Cisco ASA 5505 Configuration Manual page 638

Licensing Requirements for Access Rules
•
•
Supported EtherTypes
•
•
•
•
•
Access Rules for Returning Traffic
Because EtherTypes are connectionless, you need to apply the rule to both interfaces if you want traffic
to pass in both directions.
Allowing MPLS
If you allow MPLS, ensure that Label Distribution Protocol and Tag Distribution Protocol TCP
connections are established through the adaptive security appliance by configuring both MPLS routers
connected to the adaptive security appliance to use the IP address on the adaptive security appliance
interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the
labels (addresses) used to forward packets.)
On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is
the interface connected to the adaptive security appliance.
hostname(config)# mpls ldp router-id interface force
Or
hostname(config)# tag-switching tdp router-id interface force
Licensing Requirements for Access Rules
The following table shows the licensing requirements for this feature:
Model License Requirement
All models Base License.
Cisco ASA 5500 Series Configuration Guide using ASDM
30-6
Access Rules for Returning Traffic, page 30-6
Allowing MPLS, page 30-6
An EtherType rule controls any EtherType identified by a 16-bit hexadecimal number.
EtherType rules support Ethernet V2 frames.
802.3-formatted frames are not handled by the rule because they use a length field as opposed to a
type field.
BPDUs, which are permitted by default, are the only exception: they are SNAP-encapsulated, and
the adaptive security appliance is designed to specifically handle BPDUs.
The adaptive security appliance receives trunk port (Cisco proprietary) BPDUs. Trunk BPDUs have
VLAN information inside the payload, so the adaptive security appliance modifies the payload with
the outgoing VLAN if you allow BPDUs.
Chapter 30 Configuring Access Rules
OL-20339-01