Chapter 5 Configuring the Firewall Mode
Transparent Mode Overview

Management Interface

In addition to each bridge group management IP address, you can add a separate management interface that is not part of any bridge group, and that allows only management traffic to the FWSM. This feature is especially useful in multiple context mode so you can manage each context from a single interface. Interfaces for through traffic cannot be shared between contexts; however, the management VLAN can be shared across multiple contexts.

Allowing Layer 3 Traffic

Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the FWSM unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection. See the "Adding an Extended Access List" section on page 13-6 for more information.

Allowed MAC Addresses

The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

Passing Traffic Not Allowed in Routed Mode

In routed mode, some types of traffic cannot pass through the FWSM even if you allow it in an access list. The transparent firewall, however, can pass most types of traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).

Note: The transparent mode FWSM does not pass CDP packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported.

For example, you can establish routing protocol adjacencies through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols like HSRP or VRRP can pass through the FWSM. See Table 13-2 on page 13-7 for more information about allowing special traffic.

Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using an EtherType access list.

For features that are not directly supported on the transparent firewall, you can allow traffic to pass through so that upstream and downstream routers can support the functionality. For example, by using an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
5-8
OL-20748-01
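The admission rules spread over the "Allowing Layer 3 Traffic", "Allowed MAC Addresses" and "Passing Traffic Not Allowed in Routed Mode" sections can be read as a three-stage filter: destination MAC against the listed group addresses, then the EtherType-at-least-0x600 rule with its BPDU exception, then ARP passing freely while IP needs an extended access list and non-IP needs an EtherType access list. The following Python model is an added example written for this page; it is not FWSM code and not Cisco's implementation. Beyond what the page states it assumes that unicast destinations (I/G bit clear) pass the MAC stage, that every EtherType other than IPv4 and ARP is treated as non-IP and checked against the EtherType list, and that the BPDU exception is keyed on the page's BPDU multicast address. The sample frames, MAC addresses and policies are constructed.

```python
"""Constructed model of the transparent-mode frame-admission rules on this page.
Added illustration only: not FWSM code, not Cisco's implementation.  Anything
the page does not state is marked ASSUMPTION."""
from dataclasses import dataclass
import struct


def mac(cisco: str) -> bytes:
    """Parse Cisco dotted-hex notation ('0100.5E00.0000') into 6 bytes."""
    return bytes.fromhex(cisco.replace(".", ""))


# Destination group MAC addresses the page lists as allowed (inclusive ranges).
ALLOWED_GROUP_MACS = [
    ("broadcast", mac("FFFF.FFFF.FFFF"), mac("FFFF.FFFF.FFFF")),
    ("IPv4 multicast", mac("0100.5E00.0000"), mac("0100.5EFE.FFFF")),
    ("IPv6 multicast", mac("3333.0000.0000"), mac("3333.FFFF.FFFF")),
    ("BPDU multicast", mac("0100.0CCC.CCCD"), mac("0100.0CCC.CCCD")),
    ("AppleTalk multicast", mac("0900.0700.0000"), mac("0900.07FF.FFFF")),
]
BPDU_MAC = mac("0100.0CCC.CCCD")
ETHERTYPE_IPV4, ETHERTYPE_ARP, MIN_VALID_ETHERTYPE = 0x0800, 0x0806, 0x0600


@dataclass(frozen=True)
class TransparentPolicy:
    """The two access lists the page says govern through traffic."""
    ip_protocols: frozenset = frozenset()  # extended ACL: permitted IP protocol numbers
    ethertypes: frozenset = frozenset()    # EtherType ACL: permitted EtherType values
    any_ethertype: bool = False            # EtherType ACL entry for 'any'


def build_frame(dst: str, src: str, type_or_len: int, payload: bytes) -> bytes:
    """Constructed Ethernet II / 802.3 frame (14-byte header + payload)."""
    return mac(dst) + mac(src) + struct.pack("!H", type_or_len) + payload


def ipv4_payload(proto: int, body: bytes = b"") -> bytes:
    """Minimal IPv4 header; checksum left zero because the model never checks it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                       proto, 0, bytes(4), bytes(4)) + body


def admit(frame: bytes, policy: TransparentPolicy) -> tuple:
    """Return (forwarded: bool, reason: str) for one inbound frame."""
    if len(frame) < 14:
        return False, "runt frame"
    dst, (type_or_len,) = frame[:6], struct.unpack("!H", frame[12:14])
    # Stage 1: destination MAC.  Group addresses (I/G bit set) must be on the
    # page's list.  ASSUMPTION: unicast destinations pass this stage.
    if dst[0] & 1:
        if not any(lo <= dst <= hi for _, lo, hi in ALLOWED_GROUP_MACS):
            return False, "destination MAC not on allowed list"
    # Stage 2: EtherType must be >= 0x600.  A smaller value is an 802.3 length
    # field (how CDP and IS-IS are carried); BPDUs are the stated exception.
    if type_or_len < MIN_VALID_ETHERTYPE:
        if dst == BPDU_MAC:
            return True, "BPDU exception"
        return False, "no valid EtherType (802.3 length field)"
    # Stage 3: ARP needs no access list; IPv4 needs an extended ACL match.
    # ASSUMPTION: any other EtherType is non-IP and needs an EtherType ACL entry.
    if type_or_len == ETHERTYPE_ARP:
        return True, "ARP passes without an access list"
    if type_or_len == ETHERTYPE_IPV4:
        if len(frame) < 14 + 20:
            return False, "truncated IPv4 header"
        proto = frame[14 + 9]  # IPv4 protocol field sits at header offset 9
        if proto in policy.ip_protocols:
            return True, f"extended access list permits IP protocol {proto}"
        return False, f"IP protocol {proto} not permitted by extended access list"
    if policy.any_ethertype or type_or_len in policy.ethertypes:
        return True, f"EtherType access list permits 0x{type_or_len:04X}"
    return False, f"EtherType 0x{type_or_len:04X} not permitted by EtherType access list"


# Constructed sample frames; source MAC and payloads are placeholders.
SRC = "0000.0C11.2233"
SAMPLES = {
    "arp_broadcast": build_frame("FFFF.FFFF.FFFF", SRC, ETHERTYPE_ARP, b"\x00\x01\x08\x00"),
    "ospf_hello": build_frame("0100.5E00.0005", SRC, ETHERTYPE_IPV4, ipv4_payload(89)),
    "vrrp_advert": build_frame("0100.5E00.0012", SRC, ETHERTYPE_IPV4, ipv4_payload(112)),
    "ipx_ethernet2": build_frame("FFFF.FFFF.FFFF", SRC, 0x8137, b"\xff\xff"),
    "ipx_raw_8023": build_frame("FFFF.FFFF.FFFF", SRC, 0x0030, b"\xff\xff"),
    "pvst_bpdu": build_frame("0100.0CCC.CCCD", SRC, 0x0032, b"\xaa\xaa\x03"),
    "cdp": build_frame("0100.0CCC.CCCC", SRC, 0x0044, b"\xaa\xaa\x03"),
}


def run_policy(policy: TransparentPolicy) -> dict:
    """Map each sample frame name to whether the policy forwards it."""
    return {name: admit(frame, policy)[0] for name, frame in SAMPLES.items()}


if __name__ == "__main__":
    # Policy matching the page's adjacency example: permit OSPF (IP protocol 89)
    # through the extended list and IPX (0x8137) through the EtherType list.
    policy = TransparentPolicy(ip_protocols=frozenset({89}), ethertypes=frozenset({0x8137}))
    for name, frame in SAMPLES.items():
        ok, why = admit(frame, policy)
        print(f"{name:14s} {'FORWARD' if ok else 'DROP':8s} {why}")
```

Running the module shows the cases the page discusses: ARP is forwarded with an empty policy, OSPF hello frames are forwarded only once the extended list permits protocol 89, IPX is forwarded only in its Ethernet II form and only with an EtherType entry, the raw 802.3 IPX frame and the CDP frame are dropped, and the BPDU frame is forwarded despite carrying a length field rather than an EtherType.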