Q: Network Technical Question - Blocking Broadcasts from Reaching a Computer ( Answered,   6 Comments )
Question  
Subject: Network Technical Question - Blocking Broadcasts from Reaching a Computer
Category: Computers > Programming
Asked by: routerx-ga
List Price: $10.00
Posted: 05 Jun 2003 12:29 PDT
Expires: 05 Jul 2003 12:29 PDT
Question ID: 213536
I have a Class C network 129.9.1.0/255.255.255.0.  My goal is to place
a computer on that network as 129.9.1.190.  It must be this IP
address.  The computer must NOT receive or see any broadcasts on the
129.9.1.0 network.  The only traffic it should ever see is when
someone is specifically trying to connect to it.  How can I block
broadcasts/multicasts from being seen by a computer if it is on a
Class C network with 200 other hosts?  The other hosts that need to
connect to it are also on the 129.9.1.0 network.

Request for Question Clarification by maniac-ga on 06 Jun 2003 05:00 PDT
Hello Routerx,

What you are asking for is possible, but may require some special
equipment or software. A few alternatives include:

 - filter the traffic to 192.9.1.190 at the switch / router. Doing
this depends on the equipment - I can suggest a switch capable of
this, but your existing equipment may do fine. Which model network
switch is connected to this machine?
 - put a filtering PC between the network and the machine to respond
as 129.9.1.190. It would look something like...
  Network -- Filter PC -- Target Machine
The filter PC would need two Ethernet interfaces and appropriate
software. It would basically tunnel the data to/from 192.9.1.190 to
the target machine & discard everything else (in both directions). A
Linux PC would run as low as $500 new or you could use a spare (older)
PC to do this for less. Let me know if you want to try something like
this.
 - put filtering software on the Target PC to ignore unwanted traffic.
 On Linux, a method such as netfilter or iptables
(http://www.netfilter.org/) can be used to implement this. With
iptables, it can be done as easy as a one line directive such as
  iptables -A INPUT -d 0.0.0.255/0.0.0.255 -j DROP
which ignores all broadcast messages (those with all ones in the last
byte). If this is suitable, I would need to know the operating system
you are using.

It may be easier to implement by changing the IP address of the target
machine but you explicitly ruled that out. If this restriction
changes, I can describe more general methods.

Please advise how to proceed.

  --Maniac

Clarification of Question by routerx-ga on 06 Jun 2003 08:02 PDT
Okay.. here's my update:  We are using Catalyst 2924 Series Switches
and Catalyst 1924 Series Switches.  The IP addressing cannot be
changed unfortunately.  My thoughts were that we could block the
broadcasts from coming in on a switchport, but obviously Switches are
L2 and I don't think this could be done to drop L3 broadcasts.
So, if you could base your info on that, I think we're close to an
answer.  Almost wondering if there is a L3 device I could connect to
the NIC of the computer that blocks broadcasts from being received.
My other thought was to put the computer behind its own router.  But,
since it MUST be on the 1 subnet, other computers would not bother
trying to get to a default gateway to speak to it because they would
believe it's on their local subnet.  I've tried adding in a manual
route on the other computers:
route add 129.9.1.90 mask 255.255.255.0 129.9.11.1
11.1 is the router with 1.90 on the other side of the router.  The
problem, as you can see, is that the command is invalid for a computer
already on the 1 subnet.

Request for Question Clarification by maniac-ga on 07 Jun 2003 12:20 PDT
Hello Routerx,

I agree with your assessment of the switch (Cisco 1924 and 2924)
capabilities. They don't have the capability to do the filtering you
need.

I also understand the issue related to attempts to use the manual
route. You *could* have a machine on the 192.9.1.0/24 LAN that
responds to 129.9.1.190 addresses; bridges do that to connect the two
parts of the network. Bridges also default to sending broadcasts, so
as-is, they won't work.

What you describe as the "L3 device" sounds like adding a filter to a
bridge or as a combination bridge / router. I did some searches on
that concept and the closest I came up with was the following:

  http://www.intel.com/support/si/routers/integrator/150/chap_52.htm
Describes a product that bridges across a leased line and has some
filtering enabled. I found a number of similar products when searching
for "brouter", but they all were for SOHO use; connecting your local
LAN to the Internet via ISDN, dial up, DSL, or leased line. I will
look some more for Ethernet to Ethernet brouters.

  http://www.ibiblio.org/mdw/HOWTO/mini/Bridge+Firewall+DSL-2.html
Describes how a Linux machine can do a combination of Bridge,
Firewall, and filtering capabilities. Note that the bridge filtering
was developed in the 2.2 time frame, but is not a standard part of the
Linux kernel in 2.4. It is implemented in 2.5, but that is still
pretty much for development use, not production. If you are willing to
build your own Linux kernel, I can walk you through the references /
how to on this.

  http://www.inebriated.demon.nl/pf-howto/html/pf-howto.html
  http://www.openbsd.org/faq/pf/index.html
  http://www.openbsd.org/faq/faq6pf.html
  http://www.jp.daemonnews.org/200109/network.html
It appears OpenBSD is more mature in this area. The Packet Filtering
HOWTO provides explanations for bridge filtering as well as a number
of related functions. I find it helpful that the packet filter can
also keep track of session state - that may be needed for your
application. The last reference is pretty basic, but has some good
illustrations of the setup necessary.

Let me know if you want to pursue one of these alternatives.

  --Maniac
Answer  
Subject: Re: Network Technical Question - Blocking Broadcasts from Reaching a Computer
Answered By: maniac-ga on 09 Jun 2003 04:38 PDT
 
Hello Routerx,

Based on the information you provided, I am submitting the following
answer to your question.

To summarize the situation:
 - You are using a class C network 129.9.1.0/24
 - You want to prevent broadcasts to 129.9.1.190 and cannot change
this address
 - The existing switches (Cisco 1924 and 2924) will not filter
broadcasts

Based on this situation, the best solution is to add a bridge with
filtering, often called a brouter (bridge / router).

Most brouters available are designed for Small Office / Home Office
(SOHO) use. As a result, they provide open connections on the local
LAN and filter the data being sent to the Internet. One of these may
be adaptable for your use but a more comprehensive solution would be
to configure a PC to act as the brouter. The remainder of the answer
addresses that kind of solution.

OpenBSD [and NetBSD] appears to have the most mature solution for
this. This is described in the documentation as "Packet Filtering".
Several on line references are at:
  http://www.inebriated.demon.nl/pf-howto/html/pf-howto.html 
  http://www.openbsd.org/faq/pf/index.html 
  http://www.openbsd.org/faq/faq6pf.html 
  http://www.jp.daemonnews.org/200109/network.html 
This last reference is pretty basic, but includes some good
illustrations to show the connections necessary to implement the
brouter capability. You can search for additional references with
phrases such as
  OpenBSD packet filtering
  netbsd packet filtering
  openbsd network bridge filter
and so on.

Linux has had a similar solution as a patch to the kernel for a few
years. The original patch was created for 2.2 kernels, but an updated
patch is incorporated for 2.4 kernels. There is a further patch
incorporated in the 2.5 series (ebtables), however the 2.5 kernels are
not recommended for production use.  Either solution should be
suitable now. Perhaps the best explanation of this capability is at
    http://www.ibiblio.org/mdw/HOWTO/mini/Bridge+Firewall+DSL-2.html 
which describes the typical SOHO solution, but the implementation is
quite flexible and can be adapted for your use. Other references
include:
  http://bridge.sourceforge.net/
  http://www.linux-kongress.org/2002/papers/lk2002-spenneberg.pdf
The first being the site supporting the bridge / filter patch. Pre
built utilities and kernels are available at this first site. The
second is a technical reference that describes the approach.

Searches for further information on this include
  network bridge filter 2.4 linux patch
  network bridge filter ebtables

Both of these solutions provide for stateless and stateful
filtering, allowing you to fine tune the filtering.

As I mentioned before, if any of this is unclear, you want feedback on
your solution, or you need some additional references on this topic,
please make a request for clarification so I can respond. Good luck
with your work.

  --Maniac
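The filter PC / brouter described in the clarification above and in this answer has one job: forward unicast traffic addressed to 129.9.1.190 and discard the broadcast and multicast traffic that the shared /24 carries. The following Python model of that policy is an added example, not code from the page or from maniac-ga; it is constructed here to make the filtering decisions concrete. It classifies destination addresses (directed broadcast 129.9.1.255, limited broadcast 255.255.255.255, multicast 224.0.0.0/4, unicast), emulates how the `-d 0.0.0.255/0.0.0.255` iptables match from the clarification works (the mask is applied bitwise, so only the last octet is compared, which is why it catches both broadcast forms but not multicast), and runs a constructed set of packets through the policy. The ARP handling is an assumption of the example: ARP requests asking for the target's own address are let through, since otherwise no host on the LAN could resolve 129.9.1.190, while all other ARP broadcasts are dropped. The names `Packet`, `classify`, `mask_match`, `verdict` and `summarize` are the example's own.

```python
"""Added example: model of the filter policy for a filter PC / brouter
placed between the 129.9.1.0/24 LAN and the host 129.9.1.190.
Constructed for illustration; not the page's or maniac-ga's code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("129.9.1.0/24")          # network from the question
TARGET = ipaddress.ip_address("129.9.1.190")        # the host to shield
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: just enough fields to apply the policy."""
    src: str
    dst: str                          # IPv4 destination (ignored for ARP)
    proto: str = "tcp"                # "tcp", "udp", "icmp" or "arp"
    arp_target: Optional[str] = None  # ARP target protocol address, if ARP


def classify(dst: str) -> str:
    """Name the kind of IPv4 destination the filter is looking at."""
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED_BROADCAST:
        return "limited-broadcast"
    if addr == LAN.broadcast_address:       # 129.9.1.255 for this /24
        return "directed-broadcast"
    if addr.is_multicast:                   # 224.0.0.0/4
        return "multicast"
    if addr == TARGET:
        return "unicast-to-target"
    return "other-unicast"


def mask_match(addr: str, pattern: str, mask: str) -> bool:
    """Emulate iptables 'address/mask' matching: the mask is applied bitwise,
    so a non-contiguous mask such as 0.0.0.255 compares only the last octet.
    This is what '-d 0.0.0.255/0.0.0.255' in the clarification relies on."""
    a = int(ipaddress.ip_address(addr))
    p = int(ipaddress.ip_address(pattern))
    m = int(ipaddress.ip_address(mask))
    return (a & m) == (p & m)


def verdict(pkt: Packet) -> str:
    """Policy for traffic arriving on the LAN-facing interface of the filter.
    Assumption (not from the page): ARP requests for the target's own address
    must still pass, or nobody on the LAN can resolve 129.9.1.190; every
    other ARP broadcast is dropped along with IP broadcast and multicast."""
    if pkt.proto == "arp":
        return "ACCEPT" if pkt.arp_target == str(TARGET) else "DROP"
    return "ACCEPT" if classify(pkt.dst) == "unicast-to-target" else "DROP"


# Constructed sample traffic as it would be seen on the shared segment.
SAMPLE_PACKETS = [
    Packet("129.9.1.7", "129.9.1.190", "tcp"),                       # direct connect
    Packet("129.9.1.7", "129.9.1.255", "udp"),                       # directed broadcast
    Packet("129.9.1.7", "255.255.255.255", "udp"),                   # limited broadcast
    Packet("129.9.1.7", "224.0.0.251", "udp"),                       # multicast
    Packet("129.9.1.7", "129.9.1.42", "tcp"),                        # unicast to another host
    Packet("129.9.1.7", "ff:ff:ff:ff:ff:ff", "arp", "129.9.1.190"),  # ARP for the target
    Packet("129.9.1.7", "ff:ff:ff:ff:ff:ff", "arp", "129.9.1.42"),   # ARP for someone else
]


def summarize(packets) -> dict:
    """Count verdicts; the shielded host only ever sees the ACCEPTed packets."""
    counts = {"ACCEPT": 0, "DROP": 0}
    for pkt in packets:
        counts[verdict(pkt)] += 1
    return counts


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        kind = "arp" if pkt.proto == "arp" else classify(pkt.dst)
        print(f"{verdict(pkt):6} {pkt.proto:4} {pkt.src} -> {pkt.dst} ({kind})")
    print(summarize(SAMPLE_PACKETS))
```

Running the model over the constructed packets accepts only the direct connection and the ARP request for the target; the two broadcast forms, the multicast packet, the stray unicast and the unrelated ARP request are all dropped. The `mask_match` check shows that a last-octet rule like the one in the clarification covers 129.9.1.255 and 255.255.255.255 but not 224.0.0.251, so a bridge built on iptables or pf needs a separate rule for the multicast range if multicast must also be kept away from the host.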
Comments  
Subject: Re: Network Technical Question - Blocking Broadcasts from Reaching a Computer
From: mrcgayle-ga on 05 Jun 2003 23:36 PDT
 
What you're trying to accomplish should be pretty simple if you use the
correct hardware and the correct IP class with subnet.  Now for a
simple process, you're using the incorrect IP address.  I will explain:
you mention that you're setting up a class C network, and a class C
octet starts at 192 (not saying you can't have it the way you have it
now, but you're then faced with doing some calculation on your part). If you ask
me, I would set up my network with the simplest class C network such as
192.9.1.0/24.  Then start working on blinding the rest of the network
from a single node.  Now the way I had mine done was (I'm not sure of
other products, but I use a Cisco Cat.3150 switch): okay, you would
need a managed switch; it's a little bit more expensive than the
unmanaged switch.  Anyway, assume you choose to purchase that switch;
you're able to manage the switch to block broadcasts from that port.
Subject: Re: Network Technical Question - Blocking Broadcasts from Reaching a Computer
From: pokerpro-ga on 06 Jun 2003 13:46 PDT
 
As you already know, switches are Layer 2 devices and cannot break up
broadcast domains.  If you want to break up broadcast domains, I
believe a Layer 3 device, i.e. router, will be the most logical device
to utilize.  I understand that the IP addressing scheme must remain
the same, however, is it OK to change the subnet information?  I would
get a router with two fast ethernet ports.  I would connect the sole
workstation 129.9.1.90 to one interface and have the other devices
connect to the other fast ethernet interface.  The important thing to
remember here is that you would have to create an additional subnet to
make this work.  I would assign the subnet mask 255.255.255.252 for
the workstation with the IP address 129.9.1.90 and make its default
gateway 129.9.1.90.  I would then assign 129.9.1.91 255.255.255.252 to
the fast ethernet interface.  Then on the other interface, you can
assign the rest of the subnets you need.  You can use the secondary
command on the fast ethernet interface on cisco devices to add more
than one subnet.
Subject: Re: Network Technical Question - Blocking Broadcasts from Reaching a Computer
From: pokerpro-ga on 06 Jun 2003 13:47 PDT
 
CORRECTION:  I would assign the subnet mask 255.255.255.252 for
the workstation with the IP address 129.9.1.90 and make its default
gateway 129.9.1.91 <-------
Subject: Re: Network Technical Question - Blocking Broadcasts from Reaching a Computer
From: routerx-ga on 06 Jun 2003 17:33 PDT
 
I cannot change subnet mask.
Subject: Re: Network Technical Question - Blocking Broadcasts from Reaching a Computer
From: routerx-ga on 07 Jun 2003 13:44 PDT
 
I really want to thank everyone for their comments.  I think I can
create something from this information.
I'd like to close this and pay, but I'm not sure how it will work with
so many people responding.  Do I just click "close question"?
I think we're all set on my end, just want to make sure payment goes
through.
Subject: Re: Network Technical Question - Blocking Broadcasts from Reaching a Computer
From: maniac-ga on 09 Jun 2003 04:48 PDT
 
Hello Routerx,

To answer your last comment:
 - payment is automatically made when a researcher answers the
question (and I have done so). Once an answer is made, you have the
opportunity to review the answer, get further clarification, rate the
answer, and so on.
  http://answers.google.com/answers/faq.html#whenbilled
 - comments and requests for question clarification are offered at no
charge. The comments may be submitted by other registered Google
Answer users (like yourself)
 http://answers.google.com/answers/faq.html#answervscomment
Use close question only if you do not want to make a payment on a
question.
  http://answers.google.com/answers/faq.html#cancel

  --Maniac
