<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Rune Kock wrote:
<blockquote
cite="mid:fa8654f10808221432h1f5de47ck61f780a2f32b75e7@mail.gmail.com"
type="cite">
<blockquote type="cite">
<pre wrap="">If you have the luxury of a level2 switch and
1-client per port, you could probably deny DHCPOFFER from any ports other
than your own DHCP (don't quote me on the actual DHCP message, just block
serve responses is the idea). Even if you have more than 1 client/port you
should enable such filtering to at least isolate the propagation of invalid
addresses.
</pre>
</blockquote>
<pre wrap=""><!---->So these switches have a kind of firewall on each port? I've never
used a really high-end switch, so I don't know what it can do. But
this would surely solve the problem. But if we are talking thousands
of dollars, it's probably too expensive.
</pre>
</blockquote>
I think he may mean a layer 3/4 switch (which is a bit like a
multi-port mutant router). A layer 2 switch just switches raw network
packets, doesn't look beyond the MAC address. It wouldn't know the
difference between a DHCP packet and any other kind, whereas a layer
3/4 switch would.<br>
<br>
<a href="http://en.wikipedia.org/wiki/LAN_switching">http://en.wikipedia.org/wiki/LAN_switching</a><br>
<br>
Yes, layer 3/4 switches are more exotic and expensive. If an
'enterprise grade' layer 2 switch with real SNMP support would be too
expensive, a layer 3/4 switch will only be more so.<br>
<br>
Here's a pretty twisted idea: Install OpenWRT on a cheap SOHO-class
router, and put one or more at key points in your network. The hardware
in those cheap routers usually includes at least a five port switch
(often the WAN port is just another port on the same switch with its
own VLAN tag). The processor has full access to control the switch
hardware. It can passively listen for rogue DHCP traffic, and if it
appears, shut down that port and notify the admin of the rogue MAC
address.<br>
<br>
Would require some hardcore software development to pull it off,
though. Sounds like fun, though I don't have the spare time at the
moment.<br>
<br>
-- Paul<br>
<br>
<snip><br>
<br>
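The passive rogue-DHCP detection Paul sketches above (listen for server replies, flag the ones that did not come from your own DHCP server), as an added example that is not code from this thread: a small Python parser for BOOTP/DHCP payloads that flags a DHCPOFFER or DHCPACK whose server identifier (option 54) is not on an allowlist. The allowlist address, the MAC addresses and the packets are constructed sample data; shutting a switch port or notifying the admin is left to whatever the OpenWRT box would do with the result.<br>
<br>
```python
from ipaddress import IPv4Address
# Assumption: the site's one legitimate DHCP server (constructed sample address).
AUTHORIZED_DHCP_SERVERS = {"192.0.2.1"}
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that starts the options field
BOOTREPLY = 2                      # BOOTP 'op' value used by every server-originated message
DHCPOFFER, DHCPACK = 2, 5          # option 53 message types a rogue server would send

def parse_dhcp(payload: bytes):
    """Parse a BOOTP/DHCP UDP payload into (op, yiaddr, {option code: raw value})."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, yiaddr = payload[0], str(IPv4Address(payload[16:20]))
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                               # pad byte, no length field
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):    # end marker or truncated option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return op, yiaddr, options

def is_rogue_server_reply(payload: bytes, src_mac: str):
    """Return (is_rogue, reason). Client traffic is ignored; only OFFER/ACK replies
    whose server identifier (option 54) is not on the allowlist are flagged."""
    op, yiaddr, opts = parse_dhcp(payload)
    if op != BOOTREPLY:
        return False, "client message"
    msg_type = opts.get(53, b"\x00")[0]
    if msg_type not in (DHCPOFFER, DHCPACK):
        return False, "server message that does not hand out an address"
    sid = opts.get(54)
    server = str(IPv4Address(sid)) if sid and len(sid) == 4 else None
    if server in AUTHORIZED_DHCP_SERVERS:
        return False, f"authorised server {server}"
    kind = "OFFER" if msg_type == DHCPOFFER else "ACK"
    return True, f"rogue DHCP{kind} from {src_mac}: server id {server}, handing out {yiaddr}"

def build_offer(server_ip: str, offered_ip: str, op: int = BOOTREPLY) -> bytes:
    """Build a minimal DHCPOFFER payload as constructed test input (not a real capture)."""
    header = bytearray(240)
    header[0] = op
    header[16:20] = IPv4Address(offered_ip).packed
    header[236:240] = DHCP_MAGIC
    opts = bytes([53, 1, DHCPOFFER, 54, 4]) + IPv4Address(server_ip).packed + b"\xff"
    return bytes(header) + opts
```
<br>
On a real box the payload would come from a UDP socket bound to port 68 or a packet capture on the LAN-side interface, and the source MAC from the frame header.<br>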
</body>
</html>