Path: utzoo!attcan!uunet!ncrlnk!ncrcae!hubcap!gatech!bloom-beacon!bu-cs!kwe
From: kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England))
Newsgroups: comp.dcom.lans
Subject: Re: Smart Bridge/Router
Message-ID: <26684@bu-cs.BU.EDU>
Date: 15 Dec 88 15:41:04 GMT
References: <1448@aucs.UUCP>
Reply-To: kwe@buit13.bu.edu (Kent England)
Followup-To: comp.dcom.lans
Distribution: na
Organization: Boston Univ. Information Tech. Dept.
Lines: 25

In article <1448@aucs.UUCP> paul@aucs.UUCP (Paul Steele) writes:
>Does anyone know of a router/bridge that can be set up to restrict/allow
>access according to the packet's ethernet address.
>[...]
>Is there a router that would
>allow some users immediate access to both servers (according to the user's
>ethernet address), while restricting other stations to just one or the
>other server.

The Proteon p4200 IP routing software allows you to filter packets
based on masks on the IP address. You can make it an inclusive or
exclusive list and you can mask on source and destination addresses.

One simple access control list use that we have tried is to restrict
nodes with IP host parts of 192 and above to the local network (i.e.,
restrict off-campus access). That way our name czar can assign
addresses based on access privilege (and relieve the network crew of
the job). It works, but it still isn't terribly secure.

Of course, every datagram must go through the filter and that's a
performance hit. Keep the list short and limit it to as few routers
as possible.

Access control in an IP router based on Ethernet addresses is less
desirable than based on IP addresses.

Kent England, Boston University
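
An added example, not part of the original post and not Proteon p4200 configuration syntax: a minimal mask-and-compare filter showing how "host parts of 192 and above" reduces to a single mask on source and destination addresses. The campus network 10.1.0.0/16 with an 8-bit host part, the rule layout and all function names are assumptions made for the illustration.

```python
from ipaddress import IPv4Address

def ip(s):
    """Dotted quad -> 32-bit integer."""
    return int(IPv4Address(s))

# Each pattern is (mask, value); an address matches when addr & mask == value.
ANY = ("0.0.0.0", "0.0.0.0")             # zero mask matches every address
CAMPUS = ("255.255.0.0", "10.1.0.0")     # assumed campus network, 8-bit host part
# Host parts 192..255 are exactly the octets with the top two bits set,
# so a single mask/value pair expresses "192 and above".
RESTRICTED = ("255.255.0.192", "10.1.0.192")

# Exclusive (deny) list with default permit; first matching rule wins.
RULES = [
    ("permit", CAMPUS, CAMPUS),      # local traffic is never restricted
    ("deny", RESTRICTED, ANY),       # restricted node sending off campus
    ("deny", ANY, RESTRICTED),       # off-campus sender to a restricted node
]

def matches(addr, pattern):
    mask, value = pattern
    return ip(addr) & ip(mask) == ip(value)

def filter_datagram(src, dst, rules=RULES, default="permit"):
    """Return (action, rules_examined) for one datagram's header addresses.

    The decision uses only the addresses carried in the datagram, so it is
    only as reliable as the address assignment it relies on.
    """
    for n, (action, src_pat, dst_pat) in enumerate(rules, start=1):
        if matches(src, src_pat) and matches(dst, dst_pat):
            return action, n
    return default, len(rules)

if __name__ == "__main__":
    # Constructed sample traffic (private and documentation addresses).
    SAMPLES = [
        ("10.1.5.200", "10.1.9.7"),       # restricted node, local destination
        ("10.1.5.200", "203.0.113.9"),    # restricted node, off campus
        ("10.1.5.191", "203.0.113.9"),    # unrestricted node, off campus
        ("203.0.113.9", "10.1.5.192"),    # inbound to a restricted node
    ]
    for src, dst in SAMPLES:
        action, n = filter_datagram(src, dst)
        print(f"{src:>15} -> {dst:<15} {action:6} ({n} rules examined)")
```

The second value returned is the number of rules examined for that datagram, which is the per-datagram cost that grows with the length of the list.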