Cisco Systems OL-16647-01 Network Router User Manual

Open as PDF

of 1230

18-7

Cisco ASDM User Guide

OL-16647-01

Chapter 18 Firewall Mode Overview

Transparent Mode Overview

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its

screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump

in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.

This section describes transparent firewall mode, and includes the following topics:

• Transparent Firewall Network, page 18-7

• Allowing Layer 3 Traffic, page 18-7

• Allowed MAC Addresses, page 18-7

• Passing Traffic Not Allowed in Routed Mode, page 18-8

• MAC Address vs. Route Lookups, page 18-8

• Using the Transparent Firewall in Your Network, page 18-9

• Transparent Firewall Guidelines, page 18-9

• Unsupported Features in Transparent Mode, page 18-10

• How Data Moves Through the Transparent Firewall, page 18-11

Transparent Firewall Network

The security appliance connects the same network on its inside and outside interfaces. Because the

firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network.

Allowing Layer 3 Traffic

IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to

a lower security interface, without an access list. ARPs are allowed through the transparent firewall in

both directions without an access list. ARP traffic can be controlled by ARP inspection. For Layer 3

traffic travelling from a low to a high security interface, an extended access list is required.

Allowed MAC Addresses

The following destination MAC addresses are allowed through the transparent firewall. Any MAC

address not on this list is dropped.

• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF

• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF

• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF

• BPDU multicast address equal to 0100.0CCC.CCCD

• Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

previous next

Top Automotive Device Types

Top Automotive Brands

Top Baby Care Device Types

Top Baby Care Brands

Top Car Audio & Video Device Types

Top Car Audio & Video Brands

Top Cellphone Device Types

Top Cellphone Brands

Top Communications Device Types

Top Communications Brands

Top Computer Device Types

Top Computer Brands

Top Fitness Device Types

Top Fitness Brands

Top Home Audio Device Types

Top Home Audio Brands

Top Household Appliance Device Types

Top Household Appliance Brands

Top Kitchen Appliance Device Types

Top Kitchen Appliance Brands

Top Laundry Appliance Device Types

Top Laundry Appliance Brands

Top Lawn & Garden Device Types

Top Lawn & Garden Brands

Top Marine Equipment Device Types

Top Marine Equipment Brands

Top Musical Instrument Device Types

Top Musical Instrument Brands

Top Outdoor Cooking Device Types

Top Outdoor Cooking Brands

Top Personal Care Device Types

Top Personal Care Brands

Top Photography Device Types

Top Photography Brands

Top Portable Media Device Types

Top Portable Media Brands

Top Power Tools Device Types

Top Power Tools Brands

Top TV and Video Device Types

Top TV and Video Brands

Top Videogame Device Types

Top Videogame Brands

Cisco Systems OL-16647-01 Network Router User Manual