Solved

Smart Switch and IP Blocking

Posted on 2009-07-13
542 Views
Last Modified: 2012-05-07
Hi,

We have a number of sites connected via radio links around the site, but effectively it's just one network running on 10.0.0.***. At each site we have the radio connector, which is attached to a switch, then devices are attached to the switch (this is applied at each site).

We wanted it so that at each site only certain IP addresses are allowed to talk through to the switch, so would it be possible to add a smart switch at each site and have it so:

RADIO CONNECTOR > SMART SWITCH (this would only allow certain IP addresses from the other side of the radio connector to pass) > SWITCH > DEVICES

Am I making sense?
Question by:Fruit_Box
15 Comments
 
LVL 21

Expert Comment

by:from_exp
ID: 24846656
What do you mean by smart switch? What switch model do you have?
Anyway, I would suggest making such limitations on routers - on the wireless connectors, I suppose, in your case. Again, the model name is needed here.
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24846853
ProSafe® 8-Port Gigabit Smart Switch
GS108T for example
0
 
LVL 21

Expert Comment

by:from_exp
ID: 24846923
I don't think you will be able to block certain traffic towards AP.
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24846936
But what about the built-in ACL security? For example, the ProSafe® 24-port Gigabit Stackable Smart Switch
GS724TS has the ability to do ACL filtering to permit or deny traffic based on MAC addresses or IP addresses.

http://www.netgear.com.au/au/Product/Switches/Advanced-Smart-Switc/GS724TS
0
 
LVL 21

Expert Comment

by:from_exp
ID: 24846998
Here is a manual for your device:
ftp://downloads.netgear.com/files/GS108T_UM_11Feb08.pdf

There are no options for dropping traffic passing through the switch.
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24847309
OK, so what unit could I use to do IP dropping at switch level?
0
 
LVL 21

Expert Comment

by:from_exp
ID: 24847457
I would suggest changing your network topology:
separate the clients at each site from the wireless infrastructure with a firewall (you can use almost any Netgear firewall, I suppose).
Please understand that I could suggest you use Cisco switches to do the job, but home-level routers can also do the job. The only thing to consider is the ability to disable NAT (network address translation) on the router.
If you are using a point-to-multipoint wireless solution, then you really need to limit unnecessary traffic within the wireless segment, because all wireless participants share their bandwidth.

So my solution would be:
site 1 network 192.168.1.0/24
site 2 network 192.168.2.0/24
site 3 network 192.168.3.0/24
core wireless network with 10.0.0.0/24
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24848717
Thanks for the time on this; however, changing the network topology is a no-go. The network is pretty much one giant network ring working on IP addressing only, a simple network.

I'm thinking a firewall at each site, and add firewall rules to only allow a certain group of IP addresses to pass; then also, because we can use a firewall, we can block some pointless traffic like DNS, etc.

What do you think?
0
 
LVL 21

Expert Comment

by:from_exp
ID: 24849162
Hm,
possibly I have poorly explained, but introducing firewalls at each site means segmenting the network according to the method I provided.
Otherwise you can't put part of a network behind a firewall without losing connectivity between its parts.

Please understand that when you have a firewall between networks, it means that each side of the firewall must have its own subnet.
Can you please draw a quick scheme of your network,
at least with several sites. Please show the IPs of equipment and the network addresses.
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24855928
Please find the attached diagram. Very simple, as you can see, but it is a very simple network that runs totally off IP.

So what we would need is a solution that can be applied at each site where you could enter a group of IP addresses to stop them communicating. For example, at the site 10.0.0.20-25, the smart switch could be configured to drop all traffic that comes from 10.0.0.40-45 IP addresses, but not 10.0.0.30-25, etc., but each site could be configured with its own set of rules. Hope this makes sense; there must be an easy solution for this.

A layer 3 switch with IP ACL built in should do the trick, right?


Drawing1.jpg
0
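The per-site rule set described above (protect 10.0.0.20-25, drop anything arriving from 10.0.0.40-45, permit the rest) maps onto a first-match IP ACL applied inbound on the radio-facing port. The following is an added example, not code from the thread or from Netgear; it simulates such an ACL in Python so the matching semantics can be checked before typing them into a device. It assumes the usual switch-ACL conventions (rules take a prefix and mask rather than an address range, first matching rule wins, implicit deny at the end) and uses only the addresses that appear in the discussion; the packet list at the bottom is constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network, summarize_address_range


@dataclass(frozen=True)
class AclRule:
    action: str          # "permit" or "deny"
    src: IPv4Network     # source prefix the rule matches
    dst: IPv4Network     # destination prefix the rule matches


def range_to_prefixes(first: str, last: str) -> list[str]:
    """Switch ACLs take prefix/mask entries, not ranges: split an
    inclusive range into the minimal set of CIDR blocks that cover it."""
    blocks = summarize_address_range(ip_address(first), ip_address(last))
    return [str(b) for b in blocks]


def build_site_acl(protected: tuple[str, str], blocked: tuple[str, str]) -> list[AclRule]:
    """One site's ACL: deny every blocked source prefix towards every
    protected destination prefix, then permit everything else.
    A switch that lacks the trailing permit would implicitly deny all."""
    rules = []
    for b in range_to_prefixes(*blocked):
        for p in range_to_prefixes(*protected):
            rules.append(AclRule("deny", ip_network(b), ip_network(p)))
    any_net = ip_network("0.0.0.0/0")
    rules.append(AclRule("permit", any_net, any_net))
    return rules


def evaluate(rules: list[AclRule], src: str, dst: str) -> str:
    """First-match evaluation; unmatched packets hit the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return "deny"


def filter_packets(rules: list[AclRule], packets: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Apply the ACL to (src, dst) pairs and return (src, dst, action) triples."""
    return [(src, dst, evaluate(rules, src, dst)) for src, dst in packets]


# Site holding 10.0.0.20-25, blocking sources 10.0.0.40-45 (from the thread).
SITE_ACL = build_site_acl(protected=("10.0.0.20", "10.0.0.25"),
                          blocked=("10.0.0.40", "10.0.0.45"))

# Constructed sample traffic arriving from the radio side of the site.
SAMPLE_PACKETS = [
    ("10.0.0.42", "10.0.0.22"),   # blocked source -> protected host: deny
    ("10.0.0.45", "10.0.0.25"),   # edge of blocked range: deny
    ("10.0.0.46", "10.0.0.25"),   # just outside blocked range: permit
    ("10.0.0.31", "10.0.0.22"),   # unrelated source: permit
    ("10.0.0.42", "10.0.0.26"),   # blocked source but not a protected host: permit
]

if __name__ == "__main__":
    for prefix in range_to_prefixes("10.0.0.40", "10.0.0.45"):
        print("deny-source prefix:", prefix)
    for src, dst, action in filter_packets(SITE_ACL, SAMPLE_PACKETS):
        print(f"{src} -> {dst}: {action}")
```

The range split is the part that bites in practice: 10.0.0.40-45 is not one prefix but 10.0.0.40/30 plus 10.0.0.44/31, so an ACL written as a single entry would either miss .44-.45 or spill over into .46-.47. Note also that the ACL only does anything on the port and direction it is bound to; rules applied to the device-facing ports would never see traffic arriving over the radio.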
 
LVL 21

Expert Comment

by:from_exp
ID: 24857770
Hi, L3 can do the job, but again, switches are designed to switch and route traffic (L3); if you want something to be blocked, you should use firewalls, because IP ACLs in IP switches are not that flexible.
So I still stick to my provided solution.
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24858000
OK, thanks. I would rather go down the firewall path, but we really can't change the infrastructure.

Without changing the topology, could you recommend any other solution?
0
 
LVL 21

Accepted Solution

by:
from_exp earned 500 total points
ID: 24858503
What kind of APs do you have?
0
 
LVL 2

Author Comment

by:Fruit_Box
ID: 24858865
They aren't APs like an SMB would use; they are line-of-sight HR radios, running at about 10 Mb. The radios or the network isn't the problem; the design we have works well for the information we use (this setup is used to monitor PLCs, so we are not running a domain off it, etc.), but yeah, it's getting to a point where it's easier to just outsource someone at $120 an hour to get this all fixed up.
0
 
LVL 2

Author Closing Comment

by:Fruit_Box
ID: 31603149
over it
0