[unisog] Are cisco router VLAN ACL's stateful like a PIX?

Valdis.Kletnieks at vt.edu
Tue Feb 1 19:08:48 GMT 2005


On Tue, 01 Feb 2005 11:59:30 EST, "BACHAND, Dave (Info. Tech. Services)" said:
> I suggest using a two tiered approach.  Use simple ACLs on the routers
> for what they are good at, short, broad swipes at control.  IE- no ICMP,

If any sites are going the "no ICMP" route, at *LEAST* be nice to the
rest of the net and allow 'Unreachable - Frag Needed' to pass.  Otherwise,
this can break Path MTU discovery, resulting in sometimes hard-to-diagnose
failures.
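As an added illustration (not from the thread or its authors), here is a Cisco IOS extended ACL in the "no ICMP" style, first as commonly written and then with the exception the reply asks for. The ACL and interface names are assumed.

```cisco
! Common "no ICMP" filter: drops every ICMP message, including
! Unreachable / Fragmentation-Needed (type 3, code 4). Hosts behind
! this router never learn a smaller path MTU, so large transfers
! stall with no obvious error (the PMTUD black hole).
ip access-list extended EDGE-IN-BROKEN
 deny   icmp any any
 permit ip any any

! Same policy with the exception: let Fragmentation-Needed through
! before the blanket deny. The IOS keyword packet-too-big is
! ICMP type 3 / code 4; "permit icmp any any 3 4" is the explicit form.
ip access-list extended EDGE-IN
 permit icmp any any packet-too-big
 deny   icmp any any
 permit ip any any

! Frag-Needed messages come from routers along the path back toward
! the sender, so the exception must be on the inbound edge filter.
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
```

The hit counters from `show ip access-lists EDGE-IN` will show the permit line incrementing once a path with a smaller MTU is in use, which is a quick way to confirm the exception is actually matching.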