Key points regarding bridge groups when the ASA is configured in transparent mode:

- A default route is required only to provide a return path for management traffic.
- Bidirectional Forwarding Detection (BFD) echo packets are not allowed through the ASA when using bridge group members, because they have the same source and destination IP address and are treated as a LAND attack.
- You can create up to 250 bridge groups, with 64 interfaces per bridge group.
- Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group.
- The BVI IP address should NOT act as the default gateway for connected devices; the default gateway should be a device on the other side of the ASA.

The following are key points regarding ethertypes when the ASA is configured in transparent mode:

- ARP is permitted in both directions by default.
- The only other ethertype permitted by default through a "transparent" firewall is IP (0x0800).
- Any other ethertype must be explicitly permitted using an Ethertype ACL, applied in both directions.
- Example Ethertype ACL configuration (the permit keyword takes one of `dsap`, `bpdu`, `ipx`, `mpls-unicast`, `mpls-multicast`, `isis` or `any`):

```
access-list ETHERTYPE-ACL ethertype permit dsap|bpdu|ipx|mpls-unicast|mpls-multicast|isis|any
access-group ETHERTYPE-ACL in interface INSIDE
access-group ETHERTYPE-ACL in interface OUTSIDE
```

- In an Active/Standby failover pair you may want to block BPDUs with an Ethertype ACL, to prevent the switchport from going into a blocking state when the topology changes.
- More information on Ethertype ACLs can be found here.
- The implicit high-to-low security level permit applies to unicast traffic only; it does not apply to multicast traffic, which must be explicitly permitted.
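Putting the points above together, here is a worked transparent-mode configuration. It is an added example and not configuration from the original post: the interface names, bridge group number, BVI address, next hop and ACL names are assumptions chosen for illustration. It shows a single bridge group with a BVI address used only for management, a default route pointing to the far-side router for management return traffic, an Ethertype ACL that drops BPDUs (the failover case) while still permitting other non-IP ethertypes, and extended ACLs that explicitly permit multicast in both directions. Note the `permit ip any any` on the INSIDE ACL: once an extended ACL is applied to the high-security interface it replaces the implicit high-to-low permit, so unicast must be re-permitted explicitly.

```cisco
firewall transparent
!
! Bridge group 1: both member interfaces are Layer 2, the BVI carries the management address
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif INSIDE
 bridge-group 1
 security-level 100
!
! Default route is only for the return path of management traffic sourced from the BVI;
! 192.0.2.1 is the assumed router on the OUTSIDE side of the ASA, which hosts should use as their gateway, not the BVI
route OUTSIDE 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Ethertype ACL: drop BPDUs (recommended with Active/Standby failover), pass every other non-IP ethertype.
! Applied inbound on both members, since non-IP ethertypes are not covered by the implicit rules.
access-list ETHERTYPE-ACL ethertype deny bpdu
access-list ETHERTYPE-ACL ethertype permit any
access-group ETHERTYPE-ACL in interface INSIDE
access-group ETHERTYPE-ACL in interface OUTSIDE
!
! Extended ACLs: the implicit high-to-low permit covers unicast only, so multicast (224.0.0.0/4)
! is permitted explicitly on both interfaces. INSIDE keeps unicast with an explicit permit ip any any.
access-list INSIDE-IN extended permit ip any 224.0.0.0 240.0.0.0
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface INSIDE
!
access-list OUTSIDE-IN extended permit ip any 224.0.0.0 240.0.0.0
access-group OUTSIDE-IN in interface OUTSIDE
```

To confirm the behaviour, `show access-list ETHERTYPE-ACL` should show hit counts climbing on the `deny bpdu` line once the adjacent switches start sending BPDUs, and `show conn` will never show BFD echo sessions between neighbours on opposite sides of the bridge group, since those packets are dropped as LAND attacks before a connection is built.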