Someone wrote (off-list):
>
> Mikael Olsson wrote:
> > With a bridging firewall, it becomes a breeze to transform
> > the 1000-host, 5Gbps backplane LAN on the other side of the
> > firewall into a hubbed 100mbps one.
>
> How is that done?
>
Overload the MAC<>port mapping tables of the switches on the
internal LAN, through the firewall. - Foolproof recipe for
turning any switch into a hub (well, almost a hub -- it'll
still run full duplex).
Unless the firewall in question has explicit limits on how
many MAC addresses it will allow inbound (seen over an
_EXTENDED_ period of time -- quite likely a longer period
than the firewall stays up!), and unless those limits are
finely tuned to be adapted to the LOWEST common denominator
of CAM table sizes of switches on the internal LAN (yes, that
is a lot of "unless"), this could severely degrade
performance and require a reset of every single switch on
the internal LAN.
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
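The recipe above, as an added toy model (not code from the original post, and not Clavister's code): a learning switch with a fixed-size MAC-to-port table, four internal hosts, and an attacker behind a transparent firewall whose every frame carries a never-before-seen source MAC. A firewall-side guard limits distinct inbound source MACs over a window, and the simulation shows the two "unless" conditions in the reply: the limit has to be sized to the smallest internal CAM table, and the window has to be long enough that a slow attacker cannot age its own entries out. Everything here is constructed: the CAM size of 8, the FIFO eviction on a full table, the host MACs, the port numbers and the tick-based clock are assumptions made for illustration.

```python
"""Toy model of CAM-table exhaustion through a bridging firewall.

Constructed example for this thread, not code from the original post or
from Clavister. One tick is an arbitrary time unit; CAM_SIZE, the host
MACs and the port numbers are invented for the illustration.
"""
from collections import OrderedDict
import random

PORT_FIREWALL = 5   # switch port the bridging firewall's inside interface is on (assumed)
CAM_SIZE = 8        # smallest CAM table among the internal switches (toy value)
HOSTS = {f"02:00:00:00:00:{i:02x}": i + 1 for i in range(4)}  # constructed mac -> port


def random_mac(rng):
    """Random locally administered unicast MAC (bit 1 of the first octet set, bit 0 clear)."""
    first = (rng.randrange(256) & 0xFC) | 0x02
    rest = [rng.randrange(256) for _ in range(5)]
    return ":".join(f"{o:02x}" for o in [first] + rest)


class LearningSwitch:
    """Learning switch with a fixed-size table and FIFO eviction when full.

    Simplification: real ASICs age entries (commonly around 300 s) and handle
    a full table in vendor-specific ways, but the visible effect is the same:
    a destination that is not in the table gets flooded out of every port,
    i.e. the switch behaves like a hub for that traffic.
    """

    def __init__(self, cam_size, ports):
        self.cam_size = cam_size
        self.ports = list(ports)
        self.cam = OrderedDict()              # src mac -> port, in learning order
        self.stats = {"unicast": 0, "flooded": 0, "evictions": 0}

    def forward(self, src_mac, dst_mac, in_port):
        """Learn src_mac on in_port, then return the list of egress ports."""
        if src_mac not in self.cam:
            if len(self.cam) >= self.cam_size:
                self.cam.popitem(last=False)   # table full: evict the oldest entry
                self.stats["evictions"] += 1
            self.cam[src_mac] = in_port
        out = self.cam.get(dst_mac)
        if out is not None:
            self.stats["unicast"] += 1
            return [out]
        self.stats["flooded"] += 1            # unknown destination: flood
        return [p for p in self.ports if p != in_port]


class DistinctMacGuard:
    """Firewall-side limit on distinct inbound source MACs seen within `window` ticks."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = {}                        # mac -> tick last seen

    def allow(self, src_mac, now):
        for mac in [m for m, t in self.seen.items() if now - t > self.window]:
            del self.seen[mac]                # forget MACs idle longer than the window
        if src_mac in self.seen or len(self.seen) < self.limit:
            self.seen[src_mac] = now
            return True
        return False                          # new MAC over the limit: drop the frame


def simulate(guard=None, attack_every=1, attack_burst=8, ticks=1000, seed=1):
    """Run the scenario and return the share of legitimate frames that were
    flooded plus the number of attacker frames the guard let through.
    Each tick every host sends one frame to the next host; every
    `attack_every` ticks the attacker sends `attack_burst` frames, each from
    a fresh random MAC (attack_every=0 disables the attacker)."""
    rng = random.Random(seed)
    sw = LearningSwitch(CAM_SIZE, ports=range(1, PORT_FIREWALL + 1))
    macs = list(HOSTS)
    legit_total = legit_flooded = admitted = 0
    for tick in range(ticks):
        for n, mac in enumerate(macs):
            before = sw.stats["flooded"]
            sw.forward(mac, macs[(n + 1) % len(macs)], HOSTS[mac])
            legit_total += 1
            legit_flooded += sw.stats["flooded"] - before
        if attack_every and tick % attack_every == 0:
            for _ in range(attack_burst):
                src = random_mac(rng)
                if guard is None or guard.allow(src, tick):
                    admitted += 1
                    sw.forward(src, random_mac(rng), PORT_FIREWALL)
    return {"flood_fraction": legit_flooded / legit_total, "admitted": admitted}


if __name__ == "__main__":
    limit = CAM_SIZE - len(HOSTS)   # room left in the smallest internal CAM table
    print("no attack          ", simulate(attack_every=0))
    print("no guard           ", simulate())
    print("guard, long window ", simulate(DistinctMacGuard(limit, window=10**6)))
    print("guard, short window", simulate(DistinctMacGuard(limit, window=5),
                                          attack_every=10, attack_burst=3))
```

Without the guard, the four internal hosts are evicted every tick and three of their four frames are flooded; with the limit set to the free space in the smallest table and a window longer than the run, only the first four attacker MACs ever get learned and nothing legitimate is flooded. The same limit with a five-tick window lets an attacker that paces itself to one burst per ten ticks through indefinitely, which is the "seen over an extended period of time" point: the window has to outlast the attacker's patience, not the switch's aging timer.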