FWSM: How to permit Solaris Jumpstart (uses RARP)?

Can anyone offer a suggestion regarding this problem? I have a firewall service module (FWSM) running code 2.3(1) in transparent mode. On the inside VLAN I have a Sun server that is to be rebuilt using the Sun "Jumpstart" method. When the "boot net -install" command is given at the Sun's OpenBoot 'ok' prompt, the server sends a RARP packet, asking to be given an IP address. I can see this RARP packet in a capture of the server's switchport traffic. I never see the packet on the other side of the firewall, however. ARP inspection is disabled (as by default), and the documentation I read indicates that that should be OK. A "show arp" in the firewall context does show that the FW context does have a good ARP entry.

Thanks,

Christopher Ursich

2 Replies

Fernando_Meza
Level 7

Hi, is the switch port where the server is connected configured as a trunk? And if it is, do you have a native VLAN configured on it?

Another thing to look at could be the possibility that the firewall is not seeing those packets as normal IP traffic, and hence you might have to create an EtherType access-list which will specifically allow those packets through.

Hi, Fernando.

The server's switchport is not a trunk; it's just regular "access" mode.

I investigated doing that. At least in Firewall Management Center (part of CiscoWorks VMS), RARP is not one of the options when creating an ethertype access-list entry. The choices are: IPX, BPDU, MPLS-UNICAST, MPLS-MULTICAST, and "Other" (where you need to enter a hex value).

From my Ethereal captures, I infer that RARP is considered to be a subset of ARP. Since page 7-3 of the FWSM configuration guide says: "By default, ARP inspection is disabled on all interfaces; all ARP packets are allowed through the FWSM," I thought it should work.
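
Added example, not part of the original thread: a small Python classifier for raw Ethernet frames, for comparing what appears in captures on each side of the firewall. RARP (RFC 903) reuses the ARP packet layout but is carried under its own EtherType, 0x8035, rather than ARP's 0x0806; the MAC address, VLAN ID and frames below are constructed sample input, and the function names are hypothetical.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8035: "RARP"}
OPCODES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
VLAN_TPID = 0x8100  # 802.1Q tag, present when the capture is taken on a trunk


def classify_frame(frame: bytes) -> dict:
    """Return EtherType, VLAN ID (if tagged) and ARP/RARP opcode of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan = 14, None
    if ethertype == VLAN_TPID:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan, offset = tci & 0x0FFF, 18
    result = {"ethertype": ethertype, "name": ETHERTYPES.get(ethertype, "other"),
              "vlan": vlan, "opcode": None}
    if ethertype in (0x0806, 0x8035):
        if len(frame) < offset + 8:
            raise ValueError("truncated ARP/RARP header")
        # Opcode sits after htype(2) ptype(2) hlen(1) plen(1) in the shared layout.
        opcode = struct.unpack_from("!H", frame, offset + 6)[0]
        result["opcode"] = OPCODES.get(opcode, f"unknown ({opcode})")
    return result


def build_frame(ethertype: int, opcode: int, mac: bytes, vlan=None) -> bytes:
    """Construct a broadcast ARP-format frame (sample input, not a real capture)."""
    tag = struct.pack("!HH", VLAN_TPID, vlan) if vlan is not None else b""
    header = b"\xff" * 6 + mac + tag + struct.pack("!H", ethertype)
    # Sender and target hardware address are both the booting host; IPs are 0.0.0.0.
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + (mac + bytes(4)) * 2
    return header + body


SAMPLE_MAC = bytes.fromhex("080020aabbcc")  # constructed address

if __name__ == "__main__":
    samples = [build_frame(0x8035, 3, SAMPLE_MAC),           # untagged RARP request
               build_frame(0x8035, 3, SAMPLE_MAC, vlan=10),  # same frame on a trunk
               build_frame(0x0806, 1, SAMPLE_MAC)]           # ordinary ARP request
    for frame in samples:
        info = classify_frame(frame)
        print(f"0x{info['ethertype']:04x} {info['name']:<5} vlan={info['vlan']} {info['opcode']}")
```
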
