Solved

Can I use a managed switch to prevent certain IP addresses from accessing the internet?

Posted on 2008-10-29
280 Views
Last Modified: 2008-12-07
Our network has many computers with no reason to access the internet. Can I configure a managed switch to block a group of IP addresses from sending or receiving any data to the firewall appliance? In other words, can I use the switch to say this group of computers can only communicate within the LAN? Or should I be using an entirely different approach?
Question by:captainrichard
5 Comments
 
LVL 4

Expert Comment

by:Patrick49er
ID: 22836117
You can create a proxy setting on that workstation whereby it points to 127.0.0.1 for the Internet. That will prevent those workstations from even attempting to reach the switch to go to the Internet. As for the switch itself, I don't believe you can do it via IPs, but I do believe you can create blocked access from the MAC.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 22836544
Access control is usually a router function, not a switch one; however, many switches are also routers.

What is the "default route" set to on the machines?
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 150 total points
ID: 22837893
If your firewall is doing the NAT, you can block at the firewall based on IP address; not all firewalls can do DNS lookups on hosts. You can move computers to a separate VLAN that does not have a route to the internet. If your switch does layer 3 (IP/routing), you can block on the switch.
You can set a null route to the internet...
But the easiest way, if they only have IE, is to set up a false proxy IP address (some IP on your LAN that does not have proxy capabilities) and check the box for "disable for local LAN", so you should still be able to get to your intranet sites.
-rich
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 150 total points
ID: 22838862
To be honest though, if you are going to go down the proxy route, it would be easier and better to establish a real proxy (such as squid) and implement access controls and logging there; then you can deny individual machines *any* access to the internet (by disabling NAT at the outbound router, and restricting it to just the proxy host) other than via the proxy you control.

You can use the various autoconfigure protocols (such as PAC files, or the appropriate DHCP settings) or group policy to push that to the workstations.
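As an added illustration of the proxy approach discussed in the two comments above (not code from any of the posters): a PAC file that sends intranet destinations DIRECT and forces everything else through a Squid proxy with no direct fallback, so a workstation denied in the proxy's ACLs has no route to the Internet. The proxy address `squid.corp.example:3128`, the intranet suffix `.corp.example` and the LAN ranges are assumptions; `isInNet` and `dnsDomainIs` are normally provided by the browser and are shimmed here only so the file can be exercised outside one.

```javascript
// Stand-ins for two PAC built-ins (browsers supply these natively). The
// isInNet shim only handles literal dotted-quad hosts; a real browser
// would resolve a hostname first.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

function isInNet(ip, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  const toInt = (s) => s.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
  const m = toInt(mask);
  return ((toInt(ip) & m) >>> 0) === ((toInt(pattern) & m) >>> 0);
}

// --- PAC file body as pushed to workstations (assumed values) ---
var PROXY_HOST = "PROXY squid.corp.example:3128";   // assumed Squid address
var INTERNAL_DOMAIN = ".corp.example";              // assumed intranet DNS suffix

function FindProxyForURL(url, host) {
  // Unqualified hostnames and the intranet suffix never leave the LAN.
  if (host.indexOf(".") === -1 || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Assumed LAN address ranges (RFC 1918) and loopback bypass the proxy.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else: proxy only, deliberately without a "; DIRECT" fallback,
  // so denial in the proxy ACL (plus NAT restricted to the proxy host) is final.
  return PROXY_HOST;
}
```

Pair this with Squid ACLs that deny the machines in question and with outbound NAT restricted to the proxy host, as the comment above describes.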
 
LVL 5

Accepted Solution

by:rexxus
rexxus earned 200 total points
ID: 22866748
If the group of users has no requirement to access any resources outside of their subnet, you could set up two VLANs.

The first VLAN/subnet could be in the same subnet as the firewall and the DHCP options can provide a default gateway of the internal firewall appliance.

The second VLAN/subnet could be configured with no default gateway, or a default gateway of 127.0.0.1, so that no matter what their traffic can't leave the broadcast domain they are attached to.