hit counter script

Management Interface; Allowing Layer 3 Traffic; Allowed Mac Addresses; Passing Traffic Not Allowed In Routed Mode - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Hide thumbs Also See for 7604:
Table of Contents

Advertisement

Transparent Mode Overview

Management Interface

In addition to each bridge group management IP address, you can add a separate management interface
that is not part of any bridge group, and that allows only management traffic to the FWSM. This feature
is especially useful in multiple context mode so you can manage each context from a single interface.
Interfaces for through traffic cannot be shared between contexts; however, the management VLAN can
be shared across multiple contexts.

Allowing Layer 3 Traffic

Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through
the FWSM unless you explicitly permit it with an extended access list. The only traffic allowed through
the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP
inspection. See the

Allowed MAC Addresses

The following destination MAC addresses are allowed through the transparent firewall. Any MAC
address not on this list is dropped.

Passing Traffic Not Allowed in Routed Mode

In routed mode, some types of traffic cannot pass through the FWSM even if you allow it in an access
list. The transparent firewall, however, can pass most types of traffic through using either an extended
access list (for IP traffic) or an EtherType access list (for non-IP traffic).
The transparent mode FWSM does not pass CDP packets, or any packets that do not have a valid
Note
EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is
made for BPDUs, which are supported.
For example, you can establish routing protocol adjacencies through a transparent firewall; you can
allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols
like HSRP or VRRP can pass through the FWSM. See
about allowing special traffic.
Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using
an EtherType access list.
For features that are not directly supported on the transparent firewall, you can allow traffic to pass
through so that upstream and downstream routers can support the functionality. For example, by using
an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or
multicast traffic such as that created by IP/TV.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
5-8
"Adding an Extended Access List" section on page 13-6
TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
BPDU multicast address equal to 0100.0CCC.CCCD
AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
Chapter 5
Configuring the Firewall Mode
for more information.
Table 13-2 on page 13-7
for more information
OL-20748-01

Hide quick links:

Advertisement

Table of Contents
loading

This manual is also suitable for:

7609-s76137606-sCatalyst 6500 series7600 series

Table of Contents