Transparent Firewall Features - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services

Chapter 4
Configuring the Firewall Mode
Firewall Mode Overview

Transparent Firewall Features

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices. The Firewall Services Module (FWSM) connects the same network on its inside and outside ports but uses different VLANs on the inside and outside.

Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network. You assign different VLANs to each interface, and IP readdressing is unnecessary. Maintenance is facilitated because there are no complicated routing patterns to troubleshoot and no NAT configuration.
Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the FWSM unless you explicitly permit it with an extended access control list (ACL). (See the "Adding an Extended Access Control List" section on page 10-13.)

In routed mode, some types of traffic cannot pass through the FWSM even if you allow it in an ACL. The transparent firewall, however, can allow any traffic through using either an extended ACL (for IP traffic) or an EtherType ACL (for non-IP traffic). (See the "Adding an EtherType Access Control List" section on page 10-16 for more information.)
Note: The transparent mode FWSM does not pass Cisco Discovery Protocol (CDP) packets.
For example, you can allow multicast traffic such as that created by IPTV using an extended ACL. You can also establish routing protocol adjacencies through a transparent firewall; for example, you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended ACL. Likewise, protocols like HSRP or VRRP can pass through the FWSM.

Non-IP traffic (for example IPX, BPDUs, and MPLS) can be configured to go through using an EtherType ACL.
When the FWSM runs in transparent mode, the outgoing interface of a packet is determined by performing a MAC address lookup instead of a route lookup. Route statements can still be configured, but they only apply to FWSM-originated traffic. For example, if your syslog server is located on a remote network, you must use a static route so the FWSM can reach that subnet. (See the "Configuring Static Routes" section on page 8-3 for more information.)
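As an added example (not taken from this guide), the following FWSM configuration fragment puts the statements described above together: extended ACLs that permit OSPF and HSRP only between two known routers, an EtherType ACL that lets BPDUs and IPX bridge through, and the static route the FWSM itself needs to reach a remote syslog server. The interface names outside and inside are assumed to be configured already, and the topology and all addresses are constructed for the example.

```cisco
! Constructed topology (assumption, not from the guide): the FWSM bridges one
! 192.168.1.0/24 segment. Router R1 (192.168.1.1) is on the outside interface;
! router R2 (192.168.1.10) and a syslog server (10.1.1.5) are behind inside.
! The FWSM's own management address is 192.168.1.2.
firewall transparent
ip address 192.168.1.2 255.255.255.0
!
! Extended ACLs: IP traffic is dropped unless explicitly permitted.
! Scope routing-protocol permits to the known peers instead of "any any".
access-list OUTSIDE_IN extended permit ospf host 192.168.1.1 host 224.0.0.5
access-list OUTSIDE_IN extended permit ospf host 192.168.1.1 host 224.0.0.6
access-list OUTSIDE_IN extended permit ospf host 192.168.1.1 host 192.168.1.10
access-list OUTSIDE_IN extended permit udp host 192.168.1.1 host 224.0.0.2 eq 1985
access-list OUTSIDE_IN extended deny ip any any log
!
access-list INSIDE_IN extended permit ospf host 192.168.1.10 host 224.0.0.5
access-list INSIDE_IN extended permit ospf host 192.168.1.10 host 224.0.0.6
access-list INSIDE_IN extended permit ospf host 192.168.1.10 host 192.168.1.1
access-list INSIDE_IN extended permit udp host 192.168.1.10 host 224.0.0.2 eq 1985
access-list INSIDE_IN extended deny ip any any log
!
! EtherType ACL: non-IP frames (spanning-tree BPDUs, IPX) need their own list;
! an extended ACL never matches them.
access-list L2_BRIDGE ethertype permit bpdu
access-list L2_BRIDGE ethertype permit ipx
!
! Apply both ACL types on each interface; an adjacency needs traffic both ways.
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
access-group L2_BRIDGE in interface outside
access-group L2_BRIDGE in interface inside
!
! Static route: used only for traffic the FWSM originates (here, syslog).
! Transit traffic is forwarded by MAC address lookup and never consults it.
route inside 10.1.1.0 255.255.255.0 192.168.1.10 1
logging host inside 10.1.1.5
```

The explicit deny with log at the end of each extended ACL only makes the implicit deny visible in syslog, which is useful when verifying that nothing unintended is being bridged.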
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
4-9
OL-6392-01
