Q: Controlling access at the Ethernet level

Gleb Smirnoff glebius at cell.sick.ru
Sun Apr 4 12:33:05 PDT 2004


On Sun, Apr 04, 2004 at 09:22:33PM +0300, Adrian Penisoara wrote:
A>   We have thought about using static MAC entries per port on managed 
A> switches installed at the client endpoints, but that would require an 
A> overwhelming budget. We are also thinking about L2TP and PPPoE, but I 
A> am uncertain about compatibility.

PPPoE is a working solution. mpd from ports can serve PPPoE at wirespeed.
However it has some disadvantages:
- Traffic from host A to host B flows thru access concentrator.
- All hosts share bandwidth of access concentrator
- mpd in PPPoE mode does not work under CURRENT
- PPPoE gives authentication for access outside your LAN, it does not
  prevent someone plugging into a port of dumb switch and flooding your
  LAN with broadcasts, or performing any other kind of ethernet DoS.

A>   I also heard about 802.1x technology and it seems to be an interesting 
A> and professional alternative; I just don't know how well supported it is 
A> on the server side, namely FreeBSD.

Theoretically, 802.1x is the best solution. But the client side is supported only in
Windows XP, and I've been told that it has numerous weird bugs. In 802.1x
the server side is the ethernet switch itself, which authenticates clients
on a RADIUS server. So upgrading all switches in your LAN is required. The
cheapest one with 802.1x support is D-Link DES-3226, AFAIK.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
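The reply above points out that PPPoE authenticates access beyond the LAN but does nothing against a host on a dumb switch flooding the segment with broadcasts. The following is an added example, not code from the thread or from mpd, showing the kind of check a defender can run on a `tcpdump -e -tt` capture from the access-concentrator side: it parses the frame header (epoch timestamp, source MAC, destination MAC), counts broadcast frames per source in a sliding one-second window, and reports sources whose peak rate crosses a threshold. The MAC addresses, timestamps and the threshold of 10 frames per second are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Frame header as printed by `tcpdump -e -tt`: epoch timestamp, then
# "srcmac > dstmac, ..." (the rest of the line is ignored here).
FRAME_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_frame(line):
    """Return (timestamp, src_mac, dst_mac) for a tcpdump -e -tt line, else None."""
    m = FRAME_RE.match(line)
    if not m:
        return None  # banner lines, truncated output, non-ethernet lines
    return float(m.group("ts")), m.group("src").lower(), m.group("dst").lower()


def broadcast_rates(lines, window=1.0):
    """Map each source MAC to its peak number of broadcast frames in any
    `window`-second interval of the capture."""
    per_src = defaultdict(list)
    for line in lines:
        parsed = parse_frame(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        if dst == BROADCAST:
            per_src[src].append(ts)

    peaks = {}
    for src, stamps in per_src.items():
        stamps.sort()
        peak, start = 0, 0
        # Two-pointer sliding window over sorted timestamps.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        peaks[src] = peak
    return peaks


def flag_flooders(lines, threshold=10, window=1.0):
    """Source MACs whose peak broadcast rate reaches `threshold` per window."""
    rates = broadcast_rates(lines, window)
    return sorted(src for src, peak in rates.items() if peak >= threshold)


# Constructed sample capture (hypothetical MACs and timestamps): one host
# sending two ordinary ARP requests, one host sending 12 broadcasts in 0.55 s,
# plus a unicast frame and a tcpdump banner line that must be ignored.
BASE_TS = 1081106000.0
SAMPLE_LINES = ["tcpdump: listening on em0, link-type EN10MB (Ethernet)"]
for offset in (0.10, 0.90):
    SAMPLE_LINES.append(
        f"{BASE_TS + offset:.6f} 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, "
        "ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.2"
    )
for i in range(12):
    SAMPLE_LINES.append(
        f"{BASE_TS + i * 0.05:.6f} 00:0c:29:de:ad:01 > ff:ff:ff:ff:ff:ff, "
        "ethertype ARP (0x0806), length 42: Request who-has 10.0.0.3 tell 10.0.0.9"
    )
SAMPLE_LINES.append(
    f"{BASE_TS + 0.30:.6f} 00:0c:29:de:ad:01 > 00:0c:29:aa:bb:01, "
    "ethertype IPv4 (0x0800), length 98: 10.0.0.9 > 10.0.0.2: ICMP echo request"
)

if __name__ == "__main__":
    for src, peak in sorted(broadcast_rates(SAMPLE_LINES).items()):
        print(f"{src}: peak {peak} broadcasts/s")
    print("flagged:", flag_flooders(SAMPLE_LINES))
```

In practice the lines would come from `tcpdump -e -tt -n -i em0 ether broadcast` piped into the script, and the threshold tuned to what the segment normally carries; the point is that this visibility exists only on the concentrator's own segment, which is why the reply recommends port-level control (802.1x on the switches) for anything stronger.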


More information about the freebsd-isp mailing list