OT - per-port IP filtering/config for ethernet access

Simon Hobson dhcp1 at thehobsons.co.uk
Wed Feb 13 11:44:59 UTC 2013


It's a bit OT for the list (although the intention is to provide DHCP), but I suspect a few people here are doing it ...

I have a couple of situations where we provide connectivity to clients, where there is a shared internet service and we provide a port on a switch to which the client connects their router. Up to now it's been done on a "the clients are trustworthy enough" basis, and the sites are small enough that if someone "steals" an IP (whether deliberately or by accident) it's easy enough to track them down and introduce them to Mr Clue-by-four (it's not happened yet).

However, I've a couple of things coming up where this won't be enough - the network is too important to take the risk, and/or it's remote so we can't just walk round to the office and deal with it. The latter has (10 year old) Cisco switches, the other just has an unmanaged switch at present.

So we need to be able to specify that a device (or devices) attached to a specific port are limited to using only certain IPs - and if they attempt to use anything else then the packets will just get dropped. At present each client gets their own subnet (/29 or /30 - some have 1 address, some require more) and VLAN - but when we switch providers we probably won't be able to get enough IPv4 addresses to be that wasteful.

I assume others must have similar setups, any pointers would be handy?


Also, from the DHCP side of things, I've not been keeping up, but from https://lists.isc.org/pipermail/dhcp-users/2012-January/014800.html it appears I should be able to just use the snooping that's probably built into the Cisco switches and the:
  host foo {
    host-identifier option agent.circuit-id "foo";
  }
syntax to assign addresses to those devices that don't need manual config.
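The host-identifier approach the message refers to, carried through as an added example (not from the original post or the thread it cites): an ISC dhcpd configuration for one shared subnet in which each client port gets only its fixed address, keyed on the circuit-id the switch's DHCP snooping inserts. The subnet, addresses, circuit-id values and the dhcpd version are my assumptions.

```conf
# Added example, not part of the original message. Assumes ISC dhcpd 4.2 or
# later and a switch whose DHCP snooping inserts option 82 (relay agent
# information) on each client port. Subnet, addresses and circuit-id values
# are constructed placeholders.

authoritative;
default-lease-time 3600;
max-lease-time 7200;

# Record the circuit-id on every lease so a lease can be tied back to the
# physical port when investigating an address conflict. Also the easiest way
# to learn the exact value each port sends before writing the host entries.
if exists agent.circuit-id {
  set port-circuit-id = binary-to-ascii(16, 8, ":", option agent.circuit-id);
}

# One shared subnet for all client ports. Deliberately no "range" statement:
# a device on a port whose circuit-id matches no host entry gets no lease at
# all, instead of a dynamic address that another client might later depend on.
subnet 192.0.2.0 netmask 255.255.255.192 {
  option routers 192.0.2.1;
  option subnet-mask 255.255.255.192;
  option broadcast-address 192.0.2.63;
}

# Client A: single address, keyed on an ASCII circuit-id (placeholder value).
host client-a {
  host-identifier option agent.circuit-id "port-a";
  fixed-address 192.0.2.10;
}

# Client B: Cisco-style snooping sends a binary circuit-id rather than ASCII,
# so the hex form is used. The value below is a placeholder; take the real one
# from the port-circuit-id recorded in dhcpd.leases for that port.
host client-b {
  host-identifier option agent.circuit-id 00:04:00:0a:01:03;
  fixed-address 192.0.2.11;
}
```

Because the switch, not the client, supplies the circuit-id, the binding holds only if option 82 is inserted by the switch and stripped from untrusted ports; the matching per-port drop of packets from any other source address still has to be enforced on the switch itself.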

