Assigning fixed IP to generated VDI desktops
Simon Hobson
dhcp1 at thehobsons.co.uk
Tue Nov 1 14:20:28 UTC 2016
Miloslav Hůla <miloslav.hula at gmail.com> wrote:
>> You will need to ensure that your assignment logic supports it. IFF you can be sure that no other host will have a host name "office-nn" then it is sufficient to define a class matching on that. However, since it is easy to set a hostname then someone could upset that.
>> Presumably the MAC addresses all fall within one OUI (or a small number of OUIs), so you could extend the matching to that and thus exclude anything not running as a VM with that hypervisor type.
>
> That's the plan. But it is still weak place for security, mainly for WiFi access. On the other hand, WiFi is in another VLAN so attacker will be without connectivity with such stolen IP.
Don't forget that, unless you get the config very badly wrong, a device in a different network just won't match the subnet at all. So if your WiFo users are on a different VLAN (ie different network) then they won't be considered for your VDI pools at all even if they match the class statements. Thus they won't be able to "steal" an IP.
More information about the dhcp-users
mailing list