[cisco-bba] DSL DHCP Broadband Aggregation Security Question

Erich Hohermuth eh at solnet.ch
Thu Sep 6 05:18:47 EDT 2007


Dear List,

We plan to make a broadband installation based on DSL bridging with DHCP
and option 82.
Now there are some open questions about the security issues, as we would
like to implement one VLAN per service and a shared IP pool.

To prevent the clients from communicating directly with other customers we
set "switchport protected" and implement one VLAN per service up to the RBE
to protect against ARP spoofing.

RBE config example:

 ! shared residential pool, owned by the loopback so every service
 ! sub-interface can borrow it with "ip unnumbered"
 interface loopback 1
  description Residential Pool
  ip address 10.0.0.1 255.255.0.0
 !
 ! one sub-interface per service VLAN; local-proxy-arp makes the RBE
 ! answer ARP for hosts in the same pool, the helper relays DHCP
 interface gigabit 2/0.10
  encapsulation dot1Q 10
  ip unnumbered loopback 1
  ip local-proxy-arp
  ip helper-address <dhcp unicast address>
 !
 interface gigabit 2/0.11
  encapsulation dot1Q 11
  ip unnumbered loopback 1
  ip local-proxy-arp
  ip helper-address <dhcp unicast address>

Now, the problem is address spoofing and the DHCP dynamic/static issue.
For cable providers there exists a feature called "cable verify source
dhcp" which checks the option 82 field on each DHCP request.
Unfortunately this feature only exists in a uBR release.

Has anyone solved this problem for an ETTX or DSL broadband solution, or
should we change the whole design?

Regards
	Erich

-- 
* Erich Hohermuth IP Engineer - SolNet (AS 9044) PGPKEY-46A08FCB *
   * phone: +41 32 517 6220 / sip:9044*463 at inoc-dba.pch.net *
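The check Erich is asking for, as an added example that is not part of his post and is not a Cisco feature: a Python model of "verify source" built on option 82. It parses the Relay Agent Information option (RFC 3046) that the RBE appends to relayed DHCP messages, learns a port-to-lease binding from each DHCPACK, and then answers the two questions the post raises: whether a relayed DHCPREQUEST may ask for an address leased on another customer's circuit, and whether a frame with a given source IP and MAC is allowed on a given circuit at all (a statically configured or spoofed address has no binding and is refused). The circuit IDs, MAC addresses, pool addresses and the `relayed_request` builder are constructed sample data.

```python
"""Option 82 source check, modelled on the uBR 'cable verify source dhcp' idea.
Added example with constructed data; not code from the original post.
Relay sub-option 1 = Agent Circuit ID (the customer port), 2 = Agent Remote ID."""
from dataclasses import dataclass
from typing import Dict, Optional

OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 50, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
DHCPREQUEST = 3

def tlv(code: int, value: bytes) -> bytes:
    """Encode one type-length-value option (used to build the sample packets)."""
    return bytes([code, len(value)]) + value

def parse_tlv(data: bytes, top_level: bool) -> Dict[int, bytes]:
    """Parse a TLV run. Only the top-level option area has pad (0) and end (255)
    codes; the option 82 payload is a plain TLV list (RFC 3046, section 2.0)."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_END:
            break
        if top_level and code == 0:
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out

def circuit_id(options: bytes) -> Optional[bytes]:
    """Agent Circuit ID from option 82, or None if no relay agent inserted one."""
    relay = parse_tlv(options, top_level=True).get(OPT_RELAY_AGENT)
    return None if relay is None else parse_tlv(relay, top_level=False).get(SUB_CIRCUIT_ID)

@dataclass(frozen=True)
class Binding:
    circuit: bytes  # option 82 circuit ID of the port the lease was granted on
    mac: bytes      # client hardware address (chaddr)
    ip: str

class SourceVerifier:
    """Binding table learned from DHCPACKs, keyed by circuit and by address."""
    def __init__(self) -> None:
        self._by_circuit: Dict[bytes, Binding] = {}
        self._by_ip: Dict[str, Binding] = {}

    def learn_ack(self, circuit: bytes, mac: bytes, ip: str) -> None:
        """A new ACK on a circuit replaces that circuit's previous lease."""
        old = self._by_circuit.pop(circuit, None)
        if old is not None:
            self._by_ip.pop(old.ip, None)
        self._by_circuit[circuit] = self._by_ip[ip] = Binding(circuit, mac, ip)

    def verify_traffic(self, circuit: bytes, mac: bytes, ip: str) -> bool:
        """Data plane: may a frame from this MAC use this source IP on this circuit?
        A static or spoofed address has no matching lease and is refused."""
        b = self._by_circuit.get(circuit)
        return b is not None and b.mac == mac and b.ip == ip

    def check_request(self, options: bytes, mac: bytes) -> bool:
        """Control plane: forward this relayed DHCPREQUEST to the server?"""
        opts = parse_tlv(options, top_level=True)
        if opts.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
            return True  # only REQUESTs name a specific address
        circ = circuit_id(options)
        if circ is None:
            return False  # no option 82: did not arrive through the relay
        wanted = opts.get(OPT_REQUESTED_IP)
        if wanted is None or len(wanted) != 4:
            return True
        owner = self._by_ip.get(".".join(str(b) for b in wanted))
        # The address may be asked for only by the circuit and MAC it is leased to.
        return owner is None or (owner.circuit == circ and owner.mac == mac)

# Constructed sample data: two customers on service VLAN 10, DSLAM ports 1 and 2.
CIRCUIT_A, CIRCUIT_B = b"dslam1 eth 1/1:10", b"dslam1 eth 1/2:10"
MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")

def relayed_request(circuit: bytes, requested_ip: str) -> bytes:
    """Option area of a DHCPREQUEST after the relay appended option 82."""
    ip = bytes(int(o) for o in requested_ip.split("."))
    relay = tlv(SUB_CIRCUIT_ID, circuit) + tlv(SUB_REMOTE_ID, b"dslam1")
    return (tlv(OPT_MSG_TYPE, bytes([DHCPREQUEST])) + tlv(OPT_REQUESTED_IP, ip)
            + tlv(OPT_RELAY_AGENT, relay) + bytes([OPT_END]))

def demo() -> Dict[str, bool]:
    """True means forward/allow, False means drop."""
    v = SourceVerifier()
    v.learn_ack(CIRCUIT_A, MAC_A, "10.0.1.10")
    v.learn_ack(CIRCUIT_B, MAC_B, "10.0.1.11")
    return {
        "a_uses_own_lease": v.verify_traffic(CIRCUIT_A, MAC_A, "10.0.1.10"),
        "a_spoofs_b_address": v.verify_traffic(CIRCUIT_A, MAC_A, "10.0.1.11"),
        "a_static_unleased": v.verify_traffic(CIRCUIT_A, MAC_A, "10.0.1.200"),
        "a_requests_b_lease": v.check_request(relayed_request(CIRCUIT_A, "10.0.1.11"), MAC_A),
        "a_renews_own_lease": v.check_request(relayed_request(CIRCUIT_A, "10.0.1.10"), MAC_A),
    }
```

Running `demo()` allows only the first and last case; the spoofed neighbour address, the unleased static address and the request for another circuit's lease are all refused. The binding is keyed on the circuit ID rather than the MAC alone because a customer behind a bridged DSL modem controls its own MAC; the circuit ID is the one identifier inserted by the operator's equipment rather than by the customer.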