EtherType ACLs


firewall(config)# access-list id ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}

Treatment of non-IP packets:

• The transparent firewall introduces a new type of ACL: the EtherType ACL.

• With EtherType ACLs, an administrator can allow specific non-IP packets through the firewall.

fw1(config)# access-list ETHER ethertype permit ipx
fw1(config)# access-group ETHER in interface inside
fw1(config)# access-group ETHER in interface outside

© 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—14-12

To configure an ACL that controls traffic based on its EtherType, use the access-list ethertype command in global configuration mode.

Because EtherType traffic is connectionless (the security appliance keeps no connection state for it that could permit return traffic), you need to apply an EtherType ACL inbound on both interfaces if you want the traffic to pass in both directions.

The security appliance can control any EtherType that is identified by a 16-bit hexadecimal number. EtherType ACLs support Ethernet2 frames. 802.3-formatted frames are not handled by the ACL because they use a length field as opposed to a type field. Bridge protocol data units (BPDUs), which are handled by the ACL, are the only exception; they are Subnetwork Access Protocol (SNAP)-encapsulated, and the security appliance is designed to specifically handle BPDUs.

You can apply only one ACL of each type (extended and EtherType) to each direction of an interface. You can apply the same ACLs on multiple interfaces.

Predefined EtherType keywords are:

■ Internetwork Packet Exchange (IPX): ipx

■ Bridge protocol data units (BPDUs): bpdu

■ MPLS unicast and MPLS multicast: mpls-unicast and mpls-multicast

Other Ethernet2 (DIX)-encapsulated frames can be allowed or denied based on their 2-byte EtherType, given as a hexadecimal number. 802.3-encapsulated frames (other than BPDUs) cannot pass through the firewall at this time.

access-list id ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}

id              Name or number of the ACL.

deny            Denies the frame if the conditions are matched.

permit          Permits the frame if the conditions are matched.

ipx             Matches IPX frames.

bpdu            Matches BPDUs. By default, BPDUs are denied.

mpls-unicast    Matches Multiprotocol Label Switching (MPLS) unicast frames.

mpls-multicast  Matches MPLS multicast frames.

any             Matches any EtherType.

hex_number      A 16-bit hexadecimal number greater than or equal to 0x600 that identifies an EtherType. Values below 0x600 are 802.3 length fields, not EtherTypes, and cannot be used.
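The following is an added example, not code from the page or from Cisco: a small Python model of how a transparent firewall evaluates an EtherType ACL against raw Ethernet frames. It shows the 0x600 boundary between an Ethernet II EtherType and an 802.3 length field, the BPDU exception (detected here by the IEEE 802.1D LLC header 0x42/0x42/0x03 and the Cisco PVST+ SNAP header with OUI 00:00:0c and PID 0x010b, both standard values, not taken from the page), the implicit deny at the end of the ACL, and why the ACL has to be bound to both interfaces. The sample frames are constructed inline; the assumption that a frame arriving on an interface with no EtherType ACL bound is dropped is the author's, not a statement from the page.

```python
import struct
from dataclasses import dataclass

# Numeric EtherTypes behind the predefined keywords (standard IEEE-assigned values).
KEYWORD_TYPES = {0x8137: "ipx", 0x8847: "mpls-unicast", 0x8848: "mpls-multicast"}
KEYWORDS = {"ipx", "bpdu", "mpls-unicast", "mpls-multicast"}


@dataclass(frozen=True)
class Ace:
    """One `access-list <id> ethertype {permit|deny} <match>` line."""
    action: str   # "permit" or "deny"
    match: str    # keyword, "any", or a hex EtherType such as "0x8137"

    def __post_init__(self):
        m = self.match.lower()
        if self.action not in ("permit", "deny"):
            raise ValueError(f"bad action {self.action!r}")
        if m not in KEYWORDS and m != "any" and int(m, 16) < 0x600:
            raise ValueError("hex_number must be >= 0x600 (lower values are 802.3 lengths)")


def classify(frame: bytes):
    """Return (keyword, ethertype) for the ACL to match on.

    keyword is an ACL keyword, "other" for any other Ethernet II type, or None
    for an 802.3 frame that is not a BPDU (the ACL never sees those).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    field = struct.unpack("!H", frame[12:14])[0]
    if field >= 0x600:                      # Ethernet II / DIX: the field is an EtherType
        return KEYWORD_TYPES.get(field, "other"), field
    # Below 0x600 the field is an 802.3 length; only BPDUs are recognised there.
    llc = frame[14:17]
    if llc == b"\x42\x42\x03":              # IEEE 802.1D STP: LLC DSAP/SSAP 0x42
        return "bpdu", None
    if llc == b"\xaa\xaa\x03" and frame[17:22] == b"\x00\x00\x0c\x01\x0b":
        return "bpdu", None                 # Cisco PVST+: SNAP, OUI 00:00:0c, PID 0x010b
    return None, None


def _matches(ace: Ace, keyword: str, ethertype) -> bool:
    m = ace.match.lower()
    if m == "any":
        return True
    if m in KEYWORDS:
        return m == keyword
    return ethertype is not None and int(m, 16) == ethertype   # hex_number form


def evaluate(acl, frame: bytes) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    keyword, ethertype = classify(frame)
    if keyword is None:
        return "drop"                       # non-BPDU 802.3 frames are not bridged at all
    for ace in acl:
        if _matches(ace, keyword, ethertype):
            return "pass" if ace.action == "permit" else "drop"
    return "drop"


def bridge(access_groups: dict, ingress: str, frame: bytes) -> str:
    """Apply the EtherType ACL bound inbound on the ingress interface
    (`access-group <id> in interface <ingress>`). Assumption (author's, not
    from the page): with no EtherType ACL bound, no non-IP frame is passed."""
    acl = access_groups.get(ingress)
    return evaluate(acl, frame) if acl is not None else "drop"


def build_frame(type_or_length: int, payload: bytes) -> bytes:
    """Constructed sample frame: broadcast destination, fixed source MAC."""
    return b"\xff" * 6 + bytes.fromhex("00097cbe2100") + struct.pack("!H", type_or_length) + payload


# Constructed sample traffic, not captures from the page.
IPX_FRAME = build_frame(0x8137, b"\xff\xff" + b"\x00" * 28)           # Ethernet II IPX
MPLS_FRAME = build_frame(0x8847, b"\x00\x01\x01\xff" + b"\x00" * 20)  # MPLS unicast
STP_BPDU = build_frame(38, b"\x42\x42\x03" + b"\x00" * 35)            # 802.3 length 38, LLC 0x42
RAW_8023 = build_frame(64, b"\xe0\xe0\x03" + b"\x00" * 61)            # 802.2 IPX: a length, not a type

# access-list ETHER ethertype permit ipx / permit 0x8847
ETHER = [Ace("permit", "ipx"), Ace("permit", "0x8847")]

if __name__ == "__main__":
    both = {"inside": ETHER, "outside": ETHER}     # access-group ETHER in on both interfaces
    inside_only = {"inside": ETHER}                # ACL bound on inside only
    for name, f in [("ipx", IPX_FRAME), ("mpls", MPLS_FRAME), ("bpdu", STP_BPDU), ("802.3", RAW_8023)]:
        print(f"{name:6} from inside (both bound): {bridge(both, 'inside', f):4}  "
              f"from outside (inside only): {bridge(inside_only, 'outside', f)}")
```

Running the block shows IPX and MPLS unicast passing from inside while the same frames from outside are dropped until the ACL is also bound there, the STP BPDU dropped because nothing permits bpdu, and the 802.2-encapsulated IPX frame dropped regardless of the ACL because its 2-byte field is a length.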

ARP Inspection


firewall(config)# arp interface_name ip_address mac_address [alias]

• A static ARP entry maps a MAC address to an IP address and identifies the interface through which the host is reached.

fw1(config)# arp outside 10.0.1.1 0009.7cbe.2100


firewall(config)# arp-inspection interface_name enable [flood | no-flood]

• ARP inspection checks all ARP packets against static ARP entries and blocks mismatched packets.

• This feature prevents ARP spoofing.

fw1(config)# arp-inspection outside enable

arp inspection enabled on outside


ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a "man-in-the-middle" attack. For example, a host sends an ARP request for the gateway router, and the gateway router responds with its own MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The host now sends its traffic to the attacker, who can inspect or modify it before forwarding it on to the router. With ARP inspection enabled, a forged ARP response that pairs the gateway IP address with the attacker MAC address is dropped, as long as the correct MAC address and the associated IP address are in the static ARP table.

Configure static ARP entries using the arp command before you enable ARP inspection.

When you enable ARP inspection, the security appliance compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:

■ If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.

■ If there is a mismatch between the MAC address, the IP address, or the interface, then the security appliance drops the packet.

■ If the ARP packet does not match any entries in the static ARP table, then you can set the security appliance to either forward the packet out all interfaces (flood), or to drop the packet.

Note The management-specific interface, if present, never floods packets even if this parameter is set to flood.

arp-inspection interface_name enable [flood | no-flood]

interface_name  The interface on which you want to enable ARP inspection.

enable          Enables ARP inspection on that interface.

flood           (Default) Packets that do not match any element of a static ARP entry are flooded out all interfaces except the originating interface. Packets that partially match an entry (a mismatch between the MAC address, the IP address, or the interface) are still dropped.

                Note: The management-specific interface, if present, never floods packets even if this parameter is set to flood.

no-flood        (Optional) Packets that do not exactly match a static ARP entry are dropped.
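The following is an added example, not code from the page or from Cisco: a Python model of the ARP inspection decision described above, run over constructed ARP frames. It parses the sender MAC and IP from the ARP payload and applies the three rules in order: full match on IP, MAC and ingress interface forwards; a partial match against any static entry (the spoofing case) drops; no match at all floods or drops depending on the per-interface mode. Flooding excludes the originating interface and a management interface. The static entry mirrors the page's `arp outside 10.0.1.1 0009.7cbe.2100`; the other interface names, MAC addresses and IP addresses are made up for the example, and the treatment of interfaces on which inspection is not enabled (frame bridged uninspected) is an assumption of the author.

```python
import struct
from dataclasses import dataclass


def norm_mac(mac: str) -> str:
    """Accept 0009.7cbe.2100, 00:09:7c:be:21:00, 00-09-7c-be-21-00 or bare hex; return Cisco dotted form."""
    h = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(h) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(norm_mac(mac).replace(".", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def arp_frame(sender_mac: str, sender_ip: str, target_ip: str, opcode: int = 2) -> bytes:
    """Constructed Ethernet/ARP frame (opcode 2 = reply, 1 = request). Target MAC left zero."""
    sha = mac_bytes(sender_mac)
    eth = b"\xff" * 6 + sha + b"\x08\x06"                   # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)    # htype, ptype, hlen, plen, oper
    arp += sha + ip_bytes(sender_ip) + b"\x00" * 6 + ip_bytes(target_ip)
    return eth + arp


@dataclass(frozen=True)
class StaticArp:
    """One `arp <interface_name> <ip_address> <mac_address>` line."""
    interface: str
    ip: str
    mac: str


class ArpInspector:
    """Models `arp-inspection <interface_name> enable [flood | no-flood]`."""

    def __init__(self, static_entries, inspection: dict, interfaces, mgmt: str = "management"):
        self.table = [StaticArp(e.interface, e.ip, norm_mac(e.mac)) for e in static_entries]
        self.inspection = inspection          # {interface_name: "flood" | "no-flood"}
        self.interfaces = list(interfaces)
        self.mgmt = mgmt                      # never receives flooded ARP, per the note above

    def inspect(self, ingress: str, frame: bytes):
        """Return (verdict, egress_list); verdict is forward, drop, flood or not-arp."""
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            return "not-arp", []
        mode = self.inspection.get(ingress)
        if mode is None:                      # inspection not enabled on this interface:
            return "forward", []              # assumption: the frame is bridged uninspected
        sha, spa = frame[22:28], frame[28:32]                  # sender MAC / sender IP
        mac = norm_mac(sha.hex())
        ip = ".".join(str(b) for b in spa)
        related = [e for e in self.table if e.ip == ip or e.mac == mac]
        if not related:                       # no static entry mentions this IP or MAC
            if mode == "flood":
                return "flood", [i for i in self.interfaces if i not in (ingress, self.mgmt)]
            return "drop", []                 # no-flood
        if any(e.ip == ip and e.mac == mac and e.interface == ingress for e in related):
            return "forward", []              # IP, MAC and source interface all agree
        return "drop", []                     # mismatch on MAC, IP or interface: spoof suspected


# Constructed configuration mirroring the page's example: arp outside 10.0.1.1 0009.7cbe.2100
FW = ArpInspector(
    static_entries=[StaticArp("outside", "10.0.1.1", "0009.7cbe.2100")],
    inspection={"outside": "flood", "inside": "no-flood"},
    interfaces=["inside", "outside", "dmz", "management"],
)

if __name__ == "__main__":
    cases = {
        "genuine gateway reply": ("outside", arp_frame("0009.7cbe.2100", "10.0.1.1", "10.0.1.50")),
        "spoofed gateway reply": ("outside", arp_frame("00aa.bbcc.ddee", "10.0.1.1", "10.0.1.50")),
        "gateway MAC, wrong interface": ("inside", arp_frame("0009.7cbe.2100", "10.0.1.1", "10.0.1.50")),
        "unknown host, flood mode": ("outside", arp_frame("00de.adbe.ef01", "10.0.1.77", "10.0.1.50", 1)),
        "unknown host, no-flood mode": ("inside", arp_frame("00de.adbe.ef01", "10.0.1.77", "10.0.1.1", 1)),
    }
    for name, (iface, f) in cases.items():
        print(f"{name:30} on {iface:8}: {FW.inspect(iface, f)}")
```

The spoofed reply is dropped not because the attacker's MAC is known to be bad, but because the static entry for 10.0.1.1 pins that IP to one MAC and one interface; any ARP packet that disagrees with a static entry on any of the three fields is treated as a mismatch. Hosts with no static entry are the gap the flood mode leaves open, which is why no-flood is the safer choice on a segment where every host can be enumerated.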
