[102977] in North American Network Operators' Group
Re: Customer-facing ACLs
daemon@ATHENA.MIT.EDU (Adrian Chadd)
Tue Mar 11 00:10:08 2008
Date: Tue, 11 Mar 2008 13:18:23 +0900
From: Adrian Chadd <adrian@creative.net.au>
To: Justin Shore <justin@justinshore.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <47D19D99.9000408@justinshore.com>
Errors-To: owner-nanog@merit.edu

I've attempted to summarise the replies I found useful in the Wiki:
http://nanog.cluepon.net/index.php/MailTopics#Customer-Facing_ACLs

My personal observations:
* More information about what networks are doing would be nice!
* More data points about probes/scans/etc would be nice!
* Filtering technologies would be nice for ACLs - not shaping of things
like BT/YT/etc - stuff like how to deploy per-customer ACLs on
a variety of tech. I know I've used ACLs in RADIUS AV pairs in a
SP environment for DSL aggregation; I've also used similar hackery
in 802.1x for per-port Ethernet ACLs in an Enterprise environment.
Has anyone rolled out 802.1x style port authentication in an Ethernet-
edge scenario and included ACLs/shaping AV-pairs? Experience/Feedback
would be great.

Constructive comments appreciated.

Adrian