Firewall Wizards mailing list archives
Re: Layer 2 (stealth) firewalls - PBR?
From: "Darden, Patrick S." <darden () armc org>
Date: Thu, 10 Apr 2008 08:00:08 -0400
(My answers below start with--. This will be my last message on this thread unless someone adds something new. Rehashing fundamental layer2 is not interesting.) No, just saying that I'm (a) aware of the differences in layers and (b) aware of when those differences are not treated as true boundaries. --I don't think you are. You do seem to be learning though. My guess is you are doing a lot of research in order to answer my "challenges", although they haven't been personal up til now. I will refer you to RFC 4541, Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches. (May 2006) Which says in part: In recent years, a number of commercial vendors have introduced products described as "IGMP snooping switches" to the market. These devices do not adhere to the conceptual model that provides the strict separation of functionality between different communications layers in the ISO model, and instead utilize information in the upper level protocol headers as factors to be considered in processing at the lower levels. This is analogous to the manner in which a router can act as a firewall by looking into the transport protocol's header before allowing a packet to be forwarded to its destination address. In the case of IP multicast traffic, an IGMP snooping switch provides the benefit of conserving bandwidth on those segments of the network where no node has expressed interest in receiving packets addressed to the group address. This is in contrast to normal switch behavior where multicast traffic is typically forwarded on all interfaces. Many switch datasheets state support for IGMP snooping, but no recommendations for this exist today. It is the authors' hope that the information presented in this document will supply this foundation. ... The suggestions in this document are based on IGMP, which applies only to IPv4. For IPv6, Multicast Listener Discovery [MLD] must be used instead. Because MLD is based on IGMP, we do not repeat the entire description and recommendations for MLD snooping switches. Instead, we point out the few cases where there are differences from IGMP. --Paul, this is a layer 3 switch. No wonder it can handle specialized layer 3 protocols. Most L3 switches can handle certain circumstances in specific ways to enhance or optimize them. E.g. route once, switch many....
but layer 2 devices such as NICs, hubs, bridges, and layer 2 switches do not rely on IP or any other layer 3 protocol whatsoever for forwarding.
So, you see switch vendors really are looking into layer 3 information for multicast traffic. Enough so that someone thought "Hey, we should have an RFC to cover this!" --Yes they are. That's because there is a huge market for L3 switches. Core switches had better be L3 these days.
You seem to be conflating layer 3 multicast/broadcast/unicast Packets with broadcast/unicast Frames. To begin with, packets are not frames, and layer 2 devices cannot interpret packets.
Perhaps I crossed frame and packet, I tend to do that from time to time, doesn't change the fact that the vendors are a' shipping it. --Meh.
You state "They also have to forward layer 3 broadcasts out all ports in a LAN" which is patently false--if a 128 port layer 2 switch has 64 ports on 10.0.0.0/24 and the other 64 ports on 10.1.0.0/24, then a broadcast sent to 10.0.0.0/24 will only hit the correct 64 ports. The switch decides
That's two LANs the way I've always counted it in terms of addressing unless your'e supernetting on some devices and not on others, in which case you can count it several ways. A dumb switch doesn't always know your mask either. I think the algorithm for a dumb switch actually tends to be "if I don't know the destination MAC address, send it out all the ports," but I'd have to get some playtime to test it effectively. --No no no. And no. Yes for the last sentence--that is the basic fundamental function of an L2 switch; yes yes yes, you are getting it finally!
I think this is the problem. You are confusing layer 2 unicast/broadcast frames with layer 3 unicast/multicast/broadcast packets. Certainly layer 2 devices do unicast and broadcast, but again NOT based on IP or any other layer 3 protocol. Layer 2 Unicast and Broadcast are all in relation to
No, I'm talking about both types, you're simply missing the case where the switch vendors peeking up the stack. Your refusal to acknowlege this blinds you, and causes you to misinterpret. --I don't refuse to acknowledge it. I just know the difference between an L3 switch and an L2 switch.
IPv6 has nothing to do with layer 2. I am going to completely ignore this statement.
Again, I'll point you to MLD snooping. Again, I'll admit my term of "peeking" isn't the common "snooping" that seems to be vogue, but it's still there and it's still a factor in shipping hardware. --Me chest thump now. Do a search on ipv6 and my name. You'll find I am part of the public policy making body in ARIN for IPV6, and have been for years. Active too. IPV6 is medium independant. Neutral on layer 2. As is ipv4: ethernet, token ring, atm (special case here, but mostly true), etc. etc. etc. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions paul () compuwar net which may have no basis whatsoever in fact." http://www.fluiditgroup.com/blog/pdr/ Art: http://PaulDRobertson.imagekind.com/ _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Layer 2 (stealth) firewalls - PBR? Darren Reed (Apr 01)
- Re: Layer 2 (stealth) firewalls - PBR? Sami Ghourabi (Apr 01)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 02)
- Re: Layer 2 (stealth) firewalls - PBR? Darren Reed (Apr 02)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 03)
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 03)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Patrick Darden (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 08)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 10)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 02)
- Re: Layer 2 (stealth) firewalls - PBR? Sami Ghourabi (Apr 01)
- Layer 2 (stealth) firewalls - PBR? iarenaza (Apr 09)
- Re: Layer 2 (stealth) firewalls - PBR? Darden, Patrick S. (Apr 10)
- Re: Layer 2 (stealth) firewalls - PBR? lordchariot (Apr 10)
- Message not available
- Re: Layer 2 (stealth) firewalls - PBR? Darren Reed (Apr 08)
- <Possible follow-ups>
- Re: Layer 2 (stealth) firewalls - PBR? Paul D. Robertson (Apr 10)