Here's my setup:
I have a ROUTED access layer switch and a user vlan that terminates on it. The default gateway for the users is the user-vlan interface on the switch.
The problem is that the users need to be treated as untrusted users. Their traffic needs to be firewalled, per se. We don't have a FW appliance, so we have to resort to ACLs.
The users will need access to a few servers on our server farm. That leaves us vulnerable to DoS attacks and hacking.
Now, we can block ICMP, but we don't want to -- we want it for troubleshooting.
Is there a way to allow pings from the users to the servers BUT limit them so that they cannot launch a DoS attack?