
Blocking kazaa on switch 1


brewer61

IS-IT--Management
Feb 24, 2003
I have a dedicated floor for users to get on the internet. The issue is that they come and go. They take their computers home and load, say, Kazaa or iMesh or other file sharing programs. This is good at home, but at work we have material we cannot risk going out. At the same time the permanent users use file sharing in-house. So I only need to block that floor. Is there a way to block such programs on the single switch on the floor?
 
Yes, if you use a combination of VLANs and ACLs on a router and/or policies in a firewall.

For example, if you split up your office network and assigned IP subnets and VLANs by floor, you might end up with something like this...

floor 1 - Vlan10 IP network 192.168.1.0 255.255.255.0

floor 2 - Vlan20 IP network 192.168.2.0 255.255.255.0

floor 3 - Vlan30 IP network 192.168.3.0 255.255.255.0

and so on....

Depending on your infrastructure, you could use VLAN tagging (802.1Q or ISL) with a router to pass traffic between VLANs, e.g. if VLANs 10 and 30 needed to talk to each other.

You could also create an access list or firewall policy to block Kazaa traffic on an individual subnetwork, e.g. an ACL to block any traffic originating from VLAN 20 out to the internet using TCP port 1214 (Kazaa).
 
Well, the way I am set up, each floor has a switch fibered to the ground floor. The real trick is I want to block port 1214 (that's for outbound, correct?) so they can't even connect to the server, but like I said, only block that floor. We use file sharing to the internet between buildings. New question: can I block IP ranges from that port,
say floor 3 running
199.23.2.18-99
but I want the rest to be able to use that port if necessary? Is it possible?
 
Yes, you can block IP ranges. You can only do this on the router or firewall though, unless your switches have Layer 3 capabilities (i.e. Cisco 3550 series).

How are you connecting out to the internet? Do you use a hardware firewall of some description?

There is another way of doing it also, by using a proxy server (i.e. Microsoft IAS) and restricting either file types (.mp3, .mpg, .jpg, etc.) or blocking TCP/UDP ports.

 
My network setup is that I have an inside network of
77.30.22.0
and it's translated to the outside on my firewall to another broadcastable IP range. How can it be done through the routers?
 
Find out which inside IP addresses you want to block. For example, you might want to block 77.30.22.1 - 77.30.22.16.

Then you can add an access list to your NAT statement on the router (I'm presuming here that you're using Cisco routers).

For example,

! NAT pool of public addresses (x.x.x.x = your real outside range)
ip nat pool testpool x.x.x.x x.x.x.x netmask 255.255.255.0
! Inside hosts are translated only if access-list 101 permits them
! ("inside source", since the private addresses sit on the inside interface)
ip nat inside source list 101 pool testpool
!
interface Ethernet1
 ip address 77.30.22.x 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no ip route-cache
!
interface Serial1
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 no ip mroute-cache
 no ip route-cache
 clockrate 2000000
!
! Default route: destination 0.0.0.0 with mask 0.0.0.0
ip route 0.0.0.0 0.0.0.0 Serial1
!
! Port matches need an extended ACL (100-199); a standard list (1-99)
! matches only the source address. Wildcard 0.0.0.63 covers 77.30.22.0 - 77.30.22.63.
access-list 101 deny tcp 77.30.22.0 0.0.0.63 any eq 1214
access-list 101 deny udp 77.30.22.0 0.0.0.63 any eq 1214
access-list 101 permit ip any any
! Caveat: a deny in the NAT list only stops translation; the packet still
! leaves with its private source address. To actually drop it, apply the
! same list inbound on Ethernet1 with "ip access-group 101 in".

I would suggest practicing ACLs in a test lab until you're comfortable with them before trying this, as you can cause major problems if you get it wrong.
 