01-10-2017 12:44 PM - edited 03-12-2019 01:45 AM
Hello all
As I know, in transparent mode the ASA 8.4 has a limit on interfaces: there are only 4 interfaces / bridge available.
I'd like to know if this has been changed in the recent version.
Another question is about BROADCAST messages: Cisco said the L2 FW allows TRUE BROADCAST, which means FFFF.FFFF.FFFF.
If a host sends messages using the broadcast address 10.0.0.255 in the subnet 10.0.0.0/24, can these messages pass through this L2 FW?
Do I need to create an ACL rule for this?
Thanks
Jimmy
01-10-2017 03:53 PM
10.0.0.255 is a layer 3 address (a directed broadcast). The only bit the ASA is interested in is the layer 2 MAC address, ffff.ffff.ffff.
I believe the same limits still apply.
01-10-2017 11:45 PM
Thanks Philip.
So I have to create an ACL to allow directed broadcast traffic,
but I don't need one if it's a ffff.ffff.ffff broadcast.
Can you confirm?
01-11-2017 12:43 AM
The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• Appletalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html#wp1201980
For the rest you will need to allow it in an extended access-list.
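An added example, not from this thread or from Cisco: a small Python check that encodes the allow-list quoted above and derives a frame's destination MAC from an IPv4 destination, so the 10.0.0.255 case from the first post can be classified. The subnet-directed broadcast and the RFC 1112 IPv4 multicast-to-MAC mapping are assumptions of the example, not something the post states; unicast destinations are left to ARP and return None.

```python
import ipaddress
import re

# Destination MAC allow-list as quoted in the post above from the ASA
# transparent-mode docs (Cisco dotted-hex notation, inclusive ranges).
ALLOWED_DST_MAC_RANGES = [
    ("true broadcast", "FFFF.FFFF.FFFF", "FFFF.FFFF.FFFF"),
    ("IPv4 multicast", "0100.5E00.0000", "0100.5EFE.FFFF"),
    ("IPv6 multicast", "3333.0000.0000", "3333.FFFF.FFFF"),
    ("BPDU multicast", "0100.0CCC.CCCD", "0100.0CCC.CCCD"),
    ("AppleTalk multicast", "0900.0700.0000", "0900.07FF.FFFF"),
]


def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted (0100.5e00.0001), colon or hyphen notation."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def int_to_cisco_mac(value: int) -> str:
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def allowed_category(dst_mac: str):
    """Return the allow-list entry the destination MAC falls in, or None."""
    v = mac_to_int(dst_mac)
    for name, lo, hi in ALLOWED_DST_MAC_RANGES:
        if mac_to_int(lo) <= v <= mac_to_int(hi):
            return name
    return None


def l2_destination(dst_ip: str, local_net: str):
    """Derive the frame's destination MAC for an IPv4 destination (assumed
    mapping): limited or subnet-directed broadcast -> ffff.ffff.ffff,
    multicast -> 01:00:5e + low 23 bits of the group (RFC 1112),
    unicast -> None (resolved by ARP, not derivable here)."""
    ip = ipaddress.IPv4Address(dst_ip)
    net = ipaddress.IPv4Network(local_net)
    if ip == net.broadcast_address or ip == ipaddress.IPv4Address("255.255.255.255"):
        return "ffff.ffff.ffff"
    if ip.is_multicast:
        return int_to_cisco_mac(0x01005E000000 | (int(ip) & 0x7FFFFF))
    return None
```

For the thread's case, `allowed_category(l2_destination("10.0.0.255", "10.0.0.0/24"))` returns "true broadcast", since the frame carrying the directed broadcast on its own subnet goes to ffff.ffff.ffff.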
01-11-2017 12:00 PM
Hello,
Thanks to all of you for the quick answers.