Transparent Firewall Network; Allowing Layer 3 Traffic; Allowed Mac Addresses; Passing Traffic Not Allowed In Routed Mode - Cisco PIX 500 Series Configuration Manual

Chapter 15
Firewall Mode Overview

Transparent Firewall Network

The security appliance connects the same network on its inside and outside interfaces. Because the
firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network.

Allowing Layer 3 Traffic

IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to
a lower security interface, without an access list. ARPs are allowed through the transparent firewall in
both directions without an access list. ARP traffic can be controlled by ARP inspection. For Layer 3
traffic traveling from a low to a high security interface, an extended access list is required on the low
security interface. See the "Adding an Extended Access List" section on page 16-5 for more information.

Allowed MAC Addresses

The following destination MAC addresses are allowed through the transparent firewall. Any MAC
address not on this list is dropped.

TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
BPDU multicast address equal to 0100.0CCC.CCCD
AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

Passing Traffic Not Allowed in Routed Mode

In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in
an access list. The transparent firewall, however, can allow almost any traffic through using either an
extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).

Note The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that
do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS
packets. An exception is made for BPDUs, which are supported.

Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
15-7
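As an added illustration, not Cisco's code or the appliance's implementation, the following Python models the Layer 2 rules this section states for the transparent firewall: the allowed destination MAC ranges, the EtherType >= 0x600 requirement, the BPDU exception and the IPv6 restriction. The range names, the helper functions and the sample frames are constructed here from the values listed above.

```python
# Added model of the transparent-firewall Layer 2 rules stated in this section.
# Not Cisco code; range names, helpers and sample frames are constructed here.

# Allowed destination MAC ranges from the section, inclusive, as 48-bit integers
ALLOWED_DST_RANGES = {
    "broadcast": (0xFFFFFFFFFFFF, 0xFFFFFFFFFFFF),
    "ipv4-multicast": (0x01005E000000, 0x01005EFEFFFF),
    "ipv6-multicast": (0x333300000000, 0x3333FFFFFFFF),
    "bpdu-multicast": (0x01000CCCCCCD, 0x01000CCCCCCD),
    "appletalk-multicast": (0x090007000000, 0x090007FFFFFF),
}
MIN_ETHERTYPE = 0x600   # a 2-byte value below this is an 802.3 length, not an EtherType
ETHERTYPE_IPV6 = 0x86DD

def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted (0100.5E00.0000), colon, or bare hex notation."""
    return int(mac.replace(".", "").replace(":", ""), 16)

def classify_dst_mac(mac: str):
    """Name of the allowed range the destination MAC falls in, or None if dropped."""
    value = mac_to_int(mac)
    for name, (low, high) in ALLOWED_DST_RANGES.items():
        if low <= value <= high:
            return name
    return None

def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet frame; only the 14-byte header matters for these rules."""
    header = mac_to_int(dst).to_bytes(6, "big") + mac_to_int(src).to_bytes(6, "big")
    return header + ethertype.to_bytes(2, "big") + payload

def transparent_mode_allows(frame: bytes):
    """Apply the section's rules to a raw frame; returns (allowed, reason)."""
    if len(frame) < 14:
        return False, "runt frame: incomplete Ethernet header"
    range_name = classify_dst_mac(frame[0:6].hex())
    ethertype = int.from_bytes(frame[12:14], "big")
    if range_name is None:
        return False, "destination MAC not in the allowed list"
    if range_name == "bpdu-multicast":
        return True, "BPDU: passed although it carries an 802.3 length, not an EtherType"
    if ethertype < MIN_ETHERTYPE:
        return False, f"0x{ethertype:04X} is a length field, not an EtherType >= 0x600"
    if ethertype == ETHERTYPE_IPV6:
        return False, "IPv6 is not passed in transparent mode"
    return True, f"{range_name} destination, EtherType 0x{ethertype:04X}"
```

Feeding it a captured frame shows which of the section's rules would drop it, which is useful when checking why a non-IP protocol does not cross a transparent firewall.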