Transparent Mode Overview; Transparent Firewall Network; Bridge Groups - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI

Chapter 5
Configuring the Firewall Mode

Transparent Mode Overview

A transparent firewall is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and
is not seen as a router hop to connected devices.
This section describes transparent firewall mode, and includes the following topics:

Transparent Firewall Network, page 5-7
Bridge Groups, page 5-7
Management Interface, page 5-8
Allowing Layer 3 Traffic, page 5-8
Allowed MAC Addresses, page 5-8
Passing Traffic Not Allowed in Routed Mode, page 5-8
MAC Address vs. Route Lookups, page 5-9
Using the Transparent Firewall in Your Network, page 5-9
Transparent Firewall Guidelines, page 5-10
Unsupported Features in Transparent Mode, page 5-11
How Data Moves Through the Transparent Firewall, page 5-12

Transparent Firewall Network

The FWSM connects the same network on its inside and outside interfaces. Because the firewall is not
a routed hop, you can easily introduce a transparent firewall into an existing network; IP readdressing is
unnecessary.
You can optionally enable NAT for hosts connected to the transparent firewall.

Bridge Groups

If you do not want the overhead of security contexts, or want to maximize your use of security contexts,
you can configure up to eight pairs of interfaces, called bridge groups. Each bridge group connects to a
separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to
another bridge group within the FWSM, and traffic must exit the FWSM before it is routed by an external
router back to another bridge group in the FWSM. Although the bridging functions are separate for each
bridge group, many other functions are shared between all bridge groups. For example, all bridge groups
share a system log server or AAA server configuration. For complete security policy separation, use
security contexts with one bridge group in each context.
Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing
network; IP readdressing is unnecessary. Maintenance is facilitated because there are no complicated
routing patterns to troubleshoot.
Note: Each bridge group requires a management IP address. The FWSM uses this IP address as the source
address for packets originating from the bridge group. The management IP address must be on the same
subnet as the connected network. For another method of management, see the "Management Interface"
section on page 5-8.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
5-7
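The constraints this section states for bridge groups (transparent mode only, at most eight groups, each group a pair of interfaces, each group with a management IP that lies on the connected network's subnet) are easy to get wrong when a configuration is edited by hand. The script below is an added example, not part of the Cisco guide and not FWSM code: it parses a small constructed transparent-mode configuration and reports any violation of those constraints. The command syntax in the sample (`firewall transparent`, `interface bvi N`, `bridge-group N`) is the FWSM 4.x CLI form; the `connected_networks` map, which records which subnet each bridge group actually bridges, is an assumed input the operator supplies from the site plan, because the FWSM configuration itself does not carry that information.

```python
"""Added example (not from the Cisco guide): check an FWSM transparent-mode
bridge-group configuration against the rules stated in the Bridge Groups section.

Checks:
  * the firewall mode is transparent
  * no more than MAX_BRIDGE_GROUPS bridge groups are configured
  * each bridge group has exactly two member interfaces (a pair)
  * each bridge group has a BVI management IP address
  * each management IP lies on the subnet the bridge group connects to
    (that subnet is supplied by the caller; it is not derivable from the config)
"""
import ipaddress
import re
from collections import defaultdict

MAX_BRIDGE_GROUPS = 8  # limit stated in the Bridge Groups section

# Constructed sample configuration (FWSM 4.x CLI syntax), two bridge groups.
SAMPLE_CONFIG = """\
firewall transparent
interface bvi 1
 ip address 10.1.1.1 255.255.255.0
interface vlan 100
 nameif outside
 bridge-group 1
 security-level 0
interface vlan 101
 nameif inside
 bridge-group 1
 security-level 100
interface bvi 2
 ip address 10.2.2.1 255.255.255.0
interface vlan 200
 nameif dmz-out
 bridge-group 2
 security-level 0
interface vlan 201
 nameif dmz-in
 bridge-group 2
 security-level 100
"""

# Constructed: the subnet each bridge group is inserted into, per the site plan.
SAMPLE_CONNECTED_NETWORKS = {1: "10.1.1.0/24", 2: "10.2.2.0/24"}


def parse_config(text):
    """Parse only the parts of the FWSM CLI the checks need."""
    cfg = {"transparent": False, "bvi": {}, "members": defaultdict(list)}
    current = None  # ("bvi", group_number) or ("vlan", interface_name)
    for raw in text.splitlines():
        line = raw.strip()
        if line == "firewall transparent":
            cfg["transparent"] = True
        elif m := re.match(r"interface bvi (\d+)$", line):
            current = ("bvi", int(m.group(1)))
        elif m := re.match(r"interface (vlan \d+)$", line):
            current = ("vlan", m.group(1))
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            if current and current[0] == "bvi":
                # Management address of the bridge group (the BVI's address).
                cfg["bvi"][current[1]] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"bridge-group (\d+)$", line):
            if current and current[0] == "vlan":
                cfg["members"][int(m.group(1))].append(current[1])
    return cfg


def check_bridge_groups(cfg, connected_networks):
    """Return a list of violations; an empty list means the config passes."""
    problems = []
    if not cfg["transparent"]:
        problems.append("firewall mode is not transparent; bridge groups require transparent mode")
    groups = sorted(set(cfg["members"]) | set(cfg["bvi"]))
    if len(groups) > MAX_BRIDGE_GROUPS:
        problems.append(f"{len(groups)} bridge groups configured; at most {MAX_BRIDGE_GROUPS} are supported")
    for g in groups:
        members = cfg["members"].get(g, [])
        if len(members) != 2:
            problems.append(f"bridge-group {g} has {len(members)} member interface(s); expected a pair")
        bvi = cfg["bvi"].get(g)
        if bvi is None:
            problems.append(f"bridge-group {g} has no management IP address (interface bvi {g})")
            continue
        net = connected_networks.get(g)
        if net is None:
            problems.append(f"bridge-group {g}: connected network not supplied; cannot verify management subnet")
        elif bvi.ip not in ipaddress.IPv4Network(net):
            problems.append(f"bridge-group {g}: management IP {bvi.ip} is not on connected network {net}")
    return problems


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for problem in check_bridge_groups(parsed, SAMPLE_CONNECTED_NETWORKS) or ["no problems found"]:
        print(problem)
```

Running the sample as-is reports no problems; changing the connected network of bridge group 1 to a different subnet, or adding a third `bridge-group 1` member, produces one violation line per broken rule, which is the kind of pre-deployment check worth running before a transparent FWSM is inserted into a live segment.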
