Solved

Restrict Web access @ Switch? (3Com 4400's)

Posted on 2004-08-17
9
278 Views
Last Modified: 2010-04-11
Hello

  Is there a way that I can restrict (at the physical port) access to the internet on 3Com 4400 switches?

  For instance, physical network has about 100 ethernet ports available, with only about half of them actually connected to anything. I have been able to restrict web access at the router for a group of machines that have no legitimate need to surf the web. (Those machines are setup with static IP's; most of the rest of the network which is DHCP.) However, if someone brings in a laptop from home, all they need to do is plug in to one of the existing ethernet jacks, and they will be given an IP address from the DHCP server, and then they are free to do as they please.

  I know I can disable the unused ports all together, but can I in some way just restrict outgoing http:80 traffic?
0
Comment
Question by:TunaMaxx
  • 3
  • 2
  • 2
  • +1
9 Comments
 
LVL 6

Expert Comment

by:microbolt
ID: 11826406
How do you users currently get internet access?  ISA Server?   Nat Router?  If its a router then what type of router do you have.
0
 

Author Comment

by:TunaMaxx
ID: 11826439
Nat via Cisco 806.

Most of the group of static IP's are deny'd by an access-list, but the DHCP addresses are not.
0
 
LVL 6

Expert Comment

by:microbolt
ID: 11826456
On your access list you can add the IP address that you wish to have access to the internet instead of adding all of the ones you dont want to have internet.  This way if you have a new machine on the network it won't have internet access unless you explictly allow it.  If you need help with access lists if you post your config I can give you some examples.
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 8

Expert Comment

by:cooljai1
ID: 11826785
What about restricting the DHCP range available to the actual number of clients attached ? ie, if you connect only 50 legitimate systems, set the DHCP range so that only 50 IPs are available and if someone connects a laptop, the DHCP would not assign Ip addresses. Also you can try locking the IP using MAC address so that any foregin machine would be denied IP
0
 
LVL 6

Expert Comment

by:microbolt
ID: 11826922
cooljai1,

That would be a nightmare to adminsitrate.  Say someone turned off thier PC for 2 weeks because they were on vacation.  While that person was gone thier lease expired on thier IP.  Then Joe Blow with their laptop comes in and gets the IP that just expired.  When the other guy comes back from vacation then he can no longer access the network.

Also just limiting DHCP address would still not solve the issue even if implemted because Joe Blow could still statically assign his machine with an IP and access then internet.

Microbolt
0
 

Author Comment

by:TunaMaxx
ID: 11826967
Thanks for the comments, but is there no way (short of disabling the unused ports completely) to restrict access via the switch's configuration?

One of the main selling features of this hardware was the 'port by port control' and 'advanced configuration' available. (Those are the sales person's words, not 3Com's.) When we bought the hardware, I knew considerably less than what I do now (which isn't saying much!) but it seemed like this was an easy thing to do? Maybe not...
0
 
LVL 8

Expert Comment

by:cooljai1
ID: 11828975

What about using the MAC address way and denying all the IPs except the DHCP ones on the firewall?
0
 

Accepted Solution

by:
ke4sfq earned 250 total points
ID: 11864941
The 3com 4400 is a very nice layer 4 switch.  Therefore you can implement layer 4 rules such as blocking port 80 for a particular access list.  It can also do port learning and learn the mac addresses you have online now and you could block all unknown mac addresses in the future and add new machines you buy.  I use them for automatic VoIP prioritization of voice protocols and do not know how to specifically do the port blocking you require.  But in my experience, 3com has some very experienced support staff and your sales person should be able to connect you to your district representative for 3com who should be able to answer your question or find someone who can at 3com without charging.  if you call 3com support, you have to have a support agreement but if you go through your local sales staff, they will usually help you out to get more sales later.  
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question