Archive for the 'Cisco General' Category
DHCP, as we all know, is a broadcast protocol (shame on you if you don’t know that already!!) which normally works only within the same Layer 2 broadcast domain. Does this mean that you need to have your DHCP server connected to the same network subnet as the DHCP clients? If this were the case it would not be flexible or economical at all. What if you have segmented your internal network into many different subnets and you have DHCP clients in all of them? Would this mean that you must have a DHCP server for every subnet? Fortunately, you don’t need to end up in this situation. With the Cisco “ip helper-address” command configured on the Layer 3 interface which receives the client’s DHCP broadcast, you can transform the broadcast request into a unicast and send it to a centralized DHCP server which can be located in a different subnet of your network. The unicast DHCP request will be routed normally to the destination DHCP server within the network, even if the server is far away from the DHCP client.
The DHCP server must have an appropriate IP pool scope configured for the specific subnet the DHCP request came from. Using this scope, the server assigns an appropriate IP address to the requesting client. For example, if the DHCP client subnet is 192.168.1.0/24, then the remote DHCP server must have an IP pool configured to assign addresses within the range 192.168.1.0/24. The source DHCP client subnet is determined by the IP address assigned to the Layer 3 interface which has the ip helper-address configured: the router stamps this address into the relayed request, which is how the server knows which subnet to serve.
Let’s see an example scenario below with a configuration snapshot.

From the network diagram above, two DHCP client PCs are located behind Router A. Interface Fe0/0 of the router has IP address 192.168.1.1/24. The DHCP clients will start broadcasting DHCP requests in order to get their IP address information assigned from a server. By default, these DHCP broadcast requests will be confined within Switch A and will never reach any other subnet beyond Router A. By configuring “ip helper-address 10.10.10.1” under interface Fe0/0 of Router A, we tell the router to turn the DHCP broadcast into a DHCP unicast and send it to the destination DHCP server 10.10.10.1. The server will see that the DHCP request came from source subnet 192.168.1.0/24 and will therefore assign an appropriate IP address from a configured IP pool scope within the range 192.168.1.0/24.
Configuration on Router A
RouterA# conf t
RouterA(config)# interface fastethernet0/0
RouterA(config-if)# ip address 192.168.1.1 255.255.255.0
RouterA(config-if)# ip helper-address 10.10.10.1
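To make the relay behaviour concrete, here is an added Python model (not Cisco code, not part of the original post) of what the helper does to a client’s DHCPDISCOVER and how the server then picks a pool from the relayed packet. It uses the RFC 2131 fixed header layout and the addresses from the scenario above; the scope list and MAC address are constructed sample values.

```python
import ipaddress
import struct

# Constructed model of what "ip helper-address" does to a DHCP broadcast,
# and how the server picks a scope from the relayed packet (RFC 2131 field
# layout). Not Cisco code; the addresses are the ones used in the post above.
BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
GIADDR = slice(24, 28)   # relay agent address field in the fixed BOOTP header

def build_discover(mac: bytes, xid: int = 0x12345678) -> bytes:
    """DHCPDISCOVER as a client emits it: giaddr 0.0.0.0, broadcast flag set."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, 1, 255])   # option 53=1 (DISCOVER), end

def relay(frame: bytes, iface_ip: str, helper_address: str):
    """Relay step: stamp giaddr with the receiving interface, bump hops,
    and return (unicast destination, packet) instead of re-broadcasting."""
    if frame[:1] != bytes([BOOTREQUEST]) or frame[236:240] != MAGIC_COOKIE:
        return None                       # not a DHCP request: leave it alone
    hops = frame[3] + 1
    if hops > 16:
        return None                       # RFC 2131: discard over-relayed packets
    giaddr = frame[GIADDR]
    if giaddr == b"\0" * 4:               # only the first relay sets giaddr
        giaddr = ipaddress.IPv4Address(iface_ip).packed
    return helper_address, frame[:3] + bytes([hops]) + frame[4:24] + giaddr + frame[28:]

def select_scope(frame: bytes, scopes: list, server_iface_ip: str):
    """Server side: a non-zero giaddr identifies the client subnet; a
    zero giaddr means the client is on the server's own interface."""
    giaddr = ipaddress.IPv4Address(frame[GIADDR])
    key = giaddr if int(giaddr) else ipaddress.IPv4Address(server_iface_ip)
    for cidr in scopes:
        if key in ipaddress.ip_network(cidr):
            return cidr
    return None                           # no matching pool: server cannot answer

if __name__ == "__main__":
    disc = build_discover(bytes.fromhex("0011223344aa"))
    dst, pkt = relay(disc, "192.168.1.1", "10.10.10.1")
    print(dst, select_scope(pkt, ["10.10.10.0/24", "192.168.1.0/24"], "10.10.10.1"))
```

Note that `select_scope` returns `None` when no pool covers the giaddr subnet, which is exactly the misconfiguration (helper set on the router, scope missing on the server) that leaves clients without leases.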
Some other important considerations for ip helper-address
By default, the ip helper-address command also forwards some other broadcast protocols in addition to DHCP (BOOTP). The following eight UDP broadcast protocols are forwarded by default:
- UDP 37 (Time protocol)
- UDP 49 (TACACS)
- UDP 53 (DNS)
- UDP 67 (DHCP Server)
- UDP 68 (DHCP Client)
- UDP 69 (TFTP)
- UDP 137 (NetBIOS Name Service)
- UDP 138 (NetBIOS Datagram Service)
If you want to add more broadcast protocols to be forwarded, or even remove some of the default forwarded protocols, you can use the “ip forward-protocol” command under global config mode.
Example: Remove the NetBIOS protocols (137, 138) from the default forwarded set, and add the NTP protocol (UDP 123) so that it is forwarded by ip helper-address.
RouterA(config)# no ip forward-protocol udp 137
RouterA(config)# no ip forward-protocol udp 138
RouterA(config)# ip forward-protocol udp 123
I was reading a security statistics report the other day and it seems that web vulnerabilities take up the majority of the pie. SQL injection, Cross Site Scripting, code injection etc. are found everywhere in web applications. Unfortunately secure coding (not only for web development but for any software application) is not yet widely adopted, so we end up with applications that are vulnerable to all sorts of attacks. And because everyone is using the Web, we consequently find that security holes are more prevalent in Web applications than anywhere else.
Legacy security architectures were designed with just perimeter and network security in mind. In the past, security experts believed that installing a network firewall and maybe an Intrusion Detection System would provide all the required security. This is not true at all for protecting against modern attacks. Indeed, a high-speed dedicated hardware firewall is still needed to provide low-level inspection and filtering (catching various attacks on the network and transport layers). After the legacy security infrastructure devices do their job (allowing only clean traffic to pass to the applications), an application firewall is also required for deeper inspection of incoming data and for discovering more complex application-layer attacks that a regular firewall is not able to detect.
The ACE Web Application Firewall is a security appliance that is intended for deployment inside the DMZ segment, where your Web Applications are located. It fulfills all the requirements for companies that want to comply with PCI DSS regulations (companies that store and process credit card data) and combines deep Web application analysis with high-performance Extensible Markup Language (XML) inspection and management to address the full range of these threats. It secures and protects Web applications from common attacks such as identity theft, data theft, application disruption, fraud, SQL injection attacks, XSS attacks etc.
For more information on the ACE Web Application Firewall visit the Cisco link HERE.
The latest Cisco IOS version was 12.4 until recently when Cisco IOS version 15.0 was introduced. Have you noticed the jump from version 12 to 15? Do you wonder why versions 13 and 14 were skipped? Well, rumors say that Cisco avoided those version numbers because 13 is considered unlucky in the Western Culture and 14 is also considered unlucky in the Asian culture !!
As with any version upgrade, there are many new features in this release, most of which you will never use in your life!! This is a characteristic of IOS anyway. It includes every feature under the sun related to networking. It offers much flexibility, but also a lot of unnecessary stuff that you will never use.
Before upgrading to version 15, I strongly recommend using the Cisco Feature Navigator tool on the cisco.com site in order to verify the memory requirements (most important) and also to identify which features are supported.
Here are the release notes for IOS 15.0M and HERE is the main page for this release.
Cisco announced a new security appliance model, the SA500 series, which is focused on the small business market. Cisco is trying to fill its gap in the UTM (Unified Threat Management) appliance market, in which other competitors (such as Fortinet, Checkpoint etc.) were already ahead. Following the philosophy of the UTM appliance, the SA500 offers an all-in-one security solution combining firewall, virtual private network (VPN) and optional email and web security capabilities. The SA500 is most appropriate for businesses with fewer than 100 employees.

There are currently three models, as follows:
- SA520 : 200 Mbps Firewall Throughput, 4 LAN ports, 1 WAN port, 15,000 max connections, SSL and IPSEC VPN capabilities, Trend Micro ProtectLink Gateway.
- SA520w: Same as above but also supports WiFi.
- SA540: 300 Mbps Firewall Throughput, 8 LAN ports, 1 WAN port, 40,000 max connections, enhanced SSL and IPSec VPN performance, Trend Micro ProtectLink Gateway.

From the back panel of the SA500 appliance above you can see an “OPTIONAL” port in addition to the 4-port LAN interfaces and the WAN interface. The “OPTIONAL” port can be configured either as an additional LAN or WAN port, but its main purpose is to serve as a DMZ port for connecting a public server (e.g. a Web or email server).
The SA500 is easily managed with a web browser. Just connect your PC to an available LAN port on the back panel. You need to set your PC to obtain its IP address dynamically from a DHCP server. The security appliance will assign an IP address to your PC in the range 192.168.75.x. Just open your browser and enter in the address bar the default IP of the SA500, which is 192.168.75.1. Log on with the default username/password (cisco/cisco) and you are ready to start configuring the appliance.