• Status: Solved
Outbound traffic shaping based on MAC?

Hi Experts,
  In a big nutshell, what I'd like to set up here is a software/hardware solution that will allow me to view, shape, or altogether disable inbound and/or outbound network traffic.

Some details about the setup:

- about 100 clients on the LAN; the solution should allow for growth to twice that amount.
- vanilla-type LAN setup (for the most part): some DHCP clients, some static IP, some allowed, some not.
- bandwidth is limited here, and will become mission critical in the future.
- This is a business environment that has had problems with employees bringing devices from home: laptops, iPods, PSPs, etc. They will need to be able to control or disable traffic based on traffic type, and an ACL containing trusted MACs.
- Ideally they would like employees to be able to connect their laptops in a lounge. Limited bandwidth (even to unknown MACs) and VLAN-type seclusion of this lounge circuit would be a huge plus. This is the complicated part. Can they maintain a whitelist, a blacklist, and a "grey list" of MAC addresses and assign bandwidth access based on group membership?

I am currently looking at the following types of solutions

1. Managed switches.  
  What is a good switch for shaping in/out traffic based on MAC AND/OR traffic type? Cisco vs. 3Com? Layer 3? Model #'s you've had luck with?

2. Software firewall?  ISA server?  Kerio Winroute?  Linux w/ squid or Sygate?

3. Your suggestions? (only if you've actually done it please)

I'm looking for suggestions from those who have had success solving this specific problem.  

Which solution do you think is most reliable? Why?
Most easy to maintain / Lowest TCO?

Thanks in advance,
adminsb

The--Captain Commented:
I've done this using linux and the iproute2 toolset, but I've not done MAC-based shaping (although it would be easy, since you can use fwmark to tag packets based on MAC).

I do question your use of MAC in this manner - MAC addresses are easily adjustable on plenty of equipment, and should not be used for security policy enforcement exclusively - maybe implementing an additional level of access control (like radius) might be a sensible option in this case.

>Which solution do you think is most reliable?

Linux.

>Why?

Because I know it, and know how to make it reliable.  The answer may be different for you.

>Most easy to maintain / Lowest TCO?

Linux, for the same reasons.  Once again, YMMV.

Cheers,
-Jon

adminsb (Author) Commented:
Thanks for the info Jon,
  If you would:

Which distribution did you use?

Also I have only had experience working with Unix systems (non administrative tasks), although I'm good with scripts in ksh, csh, etc.  Is this going to be suicidal to take this on?  How long did it take you (as an experienced linux guru =)) to set this up?  I think MMMV indeed.

<snip>
I do question your use of MAC in this manner - MAC addresses are easily adjustable on plenty of equipment, and should not be used for security policy enforcement exclusively - maybe implementing an additional level of access control (like radius) might be a sensible option in this case.
<snip>

I agree, I think radius would probably be necessary.  

What method did you use to authenticate?  machine/user/other?

Thanks,
adminsb

Anyone have input on the hardware sol'n?
waqaswasib Commented:
You can use ISA Server and integrate software like Bandwidth Controller or Bandwidth Manager, or you can also use FreeBSD and configure it to reshape bandwidth. There are several hardware-based bandwidth managers as well. You can reshape bandwidth with Sygate; it's a firewall, and it will be helpful for stopping access.
Bye
adminsb (Author) Commented:
Although I was unsatisfied with the lack of feedback I received, I'd recommend deleting the question or splitting the points between the two if that's unreasonable.  I think as a whole this thread doesn't contain much useful information. I'll give the experts another chance to respond here as well.
The--Captain Commented:
>Thanks for the info Jon,
>  If you would:

>Which distribution did you use?

>Also I have only had experience working with Unix systems (non administrative tasks), although I'm good with scripts in
>ksh, csh, etc.  Is this going to be suicidal to take this on?  How long did it take you (as an experienced linux guru =)) to set
>this up?  I think MMMV indeed.

Sorry about that - I must've missed the previous email notifs...

I've mainly used Redhat with CBQ - it's actually pretty easy to set up - if you can handle adding some iptables rules that set fwmark, and can live with the config file format of CBQ, you should be OK - I haven't played with CBQ in a while, but I do think I remember that it works much better in one direction than the other - I have a colleague that does this much more frequently than I, and I think he's told me that there are better things than CBQ out there (and handles both directions of traffic gracefully), so I'll see what he has to say.

CBQ took less than an hour to set up, and a little more than that to test everything - I don't know how good an estimate that might be - I get distracted a lot at work, but I've also dealt with this sort of thing before...  If you know linux decently, and have a fair knowledge of IP, you can probably do this in less than a day, regardless.

Cheers,
-Jon
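Jon's recipe (iptables marks frames by source MAC, tc classes on the fwmark) applied to the white/grey/black lists from the question, as an added example that is not code from this thread. It uses HTB in place of CBQ, assumes eth0 is the LAN-facing interface and a 10mbit link, uses a constructed three-entry MAC list, and only prints the commands unless APPLY=1, since tc and iptables need root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: IFACE faces the LAN clients
# (so the tc tree shapes what they download), LINK is its speed, and LISTS is a
# constructed sample. Commands are printed, not run, unless APPLY=1.
IFACE="${IFACE:-eth0}"
LINK="${LINK:-10mbit}"
APPLY="${APPLY:-0}"
# Constructed sample list: one "MAC group" per line (white, grey or black).
LISTS="${LISTS:-$(printf '00:11:22:33:44:55 white\n00:11:22:33:44:66 grey\n00:11:22:33:44:77 black\n')}"

# Print a command, or execute it when APPLY=1.
emit() { if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

gen_rules() {
    # HTB tree: MACs on no list at all land in the small default class 1:30.
    emit tc qdisc add dev "$IFACE" root handle 1: htb default 30
    emit tc class add dev "$IFACE" parent 1: classid 1:1 htb rate "$LINK"
    emit tc class add dev "$IFACE" parent 1:1 classid 1:10 htb rate 6mbit ceil "$LINK"   # white list
    emit tc class add dev "$IFACE" parent 1:1 classid 1:20 htb rate 1mbit ceil 2mbit     # grey list (lounge)
    emit tc class add dev "$IFACE" parent 1:1 classid 1:30 htb rate 256kbit ceil 512kbit # unknown
    # fwmark 1 selects the white class, fwmark 2 the grey class.
    emit tc filter add dev "$IFACE" parent 1: protocol ip handle 1 fw flowid 1:10
    emit tc filter add dev "$IFACE" parent 1: protocol ip handle 2 fw flowid 1:20
    # The source MAC is only visible on frames the client sends, so the mark is
    # saved in conntrack and restored on the replies flowing back to the client.
    emit iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    printf '%s\n' "$LISTS" | while read -r mac group; do
        [ -n "$mac" ] || continue
        case "$group" in
            white) emit iptables -t mangle -A PREROUTING -m mac --mac-source "$mac" -j MARK --set-mark 1 ;;
            grey)  emit iptables -t mangle -A PREROUTING -m mac --mac-source "$mac" -j MARK --set-mark 2 ;;
            black) emit iptables -t mangle -A PREROUTING -m mac --mac-source "$mac" -j DROP ;;
            *)     printf 'skipping %s: unknown group "%s"\n' "$mac" "$group" >&2 ;;
        esac
    done
    emit iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

gen_rules
```

The tc part shapes only one direction per interface; to shape uploads as well, repeat the qdisc, class and filter commands on the WAN-facing interface.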
adminsb (Author) Commented:
Finally decided to go with Cisco switches and Radius Authentication.
Thanks for all your advice.
The--Captain Commented:
Nice.  I wasn't sure that Cisco had switches that robust...

Can you tell us the model number and IOS (or equivalent) version you wound up using?  I'd be interested in checking them out for my own projects...

Cheers,
-Jon