Catching up on the thread.. vendor C also calls it "IP Source-guard" on the Cat 4K in IOS. And it acually works quite well (does require DHCP snooping). T ----- Original Message ----- From: "Scott McGrath" <mcgrath@fas.harvard.edu> To: <nanog@merit.edu> Sent: Wednesday, November 12, 2003 5:17 PM Subject: Re: uRPF-based Blackhole Routing System Overview
Vendor C calls it DHCP snooping and to the best of my knowledge it is only available under IOS not CatOS
Scott C. McGrath
On Fri, 7 Nov 2003, Greg Maxwell wrote:
On Fri, 7 Nov 2003, Robert A. Hayden wrote:
[snip]
One final note. This system is pretty useless for modem pools, VPN concentrators, and many DHCP implementations. The dynamic IP nature
of
these setups means you will just kill legitimate traffic next time someone gets the IP. You can attempt to correlate your detection with the time they were handed out, of course, in the hopes you find them.
Another approach to address this type of problem is the source spoofing preventing dynamic-acls support that some vendors have been adding to their products. I don't know if it's in anyone's production code-trains yet.
The basic idea is that your switch snoops DHCP traffic to the port and generates an ACL based on the address assigned to the client. Removing a host is as simple as configuring your DHCP server to ignore it's requests and perhaps sending a crafty packet (custom written DECLINE) to burp the existing ACL out of the switch.
Vendor F calls this feature "Source IP Port Security", I'm not sure what vendor C calls it.
Since this is a layer 2 feature you can configure it far out on the edge and not just at the router.