[unisog] Are cisco router VLAN ACL's stateful like a PIX?
jeff-kell at utc.edu
Wed Feb 2 18:57:12 GMT 2005
Valdis.Kletnieks at vt.edu wrote:
> On Wed, 02 Feb 2005 21:25:28 +1300, Russell Fulton said:
>> Agreed, at the border, but we were talking about blocks within the
>> network (on the backbone interfaces of our sector switches) and between
>> vlans. We have had 137 and friends blocked at the border since we
>> joined the Internet in 1989.
> Can anybody at your site explain why a machine on the other side of campus
> is considered more trustworthy than one on another continent?
> The usual reason given is some variant on "because if they hack into me, I know
> where to find them and beat the snot out of them".

We're contemplating the same thing here, regarding intra-resnet
filtering. Obviously I'd prefer to apply our institutional
ingress/egress rules to each port, but the devil's advocate argument
could be made against it, e.g., do roommates, or neighbors, or students
on the same floor/wing/building/block have a reasonable expectation of
file sharing/playing Unreal Tournament/Halo/etc while plugged into their
ResNet port, as opposed to plugging into their own private hub?
At the moment, we're looking at filtering at least between buildings at
the distribution layer, but considering moving to the uplinks at the
access layer. Not quite ready to push that down to the access port
level, or even sure that we can/may/could/should.
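Added illustration, not part of the list thread: a constructed Cisco IOS configuration showing the kind of inter-building filter discussed above. The VLAN numbers, addresses, interface names and ACL names are placeholders. It also shows the distinction behind the subject line: a plain IOS extended ACL is stateless (it matches each packet on its own, so return traffic must be permitted explicitly), whereas a reflexive ACL creates temporary return-traffic entries and is the IOS feature closest to PIX-style connection tracking.

```cisco
! Constructed example: Vlan10 and Vlan20 are two ResNet building VLANs
! routed on the same distribution-layer switch.  All values are placeholders.
!
! 1) Stateless filter between buildings.  Blocks NetBIOS (137-139) and
!    SMB (445) in both directions because the ACL is applied inbound on
!    both SVIs; a plain ACL keeps no connection state.
ip access-list extended RESNET-INTER-VLAN
 remark -- drop NetBIOS name/datagram/session and SMB between buildings
 deny   udp any any range 137 138
 deny   tcp any any range 137 139
 deny   tcp any any eq 445
 remark -- everything else between buildings is still allowed
 permit ip any any
!
interface Vlan10
 description ResNet building A (placeholder)
 ip address 10.10.0.1 255.255.0.0
 ip access-group RESNET-INTER-VLAN in
!
interface Vlan20
 description ResNet building B (placeholder)
 ip address 10.20.0.1 255.255.0.0
 ip access-group RESNET-INTER-VLAN in
!
! 2) Approximating stateful behaviour with a reflexive ACL, here protecting
!    building A only.  Sessions started by building A hosts ("in" on Vlan10)
!    create temporary RETURN-STATE entries; traffic toward building A
!    ("out" on Vlan10) is allowed only if it matches one of those entries.
ip access-list extended FROM-BUILDING-A
 permit tcp any any reflect RETURN-STATE timeout 300
 permit udp any any reflect RETURN-STATE timeout 60
 permit icmp any any reflect RETURN-STATE
!
ip access-list extended TO-BUILDING-A
 deny   udp any any range 137 138
 deny   tcp any any range 137 139
 deny   tcp any any eq 445
 evaluate RETURN-STATE
 deny   ip any any log
!
interface Vlan10
 ip access-group FROM-BUILDING-A in
 ip access-group TO-BUILDING-A out
```

The first block is the simple per-building block the thread describes and can sit on every SVI identically. The second block is directional: it has to be applied on the interface facing the hosts being protected, and any protocol that is not TCP, UDP or ICMP (or that opens secondary channels, such as active FTP) will not be tracked and needs an explicit permit or a firewall feature such as CBAC (`ip inspect`) instead.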