Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

1822 pages
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 5 Configuring the Transparent or Routed Firewall
Customizing the MAC Address Table for the Transparent Firewall
Because the adaptive security appliance is a firewall, if the destination MAC address of a packet is not
in the table, the adaptive security appliance does not flood the original packet on all interfaces as a
normal bridge does. Instead, it generates the following packets for directly connected devices or for
remote devices:
• Packets for directly connected devices—The adaptive security appliance generates an ARP request
for the destination IP address, so that the adaptive security appliance can learn which interface
receives the ARP response.
• Packets for remote devices—The adaptive security appliance generates a ping to the destination IP
address so that the adaptive security appliance can learn which interface receives the ping reply.
The original packet is dropped.
Licensing Requirements for the MAC Address Table
The following table shows the licensing requirements for this feature.
Default Settings
The default timeout value for dynamic MAC address table entries is 5 minutes.
By default, each interface, including the optional management interface, automatically learns the MAC
addresses of entering traffic, and the adaptive security appliance adds corresponding entries to the MAC
address table.
Guidelines and Limitations
Context Mode Guidelines
• Supported in single and multiple context mode.
• In multiple context mode, configure the MAC address table within each context.
Firewall Mode Guidelines
Supported only in transparent firewall mode. Routed mode is not supported.
Additional Guidelines
In transparent firewall mode, the management interface updates the MAC address table in the same
manner as a data interface; therefore you should not connect both a management and a data interface to
the same switch unless you configure one of the switch ports as a routed port (by default Cisco Catalyst
switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the
management interface from the physically-connected switch, then the adaptive security appliance
updates the MAC address table to use the management interface to access the switch, instead of the data
interface. This action causes a temporary traffic interruption; the adaptive security appliance will not
re-update the MAC address table for packets from the switch to the data interface for at least 30 seconds
for security reasons.
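The following Python sketch is an added example, not part of the Cisco guide or of ASA code. It models the behaviour described above: an unknown destination MAC is dropped and probed rather than flooded, dynamic entries age out after the 5-minute default, and a MAC that has just moved between interfaces is not re-updated for 30 seconds. The class, method names, interface names, subnet and MAC value are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

AGING_SECONDS = 5 * 60  # default timeout for dynamic entries (from the page)
MOVE_HOLD_SECONDS = 30  # minimum time before a moved MAC is re-updated (from the page)


@dataclass
class TransparentBridge:
    """Illustrative model only; names and structure are assumptions."""
    local_net: str  # assumed directly connected subnet, e.g. "10.0.0.0/24"
    table: dict = field(default_factory=dict)       # mac -> (interface, last_seen)
    held_until: dict = field(default_factory=dict)  # mac -> end of hold window

    def lookup(self, mac, now):
        """Return the learned interface, or None if unknown or aged out."""
        entry = self.table.get(mac)
        if entry and now - entry[1] < AGING_SECONDS:
            return entry[0]
        return None

    def learn(self, mac, interface, now):
        """Record a source MAC seen on an interface; False if the move is refused."""
        current = self.lookup(mac, now)
        if current is not None and current != interface:
            if now < self.held_until.get(mac, 0):
                return False  # still inside the hold window: table not re-updated
            self.held_until[mac] = now + MOVE_HOLD_SECONDS
        self.table[mac] = (interface, now)
        return True

    def forward(self, dst_mac, dst_ip, now):
        """Return (action, detail) for a packet to dst_mac/dst_ip."""
        out_if = self.lookup(dst_mac, now)
        if out_if is not None:
            return ("forward", out_if)
        # Unknown destination: the original packet is dropped, never flooded.
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.local_net):
            return ("drop", "arp-request")  # directly connected device
        return ("drop", "ping")             # remote device


if __name__ == "__main__":
    fw = TransparentBridge("10.0.0.0/24")       # constructed sample values below
    print(fw.forward("0000.0c00.0001", "10.0.0.5", now=0))
    fw.learn("0000.0c00.0001", "inside", now=1)  # ARP reply arrives on inside
    print(fw.forward("0000.0c00.0001", "10.0.0.5", now=2))
    fw.learn("0000.0c00.0001", "management", now=10)      # same MAC seen on management
    print(fw.learn("0000.0c00.0001", "inside", now=20))   # False: held for 30 s
```

In the last three lines the switch MAC is re-pointed to the management interface and traffic seen on the data interface cannot correct the entry until the hold window ends, which is the temporary interruption the guideline warns about.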
Model         License Requirement
All models    Base License.
