Block DHCP from traversing bridge

I have two buildings that are connected via a LightPoint HyBridge (1.25GB). This is essentially a long GB Ethernet connection between buildings. One network is 10.10.10.x/24 and the other is 192.168.1.x/24. I would like to remain on the same physical network so the networks can share resources, do backup routines, etc. We have demonstrated that the networks can co-exist with the exception of DHCP traffic. There are DHCP servers on either side of the network and that is a problem (one on a Sonicwall and one on a 2008 R2 server respectively). I would like to stop DHCP traffic from traversing the bridge (which the device is incapable of doing). I would like to do this in the least complicated manner possible. Adding an intermediary network, using VLANs or introducing DHCP snooping are all possibilities. However, I would like to simply block ports 67 and 68 at a single point in the network (preferably where the bridge is connected to either side of the network). Is there any way to do this? I want to make sure that all traffic continues to flow with the exception of these well-known DHCP ports, and I would prefer not to 'flatten' the network.
turnkey asked:
noci (Software Engineer) commented:
Bridges [ layer-2] are meant to spread all traffic far & wide...
You need to route between the networks [ using layer-3 ].

DHCP is a layer 3 negotiation. Bridges cannot help here to filter data.
[ If you could filter DHCP discover packets, you would also cripple all kinds of other network functions, as they are general Layer 2 broadcasts ]
turnkey (Author) commented:
network diagram
Network.pdf
Miguel Angel Perez Muñoz commented:
You are using the same broadcast segment on two different networks. When one computer on side 1 requests an IP, the broadcast travels across your bridge and the DHCP on the other side responds. Do you really need broadcasts travelling across your bridge? Maybe a bridging configuration is not the best option for this scenario and this configuration. Consider these options:
- Use the same IP addressing on the whole net.
- Segment your network and place a router between the two sites, creating all routes on the Sonicwall to let workstations communicate between site 1 and site 2.
- Create a MAC address filter on the DHCP servers. This is a terribly bad idea, but technically works. Add a MAC blacklist on site 1 with all the MAC addresses of computers on the other side and vice versa.
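An added example, not part of any answer in this thread, for the detection side of the problem described above: a small Python script that parses DHCP messages (RFC 2131 fixed header plus options) and lists every DHCPOFFER seen on one side of the bridge whose server identifier (option 54) is not that side's own server. The sample packets are constructed inline and the server addresses (10.10.10.1 for the Sonicwall side, 192.168.1.10 for the 2008 R2 side) are assumptions.

```python
import struct
from ipaddress import ip_address
MAGIC = b"\x63\x82\x53\x63"  # DHCP options magic cookie (RFC 2131)

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed 236-byte header and the options TLV list of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    yiaddr = ip_address(payload[16:20])                 # address offered/assigned to the client
    chaddr = payload[28:28 + payload[2]].hex(":")       # client hardware address (hlen is byte 2)
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad byte, carries no length
            i += 1
        else:
            tag, length = payload[i], payload[i + 1]
            opts[tag] = payload[i + 2:i + 2 + length]
            i += 2 + length
    return {"op": payload[0], "yiaddr": yiaddr, "chaddr": chaddr, "opts": opts}

def foreign_offers(packets, local_server: str):
    """(client MAC, offered IP, server id) for each DHCPOFFER not sent by this segment's own server."""
    local, hits = ip_address(local_server), []
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["opts"].get(53) != b"\x02" or 54 not in msg["opts"]:   # option 53 == 2 is DHCPOFFER
            continue
        server = ip_address(msg["opts"][54])                          # option 54 = server identifier
        if server != local:
            hits.append((msg["chaddr"], str(msg["yiaddr"]), str(server)))
    return hits

def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", server_id=None) -> bytes:
    """Construct a minimal DHCP message as test input (not a real capture)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0x8000)    # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4) + ip_address(yiaddr).packed + bytes(8)             # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\0") + bytes(192)                        # chaddr, sname, file
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + ip_address(server_id).packed
    return hdr + MAGIC + opts + b"\xff"

# Constructed sample as seen on the 10.10.10.x side; server addresses are assumptions.
CLIENT = b"\x00\x11\x22\x33\x44\x55"
SAMPLE = [
    build_dhcp(1, 1, CLIENT),                                # client DISCOVER, broadcast across the bridge
    build_dhcp(2, 2, CLIENT, "10.10.10.50", "10.10.10.1"),    # OFFER from this side's server
    build_dhcp(2, 2, CLIENT, "192.168.1.77", "192.168.1.10"), # OFFER that crossed the bridge
]
```

Run against the same capture with the other side's server address and the roles swap, which is the symptom the thread describes: each side's clients see offers from both servers. On a real host, feed `foreign_offers` the UDP payloads of port 67/68 traffic from a capture tool instead of `SAMPLE`.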
TimotiSt (Datacenter Technician) commented:
Agree with @Drashiel, filtering DHCP packets in the middle might work, but it's a defective design inviting disaster.
Suggesting a redesign to either 2 VLANs spanning both buildings and routing, or routing between buildings.
turnkey (Author) commented:
Routing is what we did. 10 network to 172 network to 192 network and back. Routes created to communicate through the 'bridge network', local DNS populated. Solution found. Thanks.
Question has a verified solution.