Solved

DHCP Broadcast needs to be plugged

Posted on 2008-06-11
17
635 Views
Last Modified: 2012-05-05
Hi,

We have a DHCP Server running in our domain and we have three subnets - 192.168.1.x, 192.168.0.x and 192.168.5.x. The first has static IP address and the second is dynamic (from the DHCP Server running on Windows 2003 Server OS). The third is a secured network with a different Subnet mask. What we would like to do is prevent DHCP broadcast to the secured network. Can this be done ? If yes, how?

Thanks in advance

Regards

Jagdish
Question by:jagdish1234

17 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21767211

Hi Jagdish,

The DHCP Server doesn't Broadcast, the client does. The DHCP Server just replies. Do you have a Router between the DHCP Server and the Secure Subnet? It's more of a case of preventing client broadcasts leaving the secure network.

Chris
0
 

Author Comment

by:jagdish1234
ID: 21767235
Hi Chris,

Thanks. There is no router. Though the client will broadcast DHCPDiscover, I don't want the DHCP server to send the DHCPOffer if it is not in the subnet.

Jagdish
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21767299

So all clients share the same broadcast domain? That is, they're on the same switch stack?

How is the Secure subnet split from the standard one? Is the DHCP server multi-homed?

The addresses on the Secure subnet are by static assignment? Or how is membership of the secure network determined?

Chris
0
 

Author Comment

by:jagdish1234
ID: 21767354
So many Questions !!

The clients share the same broadcast domain

Secured subnet is split at the router end. There is a PIX which acts as a gateway to the secured network. This PIX gets connected to the firewall and the firewall routes it to the outside world. DHCP server is not multi-homed.

The Secured network will have a DHCP server of its own and it will have some reservations for the clients. Currently clients are statically assigned.

Jagdish
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21767486

Sorry, just trying to get a picture of where everything is plugged in :)

The DHCP server is plugged directly into the secure network?

The difficulty is, unless the secure subnet is on a separate broadcast domain you have no way of filtering. Presumably it's responding to clients with a 0.x address at the moment?

Chris
0
 

Author Comment

by:jagdish1234
ID: 21767867
Just Kidding Chris !

The DHCP Server (in the other LAN) {henceforth named DHCPServ1 for convenience} is connected to the network directly via a switch.
The DHCP Server (in the secured network) {henceforth named DHCPServ2 for convenience} is not UP.

Jagdish
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21767985

Okay, but DHCPServ1 is on the same Broadcast Domain as DHCPServ2. That is, there's no Firewall / Router between DHCPServ1 and the Secure network?

If there is, you just have to stop relaying Broadcast over.

Chris
0
 

Author Comment

by:jagdish1234
ID: 21768020
There is a firewall and a router between DHCPserv1 and DHCPServ2
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21768051

Then it must be relaying Broadcast for the client requests to get as far as DHCPServ1?

Chris
0
 

Author Comment

by:jagdish1234
ID: 21768258
Now the issue is how to stop this relaying.
Just figured one solution for DHCPserv1. Populate all the DHCP IP and bind them to the MAC address. OR have just a range of address for the broadcast and have the range allotted to the clients. This way there will not be any Free IPs left for offer. What do you think ?

Is there any better way of doing this ?

Jagdish
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21768326

It would be better to stop it relaying :)

If you look at the configuration on the PIX there do you see a line like "dhcprelay enable ... " anywhere?

Chris
0
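To make the relay point concrete: a DHCP server picks the scope it answers from using the giaddr field of the request (RFC 2131). A client's own broadcast carries giaddr 0.0.0.0, so the server uses the subnet of the interface it arrived on; a request forwarded by a relay carries the relay's address in giaddr, which is exactly how a request from the secured subnet can reach DHCPServ1 across a firewall and still be answered. The following is an added example, not code from the thread or from any Windows or Cisco product: it builds a constructed DHCPDISCOVER, parses the BOOTP header, applies the giaddr rule, and shows where a server-side policy could decline relayed requests for the secured scope. The scope table, the /24 mask on 192.168.5.0 (the thread only says it differs), and the `should_offer` policy are assumptions; the Windows 2003 DHCP service in the thread offers no such per-request policy hook, which is why the discussion centres on stopping the relay itself.

```python
"""Minimal DHCP (BOOTP) parser plus the giaddr-based scope rule of RFC 2131.

Added illustration; the scopes below are constructed to mirror the thread.
"""
import ipaddress
import struct
from typing import Optional, Tuple

# Constructed scope table. The secured subnet's real mask is not given in
# the thread; /24 is an assumption for the example.
SCOPES = {
    "dynamic": ipaddress.ip_network("192.168.0.0/24"),
    "secured": ipaddress.ip_network("192.168.5.0/24"),
}

BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
DHCPDISCOVER = 1


def build_discover(mac: bytes, giaddr: str = "0.0.0.0") -> bytes:
    """Construct a DHCPDISCOVER; giaddr is non-zero only when a relay forwarded it."""
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        0x3903F326,                 # xid, a constructed transaction id
        0, 0x8000,                  # secs=0, flags: broadcast bit set
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr all zero
        ipaddress.ip_address(giaddr).packed,
        mac.ljust(16, b"\0"),       # chaddr padded to 16 bytes
        b"\0" * 64, b"\0" * 128,    # sname, file
    )
    options = bytes([53, 1, DHCPDISCOVER]) + b"\xff"   # option 53 + end marker
    return header + MAGIC_COOKIE + options


def parse_message(data: bytes) -> dict:
    """Decode the BOOTP header and the DHCP option list into a dict."""
    fields = struct.unpack(BOOTP_FMT, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == 0:               # pad
            i += 1
            continue
        if code == 255:             # end of options
            break
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    hlen = fields[2]
    return {
        "op": fields[0],
        "xid": fields[4],
        "giaddr": str(ipaddress.ip_address(fields[10])),
        "chaddr": fields[11][:hlen].hex(":"),
        "msg_type": options.get(53, b"\0")[0],
        "options": options,
    }


def select_scope(msg: dict, iface_ip: str) -> Optional[str]:
    """RFC 2131 rule: relayed requests are matched on giaddr, local ones on the
    address of the interface that received the broadcast."""
    if msg["giaddr"] != "0.0.0.0":
        anchor = ipaddress.ip_address(msg["giaddr"])
    else:
        anchor = ipaddress.ip_address(iface_ip)
    for name, net in SCOPES.items():
        if anchor in net:
            return name
    return None


def should_offer(msg: dict, iface_ip: str,
                 blocked=("secured",)) -> Tuple[bool, str]:
    """Hypothetical server-side policy: decline relayed DISCOVERs that map to a
    blocked scope. Note it can only see giaddr, so it does nothing for a client
    broadcasting directly into the same broadcast domain as the server."""
    if msg["msg_type"] != DHCPDISCOVER:
        return False, "not a DHCPDISCOVER"
    scope = select_scope(msg, iface_ip)
    if scope is None:
        return False, "no scope for giaddr/interface"
    if scope in blocked:
        return False, f"relayed from blocked scope {scope} via {msg['giaddr']}"
    return True, f"offer from scope {scope}"


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    local = parse_message(build_discover(mac))
    relayed = parse_message(build_discover(mac, giaddr="192.168.5.1"))
    print(should_offer(local, "192.168.0.10"))
    print(should_offer(relayed, "192.168.0.10"))
```

The relayed case is the one the thread is about: with the PIX forwarding requests, DHCPServ1 sees giaddr 192.168.5.1 and, having no scope policy, would happily answer from whatever scope matches. The local case shows the limit Chris describes: once clients share a broadcast domain with the server, giaddr is zero and there is nothing in the packet to filter on.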
 

Author Comment

by:jagdish1234
ID: 21768373
Ha !! Now lies the issue.

The PIX was preconfigured and given to us by our customer. We do not have any access to even read the config file.

Can't we do it on our side to stop relaying...
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21768511

Ouch, that's not so helpful.

Windows Server distributing addresses? That won't have a firewall (or at least not a useful firewall), so I bet we can't block it there...

And we can't block it on the client end because it's way too early in the process, long before the firewall comes on-line.

Hmm, there's no chance they can update the PIX configuration?

Chris
0
 

Author Comment

by:jagdish1234
ID: 21768560
I can give a try to coax them to update it.

Meanwhile, was just thinking of using a DHCP relay agent so that any request coming from the secured network can be warded off!

Jagdish
0
 

Author Comment

by:jagdish1234
ID: 21810026
Hi,

We have temporarily solved this issue. How ?

Now we have physically isolated the 1.x network and the 5.x network so that the broadcast is totally prevented. But for this there was a tradeoff. Since 1.x and 5.x were spanning multiple buildings, we had to physically move the 5.x network to a different place so that they are directly under one switch which goes to a CISCO PIX (gateway for 5.x) and then to the router.

Here comes one more catch !!!

Moving 5 or 6 PCs is ok. But tomorrow if the team grows, what next ?

I was thinking of having a bridge between 1.x and 5.x. This bridge will have two NICs, one for each subnet (1.x and 5.x). There will be a port forward / NAT to 5.x for all packets destined to 5.x from 1.x. Here again, we may have to have ACLs which will restrict only a few IPs via the MAC address.
Is it possible to realize this?

Thanks

Jagdish

0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 250 total points
ID: 21811535

You're static NATing on the 1.x source to a static 5.y destination? That would work, but a Bridge is the wrong device; it would still be a router / firewall to perform NAT.

It makes sense though, and should work.

Chris
0
 

Author Closing Comment

by:jagdish1234
ID: 31466438
Thank you Chris for the support
0
