also sprach Dan Faerch <[EMAIL PROTECTED]> [2002.04.27.2120 +0200]:
> > you know their algorithm against MAC table overflow?
> No i don't.. I would be very interested in reading about it, if you know of
> a link.. I'm sure that it would be possible to enforce some level of
> security..

it's quite simple. i don't have a link. but these switches clear out
their MAC tables LRU style at a rate indirectly proportional to the
space left. so if you manage to halve the space left by MAC flooding,
they'll clean out the tables twice as fast. if you manage to halve the
remaining space, they'll clean out four times as fast. there's very
little chance that you can fill those tables and make it enter hub
mode.

> It is correct that you can get switches that, one way or another, will try
> to enforce the switching mode and thus, not reentering hub-mode.. Also the
> locking mechanism some switches use, that locks the MAC/IP pair to a single
> port is quite good, but rather annoying to work with in most office
> environments (because of laptops and so forth)..

aside from the fact that you can still change your MAC address at
will... but yes, these are good for static environments only, but they
aren't a security measure.

`ifconfig eth0 hw ether 00:11:22:33:44:55` is all i have to say...

switches are *not* a security measure, period.

-- 
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

"one should never trust a woman who tells her real age.
if she tells that, she'll tell anything."
-- oscar wilde
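Added example, not part of the original message: a toy Python model of the aging behaviour described in the reply above, where LRU eviction speeds up each time the free space in the MAC table halves. The class and function names, the base rate, the table size and the learn rate are all assumptions chosen for illustration, not any vendor's algorithm.

```python
from collections import OrderedDict

class AgingMacTable:
    """Toy model (assumed): evictions per tick = base_rate * capacity / free."""

    def __init__(self, capacity, base_rate=1.0):
        self.capacity = capacity
        self.base_rate = base_rate
        self.entries = OrderedDict()  # MAC -> port, least recently seen first
        self._credit = 0.0            # fractional evictions carried to next tick

    def free(self):
        return self.capacity - len(self.entries)

    def eviction_rate(self):
        # Halving the free space doubles the rate; clamp so free == 0 stays finite.
        return self.base_rate * self.capacity / max(self.free(), 1)

    def learn(self, mac, port):
        """Record a source MAC. False means the table was full (learn failed)."""
        if mac in self.entries:
            self.entries.move_to_end(mac)  # refresh LRU position
            self.entries[mac] = port
            return True
        if self.free() > 0:
            self.entries[mac] = port
            return True
        return False

    def tick(self):
        """Age out the least recently seen entries at the current rate."""
        self._credit += self.eviction_rate()
        while self._credit >= 1.0 and self.entries:
            self.entries.popitem(last=False)
            self._credit -= 1.0

def simulate_new_macs(capacity, new_macs_per_tick, ticks):
    """Feed constructed, never-repeating MACs; return (peak occupancy, failed learns)."""
    table = AgingMacTable(capacity)
    peak = failed = 0
    for t in range(ticks):
        for i in range(new_macs_per_tick):
            if not table.learn(f"mac-{t}-{i}", port=1):  # constructed sample input
                failed += 1
        peak = max(peak, len(table.entries))
        table.tick()
    return peak, failed

if __name__ == "__main__":
    peak, failed = simulate_new_macs(capacity=1000, new_macs_per_tick=20, ticks=500)
    print(f"peak occupancy {peak}/1000, failed learns {failed}")
```

In this model the table settles where the eviction rate equals the arrival rate, so occupancy plateaus below capacity; a non-zero failed-learn count is the condition an operator would want to alert on.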