Is it a good idea to use DHCP for point to point connections ?

Gary Gatten Ggatten at waddell.com
Thu Oct 14 18:47:01 UTC 2010


I *think* PVLANs are an open standard; other vendors may support them.  DHCP snooping and/or ACLs can address the rogue issue.

Used Ci$co hardware is "cheap". Check out "Network Hardware Resale" or just google.  2960s support PVLANs, but only significant to each switch. If you want distributed PVLANs, 3750s would work.

Is this a "requirement" or nice to have?  With host-based firewalls and/or proper disclosure you may not need this level of isolation.  Simply having a switch is a fair amount of isolation, especially with port-level MAC security, sticky/static ARPs, etc.

I don't mind, but probably off topic for this list. 

----- Original Message -----
From: owner-freebsd-questions at freebsd.org <owner-freebsd-questions at freebsd.org>
To: freebsd-questions at freebsd.org <freebsd-questions at freebsd.org>; nathan at vidican.com <nathan at vidican.com>
Sent: Thu Oct 14 12:56:19 2010
Subject: Re: Is it a good idea to use DHCP for point to point connections ?

On 14/10/2010 16:33, Nathan Vidican wrote:
> On Thu, Oct 14, 2010 at 9:16 AM, Jerome Herman <jherman at dichotomia.fr> wrote:
>
>> On 13/10/2010 22:25, Elliot Finley wrote:
>>
>>> we did this with DSL customers.  But instead of using a unique gateway for
>>> each Client, just use IP Unnumbered and proxy arp for your loopback
>>> interface.
>>>
>> I was about to say that this solution seemed extremely sensitive to
>> spoofing. But I figured out that my solution was not necessarily better.
>> Looks like I will have to go for a hardware solution after all...
>> I am currently checking on Cisco's private vlan system. But I am not a big
>> fan of Cisco (Well, to be perfectly honest I love the hardware...). Does
>> anyone know of an alternative?
>>
>> Jerome Herman
>>
>>
>>> On Wed, Oct 13, 2010 at 9:02 AM, Jerome Herman <jherman at dichotomia.fr> wrote:
>>>
>>>> Hello,
>>>>
>>>> Given the price (and tedious management) of layer 3 switches I was
>>>> thinking about using modified DHCP to distribute addresses with a /32
>>>> netmask (255.255.255.255).
>>>>
>>>> The Idea : Create a cheap (and preferably not dirty) way to have client
>>>> isolation, without creating tons of vlan.
>>>>
>>>> Practical overview: The DHCP server will be serving IP addresses and
>>>> gateways with a /32 mask.
>>>> Client1 would receive an IP address of 241.0.0.1 with a netmask of
>>>> 255.255.255.255 and a gateway of 240.0.0.1
>>>> Client2 would receive an IP address of 241.0.0.2 with a netmask of
>>>> 255.255.255.255 and a gateway of 240.0.0.2
>>>> Client3 would receive an IP address of 241.0.0.3 with a netmask of
>>>> 255.255.255.255 and a gateway of 240.0.0.3
>>>> etc.
>>>>
>>>> Of course the gateway will have to have as many IP as there are clients
>>>> (Unless I am mistaken)
>>>>
>>>> The questions:
>>>> - Is there something similar already existing? It must not require any
>>>> configuration on the client side other than activating DHCP.
>>>> - Would this work? I do not see why it would not, though I am a little
>>>> anxious about having tens of point to point connections going to the same
>>>> physical port.
>>>> - I could not find anything forbidding it in RFC2131, but then again I
>>>> might be wrong. Am I?
>>>> - One problem remains that is solved by vlan isolation but not by DHCP
>>>> isolation: rogue DHCP servers. Any idea to crush those?
>>>>
>>>> I hope it is not inappropriate to post this on this list. But it is an
>>>> interesting problem (I think).
>>>>
>>>> Jerome Herman
>>>> _______________________________________________
>>>> freebsd-questions at freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to "
>>>> freebsd-questions-unsubscribe at freebsd.org"
>>>>
>>>
>>
>
> Around here (Ontario, Canada) - almost all DSL providers use PPPoE... just a
> thought, but might be a lot easier.
>

It is indeed a lot easier. Unfortunately it cannot be used in this case.
Basically it is a hotel that is already wired in CAT.6. We want the
clients to be able to connect through wire without resorting to routers
or DSL modems, with just DHCP set up.
The hotel is composed of 33 small residences connected with fiber. The
idea is to avoid the part where we buy 33 layer3 switches at 3000$ a piece.

  Jerome Herman

> --
> Nathan Vidican
> nathan at vidican.com

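An added example, not part of the thread, that inspects a DHCP offer for the /32 scheme Jerome proposes: it parses the option TLVs of a constructed DHCPOFFER, checks whether the offered router is on-link under the offered mask (a /32 lease leaves the gateway off-link, so the client's DHCP implementation has to install a host route to it, which is client-dependent), and compares the server identifier (option 54) against an allow-list, which is the same decision DHCP snooping makes for offers arriving on untrusted ports. The server address 10.0.0.2 and the option blob are constructed test data.

```python
"""Parse DHCP offer options and assess a /32 point-to-point lease (added example)."""
import ipaddress
import struct

OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_SERVER_ID, OPT_END = 0, 1, 3, 54, 255


def build_options(mask, router, server_id):
    """Encode mask, router and server-id as DHCP TLVs (constructed test data,
    stands in for the option area of a DHCPOFFER after the magic cookie)."""
    out = b""
    for code, addr in ((OPT_SUBNET_MASK, mask), (OPT_ROUTER, router), (OPT_SERVER_ID, server_id)):
        packed = ipaddress.IPv4Address(addr).packed
        out += struct.pack("BB", code, len(packed)) + packed
    return out + bytes([OPT_END])


def parse_options(blob):
    """Walk the TLV list into {code: raw_bytes}; PAD (0) has no length byte,
    END (255) terminates the list."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2 : i + 2 + length]
        i += 2 + length
    return opts


def assess_offer(client_ip, blob, trusted_servers):
    """Report prefix length, whether the router is reachable on-link under the
    offered mask, and whether the offering server is on the allow-list."""
    opts = parse_options(blob)
    mask = ipaddress.IPv4Address(opts[OPT_SUBNET_MASK])
    router = ipaddress.IPv4Address(opts[OPT_ROUTER])
    server = ipaddress.IPv4Address(opts[OPT_SERVER_ID])
    onlink = ipaddress.IPv4Network(f"{client_ip}/{mask}", strict=False)
    return {
        "prefixlen": onlink.prefixlen,
        "router_on_link": router in onlink,   # False for every /32 lease
        "trusted_server": str(server) in trusted_servers,
    }
```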