On Feb 02, arek@xxxxxxxxxxx wrote:
>
> Moment, DHCP is not arp packet.
> and ARP is not DHCP.
>

However, every dhcp request fires off a bunch of ARP requests. I am suggesting using DHCP-relay so you put the 'long distance' DHCP requests into a kind of IP tunnel (?). If this is not true then you could accomplish the same with IPSec/ssh tunnels. The idea of this is to shunt the DHCP (and related traffic) into something that is manageable.

> DHCP is always IP addressed /check via tcpdump/
> so you can mark these addresses with tc without any problems.
>

good point :)

> ARP packets are low level packets of ethernet interconnectivity.
> They will work always, unless your LAN is overloaded or somebody will do
> nasty things like /arp poisoning/.
> The only way you can increase your network performance for arp packets is
> enabling broadcast storm control in layer-2 devices.
> Some limitations of arp-settings in linux /proc filesystem (gc_thresh_...
> etc)
> You can neither set static arp from Server side /and client side too (more
> complex)/
>

I would still be keen on shunting things into a manageable IP(Sec)/ssh tunnel, although it sounds overboard, if you are dealing with thousands of PCs (even hundreds) that's likely to cross several subnets.

As I mentioned before it would give you the infrastructure to have a 'maintenance' tunnel; you could put all the insecure telnet traffic in this tunnel to prevent it crossing the whole distance un-encrypted :) More so, you can give it a high priority which would help you get access to machines when you need to during a crisis.

Regards

Alex

--
 __________________________________
/ A likely impossibility is always \
| preferable to an unconvincing    |
| possibility.                     |
|                                  |
\ -- Aristotle                     /
 ----------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||