Filtering RAS DHCP Requests With CNR

Document ID: 13394



Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
RAS Requires Excessive DHCP Addresses
CNR Blocks RAS Requests Through Extensions

Introduction

This document provides a solution for filtering out DHCP lease requests from Remote Access Services (RAS), a Windows NT and Windows 2000 service through which users can log onto a corporate network from remote sites and access such things as applications and printers as if they were on the local LAN. It can easily be set up on any NT or 2000 machine and is often configured by default. This can be a major problem for DHCP, because every time RAS starts up, it requests a block of IP addresses. Multiply this by the number of users on a LAN and soon all your addresses are used up by these RAS servers. Cisco Network Registrar (CNR) is equipped with a set of extensions to block RAS DHCP lease requests.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Network Registrar 5.0

  • Windows NT

  • Windows 2000

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

RAS Requires Excessive DHCP Addresses

When the service starts up, RAS automatically does DHCPREQUESTs and asks for a certain number of IP addresses (in the case of Windows 2000, it takes a block of 10 addresses and stores them in the registry). Once the first set of addresses is used, RAS requests another block of addresses (for Windows 2000, 10 more). This process continues as addresses are used. When the RAS service is stopped, all addresses that it requested are released.

RAS DHCP request packets are formatted differently from regular DHCP request packets. In Windows NT, you can identify a RAS packet by its hardware length (16, not the usual 6 for Ethernet) and by the first four bytes of the MAC address (52:41:53:20, which is the hex encoding of the ASCII string "RAS" followed by a space). The Windows 2000 format changed completely: it sets the hardware length to the standard Ethernet value of 6, and the special 52:41:53:20 value is no longer placed at the start of the chaddr field. Instead, Windows 2000 RAS packets carry the string RRAS.Microsoft hardcoded in the dhcp-user-class-id option.
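The two signatures described above can be checked directly on a raw DHCP packet. The following is an added example (not code from the Cisco document or from the tcldropras/dexdropras extensions): a minimal BOOTP/DHCP parser plus an is_ras_request() test that applies the Windows NT rule (hlen 16, chaddr starting 52:41:53:20) and the Windows 2000 rule (RRAS.Microsoft in the user class option). It assumes the dhcp-user-class-id option is DHCP option code 77 (user class), and the sample packets are constructed inline, not captured.

```python
import struct

# Constructed sample data and assumptions; not from the original document.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
OPT_USER_CLASS = 77          # assumed to be what CNR calls dhcp-user-class-id
OPT_END = 255
RAS_CHADDR_PREFIX = bytes.fromhex("52415320")   # "RAS " as seen in Windows NT packets
W2K_USER_CLASS = b"RRAS.Microsoft"


def parse_dhcp(packet: bytes):
    """Return (hlen, chaddr, options) from a raw BOOTP/DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]              # op, htype, hlen, hops occupy bytes 0..3
    chaddr = packet[28:44]        # 16-byte client hardware address field
    options, i = {}, 240          # options begin right after the magic cookie
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:             # pad option, single byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return hlen, chaddr, options


def is_ras_request(packet: bytes) -> bool:
    """True if the packet matches either RAS signature described in the document."""
    hlen, chaddr, options = parse_dhcp(packet)
    # Windows NT: hardware length 16 and chaddr beginning with "RAS ".
    if hlen == 16 and chaddr[:4] == RAS_CHADDR_PREFIX:
        return True
    # Windows 2000: standard hlen 6, but RRAS.Microsoft in the user class option.
    return W2K_USER_CLASS in options.get(OPT_USER_CLASS, b"")


def build_packet(hlen: int, chaddr: bytes, user_class: bytes = b"") -> bytes:
    """Construct a minimal DHCPREQUEST for testing the checks above."""
    header = struct.pack("!BBBB", 1, 1, hlen, 0) + b"\x00" * 24   # op..giaddr
    header += chaddr.ljust(16, b"\x00") + b"\x00" * 192            # chaddr, sname, file
    opts = bytes([OPT_MESSAGE_TYPE, 1, 3])                          # DHCPREQUEST
    if user_class:
        opts += bytes([OPT_USER_CLASS, len(user_class)]) + user_class
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])
```

A server-side filter hooked at packet decode would drop any packet for which is_ras_request() returns True and let all others proceed.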

CNR Blocks RAS Requests Through Extensions

Cisco Network Registrar 5.0 handles this problem by filtering out RAS packets through the tcldropras or dexdropras extension, which is included as part of the standard Network Registrar 5.0 installation. These extensions now handle Windows NT and Windows 2000 RAS packets. The tcldropras extension is included in your Network Registrar installation directory, in the examples/dhcp/tcl/tclextension.tcl file. The dexdropras extension is included when you compile the files in examples/dhcp/dex into a DLL (the dexextension.dll file is already located in the extensions/dhcp/dex directory; see the readme.dex file in examples/dhcp/dex).

To define the extension and attach it at the post-packet-decode extension point, use either the tcldropras or the dexdropras extension as follows.

  1. Copy the tclextension.tcl file to the extensions/dhcp/tcl directory.

    Note:  The dexdropras extension code is already in the extensions/dhcp/dex directory.

  2. Run the commands for the extension you use:

    For tcldropras:

    nrcmd> extension tcldropras create tcl tclextension.tcl tcldropras
    nrcmd> dhcp attachExtension post-packet-decode tcldropras

    For dexdropras:

    nrcmd> extension dexdropras create dex dexextension.dll dexdropras
    nrcmd> dhcp attachExtension post-packet-decode dexdropras


Updated: Oct 26, 2005 Document ID: 13394