  1. #1 (Just Joined!; Join Date: Jun 2009; Posts: 2)

    DHCPD discover on one subnet, offer another

    Hi,

    We currently have different DHCP servers serving numerous VLANs for many types of CPE devices. These were set up at different times by several vendors. I have a server on another network that I have translated these VLANs into. I can get the DHCP discovers, but my DHCP server will not give out an IP, as I don't have a range defined for these subnets.

    Basically I want to set up a sandbox/catchall/honeypot DHCP server for our customer networks, so if it gets a MAC address that is not one of the denied ones (since they are allowed on another server), I want to allow all the unknown clients.

    The trouble is, I don't want to carve up my existing subnets on the other servers to allocate so many IPs for all this extra gear.
    MAC locking is not an option on the customer-facing equipment either.

    Can DHCP allow a discover through our DHCP helper on our Cisco (say, subnet 10.2.2.0) and give out a completely different IP in, say, 10.50.0.0/16?
    Is this possible?
    I always get "no free leases" if I have the subnet defined but no range.
    If I don't list the subnet 10.2.2.0 at all, it says "unknown subnet".
    I can't find anywhere that someone has set up a sandbox/catchall DHCP server to lock down all unknown traffic on a DHCP network and assign it a different IP range where they can't get anywhere.

    Any help would be greatly appreciated.

    Thanks!

  2. #2 (Linux Guru, Lazydog; Join Date: Jun 2004; Location: The Keystone State; Posts: 2,677)

    My question is, how do you propose this to work? How are you going to determine valid DHCP requests from invalid ones? A customer's device from a non-customer's device?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3 (Just Joined!; Join Date: Jun 2009; Posts: 2)

    Hi,

    In the other services, we have the first 6 digits of the MAC address matched, and only those devices belonging to that OUI are allowed. If they are not, they are denied.

    So each DHCP server already on these VLANs will respond to valid CPE devices on those subnets/VLANs. I took all these definitions to this new box and put an explicit deny for each of these devices in this sandbox server. That way, since the other servers know these devices are valid, this is the exact opposite: I define what I do know, deny all of those, and then allow unknown clients.

    It works quite well on a local subnet, but because the router address is in the DHCP discover, and it knows what VLAN it came in on, it only wants to give out an address already in that subnet, instead of a totally different one.
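One way to get the behaviour the thread is asking about in ISC dhcpd, as an added example that is not from this thread or any of its posters: a `shared-network` groups the relayed customer subnet (declared with no range) together with the sandbox subnet, so once dhcpd has matched the relay's giaddr 10.2.2.1 to 10.2.2.0/24 it may allocate from the 10.50.0.0/16 pool, and class-based denies keep the known CPE OUIs out of that pool. The relay address, the OUIs, the lease times and the 10.50.0.1 router/DNS address are assumptions.

```conf
# Added example (not from the thread): dhcpd.conf for a catch-all sandbox server.
# Assumes the relay agent is the VLAN router at 10.2.2.1; OUIs, lease times and
# the 10.50.0.1 address are placeholders.
authoritative;
default-lease-time 600;
max-lease-time 1800;

# CPE vendors that the production DHCP servers already serve. The "hardware"
# value is the type byte followed by the MAC, so bytes 1..3 are the OUI.
class "cpe-vendor-a" {
  match if substring(hardware, 1, 3) = 00:11:22;   # placeholder OUI
}
class "cpe-vendor-b" {
  match if substring(hardware, 1, 3) = 00:33:44;   # placeholder OUI
}

# One shared-network per relayed customer VLAN. dhcpd matches giaddr 10.2.2.1
# to 10.2.2.0/24 and then allocates from any pool in the same shared-network,
# so the sandbox range below is eligible even though 10.2.2.0/24 has no range.
shared-network customer-vlan-10-2-2 {
  # The subnet the DISCOVER is relayed from: declared so the server recognises
  # the network ("unknown subnet" otherwise), deliberately without a range.
  subnet 10.2.2.0 netmask 255.255.255.0 {
  }

  # The quarantine range handed to anything that is not a known CPE device.
  subnet 10.50.0.0 netmask 255.255.0.0 {
    option routers 10.50.0.1;             # assumed secondary address on the relay
    option domain-name-servers 10.50.0.1; # placeholder resolver for the sandbox
    pool {
      range 10.50.1.1 10.50.255.254;
      deny members of "cpe-vendor-a";     # known CPE: leave them to their own server
      deny members of "cpe-vendor-b";
      allow unknown-clients;              # everything else lands in the sandbox
    }
  }
}
```

Each relayed VLAN needs its own `shared-network` with a distinct sandbox subnet, since one subnet cannot appear in two shared-networks. Unless the router also carries an address in the sandbox subnet, clients get a lease but no reachable gateway, which is the "can't get anywhere" effect described in the question; either way, log and review the sandbox leases, since they are a list of unexpected devices on the customer VLANs.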

