DHCP and 2 subnets
Simon Hobson
dhcp1 at thehobsons.co.uk
Mon Apr 7 22:18:34 UTC 2008
Chris Arnold wrote:
>> OK, then your router is a complete waste of time and gives you zero
>> security between these two subnets
>
>There is security as we have intra-zone policies. And we have IDP
>configured. We have not seen a problem yet. Any device on any
>network is protected using that router/firewall.
First, your interzone policies will do nothing, zilch, for traffic
that doesn't go through the router/firewall. ANY device can be
configured to go in either subnet (note that DHCP is not a security
protocol), so any device can be configured to be wherever someone
wants it to be. Your IDP 'may' detect it, it may not ...
Does your IDP link to the DHCP? If not, then it has no way of knowing
what devices should be in a particular subnet, and as long as a
device doesn't trigger your IDP then you would know nothing about it.
>> You have two choices, either declare these two subnets as a shared
>> subnet, or properly segregate them on two different switches on
>> different router interfaces (either real or VLAN).
>
>After talking it over with the boss, we are going to do a shared
>network thing. There are too many things already hooked up and
>working in this current config. Also, the juniper/netscreen device
>is kind of old and does not have but 2 ports, 1 untrust and 1 trust.
>We will need to find a device that will give us an "optional/dmz"
>port.
>
>>With no config, the
>>server will treat the two subnets as equal and will be free to assign
>>any client to either subnet. To change this will involve using some
>>mechanism to identify which clients go where.
>
>What mechanisms can we use? Are there some that can fit into the
>dhcp.conf file, like defining a MAC and, based on that MAC, assigning
>an IP from a specific subnet?
Simplest is probably using classes; there's a section in "man
dhcpd.conf" about classes and subclasses that gives an example of
assigning devices to classes based on MAC address. All you need to do
is "allow" a class in one subnet, and "deny" it in the other - then
list all the members of that class. You don't need to list all
clients, only the ones to be in the 'non default' subnet.
But really, using classes you can do it based on anything you can
write a match expression for.
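The class/subclass approach described above, written out as an added dhcpd.conf example (not from the original message or the ISC documentation); the network names, addresses, MAC values and the vendor-class string are constructed placeholders.

```conf
# Added example: one shared-network carrying two subnets on the same wire,
# with clients steered by class membership. All values are constructed.

# Class 1: membership decided by MAC address via subclass entries.
# "hardware" is <type byte>:<6 MAC bytes>; type 1 = Ethernet.
class "servers" {
    match hardware;
}
subclass "servers" 1:00:11:22:33:44:55;   # constructed MAC
subclass "servers" 1:00:11:22:33:44:66;   # constructed MAC

# Class 2: the same mechanism works for any match expression, here a
# vendor-class-identifier prefix (string is a placeholder).
class "thin-clients" {
    match if substring(option vendor-class-identifier, 0, 8) = "EXAMPLE-";
}

shared-network "office-wire" {
    # Default subnet: any client NOT in a listed class lands here, so
    # only the exceptions need to be enumerated.
    subnet 192.168.10.0 netmask 255.255.255.0 {
        option routers 192.168.10.1;
        pool {
            deny members of "servers";
            deny members of "thin-clients";
            range 192.168.10.100 192.168.10.200;
        }
    }
    # Second subnet: reserved for the listed classes.
    subnet 192.168.20.0 netmask 255.255.255.0 {
        option routers 192.168.20.1;
        pool {
            allow members of "servers";
            allow members of "thin-clients";
            range 192.168.20.100 192.168.20.200;
        }
    }
}
# Note: this only steers which address a cooperating client is offered.
# As the message says, DHCP is not a security protocol; a host that sets
# its own static address is not constrained by any of the above.
```

Check the result with `dhcpd -t -cf /path/to/dhcpd.conf` before reloading, which parses the file without starting the server.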