Traffic Management in Transparent Mode

Now that you have transparent mode enabled on the Security Appliance, you must allow
more than just ARP traffic through the firewall. Extended access lists must be configured for
each traffic type you wish to allow through the firewall. For non-IP traffic, you must
configure EtherType access lists. Both types of access lists, once configured, must be assigned
to one of the two interfaces, or both, to be enabled. The syntax for extended access lists is
the same as those used in nontransparent mode, and detailed configuration of these access
lists can be found in Chapter 7, “Configuring Access.” EtherType access lists are used when
non-IP traffic is required to pass through the firewall. EtherType access lists are connectionless
and must be applied to both interfaces to operate correctly. To create an EtherType access
list, use the ethertype attribute with the access-list command:
access-list id ethertype {deny | permit}{ipx | bpdu | mpls-unicast | mpls-multica

Table 6-16 describes the parameters for the access-list ethertype command.
Example 6-13 Assigning an IP Address to Management Ports in Multiple-Context Mode
Pix/admin(config)# ip address 10.10.10.1 255.255.255.0
Pix/admin(config)# changeto context1
Pix/context1(config)# ip address 10.10.11.1 255.255.255.0
Pix/context1(config)# changeto context2
Pix/context2(config)# ip address 10.10.12.1 255.255.255.0
Table 6-16 access-list ethertype Command Parameters

Parameter        Description
id               Name or number of an access list.
deny             Denies access if the conditions are matched.
permit           Permits access if the conditions are matched.
ipx              Specifies access to IPX.
bpdu             Specifies access to bridge protocol data units.
mpls-unicast     Specifies access to MPLS unicast.
mpls-multicast   Specifies access to MPLS multicast.
any              Specifies access to anyone.
hex_number       A 16-bit hexadecimal number greater than or equal to 0x600 by which an
                 EtherType can be identified.
NOTE In transparent mode, the Security Appliance relies on EtherTypes to determine
traffic selection. This forces the Security Appliance to only pass Ethernet II frames, due to
802.3 frames requiring a length field instead of EtherType.

Remember that the Security Appliance defaults do not allow any non-ARP traffic through
the firewall.
You can manage ARP traffic through ARP inspection on the Security Appliance. Inspection
helps restrict malicious users from attempting ARP floods on or through the firewall or the
connected networks. Using the arp-inspection command in global configuration mode, you
can check each ARP request that would be flooded through an interface for an IP address,
MAC address, or interface that does not match a static ARP entry, and drop those packets
before they can cause problems. The full syntax of the arp-inspection command is as
follows:
arp-inspection interface_name enable [flood | no-flood]
Table 6-17 describes the parameters for the arp-inspection command.


Table 6-17 arp-inspection Command Parameters

Parameter        Description
interface_name   The interface on which you want ARP inspection.
enable           Enables ARP inspection.
flood            (Default) Specifies that packets not matching any element of a static ARP
                 entry are flooded out of all interfaces except the originating interface. If a
                 mismatch occurs between the MAC address, IP address, or interface, the
                 Security Appliance drops the packet.
no-flood         (Optional) Specifies that packets not exactly matching a static ARP entry
                 are dropped.
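The following Python model is an added illustration, not code from this book or from Cisco. It shows the three decisions described above: the type/length test that limits traffic selection to Ethernet II frames (the NOTE), top-down EtherType ACL evaluation with implicit deny, and the static-ARP comparison behind the flood and no-flood options of arp-inspection (Table 6-17). The EtherType values for the ipx and mpls keywords are the standard IEEE assignments; the bpdu keyword is not modelled, and the sample frames and static ARP entries are constructed for the example.

```python
"""Model of transparent-mode frame handling: EtherType ACLs and ARP inspection."""
import struct

# Standard IEEE EtherType values for the ACL keywords modelled here (bpdu not modelled).
ETHERTYPE_KEYWORDS = {"ipx": 0x8137, "mpls-unicast": 0x8847, "mpls-multicast": 0x8848}


def frame_ethertype(frame: bytes):
    """Return the EtherType of an Ethernet II frame, or None for an 802.3 frame.

    Bytes 12-13 hold an EtherType when >= 0x600 and an 802.3 length field otherwise,
    which is why the appliance can only select traffic on Ethernet II frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    return type_or_len if type_or_len >= 0x600 else None


def ethertype_acl_permits(acl, frame: bytes) -> bool:
    """Evaluate an EtherType ACL top-down: first match wins, implicit deny at the end.

    acl is a list of (action, match) pairs; match is a keyword, "any", or a hex_number."""
    etype = frame_ethertype(frame)
    if etype is None:
        return False  # 802.3 frame carries a length, not an EtherType: never passed
    for action, match in acl:
        value = ETHERTYPE_KEYWORDS.get(match, match)
        if value == "any" or value == etype:
            return action == "permit"
    return False


def arp_inspect(static_arp, interface, sender_ip, sender_mac, flood=True) -> str:
    """Classify an ARP packet as 'forward', 'flood' or 'drop' per Table 6-17.

    static_arp is a list of (interface, ip, mac) static ARP entries."""
    if (interface, sender_ip, sender_mac) in static_arp:
        return "forward"  # exact match with a static entry
    for _iface, ip, mac in static_arp:
        if ip == sender_ip or mac == sender_mac:
            return "drop"  # IP, MAC or interface disagrees with a static entry
    # No element of any static entry matched: flood (default) or drop (no-flood)
    return "flood" if flood else "drop"


def build_frame(type_or_len: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame: broadcast dst, locally administered src, type/len, payload."""
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", type_or_len) + payload
```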