Uncle Paul (Member, join:2003-02-04, USA)

Switch Connection Limits/Throttling

Is it possible to set a switch to disable a port or move the port's traffic to a walled garden vlan if it exceeds a specified number of connection attempts within a given time frame?
aryoba (MVM, join:2002-08-22, 1 edit)


It is possible. But then you need a script, automated monitoring, or an intrusion prevention system to do so.

Another approach is to implement QoS (Quality of Service) against certain Layer-2/3 traffic patterns, assuming the switch has such support.

I wonder if you would consider implementing a firewall (e.g. Cisco ASA or Juniper SRX), since what you are looking for is a firewall's native feature.

tubbynet (MVM, join:2008-01-16, Gilbert, AZ) to Uncle Paul

said by Uncle Paul:

Is it possible to set a switch to disable a port or move the port's traffic to a walled garden vlan if it exceeds a specified number of connection attempts within a given time frame?

When you say "authentication attempts" -- what exactly are you authenticating against? If you already have an ISE infrastructure using dot1x for switchport authentication -- the settings are available. In this case -- you use dot1x on the switch to authenticate against your A/D infrastructure -- if it exceeds, it can be walled using a dACL to be completely isolated, or it can be disabled.

q.
HELLFIRE (MVM, join:2009-11-25) to Uncle Paul

Don't think the OP said anything about authentication attempts, or I could just be reading it incorrectly.

Are you able to give any sort of background / history on why you're looking to do what you're asking to do, to help clarify and point you in the right direction?

Regards

Uncle Paul (Member, join:2003-02-04, USA) to tubbynet

I didn't say "authentication attempts", I said "connection attempts".

For example, if a piece of malware got on a system and started to run port scans or spew spam out (can't block 25). I worked at a facility once where the network team rolled out an edge NAC solution (Cisco switches/Cisco Clean Access) that would disable the port if X number of connection attempts occurred over a certain period of time. Workstations seemed to be OK, but if you tried to run a server or run Nmap from a workstation attached to such a switch, it would knock the port off.

I've since moved to another company and it might be usable here, but I'm not sure how they did it.

Thanks!
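The "X connection attempts over a certain period of time" behaviour described above, as an added illustration that is not from the thread or from any Cisco NAC product: a small Python sliding-window counter over constructed flow records that flags a source exceeding a threshold within a time window and maps it to the two enforcement options discussed (walled-garden VLAN or port shutdown). The threshold, window length, VLAN id and the sample flows are all assumed values.

```python
from collections import defaultdict, deque

# Policy knobs (assumed values, not from the thread or any vendor default)
THRESHOLD = 20         # connection attempts allowed per source within the window
WINDOW_SECONDS = 10.0  # sliding window length in seconds
QUARANTINE_VLAN = 999  # hypothetical walled-garden VLAN id

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port",
# one line per TCP SYN seen on an access port.
SAMPLE_FLOWS = (
    # normal workstation: a few connections to two servers
    ["100.0 10.0.0.5 10.0.1.10 443",
     "101.5 10.0.0.5 10.0.1.11 25",
     "103.0 10.0.0.5 10.0.1.10 443"]
    # infected host sweeping sequential ports: 25 SYNs in about 2.5 s
    + [f"{100 + i * 0.1:.1f} 10.0.0.9 10.0.1.20 {1000 + i}" for i in range(25)]
)

def parse_flow(line):
    ts, src, dst, port = line.split()
    return float(ts), src, dst, int(port)

def find_violators(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: timestamp} for each source whose attempt count within a
    sliding window of `window` seconds exceeds `threshold`; the timestamp is
    the attempt that first crossed the line."""
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    flagged = {}
    for ts, src, _dst, _port in sorted(map(parse_flow, lines)):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # evict attempts older than the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def port_actions(lines, walled_garden=True):
    """Map each violator to the enforcement a NAC would apply: move the port
    to the quarantine VLAN, or shut the port (the "knock the port off" case)."""
    action = f"move-to-vlan {QUARANTINE_VLAN}" if walled_garden else "shutdown"
    return {src: action for src in find_violators(lines)}
```

The same counter keyed on (source, distinct destination port) instead of raw attempts would tell a port sweep apart from a busy but legitimate server, which is the false-positive case the post mentions.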
HELLFIRE (MVM, join:2009-11-25) to Uncle Paul

A Catalyst switch on its own has configurable levels for broadcast control and storm control, but it doesn't have much intelligence beyond tracking x number of frames per second.

You'd have to look up the NAC / Clean Access product page here for more info. As I've never worked on or deployed a NAC solution before, I can't offer much more, Uncle Paul. I also suspect some combination of internal IDS / IPS may have been part of the solution as well where you last worked.

Just my 00000010bits.

Regards

tubbynet (MVM, join:2008-01-16, Gilbert, AZ)


said by HELLFIRE:

You'd have to look up the NAC / Clean Access product page here for more info.

ISE is the way to go.
It's a central policy server that is tied into the switch, rather than the bulky CAM/CAS architecture that can create some route/switch trickery requirements. Also -- you'll need to work with a Cisco Advanced Technology Partner for ISE (or at least you used to), as the part numbers are restricted for ordering. However -- it's much nicer to work with from a central policy management perspective (and very straightforward from a user-policy perspective).

q.

Uncle Paul (Member, join:2003-02-04, USA)


Thanks for the input all. Much appreciated.