cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
m_bk
Level 9
Report Inappropriate Content
Message 1 of 12

RSD / uncovered subnets

i have deployed the RSDs on alll the DHCP servers in my network, but only DHCP servers subnets are covered in the Detected Seyetems tab,

and all the the other subnets are shown as uncovered..... so can anybody explain for me the reason??

11 Replies

Re: RSD / uncovered subnets

RSD sensors 'record' broadcast messages on the network, and capture DHCP requests, which are also broadcast messages. 


If you have subnets/networks which do not have DHCP clients the RSD sensor will not see the broadcast messages. 


Ideally you could place an RSD sensor in each subnet on a server to capture all your clients. 


Regards

Rich

McAfee Volunteer Moderator

Certified McAfee Product Specialist - ePO

m_bk
Level 9
Report Inappropriate Content
Message 3 of 12

Re: RSD / uncovered subnets

hi Richard,

i can understand what you wrote, but let us consider that, there is a subnet and all of the systems there are DHCP clients, and i installed the RSD on the DHCP server, then install McAfee agent on the system, my problem is that subnet will be shown as uncovered subnet, wheli only the DHCP server is shown as covered, so please explain it for me??

please, while i have about 150 subnets in my network, so i will not install the RSD on all the subnets...

Thanks,

Re: RSD / uncovered subnets

Ideally you want to put at least one RSD on each subnet, I have over 300 subnets and that's how we do it

another option ( I don't have instructions handy right now) is to have a server with RSD on it, you could configure a span port to that server and flood that server with all your network traffic. That should pick up all your subnets. You would have to research if you need a port tap or port Port aggregatpor and how many NICS you would need to handle spanning all your local traffic

Re: RSD / uncovered subnets

Hi. 


Is your RSD deployed in DHCP mode?

m_bk
Level 9
Report Inappropriate Content
Message 6 of 12

Re: RSD / uncovered subnets

hi,

no, because according to McAfee rogue system detector product guide 5.0.1 its relevant to RSD 4.x, and my sensor RSD 5.0.2,

for that i didn't enable it. so should i enable it ??

Re: RSD / uncovered subnets

Reading page 21 of the manual:


  
   
    

DHCP servers

    

If you use DHCP servers in your network, you can install sensors on them. Sensors installed on DHCP servers provide full visibility only for covered subnets, which are subnets where the DHCP servers have an IP address configured directly. Using sensors on DHCP servers can reduce the number of sensors you must install and manage on your network to ensure coverage. It does not, however, eliminate the need to install sensors to network segments that are not directly covered by the DHCP servers. 

   
  


This seems to indicate that the DHCP server still needs an IP address in the same broadcast subnets. 


So if you are using IP forwarders on you network this would appear to say that the newer V5 RSD will not detect these DHCP Req and Ack messages. 


I can test this on our network in a few weeks when get back to work. 


Regards

Rich

m_bk
Level 9
Report Inappropriate Content
Message 8 of 12

Re: RSD / uncovered subnets

hi,

i have deployed 4 RSD on 4 DHCP servers distributing different IP ranges to my network, and that helped me a lot by detecting thousands of machines, but my concern is seeing those subnets as covered so no missed machines...

anyway i appreciate your help a lot, but pleeeeease if you got the answer, share it with me

Regards,

m_bk
Level 9
Report Inappropriate Content
Message 9 of 12

Re: RSD / uncovered subnets

hi,

i enabled the DHCP monitoring feature, but unfortunately nothing happened

Thanks

geek
Level 10
Report Inappropriate Content
Message 10 of 12

Re: RSD / uncovered subnets

According to: Product Guide McAfee Rogue System Detection 5.0.1

"DHCP servers

If you use DHCP servers in your network, you can install sensors on them. Sensors installed on DHCP servers provide full visibility only for covered subnets, which are subnets where the DHCP servers have an IP address configured directly."

Page21.

More McAfee Tools to Help You

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community