DHCP Broadcast needs to be plugged

Hi,

We have a DHCP Server running in our domain and we have three subnets - 192.168.1.x, 192.168.0.x and 192.168.5.x. The first has static IP addresses and the second is dynamic (from the DHCP Server running on Windows 2003 Server OS). The third is a secured network with a different subnet mask. What we would like to do is prevent DHCP broadcast to the secured network. Can this be done? If yes, how?

Thanks in advance

Regards

Jagdish
Chris Dent (PowerShell Developer) commented:

Hi Jagdish,

The DHCP Server doesn't Broadcast, the client does. The DHCP Server just replies. Do you have a Router between the DHCP Server and the Secure Subnet? It's more of a case of preventing client broadcasts leaving the secure network.

Chris
jagdish1234 (Author) commented:
Hi Chris,

Thanks. There is no router. Though the client will broadcast DHCPDiscover, I don't want the DHCP server to send the DHCPOffer if it is not in the subnet.

Jagdish
Chris Dent (PowerShell Developer) commented:

So all clients share the same broadcast domain? That is, they're on the same switch stack?

How is the Secure subnet split from the standard one? Is the DHCP server multi-homed?

The addresses on the Secure subnet are by static assignment? Or how is membership of the secure network determined?

Chris
jagdish1234 (Author) commented:
So many Questions !!

The clients share the same broadcast domain

Secured subnet is split at the router end. There is a PIX which acts as a gateway to the secured network. This PIX gets connected to the firewall and the firewall routes it to the outside world. DHCP server is not multi-homed.

The Secured network will have a DHCP server of its own and it will have some reservations for the clients. Currently clients are statically assigned.

Jagdish
Chris Dent (PowerShell Developer) commented:

Sorry, just trying to get a picture of where everything is plugged in :)

The DHCP server is plugged directly into the secure network?

The difficulty is, unless the secure subnet is on a separate broadcast domain you have no way of filtering. Presumably it's responding to clients with a 0.x address at the moment?

Chris
jagdish1234 (Author) commented:
Just Kidding Chris !

The DHCP Server (in the other LAN) {henceforth named DHCPServ1 for convenience} is connected to the network directly via a switch.
The DHCP Server (in the secured network) {henceforth named DHCPServ2 for convenience} is not UP.

Jagdish
Chris Dent (PowerShell Developer) commented:

Okay, but DHCPServ1 is on the same Broadcast Domain as DHCPServ2. That is, there's no Firewall / Router between DHCPServ1 and the Secure network?

If there is, you just have to stop relaying Broadcast over.

Chris
jagdish1234 (Author) commented:
There is a firewall and a router between DHCPServ1 and DHCPServ2.
Chris Dent (PowerShell Developer) commented:

Then it must be relaying Broadcast for the client requests to get as far as DHCPServ1?

Chris
jagdish1234 (Author) commented:
Now the issue is how to stop this relaying.
Just figured one solution for DHCPServ1. Populate all the DHCP IPs and bind them to MAC addresses. OR have just a range of addresses for the broadcast and have the range allotted to the clients. This way there will not be any free IPs left to offer. What do you think?

Is there any better way of doing this ?

Jagdish
Chris Dent (PowerShell Developer) commented:

It would be better to stop it relaying :)

If you look at the configuration on the PIX there do you see a line like "dhcprelay enable ... " anywhere?

Chris
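Without read access to the PIX, the relay can still be confirmed from the secure segment's side by looking at the DHCP replies that arrive there. This is an added example, not code from the thread: it parses a DHCPOFFER/DHCPACK as a capture on the 5.x segment would show it and flags replies that come from a server other than the one expected there, hand out an address outside the secure subnet, or carry a non-zero giaddr (the field a relay agent fills in). The secure subnet being 192.168.5.0/24, the server addresses 192.168.1.10 and 192.168.5.1, and the sample packets are all constructed for the demonstration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 marker that starts the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(data: bytes) -> dict:
    """Extract yiaddr, giaddr, message type (option 53) and server identifier (option 54)."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"yiaddr": str(ipaddress.IPv4Address(data[16:20])),
           "giaddr": str(ipaddress.IPv4Address(data[24:28])),
           "type": None, "server_id": None}
    i = 240
    while i < len(data) and data[i] != 255:     # 255 = end option
        if data[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if code == 53:
            msg["type"] = MSG_TYPES.get(value[0], value[0])
        elif code == 54:
            msg["server_id"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return msg


def audit_offer(msg: dict, segment: str, allowed_servers: set) -> list:
    """Reasons an OFFER/ACK seen on `segment` should not have been there (empty = fine)."""
    if msg["type"] not in ("OFFER", "ACK"):
        return []
    findings = []
    if msg["server_id"] not in allowed_servers:
        findings.append(f"offer from unexpected server {msg['server_id']}")
    if ipaddress.IPv4Address(msg["yiaddr"]) not in ipaddress.ip_network(segment):
        findings.append(f"offered {msg['yiaddr']} is outside {segment}")
    if msg["giaddr"] != "0.0.0.0":
        findings.append(f"message was relayed via {msg['giaddr']}")
    return findings


def build_offer(yiaddr: str, server_id: str, giaddr: str = "0.0.0.0") -> bytes:
    """Construct a minimal DHCPOFFER for the demo; this is not captured traffic."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0x8000)   # op=BOOTREPLY, broadcast flag
    hdr += b"\x00" * 4 + ipaddress.IPv4Address(yiaddr).packed      # ciaddr, yiaddr
    hdr += b"\x00" * 4 + ipaddress.IPv4Address(giaddr).packed      # siaddr, giaddr
    hdr += b"\x00" * 208                                            # chaddr, sname, file
    opts = bytes([53, 1, 2, 54, 4]) + ipaddress.IPv4Address(server_id).packed + b"\xff"
    return hdr + MAGIC_COOKIE + opts
```

Feed it the raw UDP payloads of port 68 traffic captured on the secure segment; an offer with findings is one that the relay (or a flat broadcast domain) let through.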
jagdish1234 (Author) commented:
Ha !! Now lies the issue.

The PIX was preconfigured and given to us by our customer. We do not have any access to even read the config file.

Can't we do it on our side to stop relaying...
Chris Dent (PowerShell Developer) commented:

Ouch, that's not so helpful.

Windows Server distributing addresses? That won't have a firewall (or at least not a useful firewall), so I bet we can't block it there...

And we can't block it on the client end because it's way too early in the process, long before the firewall comes on-line.

Hmm, there's no chance they can update the PIX configuration?

Chris
jagdish1234 (Author) commented:
I can give a try to coax them to update it.

Meanwhile, was just thinking of using a DHCP relay agent so that any request coming from the secured network can be warded off!

Jagdish
jagdish1234 (Author) commented:
Hi,

We have temporarily solved this issue. How ?

Now we have physically isolated the 1.x network and the 5.x network so that the broadcast is totally prevented. But for this there was a tradeoff. Since 1.x and 5.x were spanning multiple buildings, we had to physically move the 5.x network to a different place so that they are directly under one switch which goes to a CISCO PIX (gateway for 5.x) and then to the router.

Here comes one more catch !!!

Moving 5 or 6 PCs is ok. But tomorrow if the team grows, what next ?

I was thinking of having a bridge between 1.x and 5.x. This bridge will have two NICs, one for each subnet (1.x and 5.x). There will be a port forward / NAT to 5.x for all packets destined to 5.x from 1.x. Here again, we may have to have ACLs which will restrict only a few IPs via the MAC address.
Is it possible to realize this?

Thanks

Jagdish

Chris Dent (PowerShell Developer) commented:

You're static NATing on the 1.x source to a static 5.y destination? That would work, but a Bridge is the wrong device; it would still be a router / firewall to perform NAT.

It makes sense though, and should work.

Chris
jagdish1234 (Author) commented:
Thank you Chris for the support