Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Access Rules
Controlling Network Access
EtherType Rules
This section describes EtherType rules.
• Supported EtherTypes and Other Traffic
• EtherType Rules for Returning Traffic
• Allowing MPLS
Supported EtherTypes and Other Traffic
An EtherType rule controls the following:
• EtherType identified by a 16-bit hexadecimal number, including common types IPX and MPLS unicast or multicast.
• Ethernet V2 frames.
• BPDUs, which are permitted by default. BPDUs are SNAP-encapsulated, and the ASA is designed to specifically handle BPDUs.
• Trunk port (Cisco proprietary) BPDUs. Trunk BPDUs have VLAN information inside the payload, so the ASA modifies the payload with the outgoing VLAN if you allow BPDUs.
• Intermediate System to Intermediate System (IS-IS).
The following types of traffic are not supported:
• 802.3-formatted frames—These frames are not handled by the rule because they use a length field as opposed to a type field.
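The type-versus-length distinction above can be checked on a captured frame. The following Python sketch is an added example, not part of the Cisco guide: it reads bytes 12-13 of a raw Ethernet frame and reports whether they carry an EtherType (Ethernet V2) or a length (802.3). The function name, dictionary keys, and sample frames are constructed for illustration.

```python
import struct

# Well-known EtherType values; the lookup table is constructed for this example.
KNOWN_ETHERTYPES = {0x8137: "IPX", 0x8847: "MPLS unicast", 0x8848: "MPLS multicast"}

ETHERTYPE_MIN = 0x0600  # bytes 12-13 >= 1536: the field is an EtherType
LENGTH_MAX = 1500       # bytes 12-13 <= 1500: the field is an 802.3 length

# Constructed sample frames (destination MAC + source MAC + field + payload).
_MACS = bytes.fromhex("020000000002 020000000001")
MPLS_FRAME = _MACS + bytes.fromhex("8847") + bytes(4)
SNAP_FRAME = _MACS + bytes.fromhex("0008") + bytes.fromhex("aaaa03") + bytes(5)


def classify_frame(frame: bytes) -> dict:
    """Classify a raw Ethernet frame (no preamble or FCS) by its type/length field."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    (field,) = struct.unpack("!H", frame[12:14])
    if field >= ETHERTYPE_MIN:
        # Ethernet V2: the field names the protocol, so a 16-bit EtherType
        # value exists for a rule to compare against.
        return {
            "format": "Ethernet V2",
            "ethertype": field,
            "name": KNOWN_ETHERTYPES.get(field, f"0x{field:04x}"),
            "has_type_field": True,
        }
    if field <= LENGTH_MAX:
        # 802.3: the field is a payload length; the protocol is identified by
        # the LLC header that follows (AA AA 03 marks a SNAP header).
        snap = frame[14:17] == b"\xaa\xaa\x03"
        return {
            "format": "802.3 + SNAP" if snap else "802.3 + LLC",
            "length": field,
            "has_type_field": False,
        }
    # 1501-1535 is neither a valid length nor an assigned EtherType range.
    raise ValueError(f"undefined type/length value 0x{field:04x}")


if __name__ == "__main__":
    for label, frame in (("MPLS", MPLS_FRAME), ("SNAP", SNAP_FRAME)):
        print(label, classify_frame(frame))
```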
EtherType Rules for Returning Traffic
Because EtherTypes are connectionless, you need to apply the rule to both interfaces if you want traffic
to pass in both directions.
Allowing MPLS
If you allow MPLS, ensure that Label Distribution Protocol and Tag Distribution Protocol TCP
connections are established through the ASA by configuring both MPLS routers connected to the ASA
to use the IP address on the ASA interface as the router-id for LDP or TDP sessions. (LDP and TDP
allow MPLS routers to negotiate the labels (addresses) used to forward packets.)
On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the ASA.
hostname(config)# mpls ldp router-id interface force
Or
hostname(config)# tag-switching tdp router-id interface force