CHAPTER 22
Managing Transparent Firewall Rules
User Guide for Cisco Security Manager 4.4
OL-28826-01
Transparent firewall rules are access control rules for non-IP layer 2 traffic. You can use these rules to
permit or drop traffic based on the Ethertype value in the layer-2 packet.
This chapter contains the following topics:
Configuring Transparent Firewall Rules, page 22-1
Transparent Rules Page, page 22-3

Configuring Transparent Firewall Rules

Transparent firewall rules are access control rules for non-IP layer 2 traffic. You can use these rules to
permit or drop traffic based on the Ethertype value in the layer-2 packet. These rules create Ethertype
access control lists on the device. With transparent rules, you can control the flow of non-IP traffic across
the device. (To control IP traffic, use access rules; see Understanding Access Rules, page 16-1.)
Transparent firewalls are devices that you place within a single subnet to control traffic flow across a
bridge. They allow you to insert a firewall on a subnet without renumbering your networks.
You can configure transparent rules only on the following types of interfaces:
• IOS 12.3(7)T or higher devices—On layer-3 interfaces that are part of a bridge group:
  – Configure the interfaces you want to bridge as layer 3 in the Interfaces > Interfaces policy.
  – Configure a bridge group with two or more layer 3 interfaces in the Platform > Device Admin > Bridging policy (see Bridging on Cisco IOS Routers, page 60-18 and Defining Bridge Groups, page 60-19).
  – Create a bridge group virtual interface (BVI) using the same number as the bridge group (see Bridge-Group Virtual Interfaces, page 60-18). For example, if you create bridge group 12, create BVI12.
• ASA, PIX 7.0+, FWSM devices—On any interface when the device is running in transparent mode. If you are using multiple contexts, configure the rules on the individual security contexts.
There are several other bridging policies that you can configure in the Platform > Bridging policy group, including: ARP table and ARP inspection, MAC table and the ability to disable MAC learning, and the ability to configure a management IP address so that you can remotely manage the device. For more detail about transparent firewalls, see Chapter 46, “Configuring Bridging Policies on Firewall Devices” and Interfaces in Routed and Transparent Modes, page 45-4.
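To make the Ethertype matching that transparent rules perform concrete, the following is an added Python example; it is not part of the Security Manager documentation and is not code from the product. It parses ASA-style `access-list NAME ethertype {permit|deny} VALUE` lines (the syntax of the Ethertype ACLs these rules create on an ASA), classifies constructed Ethernet frames by their type field, and evaluates them first-match with an implicit deny. The ACL name OUT_ETH, the sample frames, and the choice to let `any` match every non-IP frame (including LLC-encapsulated BPDUs) are assumptions of this simulator, not statements about device behaviour; the keyword values (ipx 0x8137, mpls-unicast 0x8847, mpls-multicast 0x8848), the 802.1Q tag handling, and the 0x600 lower bound that separates Ethertypes from 802.3 length fields are standard.

```python
import struct

# Ethertypes behind the ASA keyword selectors (IEEE-assigned values)
KEYWORD_ETHERTYPES = {
    "ipx": 0x8137,
    "mpls-unicast": 0x8847,
    "mpls-multicast": 0x8848,
}
VLAN_TAG = 0x8100        # 802.1Q tag; the encapsulated type follows 4 bytes later
MIN_ETHERTYPE = 0x0600   # below this the field is an 802.3 length, not a type
BPDU_SAP = 0x42          # spanning-tree BPDUs are LLC frames with DSAP/SSAP 0x42


def parse_rule(line):
    """Parse 'access-list NAME ethertype {permit|deny} VALUE' into (name, action, selector).

    selector is an int Ethertype, 'any', or 'bpdu'. Hex values below 0x600 are
    rejected because they cannot be Ethertypes.
    """
    parts = line.split()
    if len(parts) != 5 or parts[0] != "access-list" or parts[2] != "ethertype":
        raise ValueError(f"not an ethertype ACL line: {line!r}")
    name, action, value = parts[1], parts[3], parts[4].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {line!r}")
    if value in ("any", "bpdu"):
        selector = value
    elif value in KEYWORD_ETHERTYPES:
        selector = KEYWORD_ETHERTYPES[value]
    else:
        try:
            selector = int(value, 16)
        except ValueError:
            raise ValueError(f"unknown Ethertype keyword: {line!r}") from None
        if not MIN_ETHERTYPE <= selector <= 0xFFFF:
            raise ValueError(f"Ethertype must be 0x600..0xffff: {line!r}")
    return name, action, selector


def validate_rules(lines):
    """Return the error messages for lines that do not parse (empty list if all parse)."""
    errors = []
    for line in lines:
        try:
            parse_rule(line)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def frame_type(frame):
    """Classify a raw frame as ('ethertype', value) or ('llc', dsap), skipping one 802.1Q tag."""
    offset = 12                                   # after destination and source MAC
    (field,) = struct.unpack_from("!H", frame, offset)
    if field == VLAN_TAG:
        offset += 4                               # skip TPID + TCI
        (field,) = struct.unpack_from("!H", frame, offset)
    if field >= MIN_ETHERTYPE:
        return ("ethertype", field)
    return ("llc", frame[offset + 2])             # 802.3 length field: LLC DSAP follows


def rule_matches(selector, kind, value):
    """Simulator assumption: 'any' matches every frame; 'bpdu' matches LLC SAP 0x42."""
    if selector == "any":
        return True
    if selector == "bpdu":
        return kind == "llc" and value == BPDU_SAP
    return kind == "ethertype" and value == selector


def evaluate(rules, frame):
    """First-match evaluation with an implicit deny at the end of the list."""
    kind, value = frame_type(frame)
    for _name, action, selector in rules:
        if rule_matches(selector, kind, value):
            return action
    return "deny"


def build_frame(type_or_length, payload, vlan_id=None):
    """Build a sample frame (constructed test data, not a capture)."""
    header = bytes.fromhex("020000000001020000000002")   # dst MAC, src MAC (locally administered)
    if vlan_id is not None:
        header += struct.pack("!HH", VLAN_TAG, vlan_id)
    return header + struct.pack("!H", type_or_length) + payload


# Assumed ACL: allow IPX and spanning tree, drop every other non-IP frame
RULE_LINES = [
    "access-list OUT_ETH ethertype permit ipx",
    "access-list OUT_ETH ethertype permit bpdu",
    "access-list OUT_ETH ethertype deny any",
]
RULES = [parse_rule(line) for line in RULE_LINES]

IPX_FRAME = build_frame(0x8137, b"\xff\xff" + b"\x00" * 28)
TAGGED_IPX_FRAME = build_frame(0x8137, b"\xff\xff" + b"\x00" * 28, vlan_id=12)
MPLS_FRAME = build_frame(0x8847, b"\x00\x01\x01\xff")
BPDU_FRAME = build_frame(38, bytes([0x42, 0x42, 0x03]) + b"\x00" * 35)  # 802.3 length 38, LLC SAP 0x42

if __name__ == "__main__":
    for label, frame in [("ipx", IPX_FRAME), ("tagged ipx", TAGGED_IPX_FRAME),
                         ("mpls", MPLS_FRAME), ("bpdu", BPDU_FRAME)]:
        print(f"{label:>11}: {frame_type(frame)} -> {evaluate(RULES, frame)}")
```

Two points worth noticing when reviewing such rules on a real device: a frame whose type field is below 0x600 carries an 802.3 length rather than an Ethertype, so protocols such as STP can only be matched by their LLC encapsulation (the `bpdu` keyword), and without an explicit `deny any` the list still ends in an implicit deny, so any non-IP protocol the bridge must carry needs its own permit entry.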