DHCP Broadcast needs to be plugged

Posted on 2008-06-11
Last Modified: 2012-05-05
Hi,

We have a DHCP server running in our domain and we have three subnets: 192.168.1.x, 192.168.0.x and 192.168.5.x. The first has static IP addresses and the second is dynamic (from the DHCP server running on Windows 2003 Server OS). The third is a secured network with a different subnet mask. What we would like to do is prevent DHCP broadcast to the secured network. Can this be done? If yes, how?

Thanks in advance

Regards

Jagdish
Question by:jagdish1234

17 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21767211

Hi Jagdish,

The DHCP server doesn't broadcast; the client does. The DHCP server just replies. Do you have a router between the DHCP server and the secure subnet? It's more a case of preventing client broadcasts leaving the secure network.

Chris
 

Author Comment

by:jagdish1234
ID: 21767235
Hi Chris,

Thanks. There is no router. Though the client will broadcast DHCPDiscover, I don't want the DHCP server to send the DHCPOffer if it is not in the subnet.

Jagdish
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21767299

So all clients share the same broadcast domain? That is, they're on the same switch stack?

How is the Secure subnet split from the standard one? Is the DHCP server multi-homed?

The addresses on the Secure subnet are by static assignment? Or how is membership of the secure network determined?

Chris
 

Author Comment

by:jagdish1234
ID: 21767354
So many questions!!

The clients share the same broadcast domain.

The secured subnet is split at the router end. There is a PIX which acts as a gateway to the secured network. This PIX gets connected to the firewall and the firewall routes it to the outside world. The DHCP server is not multi-homed.

The secured network will have a DHCP server of its own and it will have some reservations for the clients. Currently clients are statically assigned.

Jagdish
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21767486

Sorry, just trying to get a picture of where everything is plugged in :)

The DHCP server is plugged directly into the secure network?

The difficulty is, unless the secure subnet is on a separate broadcast domain you have no way of filtering. Presumably it's responding to clients with a 0.x address at the moment?

Chris
 

Author Comment

by:jagdish1234
ID: 21767867
Just kidding, Chris!

The DHCP server (in the other LAN) {henceforth named DHCPServ1 for convenience} is connected to the network directly via a switch.
The DHCP server (in the secured network) {henceforth named DHCPServ2 for convenience} is not up.

Jagdish
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21767985

Okay, but DHCPServ1 is on the same Broadcast Domain as DHCPServ2. That is, there's no Firewall / Router between DHCPServ1 and the Secure network?

If there is, you just have to stop relaying Broadcast over.

Chris
 

Author Comment

by:jagdish1234
ID: 21768020
There is a firewall and a router between DHCPServ1 and DHCPServ2.
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21768051

Then it must be relaying Broadcast for the client requests to get as far as DHCPServ1?

Chris
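The two situations the last few comments are circling (a client broadcast answered on the shared switch, versus a request relayed across a router such as the PIX) are easier to reason about with the packet fields in front of you. The following is an added worked example, not code from the thread or from either participant: it builds DHCPDISCOVER/DHCPOFFER packets in the RFC 2131 wire format, models what an RFC 1542 relay agent does to giaddr and hops, and applies the RFC 2131 §4.3.1 rule a server uses to pick a scope. The server address 192.168.0.10, the relay inside address 192.168.5.1, the pool addresses and the MAC are assumptions chosen to match the thread's subnets.

```python
"""DHCPDISCOVER/DHCPOFFER model for the exchange in this thread (constructed example):
RFC 2131 wire format, RFC 1542 relay behaviour, RFC 2131 4.3.1 scope selection."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
FLAG_BROADCAST = 0x8000
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed BOOTP header

def _ip(addr):
    return ipaddress.IPv4Address(addr).packed

def build_packet(op, xid, chaddr, msg_type, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
                 siaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, flags=0, extra_opts=b""):
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack(HEADER_FMT, op, 1, 6, hops, xid, 0, flags,
                         _ip(ciaddr), _ip(yiaddr), _ip(siaddr), _ip(giaddr),
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type]) + extra_opts + bytes([OPT_END])

def parse_packet(pkt):
    f = struct.unpack(HEADER_FMT, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:  # pad option, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    addr = lambda b: str(ipaddress.IPv4Address(b))
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "ciaddr": addr(f[7]), "yiaddr": addr(f[8]), "siaddr": addr(f[9]),
            "giaddr": addr(f[10]), "chaddr": f[11][:6].hex(":"),
            "msg_type": opts[OPT_MSG_TYPE][0], "options": opts}

def client_discover(mac, xid=0x3903F326):
    """Client side: broadcast from 0.0.0.0:68 to 255.255.255.255:67 with giaddr 0."""
    return build_packet(BOOTREQUEST, xid, mac, DHCPDISCOVER, flags=FLAG_BROADCAST)

def relay_forward(pkt, relay_if_addr, max_hops=4):
    """RFC 1542 relay: giaddr (if zero) := relay's address on the receiving
    interface, hops += 1, then unicast the request to the server."""
    hops = pkt[3]
    if hops >= max_hops:
        return None  # looped or over-relayed request: drop it
    giaddr = pkt[24:28] if pkt[24:28] != b"\x00" * 4 else _ip(relay_if_addr)
    return pkt[:3] + bytes([hops + 1]) + pkt[4:24] + giaddr + pkt[28:]

def reply_destination(offer_pkt):
    """RFC 2131 4.1: the server only answers; to the relay at giaddr:67, else ciaddr,
    else broadcast if the client set the flag, else unicast to yiaddr."""
    p = parse_packet(offer_pkt)
    if p["giaddr"] != "0.0.0.0":
        return (p["giaddr"], 67)
    if p["ciaddr"] != "0.0.0.0":
        return (p["ciaddr"], 68)
    if p["flags"] & FLAG_BROADCAST:
        return ("255.255.255.255", 68)
    return (p["yiaddr"], 68)

class DhcpServer:
    """Single-homed server with one free-address pool per scope."""
    def __init__(self, server_ip, scopes):
        self.server_ip = server_ip
        self.scopes = {ipaddress.ip_network(n): list(p) for n, p in scopes.items()}

    def select_scope(self, giaddr):
        """RFC 2131 4.3.1: giaddr 0 -> subnet of the receiving interface, else giaddr's subnet."""
        key = ipaddress.ip_address(self.server_ip if giaddr == "0.0.0.0" else giaddr)
        return next((net for net in self.scopes if key in net), None)

    def handle(self, pkt):
        p = parse_packet(pkt)
        if p["op"] != BOOTREQUEST or p["msg_type"] != DHCPDISCOVER:
            return None
        net = self.select_scope(p["giaddr"])
        if net is None or not self.scopes[net]:
            return None  # no scope for that subnet, or pool exhausted: stay silent
        server_id = bytes([OPT_SERVER_ID, 4]) + _ip(self.server_ip)
        return build_packet(BOOTREPLY, p["xid"], p["chaddr"], DHCPOFFER,
                            yiaddr=self.scopes[net].pop(0), siaddr=self.server_ip,
                            giaddr=p["giaddr"], flags=p["flags"], extra_opts=server_id)

def scenarios():
    """(a) secured host on the same switch as DHCPServ1, no relay: giaddr stays 0, the
    server uses its 0.x scope and cannot tell this host from a 0.x client;
    (b) same host behind a relay whose inside address is 192.168.5.1 (assumed):
    giaddr is rewritten and, with no 5.x scope, the server has nothing to offer."""
    mac = "00:11:22:33:44:55"
    server = DhcpServer("192.168.0.10", {"192.168.0.0/24": ["192.168.0.100"]})
    offer = server.handle(client_discover(mac))
    relayed = server.handle(relay_forward(client_discover(mac), "192.168.5.1"))
    return parse_packet(offer)["yiaddr"], relayed
```

With giaddr left at zero (no relay, everything on one switch) the server, per RFC 2131, picks the scope of the interface the request arrived on, so a secured host on the shared segment receives a 0.x offer and nothing in the packet lets the server tell it apart from a legitimate 0.x client. When a relay has rewritten giaddr to its 192.168.5.1 inside address, the server looks for a 192.168.5.0/24 scope and stays silent if it has none; any offer it does make goes unicast back to the relay on port 67, not out as a broadcast, which is why the relay configuration, not the server, is the place to cut this off.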
 

Author Comment

by:jagdish1234
ID: 21768258
Now the issue is how to stop this relaying.
Just figured out one solution for DHCPServ1. Populate all the DHCP IPs and bind them to MAC addresses, OR have just a range of addresses for the broadcast and have the range allotted to the clients. This way there will not be any free IPs left to offer. What do you think?

Is there any better way of doing this?

Jagdish
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21768326

It would be better to stop it relaying :)

If you look at the configuration on the PIX there do you see a line like "dhcprelay enable ... " anywhere?

Chris
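For reference, this is the shape of the DHCP relay configuration on a PIX (6.x command syntax) that the comment above is asking about. It is an added illustration, not the customer's actual configuration (which the thread says is not readable from this side); the interface names, the server address 192.168.0.10 and the timeout value are assumptions.

```text
! Relay client DHCP broadcasts arriving on "inside" to DHCPServ1 (address assumed)
dhcprelay server 192.168.0.10 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 90

! To stop the relaying, the owner of the PIX would remove the enable line:
no dhcprelay enable inside
```

The `dhcprelay enable inside` line is what turns a client's DHCPDISCOVER broadcast on the secured side into a unicast request to the server listed in `dhcprelay server`; without it the broadcast dies at the PIX and DHCPServ1 never sees it, which is the "stop it relaying" outcome being asked for.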
 

Author Comment

by:jagdish1234
ID: 21768373
Ha!! Now here lies the issue.

The PIX was preconfigured and given to us by our customer. We do not have any access to even read the config file.

Can't we do it on our side to stop the relaying...
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21768511

Ouch, that's not so helpful.

Windows Server distributing addresses? That won't have a firewall (or at least not a useful firewall), so I bet we can't block it there...

And we can't block it on the client end because it's way too early in the process, long before the firewall comes on-line.

Hmm, there's no chance they can update the PIX configuration?

Chris
 

Author Comment

by:jagdish1234
ID: 21768560
I can give a try to coax them to update it.

Meanwhile, was just thinking of using a DHCP relay agent so that any request coming from the secured network can be warded off!

Jagdish
 

Author Comment

by:jagdish1234
ID: 21810026
Hi,

We have temporarily solved this issue. How?

Now we have physically isolated the 1.x network and the 5.x network so that the broadcast is totally prevented. But for this there was a tradeoff. Since 1.x and 5.x were spanning multiple buildings, we had to physically move the 5.x network to a different place so that they are directly under one switch which goes to a Cisco PIX (gateway for 5.x) and then to the router.

Here comes one more catch!!!

Moving 5 or 6 PCs is OK. But tomorrow if the team grows, what next?

I was thinking of having a bridge between 1.x and 5.x. This bridge will have two NICs, one for each subnet (1.x and 5.x). There will be a port forward / NAT to 5.x for all packets destined to 5.x from 1.x. Here again, we may have to have ACLs which will restrict to only a few IPs via the MAC address.
Is it possible to realize this?

Thanks

Jagdish

 
LVL 71

Accepted Solution

by:Chris Dent (earned 1000 total points)
ID: 21811535

You're static NATing on the 1.x source to a static 5.y destination? That would work, but a bridge is the wrong device; it would still be a router / firewall performing the NAT.

It makes sense though, and should work.

Chris
 

Author Closing Comment

by:jagdish1234
ID: 31466438
Thank you, Chris, for the support.
