Solved

Outbound traffic shaping based on MAC?

Posted on 2006-04-27
Last Modified: 2013-11-13
Hi Experts,
  In a big nutshell, what I'd like to setup here is a software/hardware solution that will allow me to view, shape, or altogether disable inbound and/or outbound network traffic.

Some details about the setup:

-about 100 clients on the LAN,  solution should allow for growth to twice that amount.
-vanilla type LAN setup (for the most part)  some DHCP clients, some static IP, some allowed, some not.
-bandwidth is limited here, and will become mission critical in the future.
-This is a business environment that has had problems with employees bringing devices from home.  Laptops, iPods, PSPs, etc.  They will need to be able to control or disable traffic based on traffic type, and an ACL containing trusted MACs.
-Ideally they would like employees to be able to connect their laptops in a lounge.  Limited bandwidth (even to unknown MACs) and VLAN type seclusion to this lounge circuit would be a huge plus.  This is the complicated part.  Can they maintain a whitelist, a blacklist, and a "grey list" of MAC addresses and assign bandwidth access based on group membership?

I am currently looking at the following types of solutions

1. Managed switches.  
  What is a good switch for shaping in/out traffic based on MAC AND/OR traffic type? Cisco vs. 3Com? Layer 3? Model #'s you've had luck with?

2. Software firewall?  ISA server?  Kerio Winroute?  Linux w/ squid or Sygate?

3. Your suggestions? (only if you've actually done it please)

I'm looking for suggestions from those who have had success solving this specific problem.  

Which solution do you think is most reliable? Why?
Most easy to maintain / Lowest TCO?

Thanks in advance,
adminsb

LVL 16

Expert Comment

by:The--Captain
ID: 16555947
I've done this using linux and the iproute2 toolset, but I've not done MAC-based shaping (although it would be easy, since you can use fwmark to tag packets based on MAC).

I do question your use of MAC in this manner - MAC addresses are easily adjustable on plenty of equipment, and should not be used for security policy enforcement exclusively - maybe implementing an additional level of access control (like radius) might be a sensible option in this case.

>Which solution do you think is most reliable?

Linux.

>Why?

Because I know it, and know how to make it reliable.  The answer may be different for you.

>Most easy to maintain / Lowest TCO?

Linux, for the same reasons.  Once again, YMMV.

Cheers,
-Jon

0
 
LVL 1

Author Comment

by:adminsb
ID: 16562830
Thanks for the info Jon,
  If you would:

Which distribution did you use?

Also I have only had experience working with Unix systems (non administrative tasks), although I'm good with scripts in ksh, csh, etc.  Is this going to be suicidal to take this on?  How long did it take you (as an experienced linux guru =)) to set this up?  I think MMMV indeed.

<snip>
I do question your use of MAC in this manner - MAC addresses are easily adjustable on plenty of equipment, and should not be used for security policy enforcement exclusively - maybe implementing an additional level of access control (like radius) might be a sensible option in this case.
<snip>

I agree, I think radius would probably be necessary.  

What method did you use to authenticate?  machine/user/other?

Thanks,
adminsb

Anyone have input on the hardware sol'n?
0
 
LVL 3

Expert Comment

by:waqaswasib
ID: 16584262
You can use ISA Server and integrate software like Bandwidth Controller or Bandwidth Manager, or you can also use FreeBSD and configure it to reshape bandwidth. There are several hardware-based bandwidth managers as well. You can reshape bandwidth with Sygate; it's a firewall, and it will be helpful for stopping access.
Bye
0
 
LVL 1

Author Comment

by:adminsb
ID: 16984698
Although I was unsatisfied with the lack of feedback I received, I'd recommend deleting the question or splitting the points between the two if that's unreasonable.  I think as a whole this thread doesn't contain much useful information. I'll give the experts another chance to respond here as well.
0
 
LVL 16

Accepted Solution

by:The--Captain (earned 2000 total points)
ID: 16988432
>Thanks for the info Jon,
>  If you would:

>Which distribution did you use?

>Also I have only had experience working with Unix systems (non administrative tasks), although I'm good with scripts in
>ksh, csh, etc.  Is this going to be suicidal to take this on?  How long did it take you (as an experienced linux guru =)) to set
>this up?  I think MMMV indeed.

Sorry about that - I must've missed the previous email notifs...

I've mainly used Red Hat with CBQ - it's actually pretty easy to set up - if you can handle adding some iptables rules that set fwmark, and can live with the config file format of CBQ, you should be OK - I haven't played with CBQ in a while, but I do think I remember that it works much better in one direction than the other - I have a colleague that does this much more frequently than I, and I think he's told me that there are better things than CBQ out there (that handle both directions of traffic gracefully), so I'll see what he has to say.

CBQ took less than an hour to set up, and a little more than that to test everything - I don't know how good of an estimate that might be - I get distracted a lot at work, but I've also dealt with this sort of thing before...  If you know Linux decently, and have a fair knowledge of IP, you can probably do this in less than a day, regardless.

Cheers,
-Jon
 
0
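Jon's fwmark approach above (iptables tags packets by source MAC, the shaper picks a class by that mark), as an added example that is not part of this thread: a dry-run generator that turns a whitelist/greylist/blacklist ACL like the one the question describes into iptables and tc commands. It uses HTB instead of CBQ, and the group names, marks, rates and the eth0 (LAN) / eth1 (WAN) interface names are assumptions. As Jon notes, MACs are easy to change, so this is a bandwidth policy, not an access control; the thread's final answer pairs it with RADIUS for that.

```python
import re

# Constructed sample ACL (not from the thread): "<mac> <group>" per line, groups
# mirror the question's whitelist / greylist / blacklist.
SAMPLE_ACL = """
00:11:22:33:44:55 white   # known desktop
00-11-22-33-44-66 grey    # lounge laptop, MAC written Windows-style
00:11:22:33:44:77 black   # device that must not get out at all
"""
# group -> (fwmark, HTB rate); marks and rates are assumptions, None means drop.
GROUPS = {"white": (10, "8mbit"), "grey": (20, "512kbit"), "black": (30, None)}

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff for colon- or dash-separated input, else None."""
    parts = re.split(r"[:-]", raw.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        return None
    return ":".join(parts)

def parse_acl(text):
    """Parse the ACL into [(mac, group)], rejecting malformed lines early."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        mac = normalize_mac(fields[0]) if len(fields) == 2 else None
        if mac is None or fields[1] not in GROUPS:
            raise ValueError("bad ACL line: %r" % line)
        entries.append((mac, fields[1]))
    return entries

def build_commands(entries, lan="eth0", wan="eth1"):
    """Mark by source MAC on the LAN side; shape by mark on WAN egress (outbound)."""
    grey_mark, black_mark = GROUPS["grey"][0], GROUPS["black"][0]
    cmds = []
    for mac, group in entries:
        cmds.append(f"iptables -t mangle -A PREROUTING -i {lan} -m mac --mac-source {mac} "
                    f"-j MARK --set-mark {GROUPS[group][0]}")
    # Anything still unmarked is an unknown MAC: treat it as greylisted.
    cmds.append(f"iptables -t mangle -A PREROUTING -i {lan} -m mark --mark 0 -j MARK --set-mark {grey_mark}")
    # Blacklisted devices are dropped in FORWARD rather than given a class.
    cmds.append(f"iptables -A FORWARD -m mark --mark {black_mark} -j DROP")
    # HTB on the WAN interface: one class per shaped group, selected by fwmark.
    cmds.append(f"tc qdisc add dev {wan} root handle 1: htb default {grey_mark}")
    for mark, rate in GROUPS.values():
        if rate:
            cmds.append(f"tc class add dev {wan} parent 1: classid 1:{mark} htb rate {rate}")
            cmds.append(f"tc filter add dev {wan} parent 1: protocol ip handle {mark} fw flowid 1:{mark}")
    return cmds
```

Run `print("\n".join(build_commands(parse_acl(SAMPLE_ACL))))` to review the rule set before applying it as root; shaping toward the clients (inbound) needs a second HTB tree on the LAN interface.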
 
LVL 1

Author Comment

by:adminsb
ID: 17553140
Finally decided to go with Cisco switches and Radius Authentication.
Thanks for all your advice.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 17555897
Nice.  I wasn't sure that cisco had switches that robust...

Can you tell us the model number and IOS (or equivalent) version you wound up using?  I'd be interested in checking them out for my own projects...

Cheers,
-Jon
0
