What equipment do real ISPs use? [closed]

What you want to consider as well is Private VLAN. You put all your users in a single "normal" VLAN but only allow them to speak between specific ports.

Basically, you emulate point-to-point between the gateway and the PC. Much simpler than any other solution mentioned here.


Most traditional ISPs use links that are inherently point-to-point (dial/T1/DS3/ATM); the current trend is an Ethernet handoff to a router at the customer's location using static routes and a /30 subnet as an interconnect. For an MTU application like yours, you could do VLAN-per-customer using just about any VLAN-capable switch, although there are issues scaling that past 4000 users (you need to split into multiple VLAN universes across multiple routers, or do Q-in-Q). This is the only standards-compliant solution which addresses both of your issues.

Some switches also support client isolation (private VLAN/general mode), although this by itself just prevents the offender's immediate neighbors from noticing a problem -- the typical application protects from edge ports transmitting to ports that aren't the switch's uplink. Conflicts may still be possible between edge ports on different switches with a trunk port between them.

Fancier switches support DHCP snooping/filtering (and the IPv6 variant, ra-guard) as well as some IP spoofing protections, which can get most of the benefit of VLAN isolation without the use of extra IP space, but they frequently have vendor-specific quirks.


If you're budget-constrained (you said "Cheap 3Com Switches"), what about throwing a Linux machine in the mix and putting up PPPoE yourself?


It sounds like you want VLANs. This will allow you to segregate the network and filter broadcasts (e.g. DHCP broadcasts). VLANs can only communicate with each other unless a Layer 3 device is involved; thus, if Dorm 301 plugs in a DHCP server, only the VLAN Dorm 301 is on gets hosed and other VLANs are unaffected.


Stick with the DHCP snooping and incorporate dynamic ARP inspection and IP source guard. If any other host tries to send a packet with a source address of the gateway or tries to reply to an ARP request asking for the gateway's MAC address, the switch will drop the packets.
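As an added illustration of how the three features in this answer (and the "Dorm 301 plugs in a DHCP server" case from the VLAN answer) fit together, here is a constructed model of an access switch's decision logic. It is not code from any switch vendor or from the original posts; the port names, MAC addresses and IP addresses are made up.

```python
from dataclasses import dataclass, field

@dataclass
class AccessSwitch:
    """Constructed model of an access switch running DHCP snooping, dynamic ARP
    inspection (DAI) and IP source guard. Not vendor code; names are made up."""
    trusted: set                                   # uplink ports toward the real gateway/DHCP server
    pending: dict = field(default_factory=dict)    # client MAC -> edge port, from snooped DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)   # edge port -> {(MAC, IP)} leases learned from ACKs

    def dhcp_request(self, port, mac):
        """Snoop a client DISCOVER/REQUEST so the eventual lease is tied to its port."""
        if port not in self.trusted:
            self.pending[mac] = port

    def dhcp_ack(self, port, mac, ip):
        """Server OFFER/ACK: accepted only from a trusted port, so a rogue DHCP
        server plugged into an edge port (the "Dorm 301" case) is dropped."""
        if port not in self.trusted:
            return "drop"
        client_port = self.pending.pop(mac, None)
        if client_port is None:
            return "drop"                          # unsolicited ACK: no request was seen
        self.bindings.setdefault(client_port, set()).add((mac, ip))
        return "forward"

    def _bound(self, port, mac, ip):
        return port in self.trusted or (mac, ip) in self.bindings.get(port, set())

    def arp(self, port, sender_mac, sender_ip):
        """DAI: an ARP from an edge port must match a snooped lease, so an edge
        host cannot answer for the gateway's IP."""
        return "forward" if self._bound(port, sender_mac, sender_ip) else "drop"

    def ip_packet(self, port, src_mac, src_ip):
        """IP source guard: the same binding check applied to the IP source address."""
        return "forward" if self._bound(port, src_mac, src_ip) else "drop"

def demo():
    """One legitimate lease, then four abuse attempts; returns the switch's verdicts."""
    sw = AccessSwitch(trusted={"uplink"})
    sw.dhcp_request("dorm301", "02:00:00:00:03:01")        # resident in dorm 301 asks for a lease
    return {                                                # dict entries evaluate in order
        "legit_lease": sw.dhcp_ack("uplink", "02:00:00:00:03:01", "10.0.0.31"),
        "rogue_dhcp_server": sw.dhcp_ack("dorm302", "02:00:00:00:03:02", "10.0.0.99"),
        "own_lease_arp": sw.arp("dorm301", "02:00:00:00:03:01", "10.0.0.31"),
        "gateway_arp_spoof": sw.arp("dorm301", "02:00:00:00:03:01", "10.0.0.1"),
        "gateway_src_spoof": sw.ip_packet("dorm301", "02:00:00:00:03:01", "10.0.0.1"),
        "real_gateway_arp": sw.arp("uplink", "aa:aa:aa:aa:aa:01", "10.0.0.1"),
    }
```

The one thing the model makes visible that the feature names do not is the dependency chain: DAI and IP source guard can only pass traffic that DHCP snooping has already recorded, so a host with a static address on an untrusted port is dropped until a static binding is added for it.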