From: Kenny Sallee (kenny@xxxxxxxxxxxxxx)
Date: Fri Oct 12 2001 - 20:10:03 GMT-3
Sorry I read it the wrong way...call me a 'big dummy'. I've been a little
defensive lately.
Kenny
-----Original Message-----
From: Joseph Ezerski [mailto:jezerski@broadcom.com]
Sent: Friday, October 12, 2001 4:06 PM
To: 'Kenny Sallee'; ccielab@groupstudy.com
Subject: RE: A firewall Question
Whoops, I think you might be misunderstanding me....I meant it to read "this
might be useless to add to the conversation because you are discussing
firewalls...."
I meant absolutely no insult at all.
-Joe
-----Original Message-----
From: Kenny Sallee [mailto:kenny@centerspan.com]
Sent: Friday, October 12, 2001 4:03 PM
To: 'jezerski@broadcom.com'; ccielab@groupstudy.com
Subject: RE: A firewall Question
WTF do you mean by useless? So it's a L2 device that's smart enough to look
at L2-4 info. Which is exactly what the PFC does ( amongst other things ).
And it's not smart enough to look at L7 - that would mean it can't look at
the DATA portion of a packet to make a decision as to forward or not. And by
the way I've used VACLs before and they definitely are useful for providing
a level of security on a LAN segment. Used with private VLANs you can
really restrict traffic on a LAN segment. Still don't understand what you
mean by useless / why you were trying to insult me.
The original email states " firewall that is a layer 2 device". The point I
was trying to make was that a firewall that inspects L3-7 traffic cannot (
by my definition ) be a true L2 device ( by my definition again ). If it
were a true L2 device you'd call it a bridge and you'd have to filter by
MAC. By the way, a Cat6k with an MSFC/PFC/etc in my definition is not a
true L2 device either.
Kenny
-----Original Message-----
From: Joseph Ezerski [mailto:jezerski@broadcom.com]
Sent: Friday, October 12, 2001 3:27 PM
To: 'Kenny Sallee'; 'louie kouncar'; ccielab@groupstudy.com
Subject: RE: A firewall Question
This may be entirely useless to you, but the Cat 6509 switch with a PFC
matches EVERY packet up to layer 4. This lets you do VACLs on the switch
itself at wire speed. We use them to stop rogue DHCP servers from taking
over the LAN.
-Joe
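An added example, not from any poster in this thread, of the kind of VACL Joe describes: a Catalyst 6500 (IOS) VLAN access map that lets DHCP server replies (UDP source port 67) through only from one trusted server and drops them from any other host, while bridging everything else normally. VLAN 10 and the server address 192.168.1.5 are constructed values for the example.

```cisco
! Added example (not from the thread): VACL on a Catalyst 6500 with PFC
! that drops DHCP server replies except from one trusted server.
! VLAN 10 and 192.168.1.5 are placeholder values chosen for this example.
!
! Replies from the one trusted DHCP server (UDP source port 67 = bootps)
ip access-list extended TRUSTED-DHCP-SERVER
 permit udp host 192.168.1.5 eq bootps any
!
! Any other DHCP server reply, whoever sends it
ip access-list extended ANY-DHCP-SERVER
 permit udp any eq bootps any
!
! Access-map entries are evaluated in sequence order; a packet that is
! permitted by the ACL named in "match ip address" takes that entry's action.
vlan access-map BLOCK-ROGUE-DHCP 10
 match ip address TRUSTED-DHCP-SERVER
 action forward
vlan access-map BLOCK-ROGUE-DHCP 20
 match ip address ANY-DHCP-SERVER
 action drop
! Final entry with no match clause: everything else is forwarded
vlan access-map BLOCK-ROGUE-DHCP 30
 action forward
!
! Apply the map to traffic switched within VLAN 10
vlan filter BLOCK-ROGUE-DHCP vlan-list 10
!
! Verify with: show vlan access-map BLOCK-ROGUE-DHCP
!              show vlan filter
```

The decision here is made on IP addresses and UDP ports rather than MAC addresses, which is the L4 matching Joe refers to and the reason Kenny argues such a box is more than a pure L2 filter. A rogue host that spoofs the trusted server's IP address is not caught by this map; it covers only the case the thread describes.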
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kenny Sallee
Sent: Friday, October 12, 2001 3:05 PM
To: 'louie kouncar'; ccielab@groupstudy.com
Subject: RE: A firewall Question
It can't be a pure L2 device and still filter anything above it. It may be
set up like it's a bridge, which I have seen before ( I can't remember the
name/type of the firewall ). But it still filters packets based on L3, 4 and
7 information, else there would be no way to filter. I guess it's a matter
of definition. If the box is a bridge and sits like this:
router
|
| ---> Subnet 192.168.1.0/24
|
L2 firewall
|
| ---> Subnet 192.168.1.0/24
|
Router
|
------- > Internal Segment
Then it's a layer2 device that's smart enough to look at, and react to, L3-7
packets. Not a true L2 firewall ( or it'd only filter on MAC right). Just
my opinion of course.
Kenny
-----Original Message-----
From: louie kouncar [mailto:lkouncar@UU.NET]
Sent: Friday, October 12, 2001 10:02 AM
To: ccielab@groupstudy.com
Subject: A firewall Question
All,
I have been working with Check Point firewalls for a while, and just today I
heard a guy say that there is a kind of firewall that is a layer 2 device;
can anyone comment on that please....
Thank you
Louie J. Kouncar CCIE #7994
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:18 GMT-3