How A L2 Firewall Works (Transparent Mode)
When a packet arrives at the Aggregation switch destined for the server IP address 10.10.1.30, it is routed toward Vlan 1273 on the Agg switch. The Agg switch sends out an ARP request to learn the MAC address of the server 10.10.1.30, and that ARP request is flooded out every port configured for Vlan 1273. When the ARP request reaches the ASA, the ASA floods it across its bridge-group 30, so the frame emerges in the Layer 2 Vlan 273. It travels back to the Agg switch on Vlan 273 and out all ports carrying Vlan 273. The Leaf switch sees the ARP request and forwards it out all of its Vlan 273 (L2) ports. The server receives the ARP request and responds with its MAC address; the reply traverses back through the Leaf switch, through the Agg switch on Vlan 273, and on to the ASA on Vlan 273.

When the ASA receives the ARP reply, it forwards it back across bridge-group 30 to Vlan 1273, and on to the Agg switch in Vlan 1273. There is now two-way communication from Vlan 1273 across to Vlan 273, and vice versa.
Note that in the ASA configuration, the ACL permits all traffic globally, for simplicity in this example.
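An ASA transparent-mode configuration matching the topology described above, added here as an illustration and not the original post's configuration: the physical interface names, nameifs, the BVI address and the ACL names are assumptions. It shows the permit-any global ACL the post uses alongside a narrower per-interface ACL that restricts access to the server at 10.10.1.30.

```text
! Added example (not the original post's config). Interface names,
! the BVI address and the ACL names are assumptions.
firewall transparent
!
! Both subinterfaces are members of bridge-group 30, so frames that
! enter on Vlan 1273 are bridged to Vlan 273 and vice versa. This is
! the path the ARP request and ARP reply take in the walkthrough above.
interface GigabitEthernet0/0.1273
 vlan 1273
 nameif agg-side
 bridge-group 30
 security-level 0
!
interface GigabitEthernet0/1.273
 vlan 273
 nameif server-side
 bridge-group 30
 security-level 100
!
! The BVI address is used only to manage the ASA. Hosts on the
! bridged segment keep the Agg switch as their default gateway.
interface BVI30
 ip address 10.10.1.5 255.255.255.0
!
! What the post describes: a single ACL that permits everything,
! applied globally so it covers traffic on both bridge-group members.
access-list PERMIT_ALL extended permit ip any any
access-group PERMIT_ALL global
!
! A narrower alternative for the same topology (commented out):
! permit only the service the server exposes toward Vlan 1273 and
! log everything the explicit deny drops, so blocked flows are visible.
! access-list SERVER_IN extended permit tcp any host 10.10.1.30 eq 443
! access-list SERVER_IN extended deny ip any any log
! access-group SERVER_IN in interface agg-side
```

In transparent mode the ARP exchange itself is bridged regardless of these IP ACLs; the ACLs govern the IP traffic that follows once the MAC address has been learned.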