What equipment do real ISPs use?

Solution 1

What you want to consider as well is Private VLAN. You put all your users in a single "normal" VLAN but only allow them to speak between specific ports.

Basically, you emulate point-to-point between gateway and PC. Much simpler than any other solution mentioned here.

Solution 2

Most traditional ISPs use links that are inherently point-to-point (dial/T1/DS3/ATM); the current trend is an ethernet handoff to a router at the customer's location using static routes and a /30 subnet as an interconnect. For an MTU application like yours, you could do VLAN-per-customer using just about any VLAN-capable switch, although there are issues scaling that past 4000 users (you need to split into multiple VLAN universes across multiple routers, or do Q-in-Q). This is the only standards-compliant solution which addresses both of your issues.

Some switches also support client isolation (private vlan/general mode), although this by itself just prevents the offender's immediate neighbors from noticing a problem -- the typical application protects from edge ports transmitting to ports that aren't the switch's uplink. Conflicts may still be possible between edge ports on different switches with a trunk port between them.

Fancier switches support DHCP snooping/filtering (and the IPv6 variant, ra-guard) as well as some IP spoofing protections, which can get most of the benefit of VLAN isolation without the use of extra IP space, but they frequently have vendor-specific quirks.
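To make the VLAN-per-customer and Q-in-Q point concrete, here is an added example (not code from the thread or from any vendor) that parses single 802.1Q tags and stacked 802.1ad/802.1Q tags out of a raw Ethernet frame and derives a per-customer key from them. A single C-TAG gives at most 4094 usable VIDs; with an outer S-TAG the key becomes an (S-VID, C-VID) pair, which is how the answer's "more than 4000 users" scaling works. The frames are constructed test vectors; the MAC addresses and VID numbers are made up.

```python
"""Parse 802.1Q / Q-in-Q (802.1ad) VLAN tags and map a frame to a customer key.

Added example, not from the original thread. All frames built here are
constructed test vectors with invented MAC addresses and VIDs.
"""
import struct

ETHERTYPE_8021Q = 0x8100    # customer tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8   # service/provider tag (S-TAG), IEEE 802.1ad
ETHERTYPE_IPV4 = 0x0800
TAG_ETHERTYPES = (ETHERTYPE_8021Q, ETHERTYPE_8021AD)
MAX_VID = 4094              # VID 0 is a priority-only tag, 4095 is reserved


def parse_vlan_tags(frame: bytes):
    """Return (tags, ethertype, payload_offset).

    tags is a list of dicts {tpid, pcp, dei, vid}, outermost tag first;
    ethertype is the first non-tag EtherType after the tag stack.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12  # skip destination and source MAC
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TAG_ETHERTYPES:
            return tags, ethertype, offset
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)  # Tag Control Information
        offset += 2
        tags.append({
            "tpid": ethertype,
            "pcp": tci >> 13,          # 3-bit priority
            "dei": (tci >> 12) & 1,    # drop eligible indicator
            "vid": tci & 0x0FFF,       # 12-bit VLAN id
        })


def customer_key(frame: bytes):
    """Identify the customer a frame belongs to.

    Untagged -> None; single tag -> VID; stacked tags -> (outer VID, inner VID),
    which is what lets Q-in-Q address far more than 4094 customers.
    """
    tags, _, _ = parse_vlan_tags(frame)
    vids = tuple(t["vid"] for t in tags)
    if not vids:
        return None
    return vids if len(vids) > 1 else vids[0]


def build_frame(vids, ethertype=ETHERTYPE_IPV4, payload=b"\x00" * 46):
    """Constructed helper: build a frame tagged with `vids`, outermost first.

    When more than one VID is given the outer tag uses the 802.1ad TPID, as a
    provider edge switch would when pushing an S-TAG onto a customer frame.
    """
    dst = bytes.fromhex("001122334455")  # invented addresses
    src = bytes.fromhex("66778899aabb")
    header = dst + src
    for i, vid in enumerate(vids):
        if not 1 <= vid <= MAX_VID:
            raise ValueError(f"VID {vid} outside 1..{MAX_VID}")
        tpid = ETHERTYPE_8021AD if (len(vids) > 1 and i == 0) else ETHERTYPE_8021Q
        header += struct.pack("!HH", tpid, vid)  # PCP=0, DEI=0
    return header + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    for vids in ([], [301], [11, 301]):
        print(vids, "->", customer_key(build_frame(vids)))
```

The provider-side switch only ever needs to look at the outer S-TAG to decide which router or "VLAN universe" a frame belongs to, while the inner C-TAG still identifies the individual user; a frame with a VID of 0 or 4095 is rejected by the builder because neither is a valid customer VLAN.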

Solution 3

If you're budget constrained (you said "Cheap 3Com Switches"), what about throwing a Linux machine in the mix and putting up PPPoE yourself?

Solution 4

It sounds like you want VLANs. This will allow you to segregate the network and filter broadcasts (e.g. DHCP broadcasts). VLANs can only communicate with each other unless a Layer 3 device is involved; thus, if Dorm 301 plugs in a DHCP server only the VLAN Dorm 301 is on gets hosed and other VLANs are unaffected.

Solution 5

Stick with the dhcp snooping and incorporate dynamic arp inspection and ip source guard. If any other host tries to send a packet with a source address of the gateway or tries to reply to an arp request asking for the gateway's mac address, the switch will drop the packets.
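The answer above describes three switch features working together: DHCP snooping learns a (port, MAC, IP) binding from the DHCP exchange and blocks server messages on untrusted ports, Dynamic ARP Inspection drops ARP packets whose sender fields do not match that binding, and IP Source Guard drops IP packets whose source address does not match it. The following added example (not code from the thread or from any switch vendor) models that decision logic in Python so the two failure modes from the question, a rogue DHCP server and a PC statically set to the gateway's IP, can be seen being dropped. Port names, MAC addresses and IP addresses are constructed; packets are plain dicts rather than real frames.

```python
"""Model of DHCP snooping + Dynamic ARP Inspection + IP Source Guard.

Added example, not from the original thread. Ports, MACs, IPs and packets
are constructed; a real switch applies the same checks to real frames.
"""
from dataclasses import dataclass, field


@dataclass
class AccessSwitch:
    trusted_ports: set                              # uplinks toward the real DHCP server/gateway
    pending: dict = field(default_factory=dict)     # client MAC -> access port (from DISCOVER/REQUEST)
    bindings: dict = field(default_factory=dict)    # (port, MAC) -> leased IP (the snooping table)
    dropped: list = field(default_factory=list)     # (port, reason) log for operators

    def _drop(self, pkt, reason):
        self.dropped.append((pkt["in_port"], reason))
        return "drop"

    def handle(self, pkt):
        port, kind = pkt["in_port"], pkt["type"]
        trusted = port in self.trusted_ports

        # DHCP snooping: server messages are only accepted from trusted ports,
        # and a DHCPACK seen there populates the binding table.
        if kind in ("dhcp_offer", "dhcp_ack"):
            if not trusted:
                return self._drop(pkt, "DHCP snooping: server message on untrusted port")
            if kind == "dhcp_ack" and pkt["chaddr"] in self.pending:
                self.bindings[(self.pending[pkt["chaddr"]], pkt["chaddr"])] = pkt["yiaddr"]
            return "forward"
        if kind in ("dhcp_discover", "dhcp_request"):
            if not trusted:
                if pkt["src_mac"] != pkt["chaddr"]:
                    return self._drop(pkt, "DHCP snooping: chaddr differs from source MAC")
                self.pending[pkt["chaddr"]] = port  # remember which port asked
            return "forward"

        if trusted:
            return "forward"  # DAI and IPSG only inspect untrusted (access) ports

        bound_ip = self.bindings.get((port, pkt["src_mac"]))
        if kind == "arp":  # Dynamic ARP Inspection, applied to requests and replies alike
            if (bound_ip is None or pkt["sender_ip"] != bound_ip
                    or pkt["sender_mac"] != pkt["src_mac"]):
                return self._drop(pkt, "DAI: ARP sender does not match snooping binding")
            return "forward"
        if kind == "ip":   # IP Source Guard
            if bound_ip is None or pkt["src_ip"] != bound_ip:
                return self._drop(pkt, "IPSG: source IP does not match snooping binding")
            return "forward"
        return "forward"


def simulate():
    """Constructed scenario: one well-behaved client, one neighbour misusing the gateway IP."""
    sw = AccessSwitch(trusted_ports={"uplink"})
    A, B, GW_MAC, GW = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03", "10.0.0.1"
    results = {}
    # Client A obtains a lease normally; the switch learns (fa0/1, A) -> 10.0.0.50
    sw.handle({"in_port": "fa0/1", "type": "dhcp_discover", "src_mac": A, "chaddr": A})
    sw.handle({"in_port": "uplink", "type": "dhcp_ack", "chaddr": A, "yiaddr": "10.0.0.50"})
    results["a_arp"] = sw.handle({"in_port": "fa0/1", "type": "arp", "src_mac": A,
                                  "sender_mac": A, "sender_ip": "10.0.0.50"})
    results["a_ip"] = sw.handle({"in_port": "fa0/1", "type": "ip", "src_mac": A, "src_ip": "10.0.0.50"})
    # Client B statically configured as 10.0.0.1: answers ARP for the gateway and sends as it
    results["b_arp_gw"] = sw.handle({"in_port": "fa0/2", "type": "arp", "src_mac": B,
                                     "sender_mac": B, "sender_ip": GW})
    results["b_ip_gw"] = sw.handle({"in_port": "fa0/2", "type": "ip", "src_mac": B, "src_ip": GW})
    # Client B also plugs in a home router whose DHCP server starts offering leases
    results["b_rogue_offer"] = sw.handle({"in_port": "fa0/2", "type": "dhcp_offer", "src_mac": B})
    # The real gateway on the trusted uplink is never inspected
    results["gw_arp"] = sw.handle({"in_port": "uplink", "type": "arp", "src_mac": GW_MAC,
                                   "sender_mac": GW_MAC, "sender_ip": GW})
    return results, sw


if __name__ == "__main__":
    res, sw = simulate()
    for name, verdict in res.items():
        print(f"{name:14s} {verdict}")
    print("bindings:", sw.bindings)
    print("dropped:", sw.dropped)
```

The `dropped` log is the part worth wiring to monitoring: each entry names the access port that misbehaved, which is exactly the information needed to find the resident who plugged in a router the wrong way round. Note that the checks are keyed on the port as well as the MAC, so a binding learned on one port does not let the same MAC send from another.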


Author: Allanrbo

Updated on September 17, 2022

Comments

  • Allanrbo
    Allanrbo over 1 year

    In a dormitory of 550 residents, people often mistakenly set up DHCP servers for the whole network by plugging in their private Wi-Fi routers wrongly. Also recently, someone mistakenly configured their PC to a static IP address being the same as that of the default gateway. We use cheap 3Com switches at the moment.

    I know that more advanced switches support DHCP snooping to solve the DHCP problem, but that still does not solve the default gateway IP address takeover problem.

    What sort of switch equipment do real ISPs use so their customers cannot break the network for the other customers?

    Edit: What we ended up doing

    In case anyone is curious, we ended up doing separate VLANs for each user. And as a matter of fact, not just the 550 users, but for 2500 users (11 dorms). Here's a page describing the setup:

    http://k-net.dk/technicalsetup/ (the section "Transparent firewall using VLANs").

    There was no significant load on the router server, as I feared in one of the comments below. Even at 800Mbps.

  • McJeff
    McJeff about 14 years
    ~550 VLANS? Isn't that a lot of tagging for his configuration?
  • Allanrbo
    Allanrbo about 14 years
    I have considered VLANs. This would mean a lot of tagging yes, and would mean a pretty heavy load on a server which would be configured with 550 virtual interfaces (using 802.1q). Is that normal? Would the server be able to handle the ~ 90 mbits of internet traffic generated at peak hours?
  • Allanrbo
    Allanrbo about 14 years
    That is an OK idea. Though PPPoE would be more complicated for the users to set up... Would a single modern server running Linux be able to handle around 90 megabits of internet traffic at peak hours?
  • Allanrbo
    Allanrbo about 14 years
    I don't think I can just filter away all broadcast traffic. DHCP and ARP requests (not DHCP offers of course) should still be allowed - so I guess some sort of layer 3 analysis is needed? Our managed switches only have a "broadcast storm" property, which limits bandwidth of all broadcast traffic on a port - not very handy I think.
  • DevGambit
    DevGambit about 14 years
    90mbps would be easily handled, yes
  • smoak
    smoak about 14 years
    @McJeff You don't have to VLAN out all dorms, you could just make 10 VLANs, dorms 1 to 100, 101 to 200, etc. or how many you feel you need.
  • Philip
    Philip about 14 years
    A modern commodity hardware PC can saturate a gigabit connection, a purpose built server can do several.
  • McJeff
    McJeff about 14 years
    Sure, a bit harder, but no more difficult than configuring a DSL connection.
  • pQd
    pQd about 14 years
    meh. pppoe? come on, why would you want to make such a bottleneck.
  • Allanrbo
    Allanrbo about 14 years
    I looked up private VLAN on wikipedia - it looks very much like what we need yes! Do you know whether it is Cisco specific? I cannot seem to find anything about it in our 3com switch configs.
  • Antoine Benkemoun
    Antoine Benkemoun about 14 years
    If your 3COM switches are cheap, then no. It's not a Cisco specific feature. I just know Cisco switches have them.
  • Allanrbo
    Allanrbo almost 12 years
    In case anyone is curious, we ended up doing separate VLANs for each user. And as a matter of fact, not just the 550 users, but for 2500 users (11 dorms). Here's a page describing the setup: k-net.dk/technicalsetup (the section "Transparent firewall using VLANs"). There was no significant load on the router server as I feared above.
  • TomTom
    TomTom almost 12 years
    VLAN is standard for any switch with baseline management - only very primitive ones simply are "switches" without administration.
  • MDMarra
    MDMarra almost 12 years
    @Allanrbo There are no network classes any more!