[unisog] Are cisco router VLAN ACL's stateful like a PIX?

Jeff Kell jeff-kell at utc.edu
Wed Feb 2 18:57:12 GMT 2005

Valdis.Kletnieks at vt.edu wrote:
> On Wed, 02 Feb 2005 21:25:28 +1300, Russell Fulton said:
>>Agreed, at the border, but we were talking about blocks within the
>>network (on the backbone interfaces of our sector switches) and between
>>vlans.  We have had 137 and friends blocked at the border since we
>>joined the Internet in 1989.
> Can anybody at your site explain why a machine on the other side of campus
> is considered more trustworthy than one on another continent?
> The usual reason given is some variant on "because if they hack into me, I know
> where to find them and beat the snot out of them". 

We're contemplating the same thing here, regarding intra-resnet 
filtering.  Obviously I'd prefer to apply our institutional 
ingress/egress rules to each port, but the devil's advocate argument 
could be made against it, e.g., do roommates, or neighbors, or students 
on the same floor/wing/building/block have a reasonable expectation of 
file sharing/playing Unreal Tournament/Halo/etc while plugged into their 
ResNet port, as opposed to plugging into their own private hub?

At the moment, we're looking at filtering at least between buildings at 
the distribution layer, but considering moving to the uplinks at the 
access layer.  Not quite ready to push that down to the access port 
level, or even sure that we can/may/could/should.
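An added example (not from this thread or its authors) of what the distribution-layer filtering discussed above looks like on a Cisco Catalyst running IOS; VLAN ids, subnets and ACL names are assumptions. It also shows why the subject line matters: a VLAN access map and an SVI ACL are both stateless, so return traffic has to be permitted explicitly (the `established` keyword only tests TCP ACK/RST bits) rather than tracked in a connection table as a PIX would.

```cisco
! --- Block NetBIOS/SMB ("137 and friends") between resnet VLANs ---
ip access-list extended RESNET-NETBIOS
 permit tcp any any range 137 139
 permit tcp any any eq 445
 permit udp any any range 137 138
 permit udp any any eq 445
ip access-list extended RESNET-ANY
 permit ip any any
! A VACL has no session state: every frame, including replies, is
! matched on its own, so drop the unwanted ports before the catch-all.
vlan access-map RESNET-FILTER 10
 match ip address RESNET-NETBIOS
 action drop
vlan access-map RESNET-FILTER 20
 match ip address RESNET-ANY
 action forward
! Assumed building VLANs 101-104
vlan filter RESNET-FILTER vlan-list 101-104

! --- Per-building inbound policy on the routed SVI (assumed 10.1.101.0/24) ---
ip access-list extended BLDG101-IN
 remark hosts in the building may open TCP sessions out; nobody opens in
 permit tcp any 10.1.101.0 0.0.0.255 established
 deny   tcp any 10.1.101.0 0.0.0.255
 remark UDP has no flags to test, so replies must be listed by service
 permit udp any eq 53 10.1.101.0 0.0.0.255
 deny   udp any 10.1.101.0 0.0.0.255 range 137 138
 permit ip  any 10.1.101.0 0.0.0.255
interface Vlan101
 ip address 10.1.101.1 255.255.255.0
 ip access-group BLDG101-IN out
```

The `established` match can be satisfied by any packet with ACK or RST set, so this is a filter, not a firewall; a stateful inspection feature (PIX, or CBAC/zone-based firewall on a router) is what actually tracks sessions.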


