[Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan

richardvoigt at gmail.com
Tue Aug 26 17:59:46 BST 2008


On Tue, Aug 26, 2008 at 3:00 AM, Rune Kock <rune.kock at gmail.com> wrote:
> Hi Jima
>
> On Mon, Aug 25, 2008 at 16:38, Jima <jima at beer.tclug.org> wrote:
>>  Out of curiosity, around how many nodes does your network have?
>
> About 50.
>
>> Is the
>> network core centralized (i.e., mostly one big switch) or decentralized
>> (mish-mash of smaller switches)?
>
> Unfortunately, mish-mash describes it rather well.  Still, there are
> of course a few switches that are particularly important.
>
>> Also, what speed is the majority of the
>> network (10, 10/100, gigabit)?
>
> Everything is 100 Mbit currently.
>
>>  I have a vague idea relating to a VLAN-capable switch married to a Linux
>> router, but it may or may not be terribly feasible depending on the network
>> topology and capacity. :-)

I've got a setup like that, which enables per-port packet filtering.
Of course, in our wireless environment you can't actually get
per-client filtering that way, unless the access point does the
filtering.  Still, it can limit the damage of a rogue DHCP server to a
single VLAN while you track the user down and revoke their access
(actively interfering with the service is grounds to cut off access,
at least temporarily, under most agreements).

Essentially:

Split the switch ports into VLANs.
Attach the linux b-router to a "trunk port", defined as being a member
of all VLANs with 802.1q tagging enabled.
Use brctl to bridge all the ethx.n vlan virtual interfaces.
Configure iptables/ebtables/arptables.

The b-router also becomes a good place for NAT, IDS, bandwidth
throttling and QoS, and/or load balancing upstream links.

>
> Paul and Eric have brought forth some interesting ideas about advanced
> switches, too.  It seems a promising line to pursue (and one that I
> hadn't thought about previously).
>
> I would very much like to hear your ideas as well.  And even if they
> won't fit my lan, they may be of value to others on the list.  I doubt
> I'm the only one with this problem.
>
>
> Rune
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>

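The VLAN/trunk/bridge/ebtables setup Richard sketches above, written out as a script. This is an added example, not code from the thread or from dnsmasq. Everything concrete in it is an assumption for illustration: the trunk NIC is eth0, the VLAN IDs are 10, 20 and 30, and the legitimate dnsmasq host sits on VLAN 10 with MAC 00:11:22:33:44:55. The script only prints its plan unless DRY_RUN=0, in which case it must run as root on the b-router.

```shell
#!/bin/sh
# Added example (not from the original post or dnsmasq): a Linux "b-router" on
# an 802.1q trunk port that bridges the per-VLAN sub-interfaces and uses
# ebtables so that DHCP server replies crossing the bridge are accepted only
# from the one legitimate dnsmasq host.
# Assumed/hypothetical values: trunk NIC eth0, VLANs 10 20 30, dnsmasq on
# VLAN 10 with MAC 00:11:22:33:44:55. DRY_RUN=1 (the default) only prints.
set -eu

TRUNK="${TRUNK:-eth0}"
BRIDGE="${BRIDGE:-br0}"
VLANS="${VLANS:-10 20 30}"
DHCP_VLAN="${DHCP_VLAN:-10}"
DHCP_MAC="${DHCP_MAC:-00:11:22:33:44:55}"
DRY_RUN="${DRY_RUN:-1}"

# run: echo the command, and execute it only when DRY_RUN=0.
run() {
    echo "+ $*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# vlan_iface TRUNK ID -> the 802.1q sub-interface name, e.g. eth0.10
vlan_iface() {
    echo "$1.$2"
}

# setup_bridge: create one VLAN sub-interface per VLAN on the trunk and put
# them all in one bridge with brctl, as the post describes ('ip link set DEV
# master BR' is the modern equivalent of 'brctl addif').
setup_bridge() {
    run ip link set "$TRUNK" up
    run brctl addbr "$BRIDGE"
    for id in $VLANS; do
        vif=$(vlan_iface "$TRUNK" "$id")
        run ip link add link "$TRUNK" name "$vif" type vlan id "$id"
        run ip link set "$vif" up
        run brctl addif "$BRIDGE" "$vif"
    done
    run ip link set "$BRIDGE" up
}

# dhcp_filter_rules: print the ebtables rules, one per line.
# DHCP server replies (OFFER/ACK/NAK) are UDP with source port 67. Frames
# bridged between VLANs traverse the ebtables FORWARD chain, so a reply is
# allowed through only if it arrived on the server's VLAN interface from the
# server's MAC; any other port-67 source is logged and dropped. Client
# DISCOVER/REQUEST frames (source port 68) are not touched.
dhcp_filter_rules() {
    srv_if=$(vlan_iface "$TRUNK" "$DHCP_VLAN")
    echo "ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-sport 67 -s $DHCP_MAC -i $srv_if -j ACCEPT"
    echo "ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-sport 67 --log --log-prefix rogue-dhcp: -j DROP"
}

# apply_rules: feed each rule line through run (word splitting is intended;
# every rule is a flat argv with no quoted arguments).
apply_rules() {
    dhcp_filter_rules | while read -r rule; do
        run $rule
    done
}

setup_bridge
apply_rules
```

Two caveats a practitioner should keep in mind. First, the switch forwards frames between two ports in the same VLAN without involving the b-router, so these rules cannot stop a rogue server from answering clients on its own VLAN; they do what the post says, which is to keep the damage inside that VLAN, and the "rogue-dhcp:" log lines tell you which VLAN interface to go looking on. Second, the ACCEPT rule pins the legitimate server to both a MAC and an ingress interface, so moving the dnsmasq host to another port silently breaks DHCP across VLANs until DHCP_VLAN is updated.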