Call me lazy.
We, too, do not use "Allow" but assign everyone to a role. I even have a role
called "Bypass security" that is a simple Allow All. Our switches live in this role.

Our Game Systems role allows all traffic, as long as it's confined to ResNet or
goes off-campus. Game Systems do not need to browse our web, do email, register
for classes, etc. ;-)  I don't want to keep up with the various ports used by
the game servers out there.

I don't care if the MAC is a game system or a PC, but most of our students care
about their email, course materials in Blackboard, etc. This appears to have the
desired effect of keeping other types of systems out of the game system role.

--Cal Frye, Network Administrator, Oberlin College
   www.ouuf.org, www.calfrye.com
   Say Yes Twice for Oberlin Schools!   www.oberlinyesyes.com

  "When my information changes, I change my opinion. What do you do, Sir?"  --
John Maynard Keynes.


Michael Grinnell wrote:
> We created a page for our HelpDesk to use that uses the API to  register
> the device.  The HelpDesk checks the MAC Address prefix  against the OUI
> database to verify that it's not someone's router or  pc.  The web form
> creates an "allow" filter with a description that  includes:
>     who registered it
>     who it's registered to
>     what type of device it is
>     the date it was registered.
> 
> We've looked at eventually moving these devices from "allowed" to a 
> specific role, but we wanted to see what other schools' experiences 
> were first.