- 06-09-2009 #1
DHCPD discover on one subnet, offer another
We currently have different DHCP servers serving numerous VLANs for many types of CPE devices. These were set up at different times by several vendors. I have a server on another network that I have translated these VLANs into. I can get the DHCP discovers, but my DHCP server will not give out an IP as I don't have a range defined for these subnets.
Basically I want to set up a sandbox/catchall/honeypot DHCP server for our customer networks, so if it gets a MAC address that is not one of the denied ones (since they are allowed on another server), I want to allow all the unknown clients.
The trouble is, I don't want to carve up my existing subnets on the other servers to allocate so many IPs for all this extra gear.
MAC locking is not an option on the customer-facing equipment either.
Can DHCP allow a discover through our DHCP helper on our Cisco (say subnet 10.2.2.0) and give out a completely different IP in, say, 10.50.0.0/16?
Is this possible?
I always get "no free leases" if I have the subnet defined but no range.
If I don't list the subnet of 10.2.2.0 at all, it says "unknown subnet".
I can't find anywhere that someone has set up a sandbox/catchall DHCP server to lock down all unknown traffic on a DHCP network and assign it a different IP range where they can't get anywhere.
Any help would be greatly appreciated.
- 06-09-2009 #2
My question is how do you propose this to work? How are you going to determine valid dhcp requests from invalid? A customers device from non-customers device?
- 06-09-2009 #3
In the other servers, we have the first 6 digits of the MAC address matched, and only those devices belonging to that OUI are allowed. If they are not, they are denied.
So each DHCP server already on these VLANs will respond to valid CPE devices on those subnets/VLANs. I took all these definitions onto this new box and put an explicit deny for each of these devices in this sandbox server. That way, since the other servers know these devices are valid, this is the exact opposite: I define what I do know, deny all of those, and then allow unknown devices.
It works quite well on a local subnet, but because the router address is in the DHCP discover and it knows what VLAN it came in on, it only wants to give out an address already in that subnet, instead of a totally different one.
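The behaviour described in post #1 (discover relayed from 10.2.2.0/24, lease handed out from 10.50.0.0/16) and the OUI-based deny in post #3 can both be expressed in ISC dhcpd with a `shared-network`: dhcpd uses the relay's giaddr to pick the subnet it arrived from, but it is then free to allocate the lease from any pool in the same shared-network, so the 10.2.2.0/24 subnet can be declared with no range at all. The following dhcpd.conf is an added example and not configuration posted in the thread; the OUIs, the class name, the 10.50.0.x router and DNS addresses, and the lease times are assumed for illustration.

```conf
# Added example, not from the original thread.
# Catch-all dhcpd: answer relayed DISCOVERs from VLAN 10.2.2.0/24 with
# leases from 10.50.0.0/16, but never answer the CPE types the
# production servers already serve.

# OUIs of known CPE types (assumed values). "hardware" is the hardware
# type byte followed by the MAC address, so the OUI starts at offset 1.
class "known-cpe" {
    match if substring(hardware, 1, 3) = 00:11:22
          or substring(hardware, 1, 3) = 00:aa:bb;
}

# A DISCOVER with giaddr 10.2.2.1 selects the 10.2.2.0/24 subnet, and
# therefore this shared-network; any pool inside it may supply the lease.
shared-network customer-sandbox {

    # Declared only so dhcpd recognises the relay address.
    # No range: real leases for this VLAN come from the production server.
    subnet 10.2.2.0 netmask 255.255.255.0 {
    }

    # Quarantine range for everything that is not a known CPE.
    subnet 10.50.0.0 netmask 255.255.0.0 {
        option routers 10.50.0.1;               # assumed
        option domain-name-servers 10.50.0.2;   # assumed
        default-lease-time 600;                 # short: clients should re-check often
        max-lease-time 1800;
        pool {
            deny members of "known-cpe";
            range 10.50.1.1 10.50.255.254;
        }
    }
}
```

Check the file with `dhcpd -t -cf /etc/dhcpd.conf` before restarting the daemon. Two operational points to keep in mind: the relay (the Cisco `ip helper-address`) must forward to this server as well as the production one, and the 10.50.0.0/16 addresses must actually be routable (or deliberately blackholed) from the customer VLAN, otherwise the quarantined clients get an address but no gateway. Because the pool denies members of "known-cpe", valid CPE devices only ever receive an OFFER from the production server, so the two servers do not race each other for those clients.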