Given n (e.g. 200) clients in a /24 subnet and the following network structure:
    client 1 \
       .      \
       .       switch -- firewall
       .      /
    client n /
(in words: all clients connected to one switch and the switch connected to the firewall)
Now by default, e.g. client 1 and client n can communicate directly using the switch, without any packets ever arriving at the firewall. Therefore none of those packets could be filtered. However, I would like to filter the packets between the clients, therefore I want to disallow any direct communication between the clients.
I know this is possible using VLANs, but then - according to my understanding - I would have to put all clients in their own network. However, I don't even have that many IP addresses: I have about 200 clients, only a /24 subnet and all clients shall have public IP addresses, therefore I can't just create a private network for each of them (well, maybe using some NAT, but I'd like to avoid that).
So, is there any way to tell the switch: Forward all packets to the firewall, don't allow direct communication between clients? Thanks for any hint!
You can separate clients within a VLAN if your switch supports PVLAN (private VLAN), which can be configured to allow any host to talk to the firewall while being unable to communicate with any other device. You can additionally configure your PVLAN to also allow communication amongst limited groups of servers.
What sort of switch are you using?
You may need a different switch in order to implement PVLANs. Below is a link to Cisco's product matrix for Cisco switches that support PVLANs:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml
And here's a link to a Cisco Catalyst 2948G at www.amazon.com:
http://www.amazon.com/Cisco-WS-C2948G-L3-Catalyst-Gigabit-Switch/dp/B0000515TX/ref=sr_1_3?ie=UTF8&qid=1338735756&sr=8-3
When the clients are connected to the same switch, they will communicate with each other via passing through the firewall. You cannot tell the switch to forward the traffic to the firewall to be filtered. The switch is transparent to the client and firewall in the network.
You need to distribute the clients in different subnets in order to do some filtering at layer 3 (IP). So, using VLANs is the best option in this case. If you need to use public IPs and you don't have many of them, you can just assign private IPs and do NAT on the firewall.
Hosts do not have to be in separate subnets in order to have a firewall between them.
Firewalls come in different flavors such as a routing firewall or a bridging firewall. When firewalls are mentioned without specifying which kind, it is generally assumed you mean a routing firewall. But in order to firewall traffic between hosts on a single subnet, what you need is a bridging firewall. Some firewalls are capable of acting as both a routing firewall and a bridging firewall at the same time.
A routing firewall is a router which can filter packets based on a set of rules.
A bridging firewall is a switch which can filter packets based on a set of rules.
The best performance would be achieved if the switch interconnecting the hosts could itself act as a bridging firewall. However assuming performance isn't a high priority and you need to keep using the same switch, you can look at other options.
By putting each host on a separate VLAN and tagging all the traffic on the port connected to the firewall, you will then be able to configure the firewall to act as a bridging firewall. (Assuming your firewall is capable of acting as a bridging firewall).
Such a setup requires nothing more from the switch than VLAN support. It does touch one corner case of VLAN switching which is easy to overlook in the design which means it is conceivable that some switches have a design flaw preventing them from working correctly with a bridging firewall between the VLANs. The tricky part is that every single MAC address will be visible to the switch on different ports depending on which VLAN tag is used. If the switch uses only destination MAC address as key when looking up in the CAM it will not work, a correctly implemented VLAN capable switch uses the combination of VLAN tag and MAC address as key for CAM lookups.
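As an added illustration of the per-host VLAN plus bridging-firewall design and of the CAM-lookup corner case in the answer above (a constructed simulation, not code from the answer, from any switch vendor or from any firewall product), the following Python models a switch whose forwarding table is keyed either by (VLAN, MAC) or by MAC alone, together with a bridging firewall that relays tagged frames between the per-host VLANs through an allow rule. Port names, VLAN ids, the two client MAC labels and the `allow()` policy are assumptions made for the example.

```python
from collections import deque

TRUNK = "trunk"   # the tagged port towards the bridging firewall (assumed name)


class Switch:
    """Toy layer-2 switch: each access port carries one untagged VLAN, the trunk
    carries every VLAN tagged. key_with_vlan=False models a CAM keyed by MAC only."""

    def __init__(self, access_vlans, key_with_vlan=True):
        self.access_vlans = dict(access_vlans)   # port -> VLAN id
        self.key_with_vlan = key_with_vlan
        self.cam = {}                            # lookup key -> port the MAC was learned on

    def _key(self, vlan, mac):
        return (vlan, mac) if self.key_with_vlan else mac

    def _egress_allowed(self, in_port, out_port, vlan):
        if out_port == in_port:
            return False                         # never send a frame back where it came from
        if out_port != TRUNK and self.access_vlans[out_port] != vlan:
            return False                         # egress port is not a member of this VLAN
        return True

    def forward(self, in_port, vlan, src, dst):
        """Learn src on in_port, then return the (out_port, vlan) copies of the frame."""
        self.cam[self._key(vlan, src)] = in_port
        known = self.cam.get(self._key(vlan, dst))
        if known is None:                        # unknown unicast: flood within the VLAN
            candidates = [p for p, v in self.access_vlans.items() if v == vlan] + [TRUNK]
        else:
            candidates = [known]
        return [(p, vlan) for p in candidates if self._egress_allowed(in_port, p, vlan)]


class BridgingFirewall:
    """Firewall with one VLAN sub-interface per client VLAN, all bridged together,
    filtering by a (src, dst) rule; keeps its own bridge table (MAC -> VLAN)."""

    def __init__(self, vlans, allow):
        self.vlans = list(vlans)
        self.allow = allow                       # callable (src, dst) -> bool
        self.fdb = {}

    def relay(self, vlan, src, dst):
        """Return the VLANs the frame is re-emitted into on the trunk (empty if filtered)."""
        self.fdb[src] = vlan
        if not self.allow(src, dst):
            return []
        if dst in self.fdb:
            return [self.fdb[dst]]
        return [v for v in self.vlans if v != vlan]   # unknown: flood the other VLANs


def deliver(switch, firewall, hosts, src, dst):
    """Inject one frame from host src to host dst; return the sorted hosts that received it."""
    received = []
    queue = deque([(hosts[src], switch.access_vlans[hosts[src]])])
    for _ in range(64):                          # hop bound, in case a table flaw causes a loop
        if not queue:
            break
        in_port, vlan = queue.popleft()
        for out_port, out_vlan in switch.forward(in_port, vlan, src, dst):
            if out_port == TRUNK:
                queue.extend((TRUNK, v) for v in firewall.relay(out_vlan, src, dst))
            else:
                received += [mac for mac, port in hosts.items() if port == out_port]
    return sorted(received)


def scenario(key_with_vlan, allow=lambda s, d: True):
    """Two clients, each on its own VLAN: return (who got A's frame, who got B's reply)."""
    hosts = {"A": "p1", "B": "p2"}               # constructed: MAC label -> switch port
    switch = Switch({"p1": 10, "p2": 20}, key_with_vlan)
    firewall = BridgingFirewall([10, 20], allow)
    return (deliver(switch, firewall, hosts, "A", "B"),
            deliver(switch, firewall, hosts, "B", "A"))


if __name__ == "__main__":
    print("CAM keyed by (VLAN, MAC):", scenario(True))                       # (['B'], ['A'])
    print("CAM keyed by MAC only   :", scenario(False))                      # (['B'], [])
    print("firewall denies A <-> B :", scenario(True, lambda s, d: False))   # ([], [])
```

With the correctly keyed table, A's frame reaches B only through the firewall and B's reply comes back the same way. With the MAC-only table, the firewall's relayed copy of A's frame is learned on the trunk port and overwrites the entry that pointed at A's own port, so the reply arrives on the trunk, is looked up to the trunk again and is dropped: exactly the design flaw the answer warns about. The third run shows that a deny rule on the firewall stops the clients from reaching each other at all, since no access port shares a VLAN with another client.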
I would solve it otherwise. I would proceed to install a PPPoE server, with which all clients are isolated because they are in a tunnel and have to connect to the server.