I've used that approach before, and if you get too restrictive on some 
protocols, you will slow down the login process and get phone calls.  For 
example, Active Directory uses a range of ports, and if you don't get them right 
(and even when I thought I had it right), it slows down the process.  Usually I 
open access to critical services like AD by the IP of the server.  You also have 
to remember to adjust your policy if your IPs change, just in case you upgrade 
a server and change IPs.  Services like DNS, FTP, www, etc. that use a set of 
well-known ports you can lock down to the port level and get away with it.  A lot 
of the time, when I set up policy at a site, especially with wireless, and if 
the servers and workstations are on separate VLANs, I use policy to block all 
traffic on the workstation VLAN and allow access to whatever server they need 
to talk to.  This will stop the peer-to-peer traffic.  Things like printers 
that only need access to certain ports to print can be really locked down.

Hope this helps.

Brian Anderson
[email protected]
Network Engineer
P.O. Box 30051, Edmond, OK  73003
C +1 (501) 690-3305
F +1 (405) 562-8669
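The allow-list policy described in this reply and in the original question (default deny on the workstation VLAN, ARP/DHCP/DNS and the gateway allowed, AD opened to all ports by server IP because of its port range, well-known services and printers locked to port level, no client-to-client traffic) can be modelled as an ordered rule list. The following is an added example written for this thread; it is not Enterasys policy syntax and not either poster's configuration. Every address, server name, port choice and the inventory layout are assumptions, and the flows in the demo are constructed test data. It also includes the check Brian's caveat implies: a routine that reports rules pinned to a server IP that no longer appears in the inventory after an upgrade.

```python
"""Allow-list ("default deny") policy for a workstation VLAN.

Added example for this thread, not Enterasys policy syntax and not the
posters' configuration.  It models the rule set described above: default
deny, ARP/DHCP/DNS allowed, a critical service (AD) opened to all ports by
server IP, well-known services locked to port level, printers to their
print ports only, and workstation-to-workstation traffic dropped.
All addresses, names and port choices below are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One egress flow from a workstation port (constructed test data)."""
    proto: str      # "arp", "udp", "tcp" or "icmp"
    src: str
    dst: str        # IPv4 address (ARP target address for "arp")
    dport: int = 0  # 0 when the protocol has no port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "forward" or "drop"
    proto: Optional[str] = None        # None = any protocol
    dst: Optional[IPv4Network] = None  # None = any destination
    ports: frozenset = frozenset()     # empty = any destination port

    def matches(self, flow: Flow) -> bool:
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dst is not None and ip_address(flow.dst) not in self.dst:
            return False
        if self.ports and flow.dport not in self.ports:
            return False
        return True


# Assumed inventory: server role -> current IP.  Host rules are pinned to these.
SERVERS = {
    "dc1": "10.10.0.10",      # Active Directory domain controller
    "dns1": "10.10.0.53",
    "www": "10.10.0.80",
    "files": "10.10.0.45",
    "printer": "10.10.0.100",
}
GATEWAY = "10.20.0.1"
WORKSTATION_VLAN = ip_network("10.20.0.0/24")
INTERNAL = ip_network("10.0.0.0/8")


def host(ip: str) -> IPv4Network:
    return ip_network(f"{ip}/32")


def build_policy(servers=SERVERS, gateway=GATEWAY,
                 workstations=WORKSTATION_VLAN, internal=INTERNAL):
    """Ordered rule list; first match wins, anything unmatched is dropped."""
    return [
        Rule("arp", "forward", proto="arp"),
        Rule("dhcp", "forward", proto="udp", ports=frozenset({67})),
        Rule("dns", "forward", dst=host(servers["dns1"]), ports=frozenset({53})),
        Rule("gateway-icmp", "forward", proto="icmp", dst=host(gateway)),
        # AD uses a wide, partly dynamic port range: allow by server IP only
        # instead of guessing ports and slowing down logins.
        Rule("ad-dc1", "forward", dst=host(servers["dc1"])),
        Rule("www", "forward", proto="tcp", dst=host(servers["www"]),
             ports=frozenset({80, 443})),
        Rule("files", "forward", proto="tcp", dst=host(servers["files"]),
             ports=frozenset({445})),
        Rule("print", "forward", proto="tcp", dst=host(servers["printer"]),
             ports=frozenset({9100, 631})),
        Rule("peer-to-peer", "drop", dst=workstations),  # no client-to-client
        Rule("internal-other", "drop", dst=internal),    # no other servers
        Rule("internet", "forward"),                     # rest is routed out
    ]


POLICY = build_policy()


def evaluate(flow: Flow, policy=POLICY):
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    return "drop", "default-deny"


def stale_host_rules(policy, servers, gateway):
    """Rules pinned to a /32 that is no longer in the inventory: the
    'adjust your policy when server IPs change' check."""
    live = {ip_address(ip) for ip in [*servers.values(), gateway]}
    return [r.name for r in policy
            if r.dst is not None and r.dst.prefixlen == 32
            and r.dst.network_address not in live]


if __name__ == "__main__":
    for f in [Flow("arp", "10.20.0.15", "10.20.0.1"),
              Flow("udp", "10.20.0.15", "255.255.255.255", 67),
              Flow("tcp", "10.20.0.15", "10.10.0.10", 49152),  # AD RPC port
              Flow("tcp", "10.20.0.15", "10.20.0.16", 445),    # peer SMB
              Flow("tcp", "10.20.0.15", "10.10.0.100", 22),    # printer SSH
              Flow("tcp", "10.20.0.15", "93.184.216.34", 443)]:
        print(f, evaluate(f))
    # Server "upgraded" to a new address: the pinned rule is now stale.
    print(stale_host_rules(POLICY, dict(SERVERS, dc1="10.10.0.11"), GATEWAY))
```

Rule order matters: the per-server allows sit before the VLAN-wide and internal drops, so an AD flow to a high RPC port is forwarded while the same port to a workstation or to an unlisted internal server is dropped. Running stale_host_rules after every server move is the cheap way to catch the "changed IPs, forgot the policy" case before the phone rings.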




From: John Kaftan <[email protected]>
Date: February 8, 2013, 6:35:05 AM CST
To: "Enterasys Customer Mailing List" <[email protected]>
Subject: [enterasys] Policy Dreamer
Reply-To: [email protected]
We are just starting to dream about policy.  We are using it as part of NAC in 
our residence halls but have not really played around with it beyond that.

When I do packet captures I see the usual junk flying around our network, i.e. 
various broadcasts from MS or what have you.  I see no reason why clients need 
to talk to each other at all.  The only thing our users need is to be able to 
ARP so they can find the gateway, DHCP, DNS, and access to whatever services we 
are providing for them centrally, e.g. printing, files, directory, internet, 
etc.

Has anyone taken the lockdown approach where you only allow the protocols that 
are needed rather than blocking the ones that you don't like?

My guess is that this approach is too restrictive and that the phone rings too 
much, but "I have a dream...."


--
John Kaftan
IT Infrastructure Manager
Utica College




