On 8 Sep 2001, at 22:41, Paul D. Robertson wrote:

> Some switches will still broadcast packets when their buffers
> start to get saturated, or if they get too many entries in their
> ARP tables- if you really need separation, then things should be
> physically separated and routed (per-port costs go up for users in
> that scenario, but on the good side you get big routers to play
> with.) 

  Some?  That's the *correct* behaviour for a switch when it receives 
a packet whose destination MAC address is not in its tables, whether 
because it just hasn't seen traffic from the destination box yet, 
or because its tables have filled and can't hold any more addresses.
  In either case, the switch doesn't know which is the correct 
destination port, and the safe fallback is to forward the packet to 
all ports on the VLAN/broadcast domain.  Any switch that doesn't do 
that is broken, and anyone who considers this a security issue should 
stop relying on switches as a security mechanism....

Dave Gillett



_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
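The two cases Dave describes (destination not yet learned, and MAC table full) can be watched in a small model of a learning switch. The following is an added example, not code from the original post or from any switch vendor: the LearningSwitch class, its table size, the port numbers and the MAC addresses are all constructed here for illustration. The third function shows the table-full case being induced deliberately from one port, which is why the flooding fallback matters to anyone treating a switch as a separation mechanism.

```python
"""Model of a transparent learning switch with a bounded MAC table.

Constructed example: the class, table size and MAC addresses below are
illustrative. Real switches differ in table size and in how they age
out entries, but the forwarding rule is the same: unknown destination
means flood to every other port in the broadcast domain.
"""
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Learn source MAC -> ingress port; forward by destination MAC."""

    def __init__(self, ports, table_size):
        self.ports = list(ports)
        self.table_size = table_size          # models a finite CAM table
        self.mac_table = OrderedDict()        # mac -> port

    def _learn(self, src_mac, in_port):
        if src_mac in self.mac_table:
            self.mac_table[src_mac] = in_port  # refresh / host moved
            return
        if len(self.mac_table) >= self.table_size:
            return                             # table full: not learned
        self.mac_table[src_mac] = in_port

    def forward(self, src_mac, dst_mac, in_port):
        """Return the list of egress ports for one frame."""
        self._learn(src_mac, in_port)
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            # Unknown destination, either never seen or never learned
            # because the table was full: flood to all other ports.
            return sorted(p for p in self.ports if p != in_port)
        out_port = self.mac_table[dst_mac]
        return [] if out_port == in_port else [out_port]


# Constructed addresses from the IANA documentation range.
A = "00:00:5e:00:53:0a"   # host on port 1
B = "00:00:5e:00:53:0b"   # host on port 2
ATTACKER_PORT = 3


def first_frame_to_unseen_host():
    """Fresh switch: A sends to B before B has ever transmitted."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], table_size=8)
    return sw.forward(A, B, in_port=1)         # flooded to 2, 3, 4


def unicast_after_learning():
    """Once B has replied, A -> B leaves only on B's port."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], table_size=8)
    sw.forward(A, B, in_port=1)                # flooded; A learned on 1
    sw.forward(B, A, in_port=2)                # to port 1; B learned on 2
    return sw.forward(A, B, in_port=1)         # [2] only


def unicast_after_mac_flood():
    """Port 3 fills the table with bogus sources before A and B talk."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], table_size=8)
    for i in range(sw.table_size):
        bogus = "02:00:00:00:00:%02x" % i      # locally administered, fake
        sw.forward(bogus, BROADCAST, in_port=ATTACKER_PORT)
    sw.forward(A, B, in_port=1)                # A cannot be learned
    sw.forward(B, A, in_port=2)                # B cannot be learned
    return sw.forward(A, B, in_port=1)         # flooded; port 3 sees it


if __name__ == "__main__":
    print("unseen destination :", first_frame_to_unseen_host())
    print("after learning     :", unicast_after_learning())
    print("after MAC flood    :", unicast_after_mac_flood())
```

In the third case the attacker's port receives the A-to-B unicast only because the switch had no entry for B and fell back to flooding, exactly the behaviour the post calls correct; on a real switch the legitimate entries eventually age out, so an attacker who keeps the table full keeps seeing the traffic.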
