Solved

DHCP Broadcast needs to be plugged

Posted on 2008-06-11
17
640 Views
Last Modified: 2012-05-05
Hi,

We have a DHCP Server running in our domain and we have three subnets - 192.168.1.x, 192.168.0.x and 192.168.5.x. The first has static IP addresses and the second is dynamic (from the DHCP Server running on Windows 2003 Server OS). The third is a secured network with a different Subnet mask. What we would like to do is prevent DHCP broadcast to the secured network. Can this be done? If yes, how?

Thanks in advance

Regards

Jagdish
0
Question by:jagdish1234
17 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21767211

Hi Jagdish,

The DHCP Server doesn't Broadcast, the client does. The DHCP Server just replies. Do you have a Router between the DHCP Server and the Secure Subnet? It's more of a case of preventing client broadcasts leaving the secure network.

Chris
0
 

Author Comment

by:jagdish1234
ID: 21767235
Hi Chris,

Thanks. There is no router. Though the client will broadcast DHCPDiscover, I don't want the DHCP server to send the DHCPOffer if it is not in the subnet.

Jagdish
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21767299

So all clients share the same broadcast domain? That is, they're on the same switch stack?

How is the Secure subnet split from the standard one? Is the DHCP server multi-homed?

The addresses on the Secure subnet are by static assignment? Or how is membership of the secure network determined?

Chris
0

 

Author Comment

by:jagdish1234
ID: 21767354
So many Questions !!

The clients share the same broadcast domain

Secured subnet is split at the router end. There is a PIX which acts as a gateway to the secured network. This PIX gets connected to the firewall and the firewall routes it to the outside world. DHCP server is not multi-homed.

The Secured network will have a DHCP server of its own and it will have some reservations for the clients. Currently clients are statically assigned.

Jagdish
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21767486

Sorry, just trying to get a picture of where everything is plugged in :)

The DHCP server is plugged directly into the secure network?

The difficulty is, unless the secure subnet is on a separate broadcast domain you have no way of filtering. Presumably it's responding to clients with a 0.x address at the moment?

Chris
0
 

Author Comment

by:jagdish1234
ID: 21767867
Just Kidding Chris !

The DHCP Server (in the other LAN) {henceforth named DHCPServ1 for convenience} is connected to the network directly via switch.
The DHCP Server (in the secured network) {henceforth named DHCPServ2 for convenience} is not UP.

Jagdish
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21767985

Okay, but DHCPServ1 is on the same Broadcast Domain as DHCPServ2. That is, there's no Firewall / Router between DHCPServ1 and the Secure network?

If there is, you just have to stop relaying Broadcast over.

Chris
0
 

Author Comment

by:jagdish1234
ID: 21768020
There is a firewall and a router between DHCPserv1 and DHCPServ2
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21768051

Then it must be relaying Broadcast for the client requests to get as far as DHCPServ1?

Chris
0
 

Author Comment

by:jagdish1234
ID: 21768258
Now the issue is how to stop this relaying.
Just figured one solution for DHCPserv1. Populate all the DHCP IP and bind them to the MAC address. OR have just a range of address for the broadcast and have the range allotted to the clients. This way there will not be any Free IPs left for offer. What do you think ?

Is there any better way of doing this ?

Jagdish
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21768326

It would be better to stop it relaying :)

If you look at the configuration on the PIX there do you see a line like "dhcprelay enable ... " anywhere?

Chris
0
 

Author Comment

by:jagdish1234
ID: 21768373
Ha !! Now lies the issue.

The PIX was preconfigured and given to us by our customer. We do not have any access to even read the config file.

Can't we do it on our side to stop relaying...
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21768511

Ouch, that's not so helpful.

Windows Server distributing addresses? That won't have a firewall (or at least not a useful firewall), so I bet we can't block it there...

And we can't block it on the client end because it's way too early in the process, long before the firewall comes on-line.

Hmm, there's no chance they can update the PIX configuration?

Chris
0
 

Author Comment

by:jagdish1234
ID: 21768560
I can give a try to coax them to update it.

Meanwhile, was just thinking of using a DHCP relay agent so that any request coming from the secured network can be warded off!

Jagdish
0
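The thread turns on three points that are easier to see in code than in prose: Chris's observation that the client broadcasts DHCPDISCOVER and the server merely replies, Jagdish's idea of binding every address to a MAC reservation (or exhausting the pool) so there is nothing left to offer, and his later thought of keying off the relay agent. The block below is an added example, not code from the thread or a feature of the Windows Server 2003 DHCP service: it builds a minimal DISCOVER as a client or relay would emit it, parses the fields a server needs, and applies a server-side offer policy that refuses requests a relay forwarded from the secured network (visible in `giaddr`, which a relay agent stamps with its own address), answers only reserved MACs, and lets an exhausted pool starve unknown clients. All MACs, the 192.168.5.0/24 "blocked relay" network and the pool addresses are constructed sample values; the `OfferPolicy` class and its method names are this example's own.

```python
import ipaddress
import struct

# All addresses, MACs and pool ranges below are constructed sample values
# chosen to match the subnets named in the thread; none come from a real host.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
DHCPDISCOVER = 1


def build_discover(xid: int, mac: str, giaddr: str = "0.0.0.0") -> bytes:
    """Build a minimal DHCPDISCOVER as a client (or a relay agent, if giaddr
    is set) would put it on the wire. Only the fields the policy reads are
    meaningful; everything else is zero."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(
        BOOTP_FMT,
        BOOTREQUEST, 1, 6, 0,                    # op, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                          # xid, secs, flags (broadcast bit)
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,   # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,    # giaddr: zero unless relayed
        chaddr, b"\x00" * 64, b"\x00" * 128,     # chaddr, sname, file
    )
    options = DHCP_MAGIC + bytes([53, 1, DHCPDISCOVER, 255])  # msg type, END
    return header + options


def parse_discover(pkt: bytes) -> dict:
    """Parse the fields a server needs to decide whether to answer."""
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:        # walk TLV options until END
        if pkt[i] == 0:                           # PAD option has no length
            i += 1
            continue
        tag, length = pkt[i], pkt[i + 1]
        opts[tag] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": f[0],
        "xid": f[4],
        "giaddr": ipaddress.IPv4Address(f[10]),
        "mac": ":".join(f"{b:02x}" for b in f[11][:f[2]]),
        "msg_type": opts.get(53, b"\x00")[0],
    }


class OfferPolicy:
    """Decides whether a DISCOVER gets a DHCPOFFER (hypothetical policy, not
    a Windows DHCP feature): refuse requests a relay forwarded from a blocked
    network, answer reserved MACs, optionally refuse everything else, and
    refuse once the dynamic pool is empty."""

    def __init__(self, blocked_relay_nets, reservations, pool, reservation_only=False):
        self.blocked_relay_nets = [ipaddress.ip_network(n) for n in blocked_relay_nets]
        self.reservations = {m.lower(): ip for m, ip in reservations.items()}
        self.pool = list(pool)          # free dynamic addresses, handed out in order
        self.reservation_only = reservation_only

    def decide(self, pkt: bytes) -> tuple:
        d = parse_discover(pkt)
        if d["op"] != BOOTREQUEST or d["msg_type"] != DHCPDISCOVER:
            return ("ignore", "not a DHCPDISCOVER")
        if int(d["giaddr"]) != 0:       # a relay agent stamped its own address
            for net in self.blocked_relay_nets:
                if d["giaddr"] in net:
                    return ("refuse", f"relayed from blocked network {net}")
        if d["mac"] in self.reservations:
            return ("offer", self.reservations[d["mac"]])
        if self.reservation_only:
            return ("refuse", f"no reservation for {d['mac']}")
        if not self.pool:
            return ("refuse", "pool exhausted")
        return ("offer", self.pool.pop(0))


if __name__ == "__main__":
    policy = OfferPolicy(
        blocked_relay_nets=["192.168.5.0/24"],
        reservations={"00:11:22:33:44:55": "192.168.0.50"},
        pool=["192.168.0.100"],
    )
    print(policy.decide(build_discover(1, "00:11:22:33:44:55")))                      # reserved MAC
    print(policy.decide(build_discover(2, "00:11:22:33:44:66", giaddr="192.168.5.1")))  # relayed from 5.x
    print(policy.decide(build_discover(3, "00:11:22:33:44:77")))                      # last pool address
    print(policy.decide(build_discover(4, "00:11:22:33:44:88")))                      # pool exhausted
```

The `giaddr` check is the one that actually addresses the thread's problem: a DISCOVER that arrives directly on the server's own broadcast domain has `giaddr` zero and carries no subnet information at all, which is why Chris says filtering is impossible without a separate broadcast domain. Reservation-only mode and pool exhaustion work regardless of topology, but both starve every unknown client, including legitimate new ones on the 0.x network.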
 

Author Comment

by:jagdish1234
ID: 21810026
Hi,

We have temporarily solved this issue. How ?

Now we have physically isolated the 1.x Network and the 5.x network so that the broadcast is totally prevented. But for this there was a tradeoff. Since 1.x and 5.x were spanning multiple buildings, we had to physically move the 5.x network to a different place so that they are directly under one switch which goes to a CISCO PIX (Gateway for 5.x) and then to the router.

Here comes one more catch !!!

Moving 5 or 6 PCs is ok. But tomorrow if the team grows, what next ?

I was thinking of having a bridge between 1.x and 5.x. This bridge will have two NICs, one for each subnet (1.x and 5.x). There will be a port forward / NAT to 5.x for all packets destined to 5.x from 1.x. Here again, we may have to have ACLs which will restrict only a few IPs via the MAC address.
Is it possible to realize this?

Thanks

Jagdish

0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 250 total points
ID: 21811535

You're static NATing on the 1.x source to a static 5.y destination? That would work, but a Bridge is the wrong device; it would still be a router / firewall to perform NAT.

It makes sense though, and should work.

Chris
0
 

Author Closing Comment

by:jagdish1234
ID: 31466438
Thank you Chris for the support
0
