Can I use a managed switch to prevent certain IP addresses from accessing the internet?

Our network has many computers with no reason to access the internet. Can I configure a managed switch to block a group of IP addresses from sending or receiving any data to the firewall appliance? In other words, can I use the switch to say "this group of computers can only communicate within the LAN"? Or should I be using an entirely different approach?
captainrichard asked:
rexxus commented:
If the group of users has no requirement to access any resources outside of their subnet, you could set up two VLANs.

The first VLAN/subnet could be in the same subnet as the firewall and the DHCP options can provide a default gateway of the internal firewall appliance.

The second VLAN/subnet could be configured with no default gateway, or a default gateway of 127.0.0.1, so that no matter what their traffic can't leave the broadcast domain they are attached to.
Patrick49er commented:
You can create a proxy setting on that workstation whereby it points to 127.0.0.1 for the Internet. That will prevent those workstations from even attempting to reach the switch to go to the Internet. As for the switch itself, I don't believe you can do it via IPs, but I do believe you can create blocked access from the MAC.
Dave Howe (Software and Hardware Engineer) commented:
access control is usually a router function, not a switch one - however, many switches are also routers.

what is "default route" set to on the machines?
Rich Rumble (Security Samurai) commented:
If your firewall is doing the NAT, you can block at the firewall based on IP address; not all firewalls can do DNS lookups on hosts. You can move computers to a separate VLAN that does not have a route to the internet. If your switch does layer 3 (IP/routing) you can block on the switch.
You can set a null route to the internet...
but the easiest way, is if they only have IE, setup a false proxy ip address, some IP on your lan that does not have proxy capabilities, and check the box for "disable for local lan" so you should still be able to get to your intranet sites.
-rich
Dave Howe (Software and Hardware Engineer) commented:
To be honest though, if you are going to go down the proxy route, it would be easier and better to establish a real proxy (such as squid) and implement access controls and logging there; then you can deny individual machines *any* access to the internet (by disabling NAT at the outbound router, and restricting it to just the proxy host) other than via the proxy you control.

you can use the various autoconfigure protocols (such as PAC files, or the appropriate DHCP settings) or group policy to push that to the workstations.
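The proxy-side of the thread, Rich Rumble's "false proxy with 'disable for local LAN'" trick and Dave Howe's "real proxy plus a PAC file" approach, both reduce to the same client policy: intranet destinations go DIRECT, everything else goes to a proxy. The PAC file below is an added example, not code from any of the posters. The intranet suffix `.corp.example`, the squid host `10.0.0.5:3128` and the RFC 1918 prefixes are assumed placeholders; `PROXY_MODE` switches between handing internet traffic to the real proxy ("squid") and pointing it at a dead one ("sink"), which is the false-proxy trick. The `inNet`/`domainIs`/`plainHost` wrappers call the browser's PAC built-ins when they exist and fall back to literal-only versions so the file also runs under Node for testing (the browser's `isInNet` additionally resolves hostnames; the fallback does not).

```javascript
// Added example: PAC file for "direct to the LAN, proxy for the internet".
// All addresses and names below are assumptions for illustration.
var PROXY_MODE = "squid";                  // "squid" = real proxy, "sink" = false proxy
var REAL_PROXY = "PROXY 10.0.0.5:3128";    // assumed squid host on the LAN
var DEAD_PROXY = "PROXY 127.0.0.1:1";      // nothing listens here: requests fail locally
var INTRANET_DOMAIN = ".corp.example";     // assumed internal DNS suffix

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or null.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Wrappers around the PAC built-ins. In a browser isInNet, dnsDomainIs and
// isPlainHostName are supplied by the PAC engine; under Node they are absent,
// so these fall back to minimal, literal-only implementations.
function inNet(host, pattern, mask) {
  if (typeof isInNet === "function") return isInNet(host, pattern, mask);
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}
function domainIs(host, domain) {
  if (typeof dnsDomainIs === "function") return dnsDomainIs(host, domain);
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function plainHost(host) {
  if (typeof isPlainHostName === "function") return isPlainHostName(host);
  return host.indexOf(".") === -1;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Bare hostnames and the intranet suffix stay on the LAN ("disable for local LAN").
  if (plainHost(host) || domainIs(host, INTRANET_DOMAIN)) return "DIRECT";
  // RFC 1918 literals and loopback stay on the LAN as well.
  if (inNet(host, "10.0.0.0", "255.0.0.0") ||
      inNet(host, "172.16.0.0", "255.240.0.0") ||
      inNet(host, "192.168.0.0", "255.255.0.0") ||
      inNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  // Everything else is "the internet": the controlled proxy, or a dead one.
  return PROXY_MODE === "sink" ? DEAD_PROXY : REAL_PROXY;
}
```

Serve the file from an internal web server and push its URL by group policy or DHCP option 252 (WPAD), as Dave Howe suggests. Note the limit of this control: a PAC file, like a manual proxy setting, only steers applications that honour it; a user who can change browser settings or run another program is not stopped. What actually prevents the traffic is the network side he describes, i.e. no NAT for the workstation subnet except from the proxy host, or the equivalent ACL on the firewall or layer 3 switch, with the PAC file there to make the allowed path the default one.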