On my Cisco-based SP network with RPMs in MGX chassis acting as PEs: I have the ACL below applied on many network devices to block the common worms ports, if you are a service provider, perhaps filtering in the core will not be appreciated by some customers. of course, as a provider, you can choose what 'service' you are providing. but, if you filter ports, it is not clear you are providing internet service. one approach might be radius installed filters? some contract language to allow 'customers' to request standard templated filters at little/no-extra cost to them. Allow them to make the decision to filter themselves (where 'themselves' may be a dial reseller, of course). Making them responsible means when odd-application-12 comes along to utilize tcp/135 you won't have to poke spot holes through your filters to permit this access.
yep. but note that kim says "ACL below applied on many network devices," and went on to mention ras, which i, possibly mistakenly, took to mean not just the radius-able edge. randy