Ce site est optimisé pour être consulté depuis un navigateur moderne dans lequel JavaScript est activé.

Comment protéger un réseau à petit budget contre les serveurs DHCP non autorisés ?

ayi

Je suis helping a friend manage a shared internet connection in an apartment buildling avec 80 apartments - 8 stairways avec 10 apartments in each.
The network is laid out avec le internet router at one end of le building, connected to a cheap non-managed 16 port switch in le premier stairway où le premier 10 apartments are aussi connected.
One port is connected to another 16 port cheapo switch in le suivant stairway, où those 10 apartments are connected, et so forth. Sort of a daisy chain of switches, avec 10 apartments as spokes on chaque "daisy". The building is a U-shape, approximately 50 x 50 meters, 20 meters high - so depuis le router to le farthest apartment it’s probably around 200 meters including up-and-down stairways.

Nous avons a fair bit of problems avec people hooking up wifi-routers le wrong way, creating rogue DHCP servers qui interrupt large groups of le users et we wish to solve this problem by making le network smarter (instead of doing a physical unplugging binary search).

With mon limited networking skills, Je vois two ways - DHCP-snooping ou splitting le entire network into separate VLANS for chaque apartment. Separate VLANS gives chaque apartment leur own private connection to le router, tandis que DHCP snooping will encore allow LAN gaming et file sharing.

Will DHCP snooping work avec this kind of network topology, ou does that rely on le network being in a proper hub-and-spoke-configuration? Je suis pas sure si there are différent levels of DHCP snooping - say like expensive Cisco switches will do anything, mais inexpensive ones like TP-Link, D-Link ou Netgear will seulement do it in certain topologies?

And will basic VLAN support be good enough for this topology? I guess even cheap managed switches can tag traffic depuis chaque port avec it’s own VLAN tag, mais quand le suivant switch in le daisy chain receives le packet on it’s “downlink” port, wouldn’t it strip ou replace le VLAN tag avec it’s own trunk-tag (or whatever le name is for le backbone traffic).

Money is tight, et I don’t think we can afford professional grade Cisco (J'ai been campaigning for this for years), so I’d love certains advice on qui solution has le best support on low-end network equipment et si there are certains spécifique models that are recommended? Par exemple low-end HP switches ou even budget brands like TP-Link, D-Link etc.

If J'ai overlooked another way to solve this problem it is due to mon lack of knowledge. 🙂

ayi

Je pense you should go le multi-VLAN route - et pas juste parce que of le DHCP server issue. At le moment, you have one big flat network et tandis que to certains degree, users should be expected to take care of leur own security, J'aimerais personally find it a pretty unacceptable setup.

The seulement switches that need to be managed are yours. Beyond that, you give chaque apartment a single port on a spécifique VLAN - anything downstream of that will be completely unaware of le VLAN et you can function normally.

In terms of votre switches - le switch-to-switch ports will need configuring as trunk ports et vous devrez be consistent avec votre VLAN ID's. In autre words, VLAN100 MUST correspond to VLAN100 everywhere else on le network.

Other than that, you can set up a "Router-on-a-stick" configuration, avec chaque VLAN (And c'est associated pool of IP's*) configured seulement to route back et forth to le internet et NOT to autre internal networks.

*Je n'ai pas pu think of anywhere else to stick this, mais remember that ideally you should be giving votre VLANs leur own pool of IP's. The easiest way to do this is to keep one of le octets même as le VLAN ID, e.g.

192.168.100.x - VLAN100
192.168.101.x - VLAN101
192.168.102.x - VLAN102

Once tous of this is in place, you can really start to take it places avec things like Quality-Of-Service, traffic monitoring et so on si you wish!

The "LAN Games" request seems to be a relatively niche request, to me, et certainly pas one J'aimerais think about. They can encore game normally through NAT by going out to le Internet et back - pas ideal, mais no différent to chaque apartment having c'est own connection qui is le norm over here in le UK. On a case by case basis, though, you could add full inter-VLAN routing entre apartments qui want to share leur network in that way.

In fact, you COULD add full Inter-VLAN routing everywhere - that would fix votre DHCP issues, allow QoS mais is encore a massive security issue in mon opinion.

Te one thing J'ai pas covered here is votre DHCP - presumably you have a single scope at le moment for tous of votre clients. If you put them onto separate networks alors you'll need to manage a separate scope for chaque VLAN. C'est really device et infrastructure dependant, so Je vais leave this off for now.