From: Joseph Ezerski (jezerski@xxxxxxxxxxxx)
Date: Fri Oct 12 2001 - 20:06:02 GMT-3
Subject: RE: A firewall Question
Whoops, I think you might be misunderstanding me.... I meant it to read
"this might be useless to add to the conversation because you are
discussing firewalls...."
I meant absolutely no insult at all.
-Joe
-----Original Message-----
From: Kenny Sallee [mailto:kenny@centerspan.com]
Sent: Friday, October 12, 2001 4:03 PM
To: 'jezerski@broadcom.com'; ccielab@groupstudy.com
Subject: RE: A firewall Question
WTF do you mean by useless? So it's a L2 device that's smart enough to
look at L2-4 info. Which is exactly what the PFC does ( amongst other
things ). And it's not smart enough to look at L7 - that would mean it
can't look at the DATA portion of a packet to make a decision as to forward
or not. And by the way I've used VACLs before and they definitely are
useful for providing a level of security on a LAN segment. Used with
private VLANs you can really restrict traffic on a LAN segment. Still don't
understand what you mean by useless / why you were trying to insult me.
The original email states " firewall that is a layer 2 device". The point
I was trying to make was that a firewall that inspects L3-7 traffic cannot
( by my definition ) be a true L2 device ( by my definition again ). If it
were a true L2 device you'd call it a bridge and you'd have to filter by
MAC. By the way, a Cat6k with an MSFC/PFC/etc in my definition is not a
true L2 device either.
Kenny
-----Original Message-----
From: Joseph Ezerski [mailto:jezerski@broadcom.com]
Sent: Friday, October 12, 2001 3:27 PM
To: 'Kenny Sallee'; 'louie kouncar'; ccielab@groupstudy.com
Subject: RE: A firewall Question
This may be entirely useless to you, but the Cat 6509 switch with a PFC
matches EVERY packet up to layer 4. This lets you do VACLs on the switch
itself at wire speed. We use them to stop rogue DHCP servers from taking
over the LAN.
-Joe
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kenny Sallee
Sent: Friday, October 12, 2001 3:05 PM
To: 'louie kouncar'; ccielab@groupstudy.com
Subject: RE: A firewall Question
It can't be a pure L2 device and still filter anything above it. It may be
setup like it's a bridge, which I have seen before ( I can't remember the
name/type of the firewall ). But it still filters packets based on L3,4 and
7 information, else there would be no way to filter. I guess it's a matter
of definition. If the box is a bridge and sits like this:
router
|
| ---> Subnet 192.168.1.0/24
|
L2 firewall
|
| ---> Subnet 192.168.1.0/24
|
Router
|
------- > Internal Segment
Then it's a layer2 device that's smart enough to look at, and react to, L3-7
packets. Not a true L2 firewall ( or it'd only filter on MAC right). Just
my opinion of course.
Kenny
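Kenny's point above (a bridging firewall still has to decode L3/L4 headers to filter anything, otherwise it could only match on MAC) and Joe's VACL use case earlier in the thread (stopping rogue DHCP servers on the LAN) are illustrated by the following added Python example. It is not code from the thread or from any Cisco product; it is a toy transparent-bridge filter that parses Ethernet II / IPv4 / UDP frames and drops DHCP server replies (UDP 67 -> 68) from MACs not on an authorized list, next to a MAC-only filter for contrast. All frames, MAC addresses and IP addresses are constructed for the demo, and checksums are left at zero since nothing here validates them.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
DHCP_SERVER_PORT = 67  # DHCP server -> client replies: UDP src 67, dst 68
DHCP_CLIENT_PORT = 68


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class Headers:
    src_mac: str
    dst_mac: str
    ethertype: int
    proto: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def parse_frame(frame: bytes) -> Headers:
    """Decode Ethernet II, then IPv4 and UDP when present; non-IP frames stay L2-only."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    h = Headers(mac_str(src), mac_str(dst), etype)
    if etype != ETHERTYPE_IPV4 or len(frame) < 34:
        return h
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes (options included)
    if ihl < 20 or len(ip) < ihl:
        return h
    h.proto = ip[9]
    h.src_ip, h.dst_ip = ip_str(ip[12:16]), ip_str(ip[16:20])
    if h.proto == PROTO_UDP and len(ip) >= ihl + 8:
        h.src_port, h.dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return h


def mac_only_decision(frame: bytes, blocked_macs: Set[str]) -> str:
    """A true L2 filter: the only thing it can key on is the source MAC."""
    return "drop" if parse_frame(frame).src_mac in blocked_macs else "forward"


def bridge_firewall_decision(frame: bytes, authorized_dhcp_macs: Set[str]) -> str:
    """Bridge that peeks at L3/L4: drop DHCP server replies from unauthorized MACs."""
    h = parse_frame(frame)
    is_dhcp_reply = (h.proto == PROTO_UDP and h.src_port == DHCP_SERVER_PORT
                     and h.dst_port == DHCP_CLIENT_PORT)
    if is_dhcp_reply and h.src_mac not in authorized_dhcp_macs:
        return "drop"
    return "forward"


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Construct an Ethernet/IPv4/UDP frame for the demo (checksums left at 0)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     PROTO_UDP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + udp


# Constructed sample frames; the MACs and addresses are hypothetical, not from the thread.
LEGIT_DHCP = "00:11:22:33:44:55"
ROGUE = "de:ad:be:ef:00:01"
BCAST = "ff:ff:ff:ff:ff:ff"
FRAMES = {
    "legit_offer": build_udp_frame(LEGIT_DHCP, BCAST, "192.168.1.1", "255.255.255.255", 67, 68),
    "rogue_offer": build_udp_frame(ROGUE, BCAST, "192.168.1.250", "255.255.255.255", 67, 68),
    "rogue_dns": build_udp_frame(ROGUE, LEGIT_DHCP, "192.168.1.250", "192.168.1.1", 53, 40000),
    "arp": mac_bytes(BCAST) + mac_bytes(ROGUE) + struct.pack("!H", 0x0806) + b"\x00" * 28,
}


def run_demo() -> Dict[str, Dict[str, str]]:
    """Run both filters over every sample frame and return the verdicts."""
    return {
        name: {
            "bridge_fw": bridge_firewall_decision(f, {LEGIT_DHCP}),
            "mac_only": mac_only_decision(f, {ROGUE}),
        }
        for name, f in FRAMES.items()
    }


if __name__ == "__main__":
    for name, v in run_demo().items():
        print(f"{name:12s} bridge_fw={v['bridge_fw']:8s} mac_only={v['mac_only']}")
```

The contrast is the point of the thread: the MAC-only filter can stop the rogue host entirely but cannot tell its DHCP offers from its DNS or ARP traffic, while the bridging filter makes a per-packet decision from UDP ports it had to dig out of L3/L4, so it is transparent at L2 but not a "true" L2 device in Kenny's sense.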
-----Original Message-----
From: louie kouncar [mailto:lkouncar@UU.NET]
Sent: Friday, October 12, 2001 10:02 AM
To: ccielab@groupstudy.com
Subject: A firewall Question
All,
I have been working with Check Point firewall for a while, and just today I
heard a guy say that there is a kind of firewall that is a layer 2 device.
Can anyone comment on that please....
Thank you
Louie J. Kouncar CCIE #7994
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:18 GMT-3