Path: utzoo!attcan!telly!lethe!yunexus!ists!helios.physics.utoronto.ca!news-server.csri.toronto.edu!rutgers!ucsd!ucbvax!NMS.HLS.COM!salzman
From: salzman@NMS.HLS.COM (Mike Salzman)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Intelligent bridges vs. routers
Message-ID: <9010270539.AA03233@nms.>
Date: 27 Oct 90 05:39:09 GMT
References: <21892@hercules.csl.sri.com>
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: Hughes Lan Systems, Mt View Ca
Lines: 87

Allan Leinwand of cisco writes:
>
> I can think of a few downfalls other than broadcast storms:
>
> 1. an intelligent bridge will not separate your address space like a
> router. Thus, your two subnets will exist on one logical LAN. This
> may result in configuring routers to understand this situation.
>

Allan, it is disingenuous to argue the case of routers vs bridges on the basis of the damage that bridges inflict on the router. More importantly, routers impose an absolutely necessary management overhead on the installer/user of the router, while bridges can be plug and play (for the simple bridging functions). I have seen articles written by network managers of two major corporations ogling over their routers and all the wonderful ingenious schemes that they came up with to partition their subnets and address spaces so that they could use their routers. While they struggled to deal with organizational movements and the subsequent impact on address allocations, they could have simply moved the users in a bridged environment and been done with it. The burden of planning and administering a routered system is neglected by purveyors of routers to the detriment of innocent users who view routers as a better alternative to bridges. More about this issue later.

> 2. a bridge will not allow you to control the network for security
> reasons as well as a router if you are running multiple protocols (such
> as IP and DECnet). With a bridge all of your security control is usually
> based upon the MAC level address of a host. Keeping up with board
> swaps and changing MAC addresses can become a configuration nightmare.
> With a router, the security can usually be set up to understand the
> network protocol level addresses. This usually makes security
> management a bit easier.
>

Here too, you are furthering half truths. Stopping at the network layer is not the magical solution. You imply that the MAC address is insufficient, yet you make the point that protocol independence is a necessary attribute of security. I agree with your assertion that the router can more finely control its activity. Today's bridges, however, offer filtering options which can effectively accomplish the same task, via protocol filtering and masking. Moreover, we find it quite useful to specify the MAC address of those machines which we permit to access the net, regardless of the protocols they use. I can also argue that the next layer up would offer an even finer level of control, and stopping at the IP layer is not necessarily the optimal answer. Kerberos offers an even better answer. The conclusion is that routers offer a different, finer granularity, and more complex form of access control, which may be appropriate in certain cases.

> 3. dare I say this? With many routers having SNMP agents, this
> gives you a basis for network management. Yet, (contradicting myself
> :-)) some bridges now answer SNMP.
>

At the '89 Interop, we demonstrated several bridges with SNMP management. This argument is clearly a red herring.

> 4. the cost of a low end, two port router (which has router
> functionality AND bridge functionality) may surprise you....
>

Touché. Your recent announcement is indeed a triumph and an innovation. It still does not replace bridges. You do not need to denigrate bridges in order to gain a place for routers -- they are not head to head competitors. In competitive situations, vendors often pitch one against the other, based on the rule that you sell what you have, or what will win the bid.

Nevertheless, routers have a role in backbone applications, in wide area applications, and in cases where the address management features are fruitfully applicable. Bridges have an equally important role in subnet traffic management, and in providing connectivity behind the backbone, within a building, or within a facility. Bridges will remain easier and cheaper to operate simply because they operate at lower levels than routers. Similarly, repeaters operate at an even lower level, and are correspondingly easier to administer.

> Thanks,
>
> Allan Leinwand
> cisco Systems
> leinwand@cisco.com
>

You're welcome.

--
-------------------- salzman@hls.com ----------------------
Michael M. Salzman  Voice (415) 966-7479  Fax (415) 960-3738
Hughes Lan Systems  1225 Charleston Road  Mt View Ca 94043
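The exchange above turns on two kinds of access control: a bridge filtering on source MAC address plus protocol type and byte masks, versus a router filtering on network-layer addresses. The following is an added example, not code from either poster or from Hughes Lan Systems or cisco, that models both filters over constructed Ethernet frames so the trade-offs in the thread (the "board swap" problem for MAC allow-lists, a bridge mask rule reaching into the IP header to match a destination network, and a router ACL having nothing to say about a non-IP protocol such as DECnet) can be seen directly. The MAC addresses, IP networks, the `(offset, mask, value)` rule format and the class names are all assumptions made for the example; the two EtherType values are the real assignments for IPv4 and DECnet Phase IV.

```python
"""Bridge-style (layer 2) versus router-style (layer 3) access control.

Added example; the frames, addresses and rule formats below are constructed
for illustration and do not come from any real product.
"""
import struct
from ipaddress import IPv4Address, IPv4Network

ETHERTYPE_IPV4 = 0x0800    # real EtherType assignment for IPv4
ETHERTYPE_DECNET = 0x6003  # real EtherType assignment for DECnet Phase IV
ETH_HDR_LEN = 14           # dst MAC (6) + src MAC (6) + EtherType (2)


def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def build_ipv4_header(src, dst):
    """Minimal 20-byte IPv4 header (no options, zero checksum, UDP protocol number)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


class BridgeFilter:
    """Layer-2 filtering as described in the thread: a source-MAC allow-list plus
    'protocol filtering and masking' rules of the form (offset, mask, value).
    A frame is dropped if its source MAC is unknown or any mask rule matches."""

    def __init__(self, allowed_src_macs, deny_masks):
        self.allowed = {mac_bytes(m) for m in allowed_src_macs}
        self.deny_masks = deny_masks  # hypothetical rule format for this example

    def permit(self, frame):
        if frame[6:12] not in self.allowed:
            return False
        for offset, mask, value in self.deny_masks:
            window = frame[offset:offset + len(mask)]
            if len(window) == len(mask) and bytes(a & b for a, b in zip(window, mask)) == value:
                return False
        return True


class RouterFilter:
    """Layer-3 filtering: permit IPv4 packets whose (source, destination) addresses
    fall inside a permitted network pair. A non-IP frame carries no network-layer
    address this ACL can evaluate, so it is dropped by default."""

    def __init__(self, permitted):
        self.permitted = [(IPv4Network(s), IPv4Network(d)) for s, d in permitted]

    def permit(self, frame):
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            return False
        ip = frame[ETH_HDR_LEN:]
        if len(ip) < 20:
            return False
        src, dst = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
        return any(src in s and dst in d for s, d in self.permitted)


def run_scenario():
    """Run four constructed frames through both filters; returns name -> (bridge, router)."""
    bridge = BridgeFilter(
        allowed_src_macs=["08:00:2b:00:00:01"],
        deny_masks=[
            # protocol filter: drop DECnet by EtherType at offset 12
            (12, b"\xff\xff", struct.pack("!H", ETHERTYPE_DECNET)),
            # mask rule reaching into the IP header: drop anything sent to 10.99.0.0/16
            (ETH_HDR_LEN + 16, b"\xff\xff\x00\x00", IPv4Address("10.99.0.0").packed),
        ])
    router = RouterFilter([("10.1.1.0/24", "10.1.2.0/24")])

    gw = "08:00:2b:00:ff:fe"  # constructed gateway MAC
    ip_pkt = build_ipv4_header("10.1.1.5", "10.1.2.7")
    frames = {
        "ip_known_mac": build_frame(gw, "08:00:2b:00:00:01", ETHERTYPE_IPV4, ip_pkt),
        # same host, same IP, new interface board: the MAC allow-list goes stale
        "ip_after_board_swap": build_frame(gw, "08:00:2b:00:00:02", ETHERTYPE_IPV4, ip_pkt),
        # allowed host speaking DECnet: only the bridge's protocol filter classifies it
        "decnet_known_mac": build_frame(gw, "08:00:2b:00:00:01", ETHERTYPE_DECNET, b"\x00" * 16),
        # allowed host sending to a forbidden network: bridge mask rule and router ACL agree
        "ip_to_blocked_net": build_frame(gw, "08:00:2b:00:00:01", ETHERTYPE_IPV4,
                                         build_ipv4_header("10.1.1.5", "10.99.3.4")),
    }
    return {name: (bridge.permit(f), router.permit(f)) for name, f in frames.items()}


if __name__ == "__main__":
    for name, (b, r) in run_scenario().items():
        print(f"{name:22s} bridge={'permit' if b else 'drop':6s} router={'permit' if r else 'drop'}")
```

The `ip_after_board_swap` case is Leinwand's "configuration nightmare": the bridge drops a legitimate host until someone edits the allow-list, while the router's ACL never noticed the hardware change. The `decnet_known_mac` and `ip_to_blocked_net` cases are Salzman's side: an offset/mask rule lets a bridge block a protocol outright or match an IP destination network without understanding IP, whereas the router ACL only reaches non-IP traffic through its default-deny.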