Solved

Smart Switch and IP Blocking

Posted on 2009-07-13
15
541 Views
Last Modified: 2012-05-07
Hi,

We have a number of sites connected via radio links around the site, but effectively it's just one network running on 10.0.0.***. At each site we have the radio connector, which is attached to a switch, then devices are attached to the switch (this is applied at each site).

We wanted it so at each site only certain IP addresses are allowed to talk through to the switch, so would it be possible to add a smart switch at each site and have it so:

RADIO CONNECTOR > SMART SWITCH (this would only allow certain IP addresses from the other side of the radio connector to pass) > SWITCH > DEVICES

Am I making sense?
0
Question by:Fruit_Box
15 Comments
 
LVL 21

Expert Comment

by:from_exp
ID: 24846656
What do you mean by smart switch? What switch model do you have?
Anyway, I would suggest making such limitations on routers (on the wireless connectors, I suppose, in your case). Again, the model name is needed here.
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24846853
ProSafe® 8-Port Gigabit Smart Switch
GS108T for example
0
 
LVL 21

Expert Comment

by:from_exp
ID: 24846923
I don't think you will be able to block certain traffic towards AP.
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24846936
But what about the built-in ACL security? For example, the ProSafe® 24-port Gigabit Stackable Smart Switch
GS724TS has ACL filtering to permit or deny traffic based on MAC addresses or IP addresses.

http://www.netgear.com.au/au/Product/Switches/Advanced-Smart-Switc/GS724TS
0
 
LVL 21

Expert Comment

by:from_exp
ID: 24846998
Here is a manual for your device:
ftp://downloads.netgear.com/files/GS108T_UM_11Feb08.pdf

There are no options for dropping traffic passing through the switch.
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24847309
OK, so what unit could I use to do IP dropping at switch level?
0
 
LVL 21

Expert Comment

by:from_exp
ID: 24847457
I would suggest changing your network topology:
separate the clients at each site from the wireless infrastructure with a firewall (you can use almost any Netgear firewall, I suppose).
Please understand that I could suggest you use Cisco switches to do the job, but home-level routers can also do it. The only thing to consider is the ability to disable NAT (network address translation) on the router.
If you are using a point-to-multipoint wireless solution, then you really need to limit unnecessary traffic within the wireless segment, because all wireless participants share their bandwidth.

So my solution would be:
site 1 network 192.168.1.0/24
site 2 network 192.168.2.0/24
site 3 network 192.168.3.0/24
core wireless network with 10.0.0.0/24
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24848717
Thanks for the time on this; however, changing the network topology is a no-go. The network is pretty much one giant network ring working on IP addressing only, a simple network.

I'm thinking a firewall at each site, adding firewall rules to only allow a certain group of IP addresses to pass; then, because we can use a firewall, we can also block some pointless traffic like DNS, etc.

What do you think?
0
 
LVL 21

Expert Comment

by:from_exp
ID: 24849162
Hm,
possibly I have explained poorly, but introducing firewalls at each site means segmenting the network according to the method I provided.
Otherwise you can't put part of a network behind a firewall without losing connectivity between its parts.

Please understand that when you have a firewall between networks, each side of the firewall must have its own subnet.
Can you please draw a quick scheme of your network,
at least with several sites? Please show the IPs of the equipment and the network addresses.
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24855928
Please find the attached diagram; very simple, as you can see, but it is a very simple network that runs totally off IP.


So what we would need is a solution that can be applied at each site where you could enter a group of IP addresses to stop them communicating. For example, at the site 10.0.0.20-25, the smart switch could be configured to drop all traffic that comes from 10.0.0.40-45 IP addresses, but not 10.0.0.30-25 etc., but each site could be configured with its own set of rules. Hope this makes sense; there must be an easy solution for this.

A layer 3 switch with IP ACL built in should do the trick, right?


Drawing1.jpg
0
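An added example, not code from the thread or from any Netgear product, that models the two approaches discussed: from_exp's point that a firewall only separates traffic once each side has its own subnet, and Fruit_Box's request for a per-site filter that drops traffic from 10.0.0.40-45 while leaving 10.0.0.30-35 alone. The addresses are the ones quoted in the discussion; the site names, the rule syntax and the first-match/default-action behaviour are constructed for illustration and are not the semantics of any particular switch. It also shows a practical detail the thread does not: most ACL syntaxes take prefixes or wildcard masks, not `x-y` ranges, so a range like 10.0.0.40-45 has to be split into CIDR blocks before it can be entered.

```python
"""Model per-site source-IP filtering on a flat 10.0.0.0/24 network.

Added example; not code from the thread. Addresses come from the discussion,
everything else (site names, rule model, default action) is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network


def range_to_cidrs(first: str, last: str) -> list[IPv4Network]:
    """Express an inclusive address range as the prefixes an ACL entry needs.

    10.0.0.40-45 is not one prefix: it becomes 10.0.0.40/30 plus 10.0.0.44/31.
    Forgetting the second block silently leaves .44 and .45 unfiltered.
    """
    return list(ipaddress.summarize_address_range(
        IPv4Address(first), IPv4Address(last)))


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    sources: list[IPv4Network]   # source prefixes this rule matches

    def matches(self, src: IPv4Address) -> bool:
        return any(src in net for net in self.sources)


@dataclass
class SiteAcl:
    """Inbound filter on one site's uplink port, evaluated first-match.

    `default` is what happens when no rule matches. A permit-by-default list
    (block the named ranges) is what the question asks for; a deny-by-default
    list (allow only the named ranges) is the tighter form.
    """
    name: str
    rules: list[Rule] = field(default_factory=list)
    default: str = "permit"

    def deny_range(self, first: str, last: str) -> "SiteAcl":
        self.rules.append(Rule("deny", range_to_cidrs(first, last)))
        return self

    def permit_range(self, first: str, last: str) -> "SiteAcl":
        self.rules.append(Rule("permit", range_to_cidrs(first, last)))
        return self

    def decide(self, src_ip: str) -> str:
        src = IPv4Address(src_ip)
        for rule in self.rules:          # first match wins
            if rule.matches(src):
                return rule.action
        return self.default


def next_hop(local_iface: str, dst_ip: str, gateway: str) -> str:
    """Where a host sends a packet: directly on-link, or via its gateway.

    On one flat /24 every other site is on-link, so nothing routed (a firewall
    between subnets) ever sees the traffic; only an inline filter at the site's
    uplink can drop it. With one subnet per site, inter-site traffic goes
    through the gateway, which is where a firewall can enforce policy.
    """
    iface = ipaddress.ip_interface(local_iface)
    if IPv4Address(dst_ip) in iface.network:
        return "on-link"
    return gateway


if __name__ == "__main__":
    # Constructed sample: the filter for the site holding 10.0.0.20-25.
    site20 = SiteAcl("site-20").deny_range("10.0.0.40", "10.0.0.45")
    print("ACL entries needed for 10.0.0.40-45:",
          [str(n) for n in range_to_cidrs("10.0.0.40", "10.0.0.45")])
    for src in ("10.0.0.42", "10.0.0.45", "10.0.0.46", "10.0.0.31"):
        print(f"{site20.name}: traffic from {src} -> {site20.decide(src)}")

    # Flat design from the question vs. from_exp's one-subnet-per-site plan.
    print("flat 10.0.0.0/24:", next_hop("10.0.0.21/24", "10.0.0.41", "10.0.0.1"))
    print("per-site subnets:", next_hop("192.168.1.21/24", "192.168.2.41", "192.168.1.1"))
```

The `next_hop` check is the substance of from_exp's objection: a firewall only enforces anything on traffic that is routed through it, and hosts on the same /24 never route to each other, so without re-addressing the sites the filtering has to be done inline (a transparent filter or a switch ACL on the uplink port), which is why the thread keeps coming back to whether a given switch model supports ACLs at all.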
 
LVL 21

Expert Comment

by:from_exp
ID: 24857770
Hi. L3 can do the stuff, but again, switches are designed to switch and route traffic (L3); if you want something to be blocked you should use firewalls, because IP ACLs in IP switches are not that flexible.
So I still stick to the solution I provided.
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24858000
OK, thanks. I would rather go down the firewall path, but we really can't change the infrastructure.

Without changing the topology, could you recommend any other solution?
0
 
LVL 21

Accepted Solution

by:
from_exp earned 500 total points
ID: 24858503
What kind of APs do you have?
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24858865
They aren't APs like an SMB would use; they are line-of-sight HR radios, running at about 10 Mb. The radios and the network aren't the problem; the design we have works well for the information we use (this setup is used to monitor PLCs, so we are not running a domain off it etc.), but yeah, it's getting to a point where it's easier to just outsource someone at $120 an hour to get this all fixed up.
0
 
LVL 2

Author Closing Comment

by:Fruit_Box
ID: 31603149
over it
0