Solved

Can I use a managed switch to prevent certain IP addresses from accessing the internet?

Posted on 2008-10-29
5
282 Views
Last Modified: 2008-12-07
Our network has many computers with no reason to access the internet.  Can I configure a managed switch to block a group of IP addresses from sending or receiving any data to the firewall appliance?  In other words can I use the switch to say  this group of computers can only communicate within the LAN?  Or should I be using an entirely different approach?
0
Comment
Question by:captainrichard
5 Comments
 
LVL 4

Expert Comment

by:Patrick49er
ID: 22836117
You can create a proxy setting on that workstation whereby it points to 127.0.0.1 for the Internet.  That will prevent those workstations from even attempting to reach the switch to go to the Internet.  As for the switch itself, I don't believe you can do it via IPs, but I do believe you can create blocked access from the MAC.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 22836544
Access control is usually a router function, not a switch one - however, many switches are also routers.

What is the "default route" set to on the machines?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 150 total points
ID: 22837893
If your firewall is doing the NAT, you can block at the firewall based on IP address; not all firewalls can do DNS lookups on hosts. You can move computers to a separate VLAN that does not have a route to the internet. If your switch does layer 3 (IP/routing) you can block on the switch.
You can set a null route to the internet...
But the easiest way, if they only have IE, is to set up a false proxy IP address (some IP on your LAN that does not have proxy capabilities) and check the box for "disable for local lan", so you should still be able to get to your intranet sites.
-rich
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 150 total points
ID: 22838862
To be honest though, if you are going to go down the proxy route, it would be easier and better to establish a real proxy (such as squid) and implement access controls and logging there; then you can deny individual machines *any* access to the internet (by disabling NAT at the outbound router, and restricting it to just the proxy host) other than via the proxy you control.

You can use the various autoconfigure protocols (such as PAC files, or the appropriate DHCP settings) or group policy to push that to the workstations.
0
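The two network-side controls suggested in the answers above (an ACL on a layer-3 switch or firewall, and a null route on the firewall for the restricted group, plus Dave Howe's variant of permitting outbound NAT only for the proxy host) can be modelled with a few lines of Python. This is an added illustration, not code from the thread or from any product: the addresses (a 10.0.0.0/16 LAN, a restricted 10.0.20.0/24 subnet, a proxy at 10.0.1.5) are constructed, and the rule format imitates an extended ACL with first-match semantics and an implicit deny.

```python
# Added example: first-match ACL evaluation and longest-prefix-match routing,
# modelling an egress ACL on a layer-3 switch/firewall and a null route.
# All addresses are constructed for illustration.
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/16")          # whole internal network
RESTRICTED = ip_network("10.0.20.0/24")  # PCs that must never reach the internet
PROXY = ip_network("10.0.1.5/32")        # the one host allowed to NAT out directly
ANY = ip_network("0.0.0.0/0")

# Rules are (action, source network, destination network), evaluated top-down.
SWITCH_ACL = [
    ("permit", RESTRICTED, LAN),   # restricted hosts may talk inside the LAN...
    ("deny",   RESTRICTED, ANY),   # ...but nowhere else
    ("permit", ANY, ANY),          # everyone else is unaffected
]

# Outbound NAT policy on the firewall when only the proxy may leave directly.
NAT_ACL = [
    ("permit", PROXY, ANY),
    ("deny",   ANY, ANY),
]


def evaluate_acl(rules, src, dst):
    """Return 'permit' or 'deny' for a src -> dst packet; first match wins."""
    src, dst = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # implicit deny at the end of the list, as on real ACLs


# Firewall routing table: (prefix, next hop). A next hop of None is a null
# route: matching packets are discarded instead of forwarded, so replies
# from the internet to the restricted subnet never get delivered.
FW_ROUTES = [
    (ip_network("0.0.0.0/0"), "isp"),
    (ip_network("10.0.0.0/16"), "eth_lan"),
    (ip_network("10.0.20.0/24"), None),
]


def lookup_route(routes, dst):
    """Longest-prefix match; returns the next hop, or None if the packet is dropped."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


if __name__ == "__main__":
    print(evaluate_acl(SWITCH_ACL, "10.0.20.7", "198.51.100.10"))  # deny
    print(evaluate_acl(SWITCH_ACL, "10.0.20.7", "10.0.1.9"))       # permit
    print(lookup_route(FW_ROUTES, "10.0.20.7"))                    # None (null route)
```

The ACL model is the enforcement point the thread is really asking for: it acts on source address regardless of what the workstation is configured to do. The null route only stops return traffic, so a restricted host can still emit packets toward the internet; combining it with the ACL closes both directions.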
 
LVL 5

Accepted Solution

by:rexxus
rexxus earned 200 total points
ID: 22866748
If the group of users has no requirement to access any resources outside of their subnet, you could set up two VLANs.

The first VLAN/subnet could be in the same subnet as the firewall and the DHCP options can provide a default gateway of the internal firewall appliance.

The second VLAN/subnet could be configured with no default gateway, or a default gateway of 127.0.0.1, so that no matter what their traffic can't leave the broadcast domain they are attached to.
0
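To see why the accepted answer works, it helps to walk through the sending host's own forwarding decision under the two VLAN configurations. The following is an added illustration, not code from the thread: the VLAN addressing is constructed, and `next_hop` is a simplified model of a host's routing lookup (on-link destination, default gateway, or no route).

```python
# Added example: a host's forwarding decision for the two VLAN setups
# described above. Addresses are constructed for illustration.
from ipaddress import ip_address, ip_interface


def next_hop(host, gateway, dst):
    """Decide where a host sends a packet for dst.

    host    -- the host's address with prefix length, e.g. "10.0.20.7/24"
    gateway -- default gateway as a string, or None when DHCP provides none
    dst     -- destination address

    Returns "direct" for an on-link destination (the host ARPs for it and
    sends on its own segment), the gateway address when the packet is handed
    to a router, "loopback" when the gateway is 127.0.0.1 (the packet is
    delivered back to the host itself and never reaches the wire), or None
    when there is no route at all ("network unreachable").
    """
    iface = ip_interface(host)
    dst = ip_address(dst)
    if dst in iface.network:
        return "direct"
    if gateway is None:
        return None
    if ip_address(gateway).is_loopback:
        return "loopback"
    return gateway


# Constructed VLANs: VLAN 10's DHCP scope hands out the firewall as default
# gateway; VLAN 20's scope hands out no gateway at all.
VLAN10 = {"host": "10.0.10.7/24", "gateway": "10.0.10.1"}
VLAN20 = {"host": "10.0.20.7/24", "gateway": None}


def can_leave_vlan(vlan, dst):
    """True only if the packet would actually be forwarded off the segment."""
    hop = next_hop(vlan["host"], vlan["gateway"], dst)
    return hop not in (None, "direct", "loopback")


if __name__ == "__main__":
    print(can_leave_vlan(VLAN10, "198.51.100.10"))  # True
    print(can_leave_vlan(VLAN20, "198.51.100.10"))  # False
    print(can_leave_vlan(VLAN20, "10.0.10.5"))      # False: other VLANs are cut off too
```

Two points the model makes visible: with no gateway, the restricted VLAN loses every off-subnet destination, not just the internet, so any servers those PCs need must live on their own VLAN (which is the premise of the answer); and because the gateway comes from DHCP, a user who can set a static address can give themselves one, so the VLAN should also have no route out at the firewall or switch if this must hold against local administrators.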
