMZ for added security. One drawback I found is that I believe you need switches that support dynamic virtual IPs and currently ours do not. Have you ever heard of anyone using this scheme?
Thanks,
John
#4
This would not remotely be considered a DMZ; you are basically sharing two networks on the same media, which in reality gives nothing in security. It would be uncontrolled, as anyone could just put a static on their PC and poof, they are accessing all your internal resources. Actually a sniffer would not even care about the IP, as they use MAC. If you are looking for any kind of security, separate wall jacks is the only way I am aware of separating networks for security.
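The bypass juniperr points out (a host ignoring DHCP and configuring a static address on the shared segment) is the case that DHCP snooping and IP Source Guard on the access switch are built to detect and stop: the switch records the IP address each port obtained through DHCP and drops IP frames from any other source address on that port. This is an added example in Cisco IOS syntax, not from the thread, and it assumes a managed Catalyst switch that supports both features (more capable than the switches John describes), VLAN 10 as the employee VLAN, GigabitEthernet0/1 as the uplink toward the router and DHCP server, and FastEthernet0/2-19 as wall-jack ports.

```cisco
! --- Access switch: only DHCP-assigned addresses may talk (IOS syntax assumed) ---
! With snooping on, every port is untrusted by default: it may send DHCP
! client messages but any DHCP server reply arriving on it is dropped.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Snooping inserts DHCP option 82 into client requests by default; a
! relaying router discards such packets unless configured to trust them,
! so switch the insertion off when the relay/server has not been set up for it.
no ip dhcp snooping information option
!
! Uplink toward the router/DHCP server: the one port allowed to deliver
! DHCP OFFER/ACK messages to clients.
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
! Wall-jack ports: rate-limit DHCP to blunt starvation floods, and have
! IP Source Guard filter on the snooping binding table, so a station
! that sets a static address sees its traffic silently dropped and the
! binding table ("show ip dhcp snooping binding") shows who got what.
interface range FastEthernet0/2 - 19
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip verify source
!
! Operator checks after deployment (commands, not configuration):
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip verify source
```

This narrows the static-address hole on a shared segment but does not turn the MAC-registration scheme into real segregation: the binding is per port, a visitor still shares the broadcast domain with employees, and, as juniperr notes, anyone sniffing the wire does not need an IP address at all. Putting visitors in their own VLAN remains the separation that actually holds.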
Dev Shed Forums > System Administration > Networking Help > DHCP Networking Question