Solved

Can I create a route by MAC address to keep a machine limited to an IP address

Posted on 2011-03-14
373 Views
Last Modified: 2012-05-11
I have a server hosting two virtual machines. Each machine is assigned a static IP address in a different network and is routed to a separate firewall gateway. They both travel through a common virtual switch, and through a physical switch as well, before the gateway.

Since these are two different entities, I am concerned that a user on network1 could find out the address of network2. Since they both use WAN access, they cannot remove the existing IP without losing their connection, but adding an IP could be an issue if, via social hacking, sniffing or dumb luck, they discovered the other address range. In that case they would be able to add that IP range on their machine and browse to the other network. I realize they would likely have to crack a password to actually break into another machine, but if they are doing the first then they would likely do the second as well. So, if network1 is 192.168.11.0/24 and network2 is 192.168.12.0/24 for instance, can I use the computer MAC address on the machines in a route to block all traffic from one VM to the other VM? Or set up a route on each machine that automatically sent any traffic not on their correct network to the bit bucket. What is the most effective way to limit the machines to their own networks?
Question by:timgil
4 Comments
LVL 6

Expert Comment

by:RKinsp
ID: 35130901
If I understand your problem correctly, Access Control Lists are the best way to limit this.

Since your VMs are on different VLANs, you can implement this security on your Router by blocking communication from 192.168.11.0 to 192.168.12.0 and vice-versa.

What router are you using?

-RK

Author Comment

by:timgil
ID: 35131055
I have a Fortinet 111C router, but my concern is that the packets would never go that far: if, say, the guy on network one set an additional IP address and gateway valid on the second network, he could browse that network. The packets might only have to go as far as the first switch? I don't know for sure about that; I am asking. As far as the ACLs go, they have administrator-level access on each of their respective machines, so I would not be able to set an ACL that they couldn't undo.
LVL 6

Accepted Solution

by: RKinsp (earned 250 total points)
ID: 35131256
Your physical switch could limit this if it has layer 2 ACLs (which external users should not have access to); the problem is the virtual switch. If it is the regular vSwitch then you can't block the traffic from virtual machine A to virtual machine B.

What you would have to do is bridge the virtual NICs to the physical one instead of using a virtual switch, so all traffic would have to go out to the physical switch. If it supports layer 2 ACLs you could use that to block communication from MAC A to MAC B. It might not even be necessary, since a lot of switches will not forward a packet to the interface it came from, but it would be a way to make sure.

Although this would stop some users, please note that it is possible to change MAC addresses on a virtual machine. You could use something more advanced, such as a virtual IPS (check out vcontroller on Google).

-RK
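The exchange above turns on where each control sits on the path between the two VMs: a layer-3 ACL on the gateway only sees traffic that is routed, so a VM that adds a secondary address in the other subnet talks to its neighbour at layer 2 and never hits it; a layer-2 ACL on the physical switch catches that, but is keyed on MAC addresses the VM owner can change. The following model is an added example, not code from the thread or from any of the products mentioned. The MAC addresses, host IPs and the deny-pair style of the switch ACL are assumptions chosen for illustration; the two subnets are the ones in the question. ARP, VLAN tags and the vSwitch are left out, and frames are assumed to reach the physical switch as the accepted answer recommends.

```python
"""Where each control sits between two VMs on 192.168.11.0/24 and 192.168.12.0/24.

Constructed model (added example, not from the page):
  - a physical switch with an optional layer-2 ACL keyed on MAC pairs
  - a gateway with a layer-3 ACL denying network1 <-> network2
"""
import ipaddress
from dataclasses import dataclass

NET1 = ipaddress.ip_network("192.168.11.0/24")   # network1 (from the question)
NET2 = ipaddress.ip_network("192.168.12.0/24")   # network2 (from the question)

# Constructed MAC addresses (assumptions, not from the page).
VM1_MAC = "00:50:56:aa:00:01"   # VM on network1
VM2_MAC = "00:50:56:aa:00:02"   # VM on network2
GW1_MAC = "00:50:56:aa:00:fe"   # network1's gateway

# Layer-2 ACL on the physical switch: deny frames between the two VM MACs,
# either direction, stored as unordered pairs.
L2_DENY_PAIRS = {frozenset({VM1_MAC, VM2_MAC})}


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def l2_acl_permits(frame: Frame) -> bool:
    """Switch L2 ACL: drop any frame whose (src, dst) MAC pair is denied."""
    pair = frozenset({frame.src_mac.lower(), frame.dst_mac.lower()})
    return pair not in L2_DENY_PAIRS


def same_subnet(frame: Frame) -> bool:
    """True when src and dst sit in the same subnet.  Such traffic is switched
    at layer 2 and never reaches the gateway, so its ACL cannot see it."""
    src = ipaddress.ip_address(frame.src_ip)
    dst = ipaddress.ip_address(frame.dst_ip)
    return any(src in net and dst in net for net in (NET1, NET2))


def router_acl_permits(frame: Frame) -> bool:
    """Gateway L3 ACL: deny network1 <-> network2 in both directions."""
    src = ipaddress.ip_address(frame.src_ip)
    dst = ipaddress.ip_address(frame.dst_ip)
    crosses = (src in NET1 and dst in NET2) or (src in NET2 and dst in NET1)
    return not crosses


def delivered(frame: Frame, l2_acl: bool) -> bool:
    """Does the frame reach its destination with the given controls in place?"""
    if l2_acl and not l2_acl_permits(frame):
        return False                  # dropped at the switch, IP layer irrelevant
    if same_subnet(frame):
        return True                   # switched locally; router ACL never consulted
    return router_acl_permits(frame)  # routed via the gateway and its ACL


# Constructed scenarios.
# 1: VM1 with its legitimate address targets VM2 across subnets (via the gateway).
NORMAL = Frame(VM1_MAC, GW1_MAC, "192.168.11.10", "192.168.12.10")
# 2: VM1 adds a secondary address in network2 (the questioner's worry) and
#    sends straight to VM2's MAC.
SECONDARY_IP = Frame(VM1_MAC, VM2_MAC, "192.168.12.50", "192.168.12.10")
# 3: as 2, but VM1 also changed its MAC (the caveat in the accepted answer).
SPOOFED_MAC = Frame("00:50:56:aa:00:99", VM2_MAC, "192.168.12.50", "192.168.12.10")


def run_scenarios() -> dict:
    return {
        "normal, router ACL only": delivered(NORMAL, l2_acl=False),
        "secondary IP, router ACL only": delivered(SECONDARY_IP, l2_acl=False),
        "secondary IP, switch L2 ACL": delivered(SECONDARY_IP, l2_acl=True),
        "secondary IP + spoofed MAC, switch L2 ACL": delivered(SPOOFED_MAC, l2_acl=True),
    }


if __name__ == "__main__":
    for name, reached in run_scenarios().items():
        print(f"{name}: {'DELIVERED' if reached else 'blocked'}")
```

The second scenario is the questioner's exact worry: once the sender's address is inside 192.168.12.0/24, the frame is switched, not routed, and the gateway ACL is never consulted. The switch-side rule closes that, and the third scenario shows why the accepted answer adds the caveat: a deny rule keyed on the VM's original MAC stops matching as soon as the VM owner changes it. A permit-only MAC list per switch port (rather than a deny pair) narrows the spoofer to a permitted MAC but still does not make the MAC an identity, which is what motivates the pointer to an IPS.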
LVL 6

Expert Comment

by:RKinsp
ID: 35151167
Thanks for the points!

-RK