Hello again,<br><br>many thanx for all your answers. English is not my native language but I will try best as I can to point out one particular part of my problem.<br><br>I have about 30 K Clients. In case of a client error where the Client start spamming the server with DHCP requests I dont know which Client it is. It can be any client in the network. So I dont know the client´s MAC address. The 2nd problem is that the clients are mostly not in the same network. So I use an IP-helper on the router and the client has the MAC address of the router in its MAC-field.<br>
<br>The only place where you can see the clients real mac-address is in the dhcp header.<br><br>So I look for a solution that dynamically looks in every packet - especially in the dhcp header - that arrives at the server and prohibit that there come too many dhcp requests from the same machine. In this case the server should ignore any packet from this client - which can be any client of the 30 K I mentioned before. The easiest way would be that intelligent is in the isc dhcp server because the server knows the real client address. But this server has no possibility of traffic control - except reducing the general rate which would limit my dhcp server in total.<br>
<br>So I cannot work with a fix client address. <br><br>I dont know if its true but I was told that iptables is so intelligent that you can limit a traffic that comes from the same mac all the time. So you can limit flooding from the same host.<br>
<br>Hope this makes my problem a bit clearer.<br><br>thanx a lot,<br>cheers,<br>Juergen<br><br><br><br><div class="gmail_quote">2011/2/7 Juergen Northe <span dir="ltr"><<a href="mailto:juergen.northe@googlemail.com">juergen.northe@googlemail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Since the DHCP requests are relayed through an udp-helper iptables<br>
rules are "crutches". If you do not want to leave this path, perhaps<br>
you can use shorewall and ask Tom Eastep for help.<br>
If your edge switches are 801.x capable you might have a look at<br>
freeradius where you can not only control network access via MAC but<br>
even push an ip-address with the accept packet. In this case you'll<br>
push your issue to the authenticator and the authenticaiton server. So<br>
your printer can only be a member of your network with a valid IP and<br>
this one he'll get at the entrance.<br>
<br>
<br>
2011/2/7 Friesen, Don SSBC:EX <<a href="mailto:Don.Friesen@gov.bc.ca">Don.Friesen@gov.bc.ca</a>>:<br>
<div><div></div><div class="h5">><br>
>>><br>
>>> That won't work because all his dhcp queries come with the same<br>
>>> MAC address - the router which is forwarding them.<br>
>>><br>
>>><br>
>><br>
>>Then you might try adding a limit test and -j ACCEPT .<br>
>><br>
>>--limit rate[/second|/minute|/hour|/day]<br>
>>Maximum average matching rate: specified as a number, with<br>
>>an optional ‘/second’, ‘/minute’, ‘/hour’, or ‘/day’ suffix; the default<br>
>>is 3/hour.<br>
>><br>
>>Dave<br>
><br>
> Periodically we had printers spam our servers with requests faster that the servers we were using at the time could respond to. The solution was to block all traffic from the router for a few seconds. Two or three seconds was all it took for the printers to reset. Then the traffic was turned up again. We did this manually on the router by removing the helper addresses. So the rate limiting would be better, as automation good... yes :)<br>
><br>
> This was prior to our adopting ISC DHCP. I haven't seen it since. Our only issue now is that Corp Headquarters is enforcing a managed power-off overnight with an automated power-up at 7am. When 30,000 machines turn on within a few seconds, the DHCP traffic is a bit excessive, and even our new ISC based servers can't keep up. Any such rate limiting would play havoc with our DHCP service at that time of the day, as it already takes 30 minutes to fully service all the machines. And yes, we have suggested that they stagger the start-up, but it falls on deaf ears.<br>
><br>
><br>
> Don Friesen<br>
><br>
> _______________________________________________<br>
> dhcp-users mailing list<br>
> <a href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a><br>
> <a href="https://lists.isc.org/mailman/listinfo/dhcp-users" target="_blank">https://lists.isc.org/mailman/listinfo/dhcp-users</a><br>
<br>
<br>
<br>
</div></div>--<br>
<div class="im"><br>
<br>
<br>
mit freundlichem Gruss<br>
Jürgen Northe<br>
</div><div><div></div><div class="h5">_______________________________________________<br>
dhcp-users mailing list<br>
<a href="mailto:dhcp-users@lists.isc.org">dhcp-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/dhcp-users" target="_blank">https://lists.isc.org/mailman/listinfo/dhcp-users</a></div></div></blockquote></div><br>