Uncle Paul

join:2003-02-04
USA
kudos:1

Switch Connection Limits/Throttling

Is it possible to set a switch to disable a port or move the port's traffic to a walled garden vlan if it exceeds a specified number of connection attempts within a given time frame?


aryoba
Premium,MVM
join:2002-08-22
kudos:4

It is possible. But then you need a script, automated monitoring, or an intrusion prevention system to do so.

Another approach is to implement QoS (Quality of Service) against certain Layer-2/3 traffic patterns, assuming the switch has such support.

I wonder if you have considered implementing a firewall (e.g. Cisco ASA or Juniper SRX), since what you are looking for is a firewall's native feature.
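The "script or automated monitoring" route described above, as an added example that is not part of the thread or of any vendor product: it reads per-flow "new connection" records (constructed sample lines here, standing in for NetFlow/sFlow export or firewall connection logs), counts connection attempts per source MAC inside a rolling time window, and emits the Cisco IOS commands that would move the offending port into a quarantine (walled-garden) VLAN. The log line format, the MAC-to-port table (which in practice you would pull from `show mac address-table`), the VLAN number, the 30-attempts-per-60-seconds threshold and the allow-list are all assumptions for the demo; the allow-list is there precisely because, as the thread notes later, a legitimate server or an Nmap run from a workstation otherwise gets knocked off.

```python
"""Sliding-window connection-attempt monitor that emits switch actions.

Added example (not from the dslreports thread). Constructed flow records
are counted per source MAC inside a rolling window; any MAC over the
threshold gets its switch port moved into a quarantine VLAN via IOS
commands. Ports, MACs, VLAN and thresholds are assumptions for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    """One new-connection record: who tried to reach what, and when."""
    ts: int          # epoch seconds
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


# Assumed MAC-to-port mapping; normally read from the switch's MAC table.
MAC_TO_PORT = {
    "00:11:22:33:44:01": "GigabitEthernet1/0/1",   # ordinary workstation
    "00:11:22:33:44:02": "GigabitEthernet1/0/2",   # infected workstation
    "00:11:22:33:44:03": "GigabitEthernet1/0/3",   # mail relay (legit, busy)
}
# Servers and sanctioned scanners go here so they are not knocked offline.
ALLOWLIST = {"00:11:22:33:44:03"}


def build_sample_log():
    """Constructed records: 'epoch src_mac src_ip dst_ip dst_port proto'."""
    lines = []
    for i in range(5):      # workstation: 5 web connections over ~1 minute
        lines.append(f"{1000 + i * 12} 00:11:22:33:44:01 10.0.0.11 93.184.216.34 443 tcp")
    for i in range(50):     # infected host: 50-port sweep across 10 hosts in 10 s
        lines.append(f"{1000 + i // 5} 00:11:22:33:44:02 10.0.0.12 10.0.0.{100 + i % 10} {20 + i} tcp")
    for i in range(60):     # mail relay: 60 SMTP connections in 30 s, legitimate
        lines.append(f"{1000 + i // 2} 00:11:22:33:44:03 10.0.0.13 10.0.1.{1 + i % 20} 25 tcp")
    return lines


def parse_line(line):
    ts, mac, sip, dip, dport, proto = line.split()
    return Attempt(int(ts), mac.lower(), sip, dip, int(dport), proto)


def peak_attempts(attempts, window_seconds):
    """Return {src_mac: most attempts seen inside any window_seconds interval}.

    A per-MAC deque holds timestamps; entries older than the window are
    dropped before the current length is compared with the running peak.
    """
    windows = defaultdict(deque)
    peaks = defaultdict(int)
    for a in sorted(attempts, key=lambda x: x.ts):
        q = windows[a.src_mac]
        q.append(a.ts)
        while q and a.ts - q[0] >= window_seconds:
            q.popleft()
        peaks[a.src_mac] = max(peaks[a.src_mac], len(q))
    return dict(peaks)


def render_ios(port, quarantine_vlan):
    """IOS commands to drop the port into the walled-garden VLAN.

    Replace the 'switchport access vlan' line with 'shutdown' to disable
    the port outright instead of quarantining it.
    """
    return [
        "configure terminal",
        f"interface {port}",
        f"switchport access vlan {quarantine_vlan}",
        "end",
    ]


def decide(peaks, threshold, allowlist, mac_to_port, quarantine_vlan):
    """Return {src_mac: IOS commands} for every MAC over the threshold that
    is not allow-listed and whose port is known."""
    actions = {}
    for mac, count in peaks.items():
        if count < threshold or mac in allowlist:
            continue
        port = mac_to_port.get(mac)
        if port is None:
            continue    # unknown MAC: nothing to act on at Layer 2
        actions[mac] = render_ios(port, quarantine_vlan)
    return actions


def run_demo(threshold=30, window_seconds=60, quarantine_vlan=999):
    attempts = [parse_line(l) for l in build_sample_log()]
    peaks = peak_attempts(attempts, window_seconds)
    return peaks, decide(peaks, threshold, ALLOWLIST, MAC_TO_PORT, quarantine_vlan)


if __name__ == "__main__":
    peaks, actions = run_demo()
    for mac, n in sorted(peaks.items()):
        print(f"{mac}: peak {n} attempts per 60 s")
    for mac, cmds in actions.items():
        print(f"--- quarantine {mac} on {MAC_TO_PORT[mac]}")
        print("\n".join(cmds))
```

In this constructed data only the sweeping workstation is acted on: the mail relay exceeds the threshold too but is allow-listed, and the ordinary workstation never gets near it. Whatever feeds the real version (flow export, syslog, a NAC agent) should also log the decision before pushing the commands, since this is exactly the kind of automation that cuts off a scanner you meant to run.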



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to Uncle Paul

said by Uncle Paul:

Is it possible to set a switch to disable a port or move the port's traffic to a walled garden vlan if it exceeds a specified number of connection attempts within a given time frame?

When you say "authentication attempts" -- what exactly are you authenticating against? If you already have an ISE infrastructure using dot1x for switchport authentication -- the settings are available. In this case -- you use dot1x on the switch to authenticate against your AD infrastructure -- if it exceeds, it can be walled using a dACL to be completely isolated, or it can be disabled.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Uncle Paul

Don't think the OP said anything about authentication attempts, or I could just be reading it incorrectly.

Are you able to give any sort of background / history on why you're looking to do what you're asking to do, to help clarify and point you in the right direction?

Regards



Uncle Paul

join:2003-02-04
USA
kudos:1
reply to tubbynet

I didn't say "authentication attempts", I said "connection attempts".

For example if a piece of malware got on a system and started to run port scans or spew spam out (can't block 25). I worked at a facility once where the network team rolled out an edge NAC solution (Cisco switches/Cisco Clean Access) that would disable the port if X number of connection attempts occurred over a certain period of time. Workstations seemed to be ok, but if you tried to run a server or run NMAP over a workstation attached to such switch, it would knock the port off.

I've since moved to another company and it might be usable here, but I'm not sure how they did it.

Thanks!


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Uncle Paul

A Catalyst switch on its own has configurable levels for broadcast control and storm control, but it doesn't have much intelligence beyond x number of frames per second tracking.

You'd have to look up the NAC / Clean Access product page here for more info. As I've never worked on or deployed a NAC solution before, I can't offer much more, Uncle Paul. I also suspect some combination of internal IDS / IPS may have been part of the solution as well where you last worked.

Just my 00000010bits.

Regards



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by HELLFIRE:

You'd have to look up the NAC / Clean Access product page here for more info.

ISE is the way to go.
It's a central policy server that is tied into the switch, rather than the bulky CAM/CAS architecture that can create some route/switch trickery requirements. Also -- you'll need to work with a Cisco Advanced Technology Partner for ISE (or at least you used to), as the part numbers are restricted for ordering. However -- it's much nicer to work with from a central policy management perspective (and very straightforward from a user-policy perspective).

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


Uncle Paul

join:2003-02-04
USA
kudos:1
reply to Uncle Paul

Thanks for the input all. Much appreciated.