TunaMaxx
asked on
Restrict Web access @ Switch? (3Com 4400's)
Hello
Is there a way that I can restrict (at the physical port) access to the internet on 3Com 4400 switches?
For instance, physical network has about 100 ethernet ports available, with only about half of them actually connected to anything. I have been able to restrict web access at the router for a group of machines that have no legitimate need to surf the web. (Those machines are setup with static IP's; most of the rest of the network which is DHCP.) However, if someone brings in a laptop from home, all they need to do is plug in to one of the existing ethernet jacks, and they will be given an IP address from the DHCP server, and then they are free to do as they please.
I know I can disable the unused ports all together, but can I in some way just restrict outgoing http:80 traffic?
Is there a way that I can restrict (at the physical port) access to the internet on 3Com 4400 switches?
For instance, physical network has about 100 ethernet ports available, with only about half of them actually connected to anything. I have been able to restrict web access at the router for a group of machines that have no legitimate need to surf the web. (Those machines are setup with static IP's; most of the rest of the network which is DHCP.) However, if someone brings in a laptop from home, all they need to do is plug in to one of the existing ethernet jacks, and they will be given an IP address from the DHCP server, and then they are free to do as they please.
I know I can disable the unused ports all together, but can I in some way just restrict outgoing http:80 traffic?
How do you users currently get internet access? ISA Server? Nat Router? If its a router then what type of router do you have.
ASKER
Nat via Cisco 806.
Most of the group of static IP's are deny'd by an access-list, but the DHCP addresses are not.
Most of the group of static IP's are deny'd by an access-list, but the DHCP addresses are not.
On your access list you can add the IP address that you wish to have access to the internet instead of adding all of the ones you dont want to have internet. This way if you have a new machine on the network it won't have internet access unless you explictly allow it. If you need help with access lists if you post your config I can give you some examples.
What about restricting the DHCP range available to the actual number of clients attached ? ie, if you connect only 50 legitimate systems, set the DHCP range so that only 50 IPs are available and if someone connects a laptop, the DHCP would not assign Ip addresses. Also you can try locking the IP using MAC address so that any foregin machine would be denied IP
cooljai1,
That would be a nightmare to adminsitrate. Say someone turned off thier PC for 2 weeks because they were on vacation. While that person was gone thier lease expired on thier IP. Then Joe Blow with their laptop comes in and gets the IP that just expired. When the other guy comes back from vacation then he can no longer access the network.
Also just limiting DHCP address would still not solve the issue even if implemted because Joe Blow could still statically assign his machine with an IP and access then internet.
Microbolt
That would be a nightmare to adminsitrate. Say someone turned off thier PC for 2 weeks because they were on vacation. While that person was gone thier lease expired on thier IP. Then Joe Blow with their laptop comes in and gets the IP that just expired. When the other guy comes back from vacation then he can no longer access the network.
Also just limiting DHCP address would still not solve the issue even if implemted because Joe Blow could still statically assign his machine with an IP and access then internet.
Microbolt
ASKER
Thanks for the comments, but is there no way (short of disabling the unused ports completely) to restrict access via the switch's configuration?
One of the main selling features of this hardware was the 'port by port control' and 'advanced configuration' available. (Those are the sales person's words, not 3Com's.) When we bought the hardware, I knew considerably less than what I do now (which isn't saying much!) but it seemed like this was an easy thing to do? Maybe not...
One of the main selling features of this hardware was the 'port by port control' and 'advanced configuration' available. (Those are the sales person's words, not 3Com's.) When we bought the hardware, I knew considerably less than what I do now (which isn't saying much!) but it seemed like this was an easy thing to do? Maybe not...
What about using the MAC address way and denying all the IPs except the DHCP ones on the firewall?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.