Solved

Can I use a managed switch to prevent certain IP addresses from accessing the internet?

Posted on 2008-10-29
5
283 Views
Last Modified: 2008-12-07
Our network has many computers with no reason to access the internet.  Can I configure a managed switch to block a group of IP addresses from sending or receiving any data to the firewall appliance?  In other words can I use the switch to say  this group of computers can only communicate within the LAN?  Or should I be using an entirely different approach?
0
Comment
Question by:captainrichard
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 4

Expert Comment

by:Patrick49er
ID: 22836117
You can create a proxy setting on that workstation whereby it points to 127.0.0.1 for the Internet.  That will prevent those workstations from even attempting to reach the switch to go to the Internet.  As for the switch itself, I don't believe you can do it via IPs, but I do believe you can create blocked access from the MAC.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 22836544
access control is usually a router function, not a switch one - however, many switches are also routers.

what is "default route" set to on the machines?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 150 total points
ID: 22837893
If your firewall is doing the NAT, you can block at the firewall based on IP address, not all firewalls can do DNS lookups on hosts. You can move computers to a seperate vlan that does not have a route to the internet. If your switch does layer 3 (ip/routing)you can block on the switch.
You can set a null route to the internet...
but the easiest way, is if they only have IE, setup a false proxy ip address, some IP on your lan that does not have proxy capabilities, and check the box for "disable for local lan" so you should still be able to get to your intranet sites.
-rich
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 150 total points
ID: 22838862
To be honest though, if you are going to go down the proxy route, it would be easier and better to establish a real proxy (such as squid) and implement access controls and logging there; then you can deny individual machines *any* access to the internet (by disabling NAT at the outbound router, and restricting it to just the proxy host) other than via the proxy you control.

you can use the various autoconfigure protocols (such as PAC files, or the appropriate DHCP settings) or group policy to push that to the workstations.
0
 
LVL 5

Accepted Solution

by:
rexxus earned 200 total points
ID: 22866748
If the groups of users has no requirement to access any resources outside of their subnet, you could set up two VLANs.

The first VLAN/subnet could be in the same subnet as the firewall and the DHCP options can provide a default gateway of the internal firewall appliance.

The second VLAN/subnet could be configured with no default gateway, or a default gateway of 127.0.0.1, so that no matter what their traffic can't leave the broadcast domain they are attached to.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
Do you know what to look for when considering cloud computing? Should you hire someone or try to do it yourself? I'll be covering these questions and looking at the best options for you and your business.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question