> Overload the MAC<>port mapping tables of the switches on the
> internal lan, through the firewall. - Foolproof recipe for
> turning any switch into a hub (well, almost a hub -- it'll
> still run full duplex).
>
> Unless the firewall in question has explicit limits on how
> many MAC addresses it will allow inbound (seen over an
> _EXTENDED_ period of time -- quite likely a longer period
> than the firewall stays up!), and unless those limits are
> finely tuned to be adapted to the LOWEST common denominator
> of CAM table sizes of switches on the internal lan (yes, that
> is a lot of "unless"), this could severely degrade
> performance and require a reset of every single switch on
> the internal LAN.
In case you are using wildcards in your configuration this would
indeed be possible.
Fact is that with the learning bridge implementation of the BRICK,
only ARPs for hosts specified on a certain interface/zone will be
passed (actually recreated) and therefore overloading the MAC table
on the switch is quite unlikely.
Greetings,
Diederik
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
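The exchange above turns on two points: a switch whose MAC-to-port (CAM) table is overloaded falls back to flooding unknown destinations out every port, and a limit on how many MAC addresses one inbound path may contribute keeps that from happening. The toy model below is an added example, not code from the mailing list or from the BRICK product; the port numbers, table size, MAC addresses and the "evict the oldest entry when full" policy are constructed simplifications (real switches mostly age entries out over time, but the effect on legitimate entries is the same once they are gone). It runs the same traffic twice, once with no per-port limit and once with a limit of two learned MACs per port, and reports where a unicast frame between two real hosts ends up, how many frames the limit dropped, and which port a monitor would flag for sourcing too many distinct MACs.

```python
"""Toy model of a switch CAM (MAC -> port) table, its degradation to
hub-like flooding once overloaded, and the per-port MAC limit the
thread proposes as the countermeasure.  Added example, not from the
mailing list; ports, table size and MAC addresses are constructed."""
from collections import OrderedDict, defaultdict


class Switch:
    def __init__(self, ports, cam_capacity, per_port_limit=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        # Maximum distinct source MACs one port may learn; None means no
        # limit, as on a switch (or firewall) without such a setting.
        self.per_port_limit = per_port_limit
        self.cam = OrderedDict()              # mac -> port, oldest first
        self.seen = defaultdict(set)          # port -> every source MAC seen
        self.violations = defaultdict(int)    # port -> frames dropped by the limit

    def learn(self, src_mac, in_port):
        """Record src_mac on in_port; False if the per-port limit blocks it."""
        self.seen[in_port].add(src_mac)
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)     # refresh: treat as recently seen
            return True
        if self.per_port_limit is not None:
            learned_here = sum(1 for p in self.cam.values() if p == in_port)
            if learned_here >= self.per_port_limit:
                self.violations[in_port] += 1
                return False
        if len(self.cam) >= self.cam_capacity:
            self.cam.popitem(last=False)      # table full: evict the oldest entry
        self.cam[src_mac] = in_port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the list of ports the frame leaves on ([] if dropped)."""
        if not self.learn(src_mac, in_port):
            return []
        out_port = self.cam.get(dst_mac)
        if out_port is None:
            # Unknown destination: flood every other port, i.e. act like a hub.
            return [p for p in self.ports if p != in_port]
        return [out_port]

    def noisy_ports(self, threshold):
        """Ports that sourced more distinct MACs than a monitor would expect."""
        return sorted(p for p, macs in self.seen.items() if len(macs) > threshold)


def run_scenario(per_port_limit=None, fake_macs=20):
    """Hosts A and B on ports 1 and 2; port 3 sources many distinct MACs."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=8, per_port_limit=per_port_limit)
    host_a, host_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed
    sw.forward(host_a, host_b, in_port=1)     # switch learns A on port 1
    sw.forward(host_b, host_a, in_port=2)     # ... and B on port 2
    for i in range(fake_macs):                # many distinct sources on port 3
        sw.forward(f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", host_a, in_port=3)
    # Where does a unicast frame from A to B go now?
    return (sw.forward(host_a, host_b, in_port=1),
            dict(sw.violations),
            sw.noisy_ports(5))


if __name__ == "__main__":
    print("no limit:  ", run_scenario())                    # A->B floods to ports 2 and 3
    print("limit of 2:", run_scenario(per_port_limit=2))    # A->B reaches port 2 only
```

Without a limit the entries for A and B are pushed out of the eight-slot table, so the next A-to-B frame is flooded to port 3 as well, which is exactly the "almost a hub" outcome the quoted message describes. With a limit of two MACs per port the table never fills, the frame reaches only port 2, and the eighteen dropped frames plus the `noisy_ports` result give an operator something concrete to alert on. The thread's caveat still applies: the limit only helps if it is set below the smallest CAM table on the internal LAN.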