Cisco ASDM User Guide
OL-16647-01
Chapter 20 Configuring Access Rules and EtherType Rules
802.3-formatted frames are not handled by an EtherType rule because they carry a length field rather than a type field.
The only exception is BPDUs, which are handled by the rule: they are SNAP-encapsulated, and the security appliance is designed to handle BPDUs specifically.
The security appliance receives trunk port (Cisco proprietary) BPDUs. Trunk BPDUs have VLAN
information inside the payload, so the security appliance modifies the payload with the outgoing VLAN
if you allow BPDUs.
Note If you use failover, you must allow BPDUs on both interfaces with an EtherType rule to avoid bridging
loops.
Implicit Permit of IP and ARPs Only
IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to
a lower security interface, without a rule. ARPs are allowed through the transparent firewall in both
directions without a rule. ARP traffic can be controlled by ARP inspection.
However, to allow any traffic with EtherTypes other than IPv4 and ARP, you need to apply an EtherType
access list, even from a high security to a low security interface.
Because EtherTypes are connectionless, you need to apply the rule to both interfaces if you want traffic
to pass in both directions.
IPv6 Unsupported
EtherType ACEs do not allow IPv6 traffic, even if you specify the IPv6 EtherType.
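The forwarding decisions described under the preceding headings (EtherType versus 802.3 length field, the BPDU exception, the implicit permit of IPv4 and ARP, the need for an EtherType rule on each interface, and the IPv6 restriction), as an added Python model. This is example code, not part of the ASDM guide or of the ASA software: the interface names, security levels, the per-interface inbound ACL shape, the frame builders and the LLC/SNAP constants used to recognize a Cisco PVST+ BPDU are this example's own assumptions, chosen to match the behaviour the text describes.

```python
"""Model of transparent-firewall layer-2 decisions (constructed example)."""
import struct

ETH_P_IPV4, ETH_P_ARP, ETH_P_IPV6 = 0x0800, 0x0806, 0x86DD
ETH_P_MPLS_UC, ETH_P_MPLS_MC = 0x8847, 0x8848
# Assumed PVST+ encapsulation: LLC AA-AA-03, Cisco OUI 00:00:0c, PID 0x010b
SNAP_LLC, CISCO_OUI, PVST_PID = b"\xaa\xaa\x03", b"\x00\x00\x0c", 0x010B

PERMIT, DENY, EXTENDED = "permit", "deny", "extended-acl"


def classify(frame: bytes):
    """Bytes 12-13 are an EtherType when >= 0x0600 (Ethernet II); otherwise
    they are an 802.3 length field and the LLC/SNAP header tells us whether
    the frame is a PVST+ BPDU."""
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:
        return "ethertype", type_or_len
    if (frame[14:17] == SNAP_LLC and frame[17:20] == CISCO_OUI
            and struct.unpack("!H", frame[20:22])[0] == PVST_PID):
        return "bpdu", None
    return "802.3", type_or_len


class TransparentFirewall:
    """Hypothetical model of the decisions in the text, not ASA code."""

    def __init__(self, levels, ethertype_acls):
        self.levels = levels          # {interface: security level}
        self.acls = ethertype_acls    # {interface: [(action, match)]}, inbound

    def decide(self, ingress, egress, frame):
        kind, value = classify(frame)
        if kind == "ethertype" and value == ETH_P_ARP:
            return PERMIT, "ARP passes both ways without a rule (ARP inspection aside)"
        if kind == "ethertype" and value == ETH_P_IPV4:
            if self.levels[ingress] > self.levels[egress]:
                return PERMIT, "IPv4 from higher to lower security is implicit"
            return EXTENDED, "IPv4 from lower to higher security needs an access rule"
        if kind == "ethertype" and value == ETH_P_IPV6:
            return DENY, "EtherType ACEs never match IPv6, even if 0x86DD is listed"
        if kind == "802.3":
            return DENY, "802.3 frame has a length, not a type; no ACE can match"
        # BPDUs and all other EtherTypes need an ACE on the ingress interface.
        # EtherTypes are connectionless, so nothing tracks a return flow:
        # the reverse direction needs its own ACE on the other interface.
        for action, match in self.acls.get(ingress, []):
            if (kind == "bpdu" and match == "bpdu") or match == value:
                return action, "matched EtherType ACE on %s" % ingress
        return DENY, "no EtherType ACE on %s matches" % ingress


def eth2(ethertype: int, payload: bytes = b"\x00" * 4) -> bytes:
    """Constructed Ethernet II frame: zeroed MACs, type field, stub payload."""
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload


def pvst_bpdu() -> bytes:
    """Constructed PVST+ BPDU: 802.3 length + LLC/SNAP header + stub body."""
    body = b"\x00" * 4                       # stub, not a real BPDU body
    llc_snap = SNAP_LLC + CISCO_OUI + struct.pack("!H", PVST_PID)
    return (bytes.fromhex("01000ccccccd") + b"\x00" * 6
            + struct.pack("!H", len(llc_snap) + len(body)) + llc_snap + body)


def llc_8023() -> bytes:
    """Constructed non-SNAP 802.2 LLC frame; only a length field is present."""
    body = b"\xf0\xf0\x03" + b"\x00" * 4
    return b"\x00" * 12 + struct.pack("!H", len(body)) + body


# Assumed two-interface transparent firewall. MPLS is permitted inbound on
# "inside" only, so the reverse direction is expected to fail.
FW = TransparentFirewall(
    levels={"inside": 100, "outside": 0},
    ethertype_acls={
        "inside": [("permit", "bpdu"), ("permit", ETH_P_MPLS_UC),
                   ("permit", ETH_P_IPV6)],      # the IPv6 ACE has no effect
        "outside": [("permit", "bpdu")],
    },
)


def demo():
    """Verdict for each constructed frame and direction."""
    cases = {
        "arp_out_in": ("outside", "inside", eth2(ETH_P_ARP)),
        "ipv4_in_out": ("inside", "outside", eth2(ETH_P_IPV4)),
        "ipv4_out_in": ("outside", "inside", eth2(ETH_P_IPV4)),
        "ipv6_in_out": ("inside", "outside", eth2(ETH_P_IPV6)),
        "bpdu_in_out": ("inside", "outside", pvst_bpdu()),
        "bpdu_out_in": ("outside", "inside", pvst_bpdu()),
        "mpls_in_out": ("inside", "outside", eth2(ETH_P_MPLS_UC)),
        "mpls_out_in": ("outside", "inside", eth2(ETH_P_MPLS_UC)),
        "llc_in_out": ("inside", "outside", llc_8023()),
    }
    return {name: FW.decide(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-12s %s" % (name, verdict))
```

Running the block shows the two points that most often surprise people in practice: the MPLS frame that is permitted from inside is dropped from outside because only one interface carries the EtherType ACE, and the IPv6 frame is dropped even though 0x86DD appears in the ACL.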
Allowing MPLS
If you allow MPLS, ensure that the Label Distribution Protocol (LDP) and Tag Distribution Protocol (TDP) TCP connections are established through the security appliance by configuring both MPLS routers connected to the security appliance to use the IP address on the security appliance interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels used to forward packets.)
On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the security appliance.

hostname(config)# mpls ldp router-id interface force

Or

hostname(config)# tag-switching tdp router-id interface force
Configuring Access Rules
The Access Rules window shows your entire network security policy expressed in rules.
When you choose the Access Rules option, this window lets you define access lists to control the access
of a specific host or network to another host/network, including the protocol or port that can be used.