Re: Conflicting uses of "ip dhcp-server" -- design flaw?



The DHCP process runs as a whole in the router/switch. If a DHCP server is
assigned via the "ip dhcp-server" command, the server is reachable via the
routing table or a directly connected interface, and a router/switch
interface is running as a client, that interface will try to get its IP
address via that server and from any server that answers its broadcast query
on the interface itself. Since a DHCP server was specified, the client gives
priority to that server's answer and takes that IP (if there was any). When
the proxy client service is initialized, the router assumes there is a proxy
in place for some interfaces (all async interfaces, while still forwarding
for the others, but the answer will not be taken with the same priority), so
the Ethernet client gets both answers (if they arrive at about the same time)
and will take first the address that comes from the interface itself. This is
actually what the development team intended for the router/switch image;
otherwise it would be an access server (AS) and not a router/switch.
Interestingly, this is not the first time that product features have
overlapped.

Regarding your question of whether it is better to inspect everything or
less: balance is the key. The tighter the security in your network, the more
useless it is; the more relaxed, the more functional and the more dangerous.
The milestone is to inspect the applications and contexts that are critical
from a security standpoint. Disappointed not to get an absolute answer? Well,
implementing security is not trivial, and the answer is still the same:
balance. To know exactly what you need to inspect, you first need to
understand what the organization expects from security and which
applications need to be secured.

Always follow SAFE for ECN.

Here are some of my favorites for understanding what can be achieved and
explaining the importance of balance. Enjoy.

A new acquisition that is really amusing:

http://newsroom.cisco.com/dlls/tln/execnet/shows/boston_busch/hi_bandwidth/index.html?Show=boston_busch&Connection=fast

The whole page:

http://newsroom.cisco.com/dlls/tln/content/best_practice_sharing.html

Defense in depth:
http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac253/about_cisco_packet_feature0900aecd800e0154.html



kenw@xxxxxxxx <kenw@xxxxxxxx> wrote:

> Interesting. You make it all sound so reasonable. But...
>
> The docs mention using "no peer default ip address" to prevent using
> dhcp proxy on a specific interface. Don't seem to be able to apply
> it to the WAN Ethernet interface. Kinda dumb. I really only want to
> use dhcp proxy on my WAN, and I know the server's address, but if I
> use it with dhcp-server, everything breaks. I'd rather not have my
> VPN clients advertising on the Internet for their settings. I still
> think I should be able to specify a dhcp-server in a
> virtual-template. I can specify a helper-address, but that's not the
> same thing.
>
> Guess I can apply an outbound access rule.
>
> BTW, I'm configuring security and firewall stuff. Know of any "best
> practices" docs for CBAC "ip inspect" etc? Is it better to "ip
> inspect" everything, or as little as possible, disregarding
> load/performance concerns?
>
> And thanks, I certainly will mention your help!
>
> /kenw
>
>
> <Anthrax> wrote:
>>
>> Well, I have to say that I understand your frustration. The problem
>> is not whether all of us are CCIEs or not; technologies (inside
>> Cisco) are literally a world. Everyone is so specialized (as the job
>> requires) that sometimes knowledge of other areas is overlooked.
>>
>> From our docs:
>>
>>
>> http://www.cisco.com/en/US/products/ps6441/products_command_reference_chapter09186a00804a955c.html#wp1195367
>>
>>
>> " Defaults
>> The IP limited broadcast address of 255.255.255.255 is used for
>> transactions if no DHCP server is specified. This default allows
>> automatic detection of DHCP servers."
>>
>> It is "expected" that your interface will try to get an IP address
>> from the DHCP server specified (since you specified it with that
>> command). As the code goes, once you add "ip address-pool
>> dhcp-proxy-client", the proxy client status is added only to all
>> async interfaces (and not to the Ethernet interface, and that's the
>> reason it is dropped). Share your thoughts!
>>
>>
>>
>> P.S. If you don't mind, I would like you to comment that clsalaza
>> helped you on this. The feedback is important for *me*.
>>
>>
>>
>>
>> kenw@xxxxxxxx <kenw@xxxxxxxx> wrote:
>>
>>> Well, it'd be nice to know how to reach someone at Cisco who knows
>>> what he's talking about. It's frustrating when I get that kind of
>>> answer. I guess they can't have CCIEs manning the phones, but the
>>> escalation could be a lot more effective.
>>>
>>> Had a problem with your "resource-pool disable" -- this router
>>> doesn't recognize "resource-pool". Guess that means it's
>>> permanently disabled, eh? I'm running C1841-ADVSECURITYK9-M,
>>> Version 12.4(1a), which is what the router was shipped with. The
>>> configuration does list a "resource policy" line with no options.
>>> Digging through the docs isn't very illuminating, and certainly
>>> doesn't lead to anything appropriate for a single-router site.
>>>
>>> Further testing/sniffing: if I use "ip dhcp-server x.x.x.x", the WAN
>>> interface sends DHCP requests but ignores the responses. As soon
>>> as I removed it, the interface picked up an address. Once I added
>>> "ip address-pool dhcp-proxy-client" and tried a VPN connection, the
>>> VPN picked up an appropriate address from the LAN DHCP-server. WAN
>>> DHCP still works fine.
>>>
>>> Interestingly, I saw a VPN-triggered DHCP request packet on the WAN
>>> interface, with source IP address of the router's LAN interface.
>>> Looks like that command caused the router to proxy-forward the query
>>> on both WAN and LAN interfaces. Not at all clear from the docs I
>>> read.
>>>
>>> This reinforces my impression that Cisco documentation is
>>> chronically, miserably unclear. I'm beginning to wonder whether
>>> IOS is just a monster nobody can grasp. The various aspects of
>>> DHCP are spread all over, with little interconnection, and no
>>> reference at all to the kind of issue I encountered.
>>>
>>> And it looks like a bit of filtering is in order: I'm running NAT,
>>> so there's no way that inside source address should have gone
>>> outside.
>>>
>>> Thanks for your help!
>>>
>>> /kenw
>>>
>>>
>>>
>>> <Anthrax> wrote:
>>>
>>>> It can and it has. I do not know which of my colleagues told you
>>>> that, but maybe he was tripping in our world of cases.
>>>>
>>>> 1) You do not have to specify the second DHCP server address for
>>>> the Ethernet interface to be able to get its IP.
>>>>
>>>> 2) Add this:
>>>>
>>>> resource-pool disable
>>>> ip address-pool dhcp-proxy-client
>>>>
>>>> (this will do the proxy for your Windows server)
>>>>
>>>> 3) Let me know if it worked (of course I'll not be here until
>>>> tomorrow, hehe).
>>>>
>>>> 4) If it didn't work I will need a sniffer capture (in .cap format)
>>>> from the Ethernet (WAN side) and Ethernet (LAN side) while the
>>>> negotiation is in progress. Let us know...
>>>>
>>>> kenw@xxxxxxxx <kenw@xxxxxxxx> wrote:
>>>>
>>>>> I have a 1841 I'm trying to configure as a VPN server to access a
>>>>> Windows domain-based network from the Internet.
>>>>>
>>>>> The key points:
>>>>>
>>>>> 1) the WAN Ethernet interface _must_ be configured as a DHCP
>>>>> client of the ISP. They do not assign true statics.
>>>>>
>>>>> 2) I'd much prefer that my VPN clients receive their settings via
>>>>> the DHCP server on the Windows domain controller on the LAN.
>>>>>
>>>>> I can do one or the other, but not both. The reason boils down to
>>>>> having to use "ip dhcp-server" to specify the LAN DHCP server for
>>>>> the VPN, and when I do that, the WAN Ethernet interface cannot
>>>>> receive its assignment from the ISP.
>>>>>
>>>>> I've been talking to Cisco support, but the people I'm getting
>>>>> seem to have trouble understanding the problem, let alone
>>>>> resolving it. They say things like IOS can't do point 2, which
>>>>> I've done for years.
>>>>>
>>>>> A bit more detail:
>>>>>
>>>>> Configuring a DHCP server for _serving_ my VPN clients:
>>>>>
>>>>> ip dhcp-server x.x.x.x
>>>>> interface Virtual-Template1
>>>>> peer default ip address dhcp
>>>>>
>>>>> Configuring my Ethernet WAN interface to act as a DHCP _client_ of
>>>>> my ISP:
>>>>>
>>>>> ip dhcp-server y.y.y.y
>>>>> interface FastEthernet0/1
>>>>> ip address dhcp
>>>>>
>>>>> Unfortunately, it appears it never occurred to Cisco's developers
>>>>> that a router might play both roles. The command "ip dhcp-server"
>>>>> has two uses which conflict with each other.
>>>>>
>>>>> I've looked at helper-address stuff, but it appears to be quite
>>>>> inappropriate.
>>>>>
>>>>> Anybody got any ideas for a workaround?
>>>>>
>>>>> /kenw
>>>>> Ken Wallewein
>>>>> K&M Systems Integration
>>>>> Phone (403)274-7848
>>>>> Fax (403)275-4535
>>>>> kenw@xxxxxxxx
>>>>> www.kmsi.net

--


2nd Law of Thermodynamics: Chaos will Reign.

///////////////////
--Anthrax--
//////////////////
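Ken's sniffing in the quoted thread turned up a DHCP request leaving the WAN interface with the router's LAN address as its source, which NAT should have made impossible, and he concluded that "a bit of filtering is in order". The script below is an added example, not code from this thread or from Cisco: it decodes raw IPv4/UDP/BOOTP packets from a WAN-side capture and flags DHCP that a NAT edge should never emit, either relayed traffic (giaddr set) or anything sourced from an inside prefix, which is the same rule an outbound ACL on the WAN interface would enforce. The addresses (192.168.1.0/24 as the inside network, 203.0.113.1 as the ISP's DHCP server) and every packet are constructed sample data, and the code makes no claim about how IOS itself builds the proxy-client request.

```python
"""Added example: audit a WAN-side capture for DHCP traffic that a NAT edge
router should never emit.  All packets built here are constructed sample
data (assumed addresses), not a real capture from the thread."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie after the BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp_packet(src_ip, dst_ip, op, msg_type, giaddr="0.0.0.0", server_id=None):
    """Assemble IPv4 + UDP + BOOTP/DHCP bytes for the sample capture.
    IP and UDP checksums are left at zero; the parser does not verify them."""
    options = bytes([53, 1, msg_type])                       # option 53: message type
    if server_id:                                            # option 54: server identifier
        options += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    options += b"\xff"                                       # end-of-options marker
    bootp = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0x8000)  # op..flags
    bootp += b"\x00" * 12                                    # ciaddr, yiaddr, siaddr
    bootp += ipaddress.IPv4Address(giaddr).packed            # giaddr: non-zero when relayed
    bootp += b"\x00" * (16 + 64 + 128)                       # chaddr, sname, file
    payload = bootp + DHCP_MAGIC + options
    relayed = giaddr != "0.0.0.0"
    sport = 67 if (op == 2 or relayed) else 68               # relay-to-server is 67 -> 67
    dport = 68 if op == 2 else 67
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return ip + udp


def parse_dhcp(packet):
    """Decode the fields the audit needs; returns None for anything not DHCP."""
    if len(packet) < 28 or packet[9] != 17:                  # not IPv4-over-UDP
        return None
    ihl = (packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if 67 not in (sport, dport):                             # neither side is a DHCP server port
        return None
    bootp = packet[ihl + 8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    info = {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "op": bootp[0],
        "giaddr": str(ipaddress.IPv4Address(bootp[24:28])),
        "msg_type": None,
        "server_id": None,
    }
    i = 240
    while i < len(bootp) and bootp[i] != 0xFF:               # walk TLV options to the end marker
        if bootp[i] == 0:                                    # pad option has no length byte
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        value = bootp[i + 2:i + 2 + length]
        if code == 53:
            info["msg_type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 54:
            info["server_id"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return info


def audit_wan_egress(packets, inside_networks):
    """Return (finding, source, detail) tuples for DHCP that must not leave the WAN.
    The router's own client exchange (source 0.0.0.0, ISP offers) is left alone."""
    inside = [ipaddress.ip_network(n) for n in inside_networks]
    findings = []
    for pkt in packets:
        d = parse_dhcp(pkt)
        if d is None:
            continue
        src = ipaddress.IPv4Address(d["src"])
        if d["giaddr"] != "0.0.0.0":                         # relay agent traffic belongs on the LAN
            findings.append(("relayed-dhcp-on-wan", d["src"], d["giaddr"]))
        elif any(src in net for net in inside):             # inside source escaping NAT
            findings.append(("inside-source-on-wan", d["src"], d["msg_type"]))
    return findings


# Constructed sample capture from the WAN interface (assumed addresses):
SAMPLE_WAN_CAPTURE = [
    build_dhcp_packet("0.0.0.0", "255.255.255.255", 1, 1),                 # router's own DISCOVER
    build_dhcp_packet("203.0.113.1", "255.255.255.255", 2, 2,
                      server_id="203.0.113.1"),                            # ISP server's OFFER
    build_dhcp_packet("192.168.1.1", "255.255.255.255", 1, 1),             # DISCOVER sourced from LAN interface
    build_dhcp_packet("192.168.1.1", "203.0.113.1", 1, 3,
                      giaddr="192.168.1.1"),                               # relayed REQUEST
]

if __name__ == "__main__":
    for finding in audit_wan_egress(SAMPLE_WAN_CAPTURE, ["192.168.1.0/24"]):
        print(*finding)
```

Run against the sample capture, the audit reports the DISCOVER sourced from 192.168.1.1 and the relayed REQUEST, and passes the router's own 0.0.0.0 DISCOVER and the ISP's OFFER. Feeding it a real capture only needs the IPv4 payload of each frame; the same source-prefix rule is what an outbound ACL on the WAN interface would apply.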





