> anyone who IS smart gets on your LAN, you're fairly stuffed anyway.
Quite. But guests would be wireless and on my guest SSID, thus isolated by my WAPs (using L2 filtering). No, the model of attacker I was thinking about is a good friend, whom I trust, who brings a machine that is itself crawling with nasties and tries to attack my LAN, so the attacker is not a human.
> the concern is a rogue DHCP server either by accident or on purpose; most LAN kit supports some sort of DHCP filtering or snooping so that DHCP requests are only forwarded to designated ports.
Indeed, I was interested in that kind of security technology. I can’t use that kind of protection anymore because of Apple spoofing. This is done by the Apple "sleep proxy server" - services provided in, say, the Apple HomePod speaker (iirc) and the Apple TV box. Apple spoofing is very sort-of evil and very clever. When a device wants to sleep, it asks a sleep proxy server to take over the device’s roles while it sleeps, and then the sleep proxy server impersonates the snoozing device at the MAC level. That was very vague, because I don’t know the details; I would need to read up on the protocol properly.
Anyway, checking for spoofing is something that some switches offer, but wouldn’t help me because of all the WLAN hosts.
The right thing for me to do concerning untrusted friends’ wired devices is to put them in their own subnet.
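The rogue-DHCP concern raised above (a guest's infected laptop handing out leases, by accident or otherwise) can be watched for on a mirror port even where the switch has no DHCP snooping. The following is an added example, not code from anyone in this thread: it parses the BOOTP header and TLV options of a DHCP message and flags any OFFER/ACK whose server identifier (option 54) is not in an allowlist. The trusted server address and the client MAC are assumed values, and the sample packets are constructed, not captured.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

DHCP_COOKIE = b"\x63\x82\x53\x63"          # magic cookie that starts the options field
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_OFFER, MSG_ACK = 2, 5

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option list of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP message")
    op, hlen, xid = payload[0], payload[2], struct.unpack("!I", payload[4:8])[0]
    msg = {"op": op, "xid": xid, "yiaddr": IPv4Address(payload[16:20]),
           "chaddr": payload[28:28 + hlen], "options": {}}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:           # pad octets carry no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def rogue_dhcp_server(payload: bytes, trusted: set) -> Optional[str]:
    """Alert text if this is an OFFER/ACK from a server outside the allowlist, else None."""
    msg = parse_dhcp(payload)
    mtype = msg["options"].get(OPT_MSG_TYPE, b"")
    if msg["op"] != 2 or mtype not in (bytes([MSG_OFFER]), bytes([MSG_ACK])):
        return None                         # client requests are not what we watch for
    sid = msg["options"].get(OPT_SERVER_ID, b"")
    server = IPv4Address(sid) if len(sid) == 4 else None   # None: malformed/missing option
    if server in trusted:
        return None
    return (f"rogue DHCP server {server} offered {msg['yiaddr']} "
            f"to {msg['chaddr'].hex(':')} (xid {msg['xid']:#x})")

def build_offer(xid: int, client_mac: bytes, yiaddr: str, server_ip: str) -> bytes:
    """Build a minimal DHCPOFFER (constructed sample input, not a real capture)."""
    sip = IPv4Address(server_ip).packed
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                         b"", IPv4Address(yiaddr).packed, sip, b"", client_mac, b"", b"")
    options = bytes([OPT_MSG_TYPE, 1, MSG_OFFER, OPT_SERVER_ID, 4]) + sip + bytes([OPT_END])
    return header + DHCP_COOKIE + options

TRUSTED_SERVERS = {IPv4Address("192.0.2.1")}   # assumed: the router is the only legitimate server
LAPTOP = bytes.fromhex("0242ac110002")           # constructed client MAC
```

Feed `rogue_dhcp_server` the UDP payload of every packet seen on port 68 and log what it returns; a lease from a guest's own DHCP server shows up as an alert even though it was never forwarded by the switch.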