DHCP and 2 subnets

Simon Hobson dhcp1 at thehobsons.co.uk
Mon Apr 7 22:18:34 UTC 2008

Chris Arnold wrote:

>  >OK, then your router is a complete waste of time and gives you zero
>>security between these two subnets
>There is security as we have intra-zone policies. And we have IDP 
>configured. We have not seen a problem yet. Any device on any 
>network is protected using that router/firewall.

First, your interzone policies will do nothing, zilch, for traffic 
that doesn't go through the router/firewall. ANY device can be 
configured to go in either subnet (note that DHCP is not a security 
protocol), so any device can be configured to be wherever someone 
wants it to be. Your IDP 'may' detect it, it may not ...

Does you IDP link to the DHCP ? If not, then it has no way of knowing 
what devices should be in a particular subnet, and as long as a 
device doesn't trigger your IDP then you would know nothing about it.

>  >You have two choices, either declare these two subnets as a shared
>>subnet, or properly segregate them on two different switches on
>>different router interfaces (either real or VLAN).
>After talking it over with the boss, we are going to do a shared 
>network thing. There are too many things already hooked up and 
>working in this current config. Also, the juniper/netscreen device 
>is kind of old and does not have but 2 ports, 1 untrust and 1 trust. 
>We will need to find a device that will give us an "optional/dmz" 
>>With no config, the
>>server will treat the two subnets as equal and will be free to assign
>>any client to either subnet. To change this will involve using some
>>mechanism to identify which clients go where.
>What mechanisms can we use? Are there some that can fit into the 
>dhcp.conf file. Like defining a MAC and based on that MAC assign an 
>IP from a specific subnet?

Simplest is probably using classes, there's a section in "man 
dhcpd.conf" about classes and subclasses that gives an example of 
assigning devices to classes based on MAC address. All you need to do 
is "allow" a class in one subnet, and "deny" it in the other - then 
list all the members of that class. You don't need to list all 
clients, only the ones to be in the 'non default' subnet.

But really, using classes you can do it based on anything you can 
write a match expression for.

More information about the dhcp-users mailing list