I wrote:
> The link layer (Token Ring/Ethernet/PPP) should not make any difference to
> your firewall. If you go for the proxy firewall, it makes 0 difference,
> only some packet filter types might have trouble if they've only been
> implemented to support Ethernet frames. i.e. it won't be of concern to your
> Ciscos if you include them as part of your firewall.
Paul Ferguson wrote:
> However, if its *routed* and not bridged, it becomes much more of a
> palatable exercise to filter traffic. I would also suggest that access
> control at layer 3 is much less CPU intensive than at layer 2. To
> generically state that 'it won't be of concern' is the Wrong Thing.
I was referring to it (link layer) not making any difference to IP access
list writing, extended or not, for firewalling. You should still be
dropping all incoming packets, except for a few you want to allow
through. I was assuming that the Cisco would enable you to write such
access lists without needing to worry, too much, about whether routing
or bridging is done... (assuming you're not bridging your token ring to
the internet O:)
darren
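An added illustration of the "drop everything inbound except a few explicit allows" approach described in the message above, written as a Cisco IOS extended IP access list. This is example configuration, not taken from the thread or from any Cisco documentation; the interface name, the 192.0.2.0/24 addresses and the permitted services are assumed placeholders.

```cisco
! Extended ACL: explicit permits first, then deny everything else.
! Placeholders (constructed): 192.0.2.0/24 is the inside network,
! 192.0.2.10 the mail host, 192.0.2.20 the web host; Serial0 faces outside.
ip access-list extended INBOUND-FILTER
 ! Anti-spoofing: nothing arriving from outside may claim an inside address
 deny   ip 192.0.2.0 0.0.0.255 any log
 ! Allow return traffic for TCP sessions that were opened from inside
 permit tcp any 192.0.2.0 0.0.0.255 established
 ! The few services deliberately exposed: SMTP to the mail host, HTTP to the web host
 permit tcp any host 192.0.2.10 eq 25
 permit tcp any host 192.0.2.20 eq 80
 ! Everything else is dropped. The implicit deny at the end of every ACL
 ! would do this anyway; an explicit line gives a hit counter and a log entry.
 deny   ip any any log
!
! Bind the list inbound on the outside interface. The same list could be
! applied to a Token Ring or Ethernet interface unchanged, which is the
! point made above: the IP filter does not depend on the link layer.
interface Serial0
 ip access-group INBOUND-FILTER in
```

Check the counters with `show ip access-lists INBOUND-FILTER` after applying it; a rising count on the final deny line is the quickest sign that the default-deny rule is doing its job.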