Solved

DHCP Broadcast needs to be plugged

Posted on 2008-06-11
636 Views
Last Modified: 2012-05-05
Hi,

We have a DHCP Server running in our domain and we have three subnets - 192.168.1.x, 192.168.0.x and 192.168.5.x. The first has static IP addresses and the second is dynamic (from the DHCP Server running on Windows 2003 Server OS). The third is a secured network with a different subnet mask. What we would like to do is prevent DHCP broadcast to the secured network. Can this be done? If yes, how?

Thanks in advance

Regards

Jagdish
Question by:jagdish1234
17 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21767211

Hi Jagdish,

The DHCP Server doesn't Broadcast, the client does. The DHCP Server just replies. Do you have a Router between the DHCP Server and the Secure Subnet? It's more of a case of preventing client broadcasts leaving the secure network.

Chris
 

Author Comment

by:jagdish1234
ID: 21767235
Hi Chris,

Thanks. There is no router. Though the client will broadcast DHCPDiscover, I don't want the DHCP server to send the DHCPOffer if it is not in the subnet.

Jagdish
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21767299

So all clients share the same broadcast domain? That is, they're on the same switch stack?

How is the Secure subnet split from the standard one? Is the DHCP server multi-homed?

The addresses on the Secure subnet are by static assignment? Or how is membership of the secure network determined?

Chris
 

Author Comment

by:jagdish1234
ID: 21767354
So many questions!!

The clients share the same broadcast domain.

The secured subnet is split at the router end. There is a PIX which acts as a gateway to the secured network. This PIX gets connected to the firewall and the firewall routes it to the outside world. The DHCP server is not multi-homed.

The secured network will have a DHCP server of its own and it will have some reservations for the clients. Currently clients are statically assigned.

Jagdish
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21767486

Sorry, just trying to get a picture of where everything is plugged in :)

The DHCP server is plugged directly into the secure network?

The difficulty is, unless the secure subnet is on a separate broadcast domain you have no way of filtering. Presumably it's responding to clients with a 0.x address at the moment?

Chris
 

Author Comment

by:jagdish1234
ID: 21767867
Just kidding, Chris!

The DHCP Server (in the other LAN) {henceforth named DHCPServ1 for convenience} is connected to the network directly via switch.
The DHCP Server (in the secured network) {henceforth named DHCPServ2 for convenience} is not UP.

Jagdish
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21767985

Okay, but DHCPServ1 is on the same Broadcast Domain as DHCPServ2. That is, there's no Firewall / Router between DHCPServ1 and the Secure network?

If there is, you just have to stop relaying Broadcast over.

Chris
 

Author Comment

by:jagdish1234
ID: 21768020
There is a firewall and a router between DHCPServ1 and DHCPServ2.

 
LVL 70

Expert Comment

by:Chris Dent
ID: 21768051

Then it must be relaying Broadcast for the client requests to get as far as DHCPServ1?

Chris
 

Author Comment

by:jagdish1234
ID: 21768258
Now the issue is how to stop this relaying.
Just figured one solution for DHCPServ1. Populate all the DHCP IPs and bind them to the MAC addresses. OR have just a range of addresses for the broadcast and have the range allotted to the clients. This way there will not be any free IPs left to offer. What do you think?

Is there any better way of doing this?

Jagdish
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21768326

It would be better to stop it relaying :)

If you look at the configuration on the PIX there do you see a line like "dhcprelay enable ... " anywhere?

Chris
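The two ideas raised in this thread, relay-based filtering (Chris's point about the "dhcprelay" line on the PIX) and a fully reserved scope (Jagdish's MAC-binding proposal), both come down to what a DHCP server can see in a DHCPDISCOVER. A relayed request carries the relay agent's address in the BOOTP giaddr field, so the server can pick a scope from it and stay silent when no scope matches; a request that arrives as a plain forwarded broadcast has giaddr set to 0.0.0.0, and the only thing left to key on is the client MAC. The following script is an added illustration, not code from the thread and not the Windows DHCP server's own logic: it is a simplified model of server-side scope selection, with constructed DHCPDISCOVER packets, an assumed scope list and an assumed reservation table.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 DHCP magic cookie after the BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
DHCPDISCOVER = 1


@dataclass
class DhcpRequest:
    xid: int
    giaddr: str              # relay agent address; "0.0.0.0" when the broadcast reached us directly
    chaddr: str              # client hardware (MAC) address, colon separated
    msg_type: Optional[int]  # DHCP option 53, None if absent


def parse_dhcp(packet: bytes) -> DhcpRequest:
    """Decode the BOOTP fixed header (236 bytes) plus the DHCP message-type option."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    giaddr = packet[24:28]            # ciaddr 12-16, yiaddr 16-20, siaddr 20-24, giaddr 24-28
    chaddr = packet[28:28 + hlen]     # chaddr field is 16 bytes; hlen says how many are used
    msg_type = None
    i = 240
    while i < len(packet):            # walk the TLV option list
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    return DhcpRequest(xid, str(ipaddress.IPv4Address(giaddr)), chaddr.hex(":"), msg_type)


def build_discover(xid: int, mac: bytes, giaddr: str) -> bytes:
    """Construct a minimal DHCPDISCOVER (constructed test input, not a captured packet)."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)   # op=BOOTREQUEST, broadcast flag
    header += b"\x00" * 12                                            # ciaddr, yiaddr, siaddr
    header += ipaddress.IPv4Address(giaddr).packed                   # giaddr set by a relay agent
    header += mac + b"\x00" * 10                                      # chaddr padded to 16 bytes
    header += b"\x00" * 192                                           # sname (64) and file (128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def decide(packet: bytes, scopes: List[str], reservations: Dict[str, str]) -> str:
    """Model of the server's offer policy.

    scopes: subnets (CIDR strings) this server hands out addresses for; assumed values.
    reservations: MAC -> IP table; a direct broadcast is only answered for reserved MACs,
    which is the effect of a scope with no free leases outside its reservations.
    """
    req = parse_dhcp(packet)
    if req.msg_type != DHCPDISCOVER:
        return "ignore: not a DHCPDISCOVER"
    nets = [ipaddress.IPv4Network(s) for s in scopes]
    if req.giaddr != "0.0.0.0":
        # relayed: the relay gateway address tells us which subnet the client is on
        gateway = ipaddress.IPv4Address(req.giaddr)
        if not any(gateway in net for net in nets):
            return f"drop: no scope for relay gateway {req.giaddr}"
        return f"offer: scope chosen from relay gateway {req.giaddr}"
    # direct broadcast: origin subnet is unknown, fall back to the reservation table
    if req.chaddr in reservations:
        return f"offer: reserved {reservations[req.chaddr]}"
    return f"drop: no reservation for {req.chaddr} on a direct broadcast"


if __name__ == "__main__":
    scopes = ["192.168.0.0/24"]                                  # assumed: only the 0.x scope exists
    reservations = {"00:11:22:33:44:55": "192.168.0.50"}         # assumed reservation table
    for xid, mac, gw in [(1, "001122334455", "192.168.5.1"),     # relayed from the secure side
                         (2, "001122334455", "0.0.0.0"),         # direct broadcast, reserved MAC
                         (3, "aabbccddeeff", "0.0.0.0"),         # direct broadcast, unknown MAC
                         (4, "aabbccddeeff", "192.168.0.1")]:    # relayed from the 0.x side
        print(decide(build_discover(xid, bytes.fromhex(mac), gw), scopes, reservations))
```

The first case is the one that matters for this thread: if the PIX relays with giaddr set to its 5.x address and the server has no 5.x scope, nothing is offered, which is why fixing the relay beats exhausting the address pool. The second and third cases show what is left once the request arrives as a bare broadcast with giaddr cleared: the server cannot tell which side of the PIX the client sits on and can only refuse MACs it has no reservation for.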
 

Author Comment

by:jagdish1234
ID: 21768373
Ha!! Now here lies the issue.

The PIX was preconfigured and given to us by our customer. We do not have any access to even read the config file.

Can't we do something on our side to stop the relaying...
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21768511

Ouch, that's not so helpful.

Windows Server distributing addresses? That won't have a firewall (or at least not a useful firewall), so I bet we can't block it there...

And we can't block it on the client end because it's way too early in the process, long before the firewall comes on-line.

Hmm, there's no chance they can update the PIX configuration?

Chris
 

Author Comment

by:jagdish1234
ID: 21768560
I can give a try to coax them to update it.

Meanwhile, was just thinking of using a DHCP relay agent so that any request coming from the secured network can be warded off!

Jagdish
 

Author Comment

by:jagdish1234
ID: 21810026
Hi,

We have temporarily solved this issue. How?

Now we have physically isolated the 1.x network and the 5.x network so that the broadcast is totally prevented. But for this there was a tradeoff. Since 1.x and 5.x were spanning multiple buildings, we had to physically move the 5.x network to a different place so that they are directly under one switch which goes to a Cisco PIX (gateway for 5.x) and then to the router.

Here comes one more catch!!!

Moving 5 or 6 PCs is ok. But tomorrow if the team grows, what next ?

I was thinking of having a bridge between 1.x and 5.x. This bridge will have two NICs, one for each subnet (1.x and 5.x). There will be a port forward / NAT to 5.x for all packets destined to 5.x from 1.x. Here again, we may have to have ACLs which will restrict only a few IPs via the MAC address.
Is it possible to realize this?

Thanks

Jagdish

 
LVL 70

Accepted Solution

by: Chris Dent (earned 250 total points)
ID: 21811535

You're static NATing the 1.x source to a static 5.y destination? That would work, but a bridge is the wrong device; it would still need to be a router / firewall to perform NAT.

It makes sense though, and should work.

Chris
 

Author Closing Comment

by:jagdish1234
ID: 31466438
Thank you, Chris, for the support.
