Re: Q: Controlling access at the Ethernet level
From: Gleb Smirnoff (glebius_at_cell.sick.ru)
Date: 04/04/04
- Previous message: Chuck Swiger: "Re: Q: Controlling access at the Ethernet level"
- In reply to: Adrian Penisoara: "Q: Controlling access at the Ethernet level"
- Next in thread: Andrew Riabtsev: "Re: Q: Controlling access at the Ethernet level"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 4 Apr 2004 23:32:52 +0400 To: Adrian Penisoara <ady@freebsd.ady.ro>
On Sun, Apr 04, 2004 at 09:22:33PM +0300, Adrian Penisoara wrote:
A> We have thought about using static MAC entries per port on managed
A> switches installed at the client endpoints, but that would require a
A> overwhelming budget. We are also thinking about L2TP and PPPoE, but I
A> am uncertain about compatibility.
PPPoE is a working solution. mpd from ports can serve PPPoE at wirespeed.
However is has some disadvantages:
- Traffic from host A to host B flows thru access concentrator.
- All hosts share bandwidth of access concentrator
- mpd in PPPoE mode does not work under CURRENT
- PPPoE gives authentication for access outside your LAN, it does not
prevent someone plugging into a port of dumb switch and flooding your
LAN with broadcasts, or performing any other kind of ethernet DoS.
A> I also heard about 802.1x technology and seems to be an interesting
A> and professional alternative; I just don't know how well supported is
A> on the server side, namely FreeBSD.
Theoretically, 802.1x is best solution. But client side is supported only in
Windows XP, and I've been told that it has numerous weird bugs. In 802.1x
the server side is ethernet switch itself, which authenticates clients
on RADIUS server. So upgrading all switches in your LAN is required. The
cheapest one with 802.1x support is D-Link DES-3226, AFAIK.
-- Totus tuus, Glebius. GLEBIUS-RIPN GLEB-RIPE _______________________________________________ freebsd-isp@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-isp To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
- Previous message: Chuck Swiger: "Re: Q: Controlling access at the Ethernet level"
- In reply to: Adrian Penisoara: "Q: Controlling access at the Ethernet level"
- Next in thread: Andrew Riabtsev: "Re: Q: Controlling access at the Ethernet level"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
