Re: PM (Cisco) Packet Filtering - MAC?

Doug Westervelt (dougw@graydog.com)
Sat, 19 Jul 1997 21:10:50 -0700 (PDT)

On Sat, 19 Jul 1997, Jake Messinger wrote:
> So you are saying that they have let's say 25 machines and only 10 should
> get on the internet? But you are afraid the other 15 will STEAL the ip
> addresses of the other 10? This could/would happen, but then only 1
> machine would talk to the internet of course. The other would receive a
> nasty message (assuming win 95) about how someone ELSE has their ip
> address.

Actually, everyone on the 'downstream' network should be able to see the
Internet, but not everyone should be able to see the restricted network.
It is this type of IP masquerading (or hijacking) that I want to avoid.

> Hrm, not really any way of doing it with Livingston Equipment BECAUSE
> unless you BRIDGED the remote network to the main site, where you can have
> mac address control. If it's IP ROUTED only, I don't think the router knows
> or cares what the mac address of the network card is. O

That's what I wanted to know. Does the PM or, for example, a Cisco 2501
have access to the MAC or have an arp table where the MAC can be compared
to the IP address?

> Perhaps they can force the users on the local network to retrieve their ip
> address dynamically, but then they could ALWAYS go in and change their win
> 95 setup under control panel.

I want to avoid having dynamically assigned IP addresses. Too messy.

> Or perhaps you could put all the users that should NOT have internet
> access on a segment coming from a switching hub where IP traffic is not
> sent or received from that segment.

Yeah, but since everyone has access to the Internet, the filtering has to
be done in my office.

> So the short answers are:
>
> 1. Bridge, to get mac address control

Hmm. Not a good option, unfortunately.

> 2. Take away the ability of the remote user to change their tcpip settings

Can this be done in Win95? Anyway, it would solve the case of someone
bringing in their own notebook and plugging into an Ethernet port.

> 3. Go thru a NAT translation box that uses software that allows you to
> filter out specific mac addresses. IPRoute MIGHT do this in newer
> releases.

Again, I want to use real IP addresses, so NAT would be a problem.

> 4. Connect the remote PCs that don't get access to a non IP'd segment of a
> switched hub.

Too spendy, I think. Again, since these branch offices may have between
10-100 users, the switch probably wouldn't be economical in the smaller
offices.

> Livingston products only route. Maybe you can play with IPX routing but I
> don't think you can disable IP and have only IPX. It would take some
> experimentation.

Rats. I was under the impression that there were access lists/IP filters
on the PMs. I guess that any filtering I do will have to happen on my
router? I know that this isn't the Cisco mailing list but since there
are so many 2501 users here, does anyone know if it's doable? Or, if
it's an inappropriate topic in this forum, please move off channel or
suggest a better place to find out. Thanks.

> Hrm, this indicates that you want to protect your LOCAL upstream network.
> Maybe I didn't understand your original question but I'll leave all that
> text there cuz it took me a while to type.

Ah, yes. A picture's worth a thousand words.

> Why not just install a firewall between the UPSTREAM network and the frame
> relay router?

Ah. The best idea so far. But, the problem is that the Upstream network
is in a different state and managed by another group. Since access
changes would happen in this state and since I'd be responsible for
managing this state's traffic, I'd like to keep the filtering local.

>
> ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
> Jake Messinger 713-772-6690 jake@ams.com
> Advanced Medical Systems, Inc. jake@uh.edu
> 8300 Bissonnet #400
> Houston, Texas 77074 http://www.ams.com/~jake
> ~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~

Thanks.

doug
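The question in this thread is whether a router's ARP table can be used to compare a MAC address against the IP address it claims. As an added example that is not part of the original thread or of any Livingston or Cisco product, the script below parses a constructed ARP listing (modelled on the column layout of the IOS `show ip arp` command) and audits it against a hand-maintained registry of which NIC is allowed to use each "real" IP address. It reports addresses that are not registered at all, registered addresses answered by the wrong NIC, and a single NIC answering for several addresses. The sample output, the registry and all addresses in it are constructed for illustration. The caveat Jake raises still applies: an ARP table only holds hosts on a directly attached segment that the router has recently exchanged traffic with, so across a routed frame-relay link the remote MACs are never seen, and this check has to run on a device that sits on the same segment as the hosts.

```python
import re

# Constructed sample, modelled on the column layout of IOS "show ip arp".
# None of these addresses are real.
SAMPLE_ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.1.1                -   0000.0c11.1111  ARPA   Ethernet0
Internet  10.0.1.10               5   0000.0c12.3456  ARPA   Ethernet0
Internet  10.0.1.11               2   0000.0c99.aaaa  ARPA   Ethernet0
Internet  10.0.1.12               0   0000.0c12.3456  ARPA   Ethernet0
Internet  10.0.1.77               1   0000.0c77.7777  ARPA   Ethernet0
"""

# Constructed registry: the statically assigned IP addresses and the NIC
# that is allowed to use each one (MACs in colon notation, lowercase).
EXPECTED = {
    "10.0.1.1":  "00:00:0c:11:11:11",
    "10.0.1.10": "00:00:0c:12:34:56",
    "10.0.1.11": "00:00:0c:ab:cd:ef",
    "10.0.1.12": "00:00:0c:12:12:12",
}

# Columns: protocol, address, age, hardware address, encapsulation type, interface.
ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-fA-F.]+)\s+ARPA\s+(\S+)"
)


def normalize_mac(mac):
    """Convert dotted (0000.0c12.3456), dashed or colon MACs to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text):
    """Return {ip: (mac, interface)} for every ARP entry in the listing."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue          # header line or something we do not recognise
        ip, _age, mac, iface = m.groups()
        entries[ip] = (normalize_mac(mac), iface)
    return entries


def audit(entries, expected):
    """Compare observed IP->MAC bindings with the registry; return findings."""
    findings = []
    for ip, (mac, _iface) in sorted(entries.items()):
        if ip not in expected:
            findings.append(("unregistered-ip", ip, mac))
        elif expected[ip] != mac:
            findings.append(("mac-mismatch", ip, mac))

    # One NIC answering ARP for several addresses is the classic sign of a
    # host that has taken over an address it was not assigned.
    by_mac = {}
    for ip, (mac, _iface) in entries.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac-claims-multiple-ips", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_arp(SAMPLE_ARP_OUTPUT), EXPECTED):
        print(*finding)
```

In practice the listing would be collected from the router on a schedule and the registry kept next to the static address assignments, so that the findings list is empty on a clean segment and any new entry is worth a look. The check is only as good as the registry: a host that brings its own notebook and clones both the IP and the MAC of a registered machine produces no mismatch here, which is why the thread's alternatives (bridging or a switch port per segment) keep coming up.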