Link Layer Filtering not supported on popular equipment?

Michael Loftis mloftis at wgops.com
Thu Mar 27 16:42:12 UTC 2014


On Wed, Mar 26, 2014 at 9:08 AM, hasser css <hasservalve at gmail.com> wrote:
> Is there any common equipment that doesn't support this kind of filtering?
> I have no access to the switches where I work (I am just a CS agent at a
> smaller service provider), but my boss tells me that they do not support
> doing this... however, I do not believe this at all. I think that all the
> switches are all from Dell. Issues are happening as some customers
> accidentally have rogue DHCP servers running from their routers being
> connected improperly, and his only solution to this issue is to disable the
> switch port instead of simply preemptively filtering out this.
>
> Any insight? Regards.

The supported options vary within the PowerConnect product line.  So
it depends entirely on WHAT exact switch.  Some do support DHCP
snooping like that, some don't.  Even with it on it can create its
own problems, on the 6248 f/ex this causes the DHCP replies from
trusted ports to always get copied to the CPU so it can inspect them
and create its VLAN+MAC+IP bindings databases.  All untrusted port
DHCP traffic gets punted to CPU.  The gist is that this can open up a
potential DoS attack on the switch, or, even without that, the DHCP
traffic might be too high for the switch to manage.

Similar issues with ACLs.  There are some options in Cisco (not
certain if any of Dell's products have this) that basically keep ports
from talking to each other, but allow them to talk to the upstream port
(usually a router that can then enforce deeper ACLs and such).

All of these additional protection/security methods can have their
drawbacks for any particular environment, assuming the hardware even
supports them.

-- 

"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
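The DHCP snooping behaviour described above (trusted vs. untrusted ports, server replies only accepted from trusted ports, a VLAN+MAC+IP binding table built from acknowledged leases, and every DHCP frame punted to the CPU for inspection) as a simplified model in Python. This is an added example, not code from the thread or from any Dell or Cisco implementation; the frame fields, port names and message handling are assumptions chosen to illustrate the mechanism, not a vendor's actual logic.

```python
from dataclasses import dataclass, field

# Message types only a DHCP server sends; seeing one arrive on an
# untrusted (customer-facing) port is the "rogue DHCP server" case.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


@dataclass
class DhcpFrame:
    """Constructed, pre-parsed DHCP frame (assumed field names)."""
    port: str        # ingress switch port, e.g. "gi1/0/1"
    vlan: int
    src_mac: str     # Ethernet source address
    msg: str         # DHCP message type (option 53) as a name
    chaddr: str      # client hardware address inside the DHCP payload
    yiaddr: str = "" # address assigned by the server (in OFFER/ACK)


@dataclass
class SnoopingSwitch:
    trusted: set                       # ports facing the real DHCP server / uplink
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> ip
    cpu_punts: int = 0                 # how many DHCP frames the CPU had to inspect

    def handle(self, f: DhcpFrame) -> str:
        """Return 'forward' or 'drop' for one DHCP frame."""
        # Every DHCP frame, trusted or not, is copied to the CPU so it can be
        # inspected; this is the load / DoS exposure the thread mentions.
        self.cpu_punts += 1
        if f.port in self.trusted:
            if f.msg == "ACK":
                # Learn the lease so later checks (e.g. IP source guard) can use it.
                self.bindings[(f.vlan, f.chaddr)] = f.yiaddr
            return "forward"
        if f.msg in SERVER_MSGS:
            return "drop"              # server reply from an untrusted port: rogue
        if f.msg in CLIENT_MSGS:
            # Client frames whose L2 source does not match chaddr are spoofed.
            return "forward" if f.src_mac == f.chaddr else "drop"
        return "drop"                  # unknown message type


def demo() -> tuple:
    """Run a constructed exchange: a real lease, then a rogue OFFER from a customer port."""
    sw = SnoopingSwitch(trusted={"uplink"})
    client = "00:11:22:33:44:55"
    results = [
        sw.handle(DhcpFrame("gi1/0/7", 10, client, "DISCOVER", client)),
        sw.handle(DhcpFrame("uplink", 10, "00:aa:bb:cc:dd:ee", "OFFER", client, "10.0.0.50")),
        sw.handle(DhcpFrame("uplink", 10, "00:aa:bb:cc:dd:ee", "ACK", client, "10.0.0.50")),
        sw.handle(DhcpFrame("gi1/0/9", 10, "00:de:ad:be:ef:01", "OFFER", client, "192.168.1.2")),
    ]
    return results, dict(sw.bindings), sw.cpu_punts
```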
