How routing works?
18 years 3 weeks ago #18546
by Brandonh
Replied by Brandonh on topic Re: How routing works?
I've done reservations, but what I'm talking about is blocking DHCP through use of MAC addresses.
18 years 3 weeks ago #18551
by Smurf
Sorry Brandon, but I don't quite understand what you want to do here. Can you give a little more of an explanation of what you are trying to achieve and why?
Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
18 years 3 weeks ago #18596
by Brandonh
Replied by Brandonh on topic Re: How routing works?
Well, the idea seems possible to me, but Windows 2003 being able to do it would be another story. Well, I have two subnets and DHCP servers for both, so any PC could get DHCP from either one, but say that I wanted certain computers to only get DHCP for the subnet I want. Is there a way I can enter, say, "these MAC addresses cannot receive DHCP from this DHCP server", so that the other DHCP server would pick them up? So, put a filter based on MAC addresses to prevent them obtaining DHCP from a certain server; then the other available one would pick up on those MAC addresses automatically. I know there is a DHCP relay agent. I haven't tried configuring a relay agent; maybe that's what I need to look into?
18 years 3 weeks ago #18598
by Smurf
Replied by Smurf on topic Re: How routing works?
Hi Brandon,
That's what I thought you were getting at; just wanted to make sure.
I am not 100% on this with RRAS; however, with a router you don't usually allow broadcast traffic through. For this reason, you would have the two subnets completely separate on each side of the router with 2 separate broadcast domains. This would mean that your DHCP server located on one side of the router would then only work for clients located on that physical subnet.
In order then to get the DHCP server to accept requests from the other clients in the other subnet, you introduce the DHCP Relay Agent, which will detect the DHCP broadcast request and forward it to the DHCP server on the other side of the router. The DHCP server would see the IP range that the request has come from and then know to give it a lease from the correct IP subnet.
I am not sure if you could get the RRAS server to do the DHCP requests; then, depending on which side of the network the request came from (i.e. which interface saw the DHCP request), the correct address would be issued from the two scopes.
You need to ensure that you have the two subnets physically separated, by either using multiple switches that are only for one side of the LAN or using VLANs to segment the traffic.
Hope it helps
18 years 3 weeks ago #18599
by Brandonh
Replied by Brandonh on topic lan to lan
Well, I have a cable connecting the LANs, so wouldn't all the switches see both DHCP servers? The two subnets cannot communicate if I take out the LAN cable; that's how the information passes between them. Before, I had the two DHCP servers on different physical servers; I'm thinking of putting them on the same server as the RRAS, having both interfaces be a DHCP server inside the same server. Do you think then, if one MAC has a reserve, it will go to the one with the reserve? Do you think the reserve would be applied then instead of a non-reserve DHCP assignment from the other DHCP server interface, or could I put two scopes that apply to different subnets? And then maybe the scopes would see each other's reserves and allow for the reserve assignment. I guess the question then really comes down to: at what point can a scope or server see the other scopes' or servers' reserves to allow proper assignment?
Obviously two different physical servers can't see each other's reserves; what about two interfaces on the same physical server, or perhaps two scopes on the same physical server and interface? But could you have two scopes in different subnets on the same interface?
18 years 3 weeks ago #18601
by Smurf
Replied by Smurf on topic Re: How routing works?
Hi Brandon,
The main reason for using a router and two separate subnets is to separate the broadcast domains on the network. As you introduce more and more clients on a network, the number of broadcasts starts to increase, and then after so many you start to get more and more collisions until it causes issues.
This is one of the reasons to segment the traffic. If you don't have too many clients, then there is probably no need to set up the RRAS and have the two segments.
If, on the other hand, you do require the two segments: if you just have all the switches linked together, you still end up having a single broadcast domain; you just have two different subnets operating at layer 3 on these switches. As you probably know, broadcasts will go out on each port, as this is their nature; the TCP/IP stack will then know if it's a broadcast on this IP subnet or not and start to broadcast the traffic. Since the switch isn't usually aware of the layer 3 information, the broadcast will still go out on the ports. (Well, that's my understanding anyway.)
In order to segment the traffic to create two broadcast domains, you need to separate them physically. You would either use 1 (or multiple) switches for one segment and then another one for the other segment. You would then plug the RRAS into both switches to route between them. (Alternatively, you can use VLANs to physically segment the switches; this will only broadcast onto ports in the same VLAN.)
So, once they are physically segmented, when a DHCP client boots up and broadcasts for an IP address, the DHCP server on that physical network will then see that packet and respond. This is why I said that if you physically separate them and use the RRAS as DHCP on both cards, you will then be able to set up two scopes with your two subnets, and the machines will get the correct ones because it will depend on the interface it's received on.
If you currently are only doing a sort of logical separation using layer 3 IP addresses to stop machines from talking directly to each other, you will still have these DHCP broadcasts seen by every port in your network; therefore you cannot guarantee what you will be giving out.
I have never tried a single DHCP server with two subnets and then specifying a reservation in the subnet that you want the machine to pick from. This may work, but I don't know, since it may struggle to see which address it was received on.
Hope it makes sense to you.
Cheers
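Smurf's two replies above describe two ways a DHCP server can tell which scope a request belongs to: a relayed request carries the relay agent's address, and a request heard directly on one of the server's own NICs is matched to that NIC's subnet. The following Python model is an added example written for this editorial pass; it is not code from the thread, from firewall.cx or from any DHCP server product. The two subnets, the MAC addresses, the interface addresses and the per-scope MAC deny list are all constructed for illustration (the deny list models what Brandon asked for; whether a particular DHCP server product offers such a filter is not addressed here). The relay step follows the BOOTP relay agent rules in RFC 1542: fill in giaddr with the receiving interface's address if it is still zero, and increment hops.

```python
"""Model of DHCP scope selection by giaddr (relayed request) or by the
receiving interface (directly heard broadcast). Added example; all addresses,
MACs and the deny list are constructed, not taken from the thread."""
import ipaddress
import struct

# BOOTP fixed header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPDISCOVER = 1

# Constructed scopes (assumption): two subnets standing in for the two LANs.
SCOPES = {
    "LAN-A": ipaddress.ip_network("192.168.1.0/24"),
    "LAN-B": ipaddress.ip_network("192.168.2.0/24"),
}

# Constructed per-scope MAC deny list (assumption): a client listed here gets
# no lease from that scope, so this server stays silent and another may answer.
MAC_DENY = {
    "LAN-A": {"00:11:22:33:44:55"},
}


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def build_discover(mac: str, xid: int = 0x1234) -> bytes:
    """A DHCPDISCOVER as the client broadcasts it: giaddr and hops are zero."""
    zero4 = b"\x00" * 4
    hdr = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0x8000,   # flags: broadcast
                      zero4, zero4, zero4, zero4,
                      mac_to_bytes(mac).ljust(16, b"\x00"),
                      b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, DHCPDISCOVER, 255])               # msg type, end
    return hdr + MAGIC_COOKIE + options


def relay(packet: bytes, relay_iface_ip: str) -> bytes:
    """What a relay agent does before forwarding to the server (RFC 1542):
    write the receiving interface's address into giaddr if it is still zero,
    and increment hops."""
    fields = list(struct.unpack(BOOTP_HDR, packet[:236]))
    fields[3] += 1                                   # hops
    if fields[10] == b"\x00" * 4:                    # giaddr not yet set
        fields[10] = ipaddress.ip_address(relay_iface_ip).packed
    return struct.pack(BOOTP_HDR, *fields) + packet[236:]


def parse(packet: bytes) -> dict:
    """Pull out the fields the server needs to choose a scope."""
    f = struct.unpack(BOOTP_HDR, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:      # 255 = end option
        if packet[i] == 0:                           # 0 = pad
            i += 1
            continue
        code, ln = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + ln]
        i += 2 + ln
    mac = ":".join(f"{b:02x}" for b in f[11][:f[2]])
    return {"hops": f[3], "xid": f[4],
            "giaddr": str(ipaddress.ip_address(f[10])),
            "mac": mac, "msgtype": opts.get(53, b"\x00")[0]}


def select_scope(packet: bytes, received_on_iface_ip: str):
    """Relayed request: match the scope by giaddr (the relay's subnet).
    Direct broadcast: match by the address of the NIC it arrived on.
    Returns the scope name, or None when the server should not answer."""
    p = parse(packet)
    anchor = p["giaddr"] if p["giaddr"] != "0.0.0.0" else received_on_iface_ip
    addr = ipaddress.ip_address(anchor)
    for name, net in SCOPES.items():
        if addr in net:
            if p["mac"] in MAC_DENY.get(name, set()):
                return None                          # filtered: stay silent
            return name
    return None                                      # no scope for this subnet


if __name__ == "__main__":
    d = build_discover("aa:bb:cc:dd:ee:01")
    print("direct on LAN-A NIC:", select_scope(d, "192.168.1.1"))
    print("relayed from LAN-B:  ", select_scope(relay(d, "192.168.2.1"), "192.168.1.1"))
    print("denied MAC on LAN-A: ", select_scope(build_discover("00:11:22:33:44:55"), "192.168.1.1"))
```

Two points the model makes concrete. First, giaddr takes priority over the receiving interface, which is why a relay agent lets one server on one side of the router lease for both subnets. Second, nothing here helps on the flat network Brandon describes: with both servers in one broadcast domain, each one hears every DISCOVER on its own NIC, each selects a scope by its own address, and the client simply takes whichever OFFER it accepts first. A deny list on one server only makes that server stay silent; separating the broadcast domains (physically or with VLANs, as Smurf recommends) is what actually determines which server can answer.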