15-7
Cisco Security Appliance Command Line Configuration Guide
OL-12172-01
Chapter 15 Firewall Mode Overview
Transparent Mode Overview
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its
screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump
in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.
This section describes transparent firewall mode, and includes the following topics:
• Transparent Firewall Network, page 15-7
• Allowing Layer 3 Traffic, page 15-7
• Allowed MAC Addresses, page 15-7
• Passing Traffic Not Allowed in Routed Mode, page 15-8
• MAC Address vs. Route Lookups, page 15-8
• Using the Transparent Firewall in Your Network, page 15-9
• Transparent Firewall Guidelines, page 15-9
• Unsupported Features in Transparent Mode, page 15-10
• How Data Moves Through the Transparent Firewall, page 15-11
Transparent Firewall Network
The security appliance connects the same network on its inside and outside interfaces. Because the
firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network.
Allowing Layer 3 Traffic
IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to
a lower security interface, without an access list. ARPs are allowed through the transparent firewall in
both directions without an access list. ARP traffic can be controlled by ARP inspection. For Layer 3
traffic travelling from a low to a high security interface, an extended access list is required on the low
security interface. See the “Adding an Extended Access List” section on page 16-5 for more information.
Allowed MAC Addresses
The following destination MAC addresses are allowed through the transparent firewall. Any MAC
address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
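To make the allow-list above concrete, here is an added example (not Cisco code, and not part of this guide) that parses Cisco dotted-hex MAC notation and reports which entry of the list a destination MAC matches. The ranges are copied exactly from the list; the sample destination addresses at the bottom are constructed. One assumption beyond the page: unicast destinations are handled by the appliance's normal MAC learning rather than by this list, so the model reports them as `unicast` instead of dropping them, and only group (multicast/broadcast) addresses that miss every entry are reported as dropped.

```python
"""Model of the transparent-firewall destination-MAC allow-list.

Added example, not Cisco code.  Parses Cisco dotted-hex notation
(XXXX.XXXX.XXXX) and checks a destination MAC against the inclusive
ranges listed on the page.  Assumption (not stated on this page):
unicast destinations are forwarded by MAC learning, not by this list.
"""
import re

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")


def mac_to_int(mac: str) -> int:
    """Convert Cisco dotted-hex notation to a 48-bit integer."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not Cisco dotted-hex MAC notation: {mac!r}")
    return int(mac.replace(".", ""), 16)


# (name, low, high): inclusive ranges, copied from the "Allowed MAC Addresses" list.
ALLOWED_DST_MAC_RANGES = [
    ("broadcast", mac_to_int("FFFF.FFFF.FFFF"), mac_to_int("FFFF.FFFF.FFFF")),
    ("ipv4-multicast", mac_to_int("0100.5E00.0000"), mac_to_int("0100.5EFE.FFFF")),
    ("ipv6-multicast", mac_to_int("3333.0000.0000"), mac_to_int("3333.FFFF.FFFF")),
    ("bpdu-multicast", mac_to_int("0100.0CCC.CCCD"), mac_to_int("0100.0CCC.CCCD")),
    ("appletalk-multicast", mac_to_int("0900.0700.0000"), mac_to_int("0900.07FF.FFFF")),
]


def classify_destination_mac(mac: str):
    """Return the name of the allow-list entry the MAC falls in, or None."""
    value = mac_to_int(mac)
    for name, low, high in ALLOWED_DST_MAC_RANGES:
        if low <= value <= high:
            return name
    return None


def is_group_address(mac: str) -> bool:
    """True if the I/G bit (least significant bit of the first octet) is set,
    i.e. the address is multicast or broadcast rather than unicast."""
    return bool((mac_to_int(mac) >> 40) & 0x01)


def filter_frames(dst_macs):
    """Decide, per destination MAC, what the model does with the frame.

    'forward:<entry>'  - group address matching an allow-list entry
    'drop'             - group address matching no entry
    'unicast'          - unicast address; outside this list (assumption: handled
                          by MAC learning, which this page does not cover)
    """
    decisions = []
    for mac in dst_macs:
        entry = classify_destination_mac(mac)
        if entry is not None:
            decisions.append((mac, f"forward:{entry}"))
        elif is_group_address(mac):
            decisions.append((mac, "drop"))
        else:
            decisions.append((mac, "unicast"))
    return decisions


# Constructed sample destinations, chosen to exercise the range edges.
SAMPLE_DST_MACS = [
    "FFFF.FFFF.FFFF",  # broadcast (e.g. an ARP request)
    "0100.5E01.0101",  # inside the IPv4 multicast range
    "0100.5EFF.0000",  # one past the IPv4 multicast range on the list
    "3333.0000.0001",  # inside the IPv6 multicast range
    "0100.0CCC.CCCD",  # the single BPDU address
    "0100.0CCC.CCCC",  # adjacent group address, not on the list
    "0900.0700.0000",  # start of the Appletalk multicast range
    "0000.0C12.3456",  # constructed unicast host address
]

if __name__ == "__main__":
    for mac, decision in filter_frames(SAMPLE_DST_MACS):
        print(f"{mac}  {decision}")
```

Running it prints one line per sample address; the two `drop` results show that the list is a strict range check, so a group address that is only one value outside a listed range (0100.5EFF.0000 or 0100.0CCC.CCCC) is not forwarded, which is the behaviour to expect when troubleshooting multicast or control-plane protocols that fail to cross a transparent firewall.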