total newbie question about dividing certain users on our network

DougP

We have a software program called Clark Connect running on our server. So the Verizon router plugs into 1 NIC in the server and a second NIC goes to our network. Clark Connect blocks certain sites.
Right now it blocks everyone and some of us have a password to get by.
Can a Cisco switch or router be used to do the same blocking?
In other words, can I have one switch for users who don't need to be blocked and one switch for users who need certain sites blocked like Facebook, YouTube etc., a list we can add to or change?
Reason is our network is very slow at times; when traffic is high it grinds to a halt.

DougP
 
A switch and router combo could do what you want, however it would require the users with internet access to be on a different vlan than users without. It would be simpler to have a proxy server in my opinion where you could tell the router that only the proxy server has internet access. You could then use the proxy server to determine who gets what and could also benefit from some caching.
 
baddos, so that's what we have now, right? A router to the server, dual-homed with Clark Connect handling it. But the Dell T-105 Server we have is too small, we need another machine? We have about 80 users and as many clients; some access the internet constantly for hours at a time. Clark Connect reporting has major spikes showing horrendous traffic.
Also you said
"users with internet access to be on a different vlan than users without"
How is that done? They would have different IPs like 10.10.9.x
and others would be 10.10.8.x. We are doing that too through the server.


DougP
 
"How is that done? They would have different IPs like 10.10.9.x
and others would be 10.10.8.x. We are doing that too through the server."
Yes, with a simple access-list on the router saying 10.10.8.x can access the internet on port 80 and 443, but the other subnet cannot.

I just looked at the T105 specs, and I don't think it should be running that poorly in a normal proxy server scenario. What it sounds like you are currently doing with Clark Connect is using it as a router and a web filter, which may be the reason for the lower than expected performance. I'm not familiar with Clark Connect, so I couldn't help in that area.
 
You need a proxy server for that kind of stuff. Using a router and ACLs to block websites will get old fast and most of the time is unfeasible. Take Facebook for example. If you block all the IP addresses they use, you will also be blocking other websites unintentionally. This is because multiple websites can be hosted per IP address. You will spend eternity running down IP addresses to block just for a couple of websites that are large, such as Facebook. Have a true router by all means, but use a proxy for filtering websites and content for your users. I'm not familiar with what you have, but you can start by contacting their tech support. It may be configured incorrectly or it may have insufficient hardware for the amount of users you have. Otherwise there are many others to choose from if it won't meet your needs. Happy hunting.

CCNA, BCNE, Security+, Network +
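
The over-blocking problem described in the post above, as an added example that is not part of the original thread: it compares a router-ACL-style decision (addresses only) with a proxy-style decision (client subnet plus requested hostname). The subnet roles, the 203.0.113.x addresses, the hostname-to-address mapping, and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the thread).
OPEN_NET = ipaddress.ip_network("10.10.8.0/24")      # users who are not filtered
FILTERED_NET = ipaddress.ip_network("10.10.9.0/24")  # users who are filtered
BLOCKED_DOMAINS = {"facebook.com", "youtube.com"}    # list that can be edited
# Hypothetical shared hosting: two unrelated sites answer on one address.
DNS = {
    "www.facebook.com": "203.0.113.10",
    "intranet-vendor.example": "203.0.113.10",
    "www.youtube.com": "203.0.113.20",
}
BLOCKED_IPS = {DNS["www.facebook.com"], DNS["www.youtube.com"]}

def host_blocked(host: str) -> bool:
    """True if host is a blocked domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def proxy_allows(client_ip: str, host: str) -> bool:
    """Proxy-style decision: client subnet first, then the requested hostname."""
    client = ipaddress.ip_address(client_ip)
    if client in OPEN_NET:
        return True
    if client in FILTERED_NET:
        return not host_blocked(host)
    return False  # clients outside both subnets get no web access

def ip_acl_allows(client_ip: str, host: str) -> bool:
    """ACL-style decision: only source and destination addresses are visible."""
    client = ipaddress.ip_address(client_ip)
    if client in OPEN_NET:
        return True
    if client in FILTERED_NET:
        return DNS[host] not in BLOCKED_IPS
    return False

def compare(client_ip: str) -> dict:
    """Map each sample host to (acl_decision, proxy_decision)."""
    return {h: (ip_acl_allows(client_ip, h), proxy_allows(client_ip, h)) for h in DNS}

if __name__ == "__main__":
    for host, (acl, proxy) in compare("10.10.9.25").items():
        print(f"{host:26} acl={'allow' if acl else 'deny':5} "
              f"proxy={'allow' if proxy else 'deny'}")
```

For a filtered client, the address-based rule denies the unrelated co-hosted site along with the blocked one, while the hostname-based rule denies only the listed domains and their subdomains.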
 
cisconooblet, what is another way to do this?
Also you wrote
"it may have insufficient hardware for the amount of users you have"
How would we find this out? I am sure this is the problem.

The Clark Connect reports show the traffic is a problem at certain times of the day when we are having issues, so I know that's the bottleneck. What we have been struggling with for over a year now is how to fix it.


DougP
 