Firewall Wizards mailing list archives

Re: Layer 2 (stealth) firewalls - PBR?


From: "Darden, Patrick S." <darden () armc org>
Date: Mon, 7 Apr 2008 08:05:29 -0400


Except that a layer two device can't tell if something is multicast or broadcast or unicast or anything in IPv4 or
IPv6....  That's sorta the definition of a layer two device.  If it could discriminate amongst layer 3 traffic, it
would be a layer 3 device--a router, firewall, etc.

--p


-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of Paul
D. Robertson
Sent: Friday, April 04, 2008 12:29 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?


On Thu, 3 Apr 2008, Darden, Patrick S. wrote:

> Layer 2 PBR would, of necessity, have to change next hop address (which
> is destination address) and the next hop would have to change it back to
> the original.  And addresses in layer 2 are MACs (for ethernet that is).

What about using it to shave off broadcast and multicast 
traffic and perhaps IPv6 NDP stuff too?  For that you might find it 
useful if bridging between an external and internal net through a 
multi-homed PBR box.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
             http://www.fluiditgroup.com/blog/pdr/
           Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
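An added example, not part of this thread or of any product discussed in it: a small Python classifier, with constructed sample frames (the MAC addresses, VLAN id and payloads are made up for illustration), showing which fields a transparent bridge can read from the Ethernet header alone. The destination MAC's I/G bit separates unicast from group (multicast) traffic, the all-ones address is broadcast, and the EtherType says whether the payload is IPv4, IPv6 or ARP, so a bridge can implement the "shave off broadcast and multicast" policy without ever parsing a layer 3 header. The helper `bridge_allows` is a hypothetical policy hook, not an API of any real bridge.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Well-known EtherType values (IEEE registered)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag precedes the real EtherType
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_NAMES = {ETHERTYPE_IPV4: "IPv4", ETHERTYPE_ARP: "ARP", ETHERTYPE_IPV6: "IPv6"}


@dataclass(frozen=True)
class FrameInfo:
    dst_mac: str
    src_mac: str
    vlan: Optional[int]
    ethertype: int
    cast: str  # "unicast", "multicast" or "broadcast"

    @property
    def protocol(self) -> str:
        return ETHERTYPE_NAMES.get(self.ethertype, f"0x{self.ethertype:04x}")


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(frame: bytes) -> FrameInfo:
    """Classify a raw Ethernet frame using only its layer 2 header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan = None
    if ethertype == ETHERTYPE_VLAN:
        # 802.1Q: 2-byte TCI (low 12 bits = VLAN ID), then the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    if dst == b"\xff" * 6:
        cast = "broadcast"
    elif dst[0] & 0x01:            # I/G bit set: group (multicast) address
        cast = "multicast"
    else:
        cast = "unicast"
    return FrameInfo(mac_str(dst), mac_str(src), vlan, ethertype, cast)


def bridge_allows(frame: bytes, drop_casts=("broadcast", "multicast")) -> bool:
    """Hypothetical bridge policy: forward only frames whose cast type is not in drop_casts."""
    return classify_frame(frame).cast not in drop_casts


def build_frame(dst: str, src: str, ethertype: int,
                payload: bytes = b"", vlan: Optional[int] = None) -> bytes:
    """Assemble a constructed frame for testing (not captured traffic)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample frames; addresses and payloads are made up
SAMPLE_FRAMES = {
    "arp_broadcast": build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                                 ETHERTYPE_ARP, b"\x00" * 28),
    "ipv6_all_nodes": build_frame("33:33:00:00:00:01", "00:11:22:33:44:55",
                                  ETHERTYPE_IPV6, b"\x60" + b"\x00" * 39),
    "ipv4_unicast": build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55",
                                ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),
    "ipv4_unicast_vlan": build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55",
                                     ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan=100),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        info = classify_frame(frame)
        verdict = "forward" if bridge_allows(frame) else "drop"
        print(f"{name:18s} {info.cast:9s} {info.protocol:5s} vlan={info.vlan} -> {verdict}")
```

What the header does not give you is the IPv6 NDP part of Paul's question: NDP messages are ICMPv6 inside the IPv6 payload, so at this level a bridge only sees an IPv6 frame addressed to a 33:33:xx:xx:xx:xx group address; telling neighbour solicitations apart from other IPv6 multicast needs a layer 3/4 parse, which is the point at which the box stops being a pure layer 2 device.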