Fruit_Box asked:
Smart Switch and IP Blocking

Hi,

We have a number of sites connected via radio links around the site, but effectively it's just one network running on 10.0.0.***. At each site we have the radio connector, which is attached to a switch, and then devices are attached to the switch (this setup is applied at each site).

We wanted it so that at each site only certain IP addresses are allowed to talk through to the switch, so would it be possible to add a smart switch at each site and have it so:

RADIO CONNECTOR > SMART SWITCH (this would only allow certain IP addresses from the other side of the radio connector to pass) > SWITCH > DEVICES

Am I making sense?

from_exp replied:

What do you mean by smart switch? What switch model do you have?
Anyway, I would suggest making such limitations on routers, i.e. on the wireless connectors, I suppose, in your case. Again, the model name is needed here.
Fruit_Box (asker):
ProSafe® 8-Port Gigabit Smart Switch
GS108T for example

I don't think you will be able to block certain traffic towards the AP.

But what about the built-in ACL security? For example, the ProSafe® 24-port Gigabit Stackable Smart Switch GS724TS has the ability to do ACL filtering to permit or deny traffic based on MAC addresses or IP addresses.

http://www.netgear.com.au/au/Product/Switches/Advanced-Smart-Switc/GS724TS

Here is the manual for your device:
ftp://downloads.netgear.com/files/GS108T_UM_11Feb08.pdf

There are no options for dropping traffic passing through the switch.

OK, so what unit could I use to do IP dropping at switch level?

I would suggest changing your network topology:
separate the clients at each site from the wireless infrastructure with a firewall (you can use almost any Netgear firewall, I suppose).
Please understand that I could suggest you use Cisco switches to do the job, but home-level routers can also do the job. The only thing to consider is the ability to disable NAT (network address translation) on the router.
If you are using a point-to-multipoint wireless solution, then you really need to limit unnecessary traffic within the wireless segment, because all wireless participants share their bandwidth.

So my solution would be:
site 1 network 192.168.1.0/24
site 2 network 192.168.2.0/24
site 3 network 192.168.3.0/24
core wireless network 10.0.0.0/24

Thanks for the time on this; however, changing the network topology is a no-go. The network is pretty much one giant network ring working on IP addressing only, a simple network.

I'm thinking a firewall at each site, and add firewall rules to only allow a certain group of IP addresses to pass; then also, because we can use a firewall, we can block some pointless traffic like DNS, etc.

What do you think?

Hm,
possibly I have explained poorly, but introducing firewalls at each site means segmenting the network according to the method I provided.
Otherwise you can't put part of a network behind a firewall without losing connectivity between its parts.

Please understand that when you have a firewall between networks, it means that each side of the firewall must have its own subnet.
Can you please draw a quick scheme of your network,
at least with several sites? Please show the IPs of the equipment and the network addresses.

Please find the attached diagram. Very simple, as you can see, but it is a very simple network that runs totally off IP.

So what we would need is a solution that can be applied at each site where you could enter a group of IP addresses to stop them communicating. For example, at the site 10.0.0.20-25, the smart switch could be configured to drop all traffic that comes from 10.0.0.40-45 IP addresses, but not 10.0.0.30-25 etc., but each site could be configured with its own set of rules. Hope this makes sense; there must be an easy solution for this.

A layer 3 switch with IP ACL built in should do the trick, right?

Drawing1.jpg
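The per-site rule set described in the post above, as an added example that is not part of the thread and not taken from any Netgear manual: a small Python model of a stateless, first-match source-IP ACL with an implicit deny at the end, which is how smart and L3 switch ACLs generally behave. It turns the poster's dotted ranges into the CIDR blocks and wildcard masks an ACL entry actually takes, and evaluates constructed sample sources against the resulting rules. Assumptions are mine: 10.0.0.40-45 is the deny range from the post, 10.0.0.30-35 is taken as the permitted peer range (the post's "10.0.0.30-25" is ambiguous), and the function names and the `action ip <source> <wildcard> any` rendering follow the common ACL syntax rather than a specific vendor's CLI.

```python
import ipaddress
from typing import List, Tuple

# Example code added for illustration; not from the thread or any Netgear manual.
# Models a stateless, first-match source-IP ACL with an implicit deny at the end.

Rule = Tuple[str, ipaddress.IPv4Network]   # ("permit" | "deny", source block)


def range_to_cidrs(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Split a dotted range (e.g. 10.0.0.40-10.0.0.45) into the minimal set of
    CIDR blocks; ACL entries take an address plus mask, not an arbitrary range."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def wildcard_mask(net: ipaddress.IPv4Network) -> str:
    """Cisco-style wildcard (inverted netmask) for one block, e.g. /30 -> 0.0.0.3."""
    return str(net.hostmask)


def build_site_acl(permit_ranges: List[Tuple[str, str]],
                   deny_ranges: List[Tuple[str, str]]) -> List[Rule]:
    """Explicit denies first so they win over any overlapping permit; anything
    not matched falls through to the implicit deny in acl_decision()."""
    rules: List[Rule] = []
    for first, last in deny_ranges:
        rules += [("deny", net) for net in range_to_cidrs(first, last)]
    for first, last in permit_ranges:
        rules += [("permit", net) for net in range_to_cidrs(first, last)]
    return rules


def render_acl(rules: List[Rule]) -> List[str]:
    """Render as 'action ip <source> <wildcard> any' (assumed generic syntax
    for illustration, not a specific vendor's CLI)."""
    return [f"{action} ip {net.network_address} {wildcard_mask(net)} any"
            for action, net in rules]


def acl_decision(rules: List[Rule], src_ip: str) -> str:
    """The first matching entry decides; no match means the implicit deny."""
    src = ipaddress.IPv4Address(src_ip)
    for action, net in rules:
        if src in net:
            return action
    return "deny"


# Constructed sample: the rule set for the site holding 10.0.0.20-25.
SITE_ACL = build_site_acl(
    permit_ranges=[("10.0.0.30", "10.0.0.35")],   # assumed peer range
    deny_ranges=[("10.0.0.40", "10.0.0.45")],     # the poster's deny range
)

# Constructed sample sources to evaluate against the site ACL.
SAMPLE_SOURCES = ["10.0.0.42", "10.0.0.33", "10.0.0.30", "10.0.0.36", "10.0.0.99"]

if __name__ == "__main__":
    for line in render_acl(SITE_ACL):
        print(line)
    print("deny ip any any   (implicit)")
    for ip in SAMPLE_SOURCES:
        print(f"{ip:>12} -> {acl_decision(SITE_ACL, ip)}")
```

The range conversion is the practical caveat: 10.0.0.40-45 does not fit a single mask, so it costs two entries (10.0.0.40/30 and 10.0.0.44/31), and ranges that do not align to power-of-two boundaries multiply entries quickly, which matters on small switches with limited ACL tables. The model is also stateless, matching only the source address in one direction; return traffic from a permitted peer is judged by whatever ACL is applied on the outbound side, so both directions need entries.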

Hi. L3 can do the stuff, but again, switches are designed to switch and route traffic (L3); if you want something to be blocked you should use firewalls, because the IP ACLs in IP switches are not that flexible.
So I still stick to my provided solution.

OK, thanks. I would rather go down the firewall path, but we really can't change the infrastructure.

Without changing the topology, could you recommend any other solution?


ASKER CERTIFIED SOLUTION
from_exp

They aren't APs like an SMB would use; they are line-of-sight HR radios that run at about 10 Mb. The radios or the network isn't the problem; the design we have works well for the information we use (this setup is used to monitor PLCs, so we are not running a domain off it, etc.), but yeah, it's getting to a point where it's easier to just outsource someone at $120 an hour to get this all fixed up.
Over it.