
Adding additional IP-helper (non-DHCP server IP) can affect existing setup

rupesh00111
Level 1

Hello Experts,

 

We are deploying a ForeScout server in our global environment to prevent unauthorized client connections in the network. For this purpose it is required to add the ForeScout server IP as an IP-helper address on all VLAN SVIs configured on the core switches so that the ForeScout server will have visibility of DHCP requests from each client.

 

I am a little worried about adding the ForeScout server IP as an IP-helper address, as it is not going to act as a DHCP server but only monitor DHCP requests. (For sure I will add it as a secondary IP-helper entry. But a few VLANs do not have any IP-helper entry currently; on such VLANs this new IP-helper will be the only one.)

So please help me to understand if adding this ForeScout server IP as an additional IP-helper address can have any impact on the working production environment.

 

Any expert comments are appreciated.

 

Best Regards,

Rupesh


Andrew Khalil
Spotlight

Hello @rupesh00111,

Greetings,

I am not sure whether I have understood your question, but the IP helper command is used to forward broadcast network traffic from a client machine on one subnet to a server in another subnet. Usually it is used when you have a DHCP server connected to a router and you would like to pass its broadcast to the other subnet!

 

Also, if you have 2 DHCP servers, you can configure DHCP snooping trust to the server you would like it to distribute IPs while the other will be considered untrusted, so it will not work as a DHCP server! 

To configure such a solution:

#ip dhcp snooping

#ip dhcp snooping vlan 10,11,12,....

#int f0/1           (the interface that is connected to the server)

#ip dhcp snooping trust

 

That's it!

 

Please, don't forget to rate all helpful responses and mark solutions!

Bst Rgds,

Andrew Khalil

Hello

 


@rupesh00111 wrote:

Hello Experts,

 

We are deploying a ForeScout server in our global environment to prevent unauthorized client connections in the network. For this purpose it is required to add the ForeScout server IP as an IP-helper address on all VLAN SVIs configured on the core switches so that the ForeScout server will have visibility of DHCP requests from each client.

 

I am a little worried about adding the ForeScout server IP as an IP-helper address, as it is not going to act as a DHCP server but only monitor DHCP requests. (For sure I will add it as a secondary IP-helper entry. But a few VLANs do not have any IP-helper entry currently; on such VLANs this new IP-helper will be the only one.)


TBH I have never come across this platform before, but after a quick lookup it seems this Forescout server runs inline with a client plugin.

 

"For remote dhcp servers DHCP traffic is replicated to a CounterACT device acting as an additional, or secondary, DHCP server"

Now it's not clear if you need to point the client towards this ACT server via the plugin or you do indeed need to add an additional DHCP relay address. Now if the latter, I am aware that by default Cisco DHCP relay will forward DHCP requests to its specified primary DHCP relay server first, so I am not so sure how this Forescout ACT server would interpret the received replicated DHCP messages.

 

But in any case I cannot see at this time adding an additional DHCP relay for this Forescout interrupting the active DHCP service for your network.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

There will be unauthorised users where the plugin will be missing. For such users, DHCP requests forwarded to ForeScout will be useful.

 

Also

I believe in Cisco switches, the switch will send DHCP requests to all IP-helper addresses in the configuration (primary, secondary, tertiary, etc.), isn't it?

 

Best Regards

Rupesh

Hello

 


@rupesh00111 wrote:

Hi Paul,

There will be unauthorised users where the plugin will be missing. For such users, DHCP requests forwarded to ForeScout will be useful.

 

Also

I believe in Cisco switches, the switch will send DHCP requests to all IP-helper addresses in the configuration (primary, secondary, tertiary, etc.), isn't it?

 

Best Regards

Rupesh


Yes, correct, requests will go to all specified DHCP servers but only the valid one will answer, in your case the specified primary. However, as I said, I am not sure how your Forescout interprets the received messages, but it shouldn't interrupt your active DHCP service as it isn't a valid DHCP server.



Kind Regards
Paul
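
An added example, not part of the original thread: a small Python audit that reads a switch configuration and sorts each VLAN SVI by its `ip helper-address` entries, so the VLANs where the monitoring address would be (or already is) the only helper, the case raised in the question, can be reviewed before rollout. The sample configuration, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample of a core-switch configuration (documentation address ranges).
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.0.2.1 255.255.255.128
 ip helper-address 198.51.100.10
!
interface Vlan11
 ip address 192.0.2.129 255.255.255.128
 ip helper-address 198.51.100.10
 ip helper-address 198.51.100.50
!
interface Vlan12
 ip address 203.0.113.1 255.255.255.128
!
interface Vlan13
 ip address 203.0.113.129 255.255.255.128
 ip helper-address 198.51.100.50
!
interface GigabitEthernet1/0/1
 switchport mode trunk
"""

HELPER_RE = re.compile(
    r"\s+ip helper-address\s+(?:(?:vrf\s+\S+|global)\s+)?(\d+\.\d+\.\d+\.\d+)")

def helpers_by_svi(config):
    """Map each 'interface VlanN' stanza to its helper addresses, in config order."""
    svis, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level line closes the open stanza
            m = re.match(r"interface\s+Vlan(\d+)\s*$", line, re.IGNORECASE)
            current = int(m.group(1)) if m else None
            if current is not None:
                svis[current] = []
        elif current is not None and (m := HELPER_RE.match(line)):
            svis[current].append(m.group(1))
    return svis

def classify(svis, monitor_ip):
    """Group VLANs by whether a real DHCP helper and/or the monitor is configured."""
    report = {"dhcp_and_monitor": [], "needs_monitor": [], "monitor_only": [], "no_helper": []}
    for vlan, helpers in sorted(svis.items()):
        others = [h for h in helpers if h != monitor_ip]
        if monitor_ip in helpers:
            report["dhcp_and_monitor" if others else "monitor_only"].append(vlan)
        else:
            report["needs_monitor" if others else "no_helper"].append(vlan)
    return report

if __name__ == "__main__":
    print(classify(helpers_by_svi(SAMPLE_CONFIG), "198.51.100.50"))
```

VLANs reported under `no_helper` and `monitor_only` are the ones where the monitoring address is the sole relay target, so they are the ones to check by hand for how clients obtain addresses today.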