Restricted IP/MAC access to switchport.....!

Unanswered Question

Hi all,


My scenario is something like:

I have a PC which is to be remotely connected (RDP) by an external PC (Not in my network, internet). I want that once the outsider PC gets RDP of the inside PC it should not communicate with any of the PC's in the LAN. What the outside pc should do is FTP to some other outside (outside of my network/ organization, once it has RDP connection of inside pc) ONLY. My switch is 2950 which does not support private-VLAN feature. Firewall and routers ACL can take care of Layer3 restrictions but how can I protect my LAN (layer2) from the outside pc once it has control of one of my inside pc. I hope I'm clear to what I am asking for?


--gaurav

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
shrikar.dange Tue, 02/05/2008 - 02:57
User Badges:
  • Bronze, 100 points or more

hi,

I am not sure whether this feature is supported on 2950 or not.But you can have a try using MAC-based acl on the switch.You can give access to only one to one based on the MACs.Everything else is restricted by implisit deny at the end.I personally have not tried this.

Example:

sw(config)#mac access-list extended TEST

sw(config-ext-macl)#permit host aaaa.bbbb.cccc host dddd.eeee.ffff

sw(config-ext-macl)exit


sw(config)#interface fa2/5

sw(config-if)#switchport

sw(config-if)#mac access-group TEST in


HTH,


regards,


shri :)

s.arunkumar Tue, 02/05/2008 - 03:05
User Badges:
  • Bronze, 100 points or more

Hi

As i understand ur requirement is that nobody gets into ur network after connecting RDP to ur network.Now the above method is good one.Only thing is the mac access-list host mac should be ur PC's and destination ur gateways mac..,but the problem here is this PC will not be able to communicate with any other ..


A doubt,is there the PC OS has got some security option that could restric accessing the network after RDP is done..???


arun

shrikar.dange Tue, 02/05/2008 - 03:19
User Badges:
  • Bronze, 100 points or more

hi arun,


Yes you are right.PC in your network will not be able to communicate with any other except the gateway.Appologies I did not pay carefull attention to the original post which clearaly states that the other PC is in the outside network.So the reply posted by me will not work in your case.

I dont kno much about RDP options in OS so try what aun has suggested.Again appologies as i was careless in my posting.


regards,


shri

Does that mean that in mac based ACL's the source and destination mac-addresses should reside in the same LAN else it won't work. Let me know if I got you correctly.


There is one more problem with this approach and that is: such acl's restrict only incoming traffic that means once the ouside-PC is connected through RDP to inside PC there will not b any restiction for traffic going out i.e. the outside PC can do lot of things it should not do, isn't it?


--gaurav

s.arunkumar Tue, 02/05/2008 - 19:44
User Badges:
  • Bronze, 100 points or more

Hi

1.Since in a frame the source and destination MAC will be of a same LAN(if destination is of external network then destination MAC is of default gateway),so should be in MAC ACL also..

In ur case the PC is communicating with external network,hence the source should be PC mac and destination of default gateway..


2. In access-list example given by shrikar the MAC access list is applied on interface in inbound direction.ie,.Here no restriction is for connecting to the PC and after RDP(and even before that)in the LAN the PC can only send frames to gateway,not any other device in the network.Hence the PC can't do much in ur LAN..


but still i suggest that there should be some option in the OS level for RDP to restric the access of network once RDP is made...


arun


Actions

This Discussion