5

In a dormitory of 550 residents, people often mistakenly set up DHCP servers for the whole network by plugging in their private Wi-Fi routers wrongly. Also recently, someone mistakenly configured their PC to a static IP address being the same as that of the default gateway. We use cheap 3Com switches at the moment.

I know that more advanced switches support DHCP snooping to solve the DHCP problem, but that still does not solve the default gateway IP address takeover problem.

What sort of switch equipment do real ISPs use so their customers cannot break the network for the other customers?

Edit: What we ended up doing

In case anyone is curious, we ended up doing separate VLANs for each user. And as a matter of fact, not just the 550 users, but for 2500 users (11 dorms). Here's a page describing the setup:

http://k-net.dk/technicalsetup/ (the section "Transparent firewall using VLANs").

There was no significant load on the router server as I feared in one of the comments below. Even at 800 Mbps.

masegaloeh
Allanrbo
  • Not an answer to your problem, but this is the stuff real ISPs use: https://www.cisco.com/en/US/products/ps5763/index.html – Zypher May 21 '10 at 19:07

8 Answers

6

What you want to consider as well is Private VLAN. You put all your users in a single "normal" VLAN but only allow them to speak between specific ports.

Basically, you emulate point to point between gateway and PC. Much simpler than any other solution mentioned here.

Antoine Benkemoun
  • I looked up private VLAN on wikipedia - it looks very much like what we need yes! Do you know whether it is Cisco specific? I cannot seem to find anything about it in our 3com switch configs. – Allanrbo May 22 '10 at 11:27
  • If your 3COM switches are cheap, then no. It's not a Cisco-specific feature. I just know Cisco switches have them. – Antoine Benkemoun May 22 '10 at 13:12
  • VLAN is standard for any switch with baseline management - only very primitive ones simply are "switches" without administration. – TomTom Jun 12 '12 at 10:33
4

Most traditional ISPs use links that are inherently point-to-point (dial/T1/DS3/ATM); the current trend is an ethernet handoff to a router at the customer's location using static routes and a /30 subnet as an interconnect. For an MTU application like yours, you could do VLAN-per-customer using just about any VLAN-capable switch, although there are issues scaling that past 4000 users (you need to split into multiple VLAN universes across multiple routers, or do Q-in-Q). This is the only standards-compliant solution which addresses both of your issues.

Some switches also support client isolation (private vlan/general mode), although this by itself just prevents the offender's immediate neighbors from noticing a problem -- the typical application protects from edge ports transmitting to ports that aren't the switch's uplink. Conflicts may still be possible between edge ports on different switches with a trunk port between them.

Fancier switches support DHCP snooping/filtering (and the IPv6 variant, ra-guard) as well as some IP spoofing protections, which can get most of the benefit of VLAN isolation without the use of extra IP space, but they frequently have vendor-specific quirks.

techieb0y
2

If you're budget-constrained (you said "Cheap 3Com Switches"), what about throwing a Linux machine in the mix and putting up PPPoE yourself?

McJeff
  • That is an OK idea. Though PPPoE would be more complicated for the users to set up... Would a single modern server running Linux be able to handle around 90 megabits of internet traffic at peak hours? – Allanrbo May 20 '10 at 20:27
  • 90mbps would be easily handled, yes – cpbills May 20 '10 at 20:59
  • A modern commodity hardware PC can saturate a gigabit connection, a purpose built server can do several. – Chris S May 20 '10 at 22:11
  • Sure, a bit harder, but no more difficult than configuring a DSL connection. – McJeff May 21 '10 at 00:58
  • meh. pppoe? come on, why would you want to make such a bottleneck. – pQd May 21 '10 at 19:28
1

It sounds like you want VLANs. This will allow you to segregate the network and filter broadcasts (e.g. DHCP broadcasts). VLANs can only communicate with each other unless a Layer 3 device is involved; thus, if Dorm 301 plugs in a DHCP server only the VLAN Dorm 301 is on gets hosed and other VLANs are unaffected.

smoak
  • ~550 VLANs? Isn't that a lot of tagging for his configuration? – McJeff May 20 '10 at 20:18
  • I have considered VLANs. This would mean a lot of tagging yes, and would mean a pretty heavy load on a server which would be configured with 550 virtual interfaces (using 802.1q). Is that normal? Would the server be able to handle the ~90 Mbit of internet traffic generated at peak hours? – Allanrbo May 20 '10 at 20:25
  • @McJeff You don't have to VLAN out all dorms, you could just make 10 VLANs, dorms 1 to 100, 101 to 200, etc. or how many you feel you need. – smoak May 20 '10 at 21:35
  • In case anyone is curious, we ended up doing separate VLANs for each user. And as a matter of fact, not just the 550 users, but for 2500 users (11 dorms). Here's a page describing the setup: http://k-net.dk/technicalsetup/ (the section "Transparent firewall using VLANs"). There was no significant load on the router server as I feared above. – Allanrbo Jun 12 '12 at 09:46
1

Stick with the DHCP snooping and incorporate Dynamic ARP Inspection and IP Source Guard. If any other host tries to send a packet with a source address of the gateway or tries to reply to an ARP request asking for the gateway's MAC address, the switch will drop the packets.

Tim
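To see how the three features in this answer cooperate against both problems from the question (a rogue DHCP server on a room port and a PC that takes over the gateway's IP), here is an added toy model, not code from the page or from any switch vendor. Port names, MAC addresses and IPs are constructed; the model keys the snooping binding table by access port, which is a simplification of what a real switch does.

```python
# Added example, not the page's code: toy model of DHCP snooping, Dynamic ARP
# Inspection (DAI) and IP Source Guard. Ports, MACs and IPs are constructed.
from dataclasses import dataclass, field

GATEWAY_IP = "10.0.0.1"  # constructed default gateway address

@dataclass
class Frame:
    port: str            # ingress switch port
    kind: str            # "dhcp_offer" | "dhcp_ack" | "arp_reply" | "ip"
    src_mac: str
    src_ip: str = ""
    client_port: str = ""  # dhcp_ack only: access port of the lease holder
    client_mac: str = ""
    client_ip: str = ""

@dataclass
class Switch:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)  # port -> (mac, ip)

    def inspect(self, f: Frame) -> str:
        if f.kind in ("dhcp_offer", "dhcp_ack"):
            # DHCP snooping: server-side messages only from trusted (uplink) ports
            if f.port not in self.trusted_ports:
                return "drop:dhcp-snooping"
            if f.kind == "dhcp_ack":
                self.bindings[f.client_port] = (f.client_mac, f.client_ip)  # lease -> binding
            return "forward"
        if f.port in self.trusted_ports:
            return "forward"
        expected = self.bindings.get(f.port)
        if f.kind == "arp_reply" and expected != (f.src_mac, f.src_ip):
            # DAI: an ARP reply claiming the gateway IP from a room port is dropped
            return "drop:arp-inspection"
        if f.kind == "ip" and (expected is None or expected[1] != f.src_ip):
            return "drop:ip-source-guard"  # source IP must match the port's binding
        return "forward"

def demo() -> list:
    sw = Switch(trusted_ports={"uplink"})
    frames = [  # constructed traffic
        Frame("uplink", "dhcp_ack", "00:00:5e:00:01:01", GATEWAY_IP,
              client_port="room301", client_mac="aa:aa:aa:00:03:01", client_ip="10.0.0.55"),
        Frame("room302", "dhcp_offer", "bb:bb:bb:00:03:02", "192.168.1.1"),  # private Wi-Fi router
        Frame("room301", "arp_reply", "aa:aa:aa:00:03:01", "10.0.0.55"),     # legitimate host
        Frame("room305", "arp_reply", "cc:cc:cc:00:03:05", GATEWAY_IP),      # static IP = gateway
        Frame("room305", "ip", "cc:cc:cc:00:03:05", GATEWAY_IP),
    ]
    return [sw.inspect(f) for f in frames]
```

`demo()` returns the verdict per frame: the rogue offer, the gateway ARP claim and the packets sourced from the gateway IP are all dropped, while the legitimately leased host is forwarded.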
0

This seems to me to be a layer 2 issue. You want to prevent some (all?) broadcasts from going from one user to another.

I think most ISPs have a point to point link with their customers. Didn't cable companies use PPPoE to simulate the point-to-point connection?

I think managed switches can be set up to filter traffic.

Finally, perhaps you could configure DHCP relay if your switch supports it.

pcapademic
  • I don't think I can just filter away all broadcast traffic. DHCP and ARP requests (not DHCP offers of course) should still be allowed - so I guess some sort of layer 3 analysis is needed? Our managed switches only have a "broadcast storm" property, which limits bandwidth of all broadcast traffic on a port - not very handy I think. – Allanrbo May 20 '10 at 20:30
0

:) Never use 192.168.0.1 or 192.168.1.1 as gateway. Most of the managed switches or routers use it.

Paul
-1

You could try setting up IPv6. Most modern OSes have it turned on by default.

pcapademic