Is there any common equipment that doesn't support this kind of filtering?
I have no access to the switches where I work (I am just a CS agent at a
smaller service provider), but my boss tells me that they do not support
doing this... however, I do not believe this at all. I think that all the
switches are from Dell. Issues are happening as some customers
accidentally have rogue DHCP servers running from their routers being
connected improperly, and his only solution to this issue is to disable the
switch port instead of simply preemptively filtering this out.
Any insight? Regards.
I don't know about Dell switches, but Cisco switches have DHCP Snooping, IP Source Guard, PACLs, VACLs, and so forth at layer-2.
The supported options vary within the PowerConnect product line. So
it depends entirely on WHAT exact switch. Some do support DHCP
snooping like that, some don't. Even with it on it can create its
own problems; on the 6248, for example, this causes the DHCP replies from
trusted ports to always get copied to the CPU so it can inspect them
and create its VLAN+MAC+IP bindings databases. All untrusted port
DHCP traffic gets punted to the CPU. The gist is that this can open up a
potential DoS attack on the switch, or, even without that, the DHCP
traffic might be too high for the switch to manage.
Similar issues with ACLs. There are some options in Cisco (not
certain if any of Dell's products have this) that basically keep ports
from talking to each other, but allow them to talk to the upstream port
(usually a router that can then enforce deeper ACLs and such).
All of these additional protection/security methods can have their
drawbacks for any particular environment, assuming the hardware even
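The trusted/untrusted port behaviour described in the answer above, modelled in an added example (this is not code from the thread or from any Dell or Cisco product): a small DHCP snooping simulator that decodes a minimal BOOTP/DHCP payload, drops server-originated messages (OFFER/ACK/NAK) arriving on ports not marked trusted, and learns a VLAN+MAC+IP binding from ACKs that come in on the trusted uplink. Port names, VLAN number, MAC and IP addresses are constructed sample values, and the packets are built in-line rather than captured.

```python
import struct
from dataclasses import dataclass, field

# DHCP message types (RFC 2132, option 53); the server-originated ones are
# exactly what DHCP snooping refuses to accept from an untrusted port.
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {DHCPOFFER, DHCPACK, DHCPNAK}
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header


def build_dhcp(op: int, xid: int, yiaddr: str, chaddr: bytes, msg_type: int) -> bytes:
    """Constructed minimal BOOTP/DHCP payload (sample data, not a real capture)."""
    hdr = struct.pack(BOOTP_HDR, op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, bytes(int(o) for o in yiaddr.split(".")),
                      b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_dhcp(payload: bytes) -> dict:
    """Decode only what the snooping logic needs: xid, client MAC, offered IP, message type."""
    fields = struct.unpack(BOOTP_HDR, payload[:236])
    hlen, xid, yiaddr, chaddr = fields[2], fields[4], fields[8], fields[11]
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return {"xid": xid, "mac": chaddr[:hlen].hex(":"),
            "ip": ".".join(str(b) for b in yiaddr), "type": msg_type}


@dataclass
class DhcpSnooper:
    """Per-VLAN DHCP snooping: drop server replies on untrusted ports, learn bindings from ACKs."""
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> ip, like the switch's binding table
    events: list = field(default_factory=list)

    def process(self, port: str, vlan: int, payload: bytes) -> str:
        msg = parse_dhcp(payload)
        if msg["type"] in SERVER_MESSAGES and port not in self.trusted_ports:
            # A rogue server behind a customer router is caught exactly here.
            self.events.append(f"DROP rogue DHCP type {msg['type']} on {port} vlan {vlan}")
            return "drop"
        if msg["type"] == DHCPACK:
            self.bindings[(vlan, msg["mac"])] = msg["ip"]
        return "forward"


def demo() -> dict:
    # Hypothetical topology: Gi1/0/48 is the uplink to the real DHCP server,
    # Gi1/0/7 is a customer client, Gi1/0/12 is a customer whose router answers DHCP.
    snoop = DhcpSnooper(trusted_ports={"Gi1/0/48"})
    client_mac = bytes.fromhex("001122334455")
    results = {
        "discover": snoop.process("Gi1/0/7", 100,
                                  build_dhcp(1, 0x1234, "0.0.0.0", client_mac, DHCPDISCOVER)),
        "rogue_offer": snoop.process("Gi1/0/12", 100,
                                     build_dhcp(2, 0x1234, "192.168.1.50", client_mac, DHCPOFFER)),
        "real_ack": snoop.process("Gi1/0/48", 100,
                                  build_dhcp(2, 0x1234, "10.0.100.23", client_mac, DHCPACK)),
    }
    results["bindings"] = dict(snoop.bindings)
    results["events"] = list(snoop.events)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design mirrors the answer's description: only the server-to-client direction is policed, so client DISCOVER/REQUEST traffic from untrusted ports still flows, and the binding table is populated from ACKs seen on the trusted uplink, which is the table IP Source Guard and dynamic ARP inspection would later consult. It also shows why the answer's CPU-load caveat exists: every message has to be decoded before the forwarding decision is made.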
Those would be private VLANs in classic solutions, and
split horizon bridge domains on carrier Ethernet platforms.
I find the latter simpler and more elegant, but limited to