Firewall Wizards mailing list archives
Re: Layer 2 (stealth) firewalls - PBR?
From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 10 Apr 2008 17:56:17 -0400 (EDT)
(My answers below start with--. This will be my last message on this thread unless someone adds something new. Rehashing fundamental layer2 is not interesting.)No, just saying that I'm (a) aware of the differences in layers and (b) aware of when those differences are not treated as true boundaries.I don't think you are. You do seem to be learning though. My guess is you are doing a lot of research in order to answer my "challenges", although they haven't been personal up til now.
Well, you can guess again, I've followed multicast networking for a number of years. I've networked production traffic over more layer 1 and 2 varieties than most people and I'll put my experience up against pretty-much anyone. I'll be happy to give you an off-list selection of my directly relevent experience if you're interested. I'm going to try to clean up the quoting because minus signs make it difficult to follow. I'll offset portions by lines of five asterisks after attribution, I'll keep some of the mailer-induced quoting, but in case we don't get good formatting, hopefully it'll still be readable. I originally said: *****
I will refer you to RFC 4541, Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches. (May 2006) Which says in part: In recent years, a number of commercial vendors have introduced products described as "IGMP snooping switches" to the market. These devices do not adhere to the conceptual model that provides the strict separation of functionality between different communications layers in the ISO model, and instead utilize information in the upper level protocol headers as factors to be considered in processing at the lower levels. This is analogous to the manner in which a router can act as a firewall by looking into the transport protocol's header before allowing a packet to be forwarded to its destination address. In the case of IP multicast traffic, an IGMP snooping switch provides the benefit of conserving bandwidth on those segments of the network where no node has expressed interest in receiving packets addressed to the group address. This is in contrast to normal switch behavior where multicast traffic is typically forwarded on all interfaces. Many switch datasheets state support for IGMP snooping, but no recommendations for this exist today. It is the authors' hope that the information presented in this document will supply this foundation. The suggestions in this document are based on IGMP, which applies only to IPv4. For IPv6, Multicast Listener Discovery [MLD] must be used instead. Because MLD is based on IGMP, we do not repeat the entire description and recommendations for MLD snooping switches. Instead, we point out the few cases where there are differences from IGMP.
***** You replied *****
Paul, this is a layer 3 switch. No wonder it can handle specialized layer 3 protocols. Most L3 switches can handle certain circumstances in specific ways to enhance or optimize them. E.g. route once, switch many....
***** My new reply is: ***** Patrick, a layer three switch switches based upon layer 3 addressing information. This is perfectly implementable (and has been implemented by several companies- links later) in a switch that only switches on layer 2 addressing. It's simply a method to optimize multicast performance. In fact, you can Google "MLD snoping and layer 2 switches" and find all sorts of documentation of implementation on non-layer-3 switches. ***** You originally said: *****
but layer 2 devices such as NICs, hubs, bridges, and layer 2 switches do not rely on IP or any other layer 3 protocol whatsoever for forwarding.
***** I originally replied: *****
So, you see switch vendors really are looking into layer 3 information for multicast traffic. Enough so that someone thought "Hey, we should have an RFC to cover this!"
***** You said: *****
Yes they are. That's because there is a huge market for L3 switches. Core switches had better be L3 these days.
***** I'm replying: ***** Here, I'll even save you the Googling: http://www.h3c.com/portal/Products___Solutions/Technology/IP_Multicast/IGMP_Snooping___MLD_Snooping/200702/201356_57_0.htm (Key phrase "Before and after IGMP Snooping is enabled on the Layer 2 device") http://advanced.comms.agilent.com/n2x/docs/appnotes/enterprise/TestingIGMP/5989-0821EN.pdf (Key phrase "IGMP snooping is a process whereby a Layer-2 switch passively listens (or "snoops") the Layer-3 IGMP traffic...") http://www.net-o2.com/igs.asp (Key phrase "n the recent years networking devices - specifically layer 2 switches have been supporting the ability to derive layer 2 multicast group forwarding information by processing the layer 3 Internet Group Management Protocol (IGMP) packets.") While I agree that there's a huge market for Layer-3 switches, and that core switches should be layer-3 switches, that's really got nothing to do with the implementation of IGMP snooping on Layer-2 switches. ***** You originally said: *****
You state "They also have to forward layer 3 broadcasts out all ports in a LAN" which is patently false--if a 128 port layer 2 switch has 64 ports on 10.0.0.0/24 and the other 64 ports on 10.1.0.0/24, then a broadcastsent to 10.0.0.0/24 will only hit the correct 64 ports. The switch decides
***** I originally replied: *****
That's two LANs the way I've always counted it in terms of addressing unless your'e supernetting on some devices and not on others, in which case you can count it several ways. A dumb switch doesn't always know your mask either. I think the algorithm for a dumb switch actually tends to be "if I don't know the destination MAC address, send it out all the ports," but I'd have to get some playtime to test it effectively.
***** You replied: *****
No no no. And no. Yes for the last sentence--that is the basic fundamental function of an L2 switch; yes yes yes, you are getting it finally!
***** I reply: ***** Hey, you're the one who had a switch broadcasting to specific ports based on a subnet mask. In fact, outside of VLANs (which limit brodcast domains) I don't see how your "correct 64 ports" happens. I've supernetted a couple of production networks over the years (probably no more than three, as it tends to confuse folks) and each time I've done that, I've had some devices with different masks than others, so I really don't see how your scenerio works in an environment where you're not simply using one physical device as if it were two. ***** You originally said: *****
I think this is the problem. You are confusing layer 2 unicast/broadcast frames with layer 3 unicast/multicast/broadcast packets. Certainly layer 2 devices do unicast and broadcast, but again NOT based on IP or any other layer 3 protocol. Layer 2 Unicast and Broadcast are all in relation to
***** I originally replied: *****
No, I'm talking about both types, you're simply missing the case where the switch vendors peeking up the stack. Your refusal to acknowlege this blinds you, and causes you to misinterpret.
***** You replied: *****
I don't refuse to acknowledge it. I just know the difference between an L3 switch and an L2 switch.
***** I reply: ***** Well, apparently your differences aren't the same as everyone else's differences. For instance, switch manufacturer Foundry says: "Passive - When passive IGMP mode is enabled, the Layer 2 Switch listens for IGMP Group Membership reports but does not send IGMP queries. The passive mode is sometimes called "IGMP snooping". Use this mode when another device in the network is actively sending queries." http://www.foundrynetworks.co.jp/services/documentation/sribcg/L2_multicast.html You're telling me that this is a Layer-3 switch: http://www.etherwan.com/products_detail.php?cat=es&model_no=EX72000 I think your definition of Layer-3 switch isn't correct, you seem to be defining Layer-3 switch as "any switch that looks at any Layer-3 data" rather than "Any switch that routes data out of a port based on layer 3 information." Layer-2 switches which snoop IGMP still swtich multicast data based on table entries, not Layer-3 addressing, so they're not acting as layer-3 switches when they do so, even if they are capable of acting as such, which many are not. ***** You said: *****
IPv6 has nothing to do with layer 2. I am going to completely ignore this statement.
***** I replied: *****
Again, I'll point you to MLD snooping. Again, I'll admit my term of "peeking" isn't the common "snooping" that seems to be vogue, but it's still there and it's still a factor in shipping hardware.
***** You replied: *****
Me chest thump now. Do a search on ipv6 and my name. You'll find I am part of the public policy making body in ARIN for IPV6, and have been for years. Active too. IPV6 is medium independant. Neutral on layer 2. As is ipv4: ethernet, token ring, atm (special case here, but mostly true), etc. etc. etc.
***** Which has nothing to do with the fact that MLD snooping looks up the chain to layer 3 on a layer 2 device, as IGMP snooping does. Now you may not be able to find implementations of IGMP or MLD discovery for many layer-2 mediums, but that doesn't make it the Easter Bunny. Real layer-2 switches look at real layer-3 information on real networks- no matter how much you want to deny it. Some vendors have decided if they're going to go through the trouble of making a switch layer-3 aware, they may as well make a layer-3 switch, but that's not (a) the entire market, or (b) the case necessary for successful implementation. Once again, I'll point to actual shipping product: http://www.pcmall.com/pcmall/shop/detail.asp?dpno=7285636&Redir=1&description=D-Link-Managed%2024-Port%20Gigabit%20Stackable%20Layer%202%20Switch%20+%204%20combo%20SFP%20+%2020%20Gig%20Stacking-Switches%20/%20Hubs Pleaase note "The DGS-3100-24 switch is a managed Layer 2 Gigabit stackable switch designed as feature-rich, low-cost devices in the entry-level network management category." Combined with: "The switch provides IGMP snooping and MLD snooping to control multicast transmission, and port mirroring to facilitate diagnostics." Layer 2 switch, MLD snooping and IGMP snooping. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." http://www.fluiditgroup.com/blog/pdr/ Art: http://PaulDRobertson.imagekind.com/ _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Layer 2 (stealth) firewalls - PBR?, (continued)
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Patrick Darden (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 10)
- Layer 2 (stealth) firewalls - PBR? iarenaza (Apr 09)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 10)
- Re: Layer 2 (stealth) firewalls - PBR? lordchariot (Apr 10)
- Message not available
- Re: Layer 2 (stealth) firewalls - PBR? Darren Reed (Apr 08)