Hi John
I would not recommend disabling communication between clients; there are too many things like shared drives on a Windows server, Bonjour services, NetBIOS (which really still exists in 90% of all networks) and much more. Best practice for using policies is to use them as a kind of access-level privilege instrument. For example, an office PC should NOT be able to be a web server, a DHCP server or an SMTP server. Put office clients into a policy where these things are forbidden. Printers, for example, should be able to provide a web service, but do not need Internet access. So if a "bad guy" got the MAC address of a printer, he should not be able to reach the WWW, but the office PCs should.

Additionally, I would recommend using a NetFlow analyzer to collect the flow data. A typical reason for this is "does anyone access this old server, how much, and who uses it" (who still tries to access the NetBIOS server, for example). Who is my top-talker client and what does it talk to?

NAC is an amazing thing; we use it at our customers for very difficult assignments of VLANs and combinations of them. For example, the office in New York has a different IP/VLAN structure than the office in Miami; if a client from New York is traveling to Miami, what VLAN should he get and what policy should he get? One of our customers has a NAC rule matrix with more than 1700 entries, and it works PERFECTLY.

Or an employee has a Windows domain account. With these credentials he accesses the company's WLAN via 802.1X on his (company) mobile device. What can you do to prevent him from using his private iPad or Android device with his company account? This is the point where NAC becomes interesting. With NAC (or, as it is now called, IAM) you can combine the information as an authentication credential. Is the MAC address of the device with which he wants to authenticate himself to the company's WLAN that of a company device? Or you can also negate it, like a kind of device blacklist. If he uses an Apple iOS-based product and wants to authenticate his device to the company's WLAN, then DON'T accept it. There are so many possibilities, it is unbelievable (and amazing) :)

Best regards
Rainer ADAM
System Engineer

From: John Kaftan [mailto:[email protected]]
Sent: Friday, 8 February 2013 13:35
To: Enterasys Customer Mailing List
Subject: [enterasys] Policy Dreamer

We are just starting to dream about policy. We are using it as part of NAC in our residence halls but have not really played around with it beyond that. When I do packet captures I see the usual junk flying around our network, i.e. various broadcasts from MS or what have you. I see no reason why clients need to talk to each other at all. The only thing our users need is to be able to ARP so they can find the gateway, DHCP, DNS, and access to whatever services we are providing for them centrally, e.g. printing, files, directory, internet, etc. Has anyone taken the lockdown approach where you only allow the protocols that are needed rather than blocking the ones that you don't like? My guess is that this approach is too restrictive and that the phone rings too much, but "I have a dream...."

--
John Kaftan
IT Infrastructure Manager
Utica College

--
To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected]
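The two approaches discussed in this thread (Rainer's role-based policies that forbid an office PC from acting as a web/DHCP/SMTP server and keep printers off the Internet, plus a first-match NAC rule matrix that maps domain account, company MAC and site to a VLAN and policy; and John's allow-list "lockdown" where only ARP to the gateway, DHCP, DNS and central services are permitted) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not Enterasys code or either poster's configuration: the role names, VLAN numbers, MAC inventory, OS fingerprint field and every matrix entry are constructed assumptions.

```python
"""
Toy traffic-policy engine and NAC rule matrix, constructed as an illustration
of the thread above. Not Enterasys code; all names, VLANs, MACs and matrix
entries below are made-up assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


# --- Traffic policy: ordered rules, first match wins, then a default --------

@dataclass(frozen=True)
class Flow:
    service: str    # e.g. "arp", "dhcp", "dns", "http", "smtp", "smb"
    direction: str  # "serve" = device answers as a server, "connect" = device initiates
    zone: str       # where the peer sits: "gateway", "central", "client", "internet"


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    service: Optional[str] = None  # None matches any value
    direction: Optional[str] = None
    zone: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        pairs = ((self.service, f.service), (self.direction, f.direction), (self.zone, f.zone))
        return all(want is None or want == have for want, have in pairs)


@dataclass(frozen=True)
class Policy:
    name: str
    rules: Tuple[Rule, ...]
    default: str  # action when no rule matches

    def decide(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action
        return self.default


# Rainer's style: office PCs may do almost anything, but must never act as
# web, DHCP or SMTP servers; printers may serve HTTP but never touch the Internet.
OFFICE = Policy("office", (
    Rule("deny", service="http", direction="serve"),
    Rule("deny", service="dhcp", direction="serve"),
    Rule("deny", service="smtp", direction="serve"),
), default="allow")

PRINTER = Policy("printer", (
    Rule("deny", zone="internet"),                  # checked first, so it also blocks serving to the WWW
    Rule("allow", service="http", direction="serve"),
), default="allow")

# John's "lockdown dream": allow-list only what a client actually needs;
# everything else, including client-to-client traffic, is denied by default.
LOCKDOWN = Policy("lockdown", (
    Rule("allow", service="arp", zone="gateway"),
    Rule("allow", service="dhcp", direction="connect"),
    Rule("allow", service="dns", direction="connect"),
    Rule("allow", direction="connect", zone="central"),
    Rule("allow", direction="connect", zone="internet"),
), default="deny")

POLICIES = {p.name: p for p in (OFFICE, PRINTER, LOCKDOWN)}


# --- NAC rule matrix: which VLAN and policy an endpoint receives -------------

@dataclass(frozen=True)
class AuthContext:
    mac: str
    site: str                          # constructed site codes: "NY" or "MIA"
    domain_user: Optional[str] = None  # set when 802.1X succeeded with a domain account
    os_fingerprint: str = "unknown"    # assumed to come from device profiling


# Constructed asset inventory: MAC -> device class (would be the asset DB in practice).
INVENTORY = {
    "00:11:22:aa:bb:01": "company-laptop",
    "00:11:22:aa:bb:02": "company-laptop",
    "00:aa:bb:00:00:10": "printer",
}


def _company_device(a: AuthContext) -> bool:
    return INVENTORY.get(a.mac) == "company-laptop"


# (description, predicate, (vlan, policy) or None to reject); first match wins.
NAC_MATRIX = (
    ("iOS devices are never accepted",
     lambda a: a.os_fingerprint == "iOS", None),
    ("domain user on a company device in New York",
     lambda a: a.domain_user and _company_device(a) and a.site == "NY", (10, "office")),
    ("domain user on a company device in Miami",
     lambda a: a.domain_user and _company_device(a) and a.site == "MIA", (20, "office")),
    ("domain user on a private device: refuse the company account",
     lambda a: a.domain_user and not _company_device(a), None),
    ("known printer by MAC",
     lambda a: INVENTORY.get(a.mac) == "printer", (30, "printer")),
    ("anything unknown lands in a locked-down VLAN",
     lambda a: True, (999, "lockdown")),
)


def assign(a: AuthContext) -> Optional[Tuple[int, str]]:
    """Return (vlan, policy_name) for an authenticating endpoint, or None to reject it."""
    for _desc, pred, result in NAC_MATRIX:
        if pred(a):
            return result
    return None


def decide(a: AuthContext, f: Flow) -> str:
    """End to end: place the endpoint, then apply its policy to a single flow."""
    placement = assign(a)
    if placement is None:
        return "reject"
    _vlan, policy = placement
    return POLICIES[policy].decide(f)


if __name__ == "__main__":
    ny_laptop = AuthContext("00:11:22:aa:bb:01", "NY", domain_user="jdoe")
    print(assign(ny_laptop), decide(ny_laptop, Flow("http", "serve", "client")))
```

The ordering matters in both halves: a deny placed before an allow (as in the printer policy) closes the gap where a device could serve a permitted protocol to a forbidden zone, and in the matrix the iOS rejection sits above the "domain user on company device" rows so that a valid account never overrides the device check.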
