Monday, January 8, 2018

Cisco Firewall: How A Cisco ASA L2 Firewall Works (Transparent Mode)

I'd like to explain how the Cisco ASA L2 firewall works.  I find that most people really don't understand how this works, so I'm going to attempt to explain as best I can.

How A L2 Firewall Works (Transparent Mode)
As a packet comes into the Aggregation switch, destined for Server IP address of, that packet is destined for Vlan1273 on the Agg switch. As the Agg switch sends out an ARP request to get the MAC address of the Server, the ARP is sent out all ports with Vlan 1273 configured.  As the ARP comes into the ASA, it then broadcasts over across its bridge-group 30, and the destination is then within the Layer2 Vlan of 273.  It traverses back to the Agg switch, in Vlan 273, and all ports with Vlan 273.  The Leaf switch sees the ARP request, and forwards it out all ports with Vlan 273 (L2) on the Leaf switch.  The server gets the ARP request, and responds with its MAC address, traversing back across the Leaf switch, through the Agg switch on Vlan 273, and to the ASA on Vlan 273.  When the ASA receives the ARP reply, it forwards it back across the bridge-group 30 to Vlan 1273, and on to the Agg switch in Vlan 1273.  There is now two way communication, from Vlan 1273 across to Vlan 273, and vice versa. 

Notice that in the ASA configuration, the ACL allows all traffic GLOBALLY, for simplicity for our example.

No comments:

Post a Comment

Your comment will be reviewed for approval. Thank you for submitting your comments.