Re: A more secure form of .htaccess?



also sprach Dan Faerch <dan@fake.dk> [2002.04.27.2120 +0200]:
> > you know their algorithm against MAC table overflow?
> No I don't.. I would be very interested in reading about it, if you know of
> a link.. I'm sure that it would be possible to enforce some level of
> security..

it's quite simple. i don't have a link. but these switches clear out
their MAC tables LRU style at a rate indirectly proportional to the
space left. so if you manage to halve the space left by MAC flooding,
they'll clean out the tables twice as fast. if you manage to halve the
remaining space, they'll clean out four times as fast. there's very
little chance that you can fill those tables and make it enter hub
mode.

> It is correct that you can get switches that, one way or another, will try
> to enforce the switching mode and thus, not reentering hub-mode.. Also the
> locking mechanism some switches use, that locks the MAC/IP pair to a single
> port is quite good, but rather annoying to work with in most office
> environments (because of laptops and so forth)..

aside from the fact that you can still change your MAC address at
will... but yes, these are good for static environments only, but they
aren't a security measure. `ifconfig eth0 hw ether 00:11:22:33:44:55`
is all i have to say...

switches are *not* a security measure, period.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
"one should never trust a woman who tells her real age.
 if she tells that, she'll tell anything."
                                                        -- oscar wilde
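
Added example, not part of the original message and not any vendor's code: a toy model of the aging policy described above, where least-recently-used entries are evicted at a rate that doubles each time the free space halves. The class and function names, the per-tick timing, the base rate and the workload are all assumptions made for illustration.

```python
from collections import OrderedDict

class AgingMacTable:
    """Toy model of the aging policy described in the post (not vendor code)."""

    def __init__(self, capacity, base=1):
        self.capacity = capacity
        self.base = base               # assumed evictions per tick for an empty table
        self.entries = OrderedDict()   # MAC -> port, least recently used first

    def learn(self, mac, port):
        """Learn or refresh a source MAC; False means the table had no room."""
        if mac in self.entries:
            self.entries.move_to_end(mac)      # refresh: now most recently used
        elif len(self.entries) >= self.capacity:
            return False
        self.entries[mac] = port
        return True

    def evictions_due(self):
        """Evictions per tick, inversely proportional to the free space."""
        free = max(self.capacity - len(self.entries), 1)   # assumed: full table flushes
        return min(len(self.entries), self.base * self.capacity // free)

    def tick(self):
        for _ in range(self.evictions_due()):
            self.entries.popitem(last=False)   # drop the least recently used entry

def simulate(capacity, new_per_tick, ticks, active_hosts=8):
    """Constructed workload: a few live hosts plus a steady stream of new MACs."""
    table, peak, rejected, seq = AgingMacTable(capacity), 0, 0, 0
    for _ in range(ticks):
        for h in range(active_hosts):          # live hosts keep sending frames
            table.learn(f"host-{h}", port=h)
        for _ in range(new_per_tick):          # never-seen-before source addresses
            seq += 1
            rejected += not table.learn(f"new-{seq}", port=99)
        peak = max(peak, len(table.entries))
        table.tick()
    kept = sum(f"host-{h}" in table.entries for h in range(active_hosts))
    return peak, rejected, kept

if __name__ == "__main__":
    print(simulate(capacity=1024, new_per_tick=4, ticks=2000))
```

In this model the occupancy settles where the eviction rate matches the arrival rate, and hosts that keep sending stay in the table because only stale entries sit at the LRU end.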
