Restrict Web access @ Switch? (3Com 4400's)

Hello

  Is there a way that I can restrict (at the physical port) access to the internet on 3Com 4400 switches?

  For instance, physical network has about 100 ethernet ports available, with only about half of them actually connected to anything. I have been able to restrict web access at the router for a group of machines that have no legitimate need to surf the web. (Those machines are setup with static IP's; most of the rest of the network which is DHCP.) However, if someone brings in a laptop from home, all they need to do is plug in to one of the existing ethernet jacks, and they will be given an IP address from the DHCP server, and then they are free to do as they please.

  I know I can disable the unused ports all together, but can I in some way just restrict outgoing http:80 traffic?
TunaMaxxAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
ke4sfqConnect With a Mentor Commented:
The 3com 4400 is a very nice layer 4 switch.  Therefore you can implement layer 4 rules such as blocking port 80 for a particular access list.  It can also do port learning and learn the mac addresses you have online now and you could block all unknown mac addresses in the future and add new machines you buy.  I use them for automatic VoIP prioritization of voice protocols and do not know how to specifically do the port blocking you require.  But in my experience, 3com has some very experienced support staff and your sales person should be able to connect you to your district representative for 3com who should be able to answer your question or find someone who can at 3com without charging.  if you call 3com support, you have to have a support agreement but if you go through your local sales staff, they will usually help you out to get more sales later.  
0
 
microboltCommented:
How do you users currently get internet access?  ISA Server?   Nat Router?  If its a router then what type of router do you have.
0
 
TunaMaxxAuthor Commented:
Nat via Cisco 806.

Most of the group of static IP's are deny'd by an access-list, but the DHCP addresses are not.
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
microboltCommented:
On your access list you can add the IP address that you wish to have access to the internet instead of adding all of the ones you dont want to have internet.  This way if you have a new machine on the network it won't have internet access unless you explictly allow it.  If you need help with access lists if you post your config I can give you some examples.
0
 
cooljai1Commented:
What about restricting the DHCP range available to the actual number of clients attached ? ie, if you connect only 50 legitimate systems, set the DHCP range so that only 50 IPs are available and if someone connects a laptop, the DHCP would not assign Ip addresses. Also you can try locking the IP using MAC address so that any foregin machine would be denied IP
0
 
microboltCommented:
cooljai1,

That would be a nightmare to adminsitrate.  Say someone turned off thier PC for 2 weeks because they were on vacation.  While that person was gone thier lease expired on thier IP.  Then Joe Blow with their laptop comes in and gets the IP that just expired.  When the other guy comes back from vacation then he can no longer access the network.

Also just limiting DHCP address would still not solve the issue even if implemted because Joe Blow could still statically assign his machine with an IP and access then internet.

Microbolt
0
 
TunaMaxxAuthor Commented:
Thanks for the comments, but is there no way (short of disabling the unused ports completely) to restrict access via the switch's configuration?

One of the main selling features of this hardware was the 'port by port control' and 'advanced configuration' available. (Those are the sales person's words, not 3Com's.) When we bought the hardware, I knew considerably less than what I do now (which isn't saying much!) but it seemed like this was an easy thing to do? Maybe not...
0
 
cooljai1Commented:

What about using the MAC address way and denying all the IPs except the DHCP ones on the firewall?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.