Setting up ACLs for 3com Layer III switch

[PSWired]

Hello all, I'm working on setting up a 3com Corebuilder 3500 modular layer III switch as a core network switch for a small business. It will be used as a router to connect VLANs inside the local network at the site. I have 5 local networks in the 172.16.x.x range. Each network is isolated on its own VLAN. I have a router interface set up for each subnet, one per VLAN, and the routing is working fine on my test bench right now. Incoming connections need to be restricted on certain subnets. For example, one subnet will be for management purposes (SNMP cards for devices, web administration interfaces, etc.) and the remainder of the subnets should not be able to open connections to any hosts on this management network. Using the 3com packet filtering language on the Corebuilder 3500, I can reject packets based on any information in the first 64 bytes of the packet. I cannot simply reject all packets with destination addresses on the management network and source addresses on another network, because I need to be able to communicate from a host on the management network to a host on another subnet. How can I go about filtering packets that are not part of an established connection desined for the management subnet? Would blocking all incoming packets with port numbers less than 1024 be an acceptable way of doing this? What security risks will I encounter by doing this, besides allowing access to services using ports higher than 1024 on hosts on the management network? Suggestions? Thanks in advance.