CHAP TER
46-1
User Guide for Cisco Security Manager 4.4
OL-28826-01
46
Configuring Bridging Policies on Firewall
Devices
This chapter contains the following topics:
About Bridging on Firewall Devices, page46-1
Bridging Support for FWSM 3.1, page 46-3
ARP Table Page, page46-3
ARP Inspection Page, page 46-5
Managing the IPv6 Neighbor Cache, page 46-6
MAC Address Table Page, page46-7
MAC Learning Page, page 46-8
Management IP Page, page 46-10
Management IPv6 Page (ASA 5505), page 46-10

About Bridging on Firewall Devices

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its
screened subnets. A transparent firewall, on the other hand, is a Layer 2 device that acts like a “bump in
the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices. The security
appliance connects the same network on its inside and outside ports, acting as an access-control bridge;
you assign different VLANs to each interface, and IP addressing is not used.
Thus, you can easily introduce a transparent firewall into an existing network—IP re-addressing is
unnecessary—and maintenance is facilitated because there are no complicated routing patterns to
troubleshoot and no NAT configuration.
Although the transparent-mode device acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass
through the security appliance unless you explicitly permit it with specific access rules. The only traffic
allowed through a firewall without an access list is ARP traffic, which you can control using ARP
inspection, and IPv6 neighbor discovery.
When the security appliance runs in transparent mode, the outgoing interface of a packet is determined
by performing a MAC address lookup instead of a route lookup. Route statements can still be configured,
but they apply only to security appliance-originated traffic. For example, if your syslog server is located
on a remote network, you must use a static route so the security appliance can reach that subnet.