11 Replies. Latest reply on Feb 25, 2016 12:56 AM by geek

    RSD / uncovered subnets

    good friend

      I have deployed the RSDs on all the DHCP servers in my network, but only the DHCP servers' subnets are covered in the Detected Systems tab,

      and all the other subnets are shown as uncovered... so can anybody explain the reason to me?

        • 1. Re: RSD / uncovered subnets
          Richard Carpenter

          RSD sensors 'record' broadcast messages on the network, and capture DHCP requests, which are also broadcast messages. 


          If you have subnets/networks which do not have DHCP clients the RSD sensor will not see the broadcast messages. 


          Ideally you could place an RSD sensor in each subnet on a server to capture all your clients. 


          Regards

          Rich

          McAfee Volunteer Moderator

          Certified McAfee Product Specialist - ePO

          • 2. Re: RSD / uncovered subnets
            good friend

            hi Richard,

            I can understand what you wrote, but let us consider that there is a subnet and all of the systems there are DHCP clients, and I installed the RSD on the DHCP server, then installed McAfee agent on the system. My problem is that the subnet will be shown as an uncovered subnet, while only the DHCP server is shown as covered, so please explain it to me.

            Please, I have about 150 subnets in my network, so I will not install the RSD on all the subnets...

            Thanks,

            • 3. Re: RSD / uncovered subnets
              Richard Carpenter

              Hi. 


              Is your RSD deployed in DHCP mode?

              • 4. Re: RSD / uncovered subnets
                good friend

                hi,

                No, because according to the McAfee rogue system detector product guide 5.0.1 it's relevant to RSD 4.x, and my sensor is RSD 5.0.2,

                so I didn't enable it. So should I enable it?

                • 5. Re: RSD / uncovered subnets
                  Richard Carpenter

                  Reading page 21 of the manual:

                  DHCP servers

                  If you use DHCP servers in your network, you can install sensors on them. Sensors installed on DHCP servers provide full visibility only for covered subnets, which are subnets where the DHCP servers have an IP address configured directly. Using sensors on DHCP servers can reduce the number of sensors you must install and manage on your network to ensure coverage. It does not, however, eliminate the need to install sensors to network segments that are not directly covered by the DHCP servers. 

                     
                    


                  This seems to indicate that the DHCP server still needs an IP address in the same broadcast subnets. 


                  So if you are using IP forwarders on your network this would appear to say that the newer V5 RSD will not detect these DHCP Req and Ack messages. 


                  I can test this on our network in a few weeks when I get back to work. 


                  Regards

                  Rich

                  • 6. Re: RSD / uncovered subnets
                    good friend

                    hi,

                    I have deployed 4 RSDs on 4 DHCP servers distributing different IP ranges to my network, and that helped me a lot by detecting thousands of machines, but my concern is seeing those subnets as covered so no machines are missed...

                    anyway i appreciate your help a lot, but pleeeeease if you got the answer, share it with me

                    Regards,

                    • 7. Re: RSD / uncovered subnets
                      good friend

                      hi,

                      I enabled the DHCP monitoring feature, but unfortunately nothing happened.

                      Thanks

                      • 8. Re: RSD / uncovered subnets
                        ninjaneer68

                        Ideally you want to put at least one RSD on each subnet, I have over 300 subnets and that's how we do it

                         

                        Another option (I don't have instructions handy right now) is to have a server with RSD on it; you could configure a span port to that server and flood that server with all your network traffic. That should pick up all your subnets. You would have to research if you need a port tap or port aggregator and how many NICs you would need to handle spanning all your local traffic.

                        • 9. Re: RSD / uncovered subnets
                          geek

                          According to: Product Guide McAfee Rogue System Detection 5.0.1

                          "DHCP servers

                          If you use DHCP servers in your network, you can install sensors on them. Sensors installed on DHCP servers provide full visibility only for covered subnets, which are subnets where the DHCP servers have an IP address configured directly."

                          Page 21.
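
The thread's point about IP forwarders, as an added example that is not part of any post and is not McAfee code: a DHCP request forwarded by an IP helper carries the relay's address in the `giaddr` header field (RFC 2131), so a DHCP server host can learn clients on remote segments from DHCP alone while having no interface there. The code lists those relay addresses; all addresses and MACs are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct

# Start of the fixed BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops,
# xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr.
BOOTP_HEAD = struct.Struct("!BBBBIHH4s4s4s4s16s")

def build_request(mac, giaddr="0.0.0.0", hops=0):
    """Constructed sample input: a minimal BOOTREQUEST header."""
    zero = bytes(4)
    return BOOTP_HEAD.pack(1, 1, 6, hops, 0x1234, 0, 0, zero, zero, zero,
                           ipaddress.IPv4Address(giaddr).packed,
                           bytes.fromhex(mac.replace(":", "")))

def parse_bootp(payload):
    """Return relay address (giaddr), hop count and client MAC of a request."""
    if len(payload) < BOOTP_HEAD.size:
        raise ValueError("shorter than the BOOTP fixed header")
    op, _htype, hlen, hops, *_rest, giaddr, chaddr = BOOTP_HEAD.unpack_from(payload)
    if op != 1:
        raise ValueError("not a BOOTREQUEST")
    return ipaddress.IPv4Address(giaddr), hops, chaddr[:min(hlen, 16)].hex(":")

def relayed_segments(payloads, attached_networks):
    """Map relay address -> client MACs for requests forwarded from segments
    in which the receiving host has no address of its own."""
    attached = [ipaddress.ip_network(n) for n in attached_networks]
    remote = {}
    for payload in payloads:
        giaddr, _hops, mac = parse_bootp(payload)
        if int(giaddr) == 0 or any(giaddr in net for net in attached):
            continue  # the host sits on this segment itself
        remote.setdefault(str(giaddr), set()).add(mac)
    return remote

# Constructed addresses: the host has an interface in 192.168.1.0/24 only.
ATTACHED = ["192.168.1.0/24"]
SAMPLES = [
    build_request("00:11:22:33:44:55"),                   # local broadcast
    build_request("00:11:22:33:44:66", "10.20.30.1", 1),  # via IP helper
    build_request("00:11:22:33:44:77", "10.20.30.1", 1),
    build_request("00:11:22:33:44:88", "10.20.40.1", 1),
]

if __name__ == "__main__":
    for relay, macs in sorted(relayed_segments(SAMPLES, ATTACHED).items()):
        print(f"relay {relay}: {len(macs)} client(s) seen through DHCP only")
```

Each relay address listed marks a segment that reaches the DHCP server host only as relayed DHCP traffic; per the product guide passage quoted in the thread, such segments still need their own sensor to count as covered.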
