08-07-2006 06:35 AM - edited 03-09-2019 03:49 PM
Can anyone offer a suggestion regarding this problem? I have a firewall service module (FWSM) running code 2.3(1) in transparent mode. On the inside VLAN I have a Sun server that is to be rebuilt using the Sun "Jumpstart" method. When the "boot net -install" command is given at the Sun's OpenBoot 'ok' prompt, the server sends a RARP packet, asking to be given an IP address. I can see this RARP packet in a capture of the server's switchport traffic. I never see the packet on the other side of the firewall, however. ARP inspection is disabled (as by default), and the documentation I read indicates that that should be OK. A "show arp" in the firewall context does show that the FW context does have a good ARP entry.
Thanks,
Christopher Ursich
08-07-2006 07:22 PM
Hi, is the switch port where the server is connected configured as a trunk? And if it is, do you have a native VLAN configured on it?
Another thing to look at could be the possibility that the firewall is not seeing those packets as normal IP traffic, and hence you might have to create an EtherType access-list which will specifically allow those packets through.
08-08-2006 09:24 AM
Hi, Fernando.
The server's switchport is not a trunk; it's just regular "access" mode.
I investigated doing that. At least in Firewall Management Center (part of CiscoWorks VMS), RARP is not one of the options when creating an ethertype access-list entry. The choices are: IPX, BPDU, MPLS-UNICAST, MPLS-MULTICAST, and "Other" (where you need to enter a hex value).
From my Ethereal captures, I infer that RARP is considered to be a subset of ARP. Since page 7-3 of the FWSM configuration guide says: "By default, ARP inspection is disabled on all interfaces; all ARP packets are allowed through the FWSM," I thought it should work.
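An added example, not written by anyone in this thread: on the wire, RARP carries its own EtherType (0x8035) while ARP uses 0x0806, and a RARP request has opcode 3, so a capture can be checked for which of the two the server is sending. The sketch below decodes constructed sample frames (the MAC and IP values are made up) and also handles an 802.1Q tag, as would appear on a trunk port.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8035: "RARP"}
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def classify(frame: bytes) -> dict:
    """Decode an Ethernet II frame far enough to tell ARP from RARP."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == 0x8100:  # 802.1Q tag: real EtherType follows the TCI
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    info = {
        "dst": mac(frame[0:6]), "src": mac(frame[6:12]), "vlan": vlan,
        "ethertype_hex": f"0x{ethertype:04x}",
        "ethertype_name": ETHERTYPES.get(ethertype, "other"),
    }
    if ethertype in (0x0806, 0x8035):  # ARP and RARP share one body layout
        body = frame[offset:offset + 28]
        if len(body) < 28:
            raise ValueError("truncated ARP/RARP body")
        _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", body[:8])
        info.update(
            opcode=op, opcode_name=OPCODES.get(op, "unknown"),
            sender_mac=mac(body[8:14]), sender_ip=".".join(map(str, body[14:18])),
            target_mac=mac(body[18:24]), target_ip=".".join(map(str, body[24:28])),
        )
    return info

# Constructed sample frames (not taken from the capture discussed in the thread).
RARP_REQ = bytes.fromhex(
    "ffffffffffff" "080020aabbcc" "8035"        # broadcast dst, client src, RARP
    "0001" "0800" "06" "04" "0003"              # Ethernet/IPv4, opcode 3
    "080020aabbcc" "00000000" "080020aabbcc" "00000000")
ARP_REQ = bytes.fromhex(
    "ffffffffffff" "080020aabbcc" "0806"        # same client, ordinary ARP
    "0001" "0800" "06" "04" "0001"
    "080020aabbcc" "c000020a" "000000000000" "c0000201")
TAGGED_RARP = RARP_REQ[:12] + bytes.fromhex("81000064") + RARP_REQ[12:]

if __name__ == "__main__":
    for name, f in [("rarp", RARP_REQ), ("arp", ARP_REQ), ("tagged", TAGGED_RARP)]:
        r = classify(f)
        print(name, r["ethertype_hex"], r.get("opcode_name"), "vlan", r["vlan"])
```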