RSD sensors 'record' broadcast messages on the network, and capture DHCP requests, which are also broadcast messages.
If you have subnets/networks which do not have DHCP clients the RSD sensor will not see the broadcast messages.
Ideally you could place an RSD sensor in each subnet on a server to capture all your clients.
McAfee Volunteer Moderator
Certified McAfee Product Specialist - ePO
i can understand what you wrote, but let us consider that, there is a subnet and all of the systems there are DHCP clients, and i installed the RSD on the DHCP server, then install McAfee agent on the system, my problem is that subnet will be shown as uncovered subnet, wheli only the DHCP server is shown as covered, so please explain it for me??
please, while i have about 150 subnets in my network, so i will not install the RSD on all the subnets...
Is your RSD deployed in DHCP mode?
no, because according to McAfee rogue system detector product guide 5.0.1 its relevant to RSD 4.x, and my sensor RSD 5.0.2,
for that i didn't enable it. so should i enable it ??
Reading page 21 of the manual:
If you use DHCP servers in your network, you can install sensors on them. Sensors installed on DHCP servers provide full visibility only for covered subnets, which are subnets where the DHCP servers have an IP address configured directly. Using sensors on DHCP servers can reduce the number of sensors you must install and manage on your network to ensure coverage. It does not, however, eliminate the need to install sensors to network segments that are not directly covered by the DHCP servers.
This seems to indicate that the DHCP server still needs an IP address in the same broadcast subnets.
So if you are using IP forwarders on you network this would appear to say that the newer V5 RSD will not detect these DHCP Req and Ack messages.
I can test this on our network in a few weeks when get back to work.
i have deployed 4 RSD on 4 DHCP servers distributing different IP ranges to my network, and that helped me a lot by detecting thousands of machines, but my concern is seeing those subnets as covered so no missed machines...
anyway i appreciate your help a lot, but pleeeeease if you got the answer, share it with me
i enabled the DHCP monitoring feature, but unfortunately nothing happened
Ideally you want to put at least one RSD on each subnet, I have over 300 subnets and that's how we do it
another option ( I don't have instructions handy right now) is to have a server with RSD on it, you could configure a span port to that server and flood that server with all your network traffic. That should pick up all your subnets. You would have to research if you need a port tap or port Port aggregatpor and how many NICS you would need to handle spanning all your local traffic
According to: Product Guide McAfee Rogue System Detection 5.0.1
If you use DHCP servers in your network, you can install sensors on them. Sensors installed on DHCP servers provide full visibility only for covered subnets, which are subnets where the DHCP servers have an IP address configured directly."