
Chapter 15 Firewall Mode Overview

Transparent Mode Overview

Passing Traffic Not Allowed in Routed Mode

In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. The transparent firewall, however, can allow almost any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).

Note: The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported.

For example, you can establish routing protocol adjacencies through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols like HSRP or VRRP can pass through the security appliance.

Non-IP traffic (for example, AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using an EtherType access list.

For features that are not directly supported on the transparent firewall, you can allow traffic to pass through so that upstream and downstream routers can support the functionality. For example, by using an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.
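The two kinds of access list described above, as an added configuration example that is not taken from the guide. It assumes a transparent-mode appliance with interfaces already named inside and outside; the list names and the decision to apply them on the inside interface are assumptions.

```cisco
! Added example (not from the guide). Interfaces inside/outside and
! "firewall transparent" are assumed to be configured already.
!
! Non-IP traffic: an EtherType access list. Only EtherTypes of 0x600
! or higher can be matched; BPDUs are the supported sub-0x600 case.
access-list ETH-INSIDE ethertype permit bpdu
access-list ETH-INSIDE ethertype permit ipx
access-list ETH-INSIDE ethertype permit mpls-unicast
access-list ETH-INSIDE ethertype permit 0x809b
! any other non-IP EtherType is dropped by the implicit deny
!
! IP traffic: an extended access list. Routing-protocol adjacencies,
! HSRP/VRRP and DHCP are plain IP protocols/ports from this viewpoint.
access-list IP-INSIDE extended permit ospf any any
access-list IP-INSIDE extended permit eigrp any any
access-list IP-INSIDE extended permit tcp any any eq bgp
access-list IP-INSIDE extended permit udp any any eq rip
access-list IP-INSIDE extended permit udp any host 224.0.0.2 eq 1985
access-list IP-INSIDE extended permit 112 any host 224.0.0.18
access-list IP-INSIDE extended permit udp any any eq bootps
access-list IP-INSIDE extended permit udp any any eq bootpc
!
! Both lists are applied to the same interface and direction.
access-group ETH-INSIDE in interface inside
access-group IP-INSIDE in interface inside
```

Matching lists are normally applied on the outside interface as well, since the return direction of each protocol must also be permitted; the 0x809b entry is the AppleTalk EtherType and 1985/udp and IP protocol 112 are HSRP and VRRP respectively.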

MAC Address vs. Route Lookups

When the security appliance runs in transparent mode without NAT, the outgoing interface of a packet is determined by performing a MAC address lookup instead of a route lookup. Route statements can still be configured, but they only apply to security appliance-originated traffic. For example, if your syslog server is located on a remote network, you must use a static route so the security appliance can reach that subnet.

An exception to this rule is when you use voice inspections and the endpoint is at least one hop away from the security appliance. For example, if you use the transparent firewall between a CCM and an H.323 gateway, and there is a router between the transparent firewall and the H.323 gateway, then you need to add a static route on the security appliance for the H.323 gateway for successful call completion.

If you use NAT, then the security appliance uses a route lookup instead of a MAC address lookup. In some cases, you will need static routes. For example, if the real destination address is not directly connected to the security appliance, then you need to add a static route on the security appliance for the real destination address that points to the downstream router.
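The three static-route cases from this section (appliance-originated syslog, the voice-inspection exception, and NAT) as an added configuration example that is not taken from the guide. All addresses are assumed: the management address is on 10.1.1.0/24, 10.1.1.2 and 10.1.1.3 are routers on the inside segment, and 192.0.2.10 is a mapped address.

```cisco
! Added example (not from the guide); all addresses are assumed.
!
! Case 1: without NAT, through-traffic is bridged by MAC lookup, so a
! route is only needed for traffic the appliance itself originates.
! The syslog server 10.1.2.50 is one hop away behind router 10.1.1.2.
logging enable
logging host inside 10.1.2.50
route inside 10.1.2.0 255.255.255.0 10.1.1.2 1
!
! Case 2: voice inspection exception. The H.323 gateway 10.1.3.20 sits
! behind router 10.1.1.3, so calls complete only with a host route.
route inside 10.1.3.20 255.255.255.255 10.1.1.3 1
!
! Case 3: with NAT the outgoing interface comes from a route lookup.
! The real host 10.1.2.10 is not directly connected, so its real
! address needs a route toward the downstream router 10.1.1.2.
static (inside,outside) 192.0.2.10 10.1.2.10 netmask 255.255.255.255
route inside 10.1.2.10 255.255.255.255 10.1.1.2 1
```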


Cisco Security Appliance Command Line Configuration Guide

15-8

OL-12172-01
