RE: transparent fw issues

From: Ryan West <rwest_at_zyedge.com>
Date: Sun, 14 Nov 2010 19:24:58 +0000

CAM - All Catalyst switch models use a CAM table for Layer 2 switching. As
frames arrive on switch ports, the source MAC addresses are learned and
recorded in the CAM table. The port of arrival and the VLAN are both recorded
in the table, along with a timestamp. If a MAC address learned on one switch
port has moved to a different port, the MAC address and timestamp are recorded
for the most recent arrival port. Then, the previous entry is deleted. If a
MAC address is found already present in the table for the correct arrival
port, only its timestamp is updated.

That's from Cisco's documentation and easily viewable by doing a 'show mac
address-table'. From that you can see that learned MACs have a port and VLAN
association to them. So, the switch will see the MAC of the server
represented by the port that the firewall is connected to on the VLAN for the
PC. The firewall will have a layer 2 entry corresponding to the interface on
which it's connected.

If you still don't believe that layer 2 traffic is passing through the
firewall, turn on ARP inspection on both firewall interfaces and clear the ARP
on your client.

-ryan
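The behaviour described above (a CAM table keyed on VLAN plus MAC, in which the server's MAC shows up on the firewall's port in the PC's VLAN) and the point made further down the thread that the switch never passes frames between VLANs unless something bridges them, as an added simulation. This is example code written for this archive; it is not from the thread, from Cisco, or from the packetu.com article. The port names Gi1..Gi4, the MAC addresses, and the choice of VLAN 10 for the PC side and VLAN 20 for the server side are assumptions made for the example.

```python
"""Per-VLAN learning switch plus a two-interface transparent firewall.

Assumed topology (hypothetical names): pc1 on switch port Gi1 (VLAN 10),
server on Gi2 (VLAN 20), firewall e0/1 on Gi3 (VLAN 10), firewall e0/0 on
Gi4 (VLAN 20). The firewall is modelled as a learning bridge between its
two sides, which is what a transparent firewall is at layer 2.
"""
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
PC_MAC = "00:00:00:00:00:01"       # constructed sample addresses
SERVER_MAC = "00:00:00:00:00:02"


class Frame:
    def __init__(self, src: str, dst: str, payload: str) -> None:
        self.src, self.dst, self.payload = src, dst, payload


class Switch:
    """CAM is keyed on (vlan, mac) -> port, as in 'show mac address-table'."""

    def __init__(self, port_vlan: Dict[str, int]) -> None:
        self.port_vlan = port_vlan
        self.cam: Dict[Tuple[int, str], str] = {}
        self.links: Dict[str, object] = {}          # port -> attached device

    def attach(self, port: str, device) -> None:
        self.links[port] = device

    def receive(self, in_port: str, frame: Frame) -> List[str]:
        """Learn src on (vlan, in_port), then forward by (vlan, dst) lookup.
        Unknown unicast and broadcast flood inside the ingress VLAN only."""
        vlan = self.port_vlan[in_port]
        self.cam[(vlan, frame.src)] = in_port       # newest arrival port wins
        out = self.cam.get((vlan, frame.dst))
        if frame.dst == BROADCAST or out is None:
            egress = [p for p, v in self.port_vlan.items() if v == vlan and p != in_port]
        else:
            egress = [out]
        for p in egress:
            self.links[p].receive(p, frame)
        return egress

    def mac_address_table(self) -> List[Tuple[int, str, str]]:
        """Rows of (vlan, mac, port), sorted like the CLI output."""
        return sorted((v, m, p) for (v, m), p in self.cam.items())


class Host:
    def __init__(self, mac: str) -> None:
        self.mac, self.received = mac, []

    def receive(self, port: str, frame: Frame) -> None:
        if frame.dst in (self.mac, BROADCAST):
            self.received.append(frame)


class TransparentFirewall:
    """Bridge between two switch ports in different VLANs. A frame entering one
    side is re-injected on the other unless the firewall's own L2 table already
    places the destination on the ingress side."""

    def __init__(self, switch: Switch, inside_port: str, outside_port: str) -> None:
        self.switch = switch
        self.peer = {inside_port: outside_port, outside_port: inside_port}
        self.side = {inside_port: "inside", outside_port: "outside"}
        self.bridge_table: Dict[str, str] = {}      # mac -> side
        self.inspected: List[Tuple[str, str, str]] = []

    def receive(self, port: str, frame: Frame) -> None:
        side = self.side[port]
        self.bridge_table[frame.src] = side
        self.inspected.append((side, frame.src, frame.dst))   # policy would run here
        if self.bridge_table.get(frame.dst) == side:
            return                                  # same side: nothing to bridge
        self.switch.receive(self.peer[port], frame)


def run_scenario() -> dict:
    """pc1 ARPs for the server, the server replies, pc1 sends unicast."""
    sw = Switch({"Gi1": 10, "Gi2": 20, "Gi3": 10, "Gi4": 20})
    pc, server = Host(PC_MAC), Host(SERVER_MAC)
    fw = TransparentFirewall(sw, inside_port="Gi3", outside_port="Gi4")
    for port, dev in (("Gi1", pc), ("Gi2", server), ("Gi3", fw), ("Gi4", fw)):
        sw.attach(port, dev)
    sw.receive("Gi1", Frame(PC_MAC, BROADCAST, "ARP who-has 10.0.0.254"))
    sw.receive("Gi2", Frame(SERVER_MAC, PC_MAC, "ARP reply"))
    egress = sw.receive("Gi1", Frame(PC_MAC, SERVER_MAC, "data"))
    return {
        "cam": sw.mac_address_table(),              # server MAC: Gi3 in VLAN 10, Gi2 in VLAN 20
        "unicast_egress": egress,                   # ["Gi3"]: the firewall port, not Gi2
        "fw_saw_unicast": fw.inspected[-1],
        "server_got": [f.payload for f in server.received],
        "pc_got": [f.payload for f in pc.received],
    }


def run_same_vlan_no_firewall() -> List[str]:
    """Control case: PC and server in one VLAN, so the CAM sends the frame straight
    to the server port and no firewall is ever in the path."""
    sw = Switch({"Gi1": 10, "Gi2": 10})
    pc, server = Host(PC_MAC), Host(SERVER_MAC)
    sw.attach("Gi1", pc)
    sw.attach("Gi2", server)
    sw.receive("Gi1", Frame(PC_MAC, BROADCAST, "ARP who-has 10.0.0.254"))
    sw.receive("Gi2", Frame(SERVER_MAC, PC_MAC, "ARP reply"))
    return sw.receive("Gi1", Frame(PC_MAC, SERVER_MAC, "data"))
```

The thing to look at in `run_scenario()` is the CAM table: the same server MAC is learned on Gi3 in VLAN 10 and on Gi2 in VLAN 20, because the only way the server's frames ever reach VLAN 10 is through the firewall's e0/1 side. The unicast from pc1 therefore egresses on the firewall's port, and `fw.inspected` shows the firewall seeing it. The control case shows what the original question worried about: with both hosts in one VLAN the lookup resolves directly to Gi2 and the firewall is bypassed.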

From: ehtesham ali [mailto:conect2ehtesham_at_gmail.com]
Sent: Sunday, November 14, 2010 1:46 PM
To: Ryan West
Cc: ccielab_at_groupstudy.com
Subject: Re: transparent fw issues

The article was very informative on what happens when the CAM table of the FW
doesn't find a MAC address, but still the picture is not clear as far as layer 2
processing is concerned.

I believe my question is clear. To recall:

Same topology as above. When the switch receives a frame destined for the server
from the PC, it will undergo a CAM lookup and forward the frame on to the port
connected to the server. As the switching decision is based on MAC address, the
CAM lookup will guide the switch to forward the frame to the server.

When will the switch forward frames to the FW?

Security experts, kindly help me with this basic question :-)

On Sat, Nov 13, 2010 at 7:24 PM, Ryan West
<rwest_at_zyedge.com<mailto:rwest_at_zyedge.com>> wrote:
Here's a good article that should explain the MAC table creation for the ASA
while in transparent mode. In short, the switch is not going to pass frames
between VLANs unless it's explicitly bridged.
http://packetu.com/content/view/51/

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com<mailto:nobody_at_groupstudy.com>
[mailto:nobody_at_groupstudy.com<mailto:nobody_at_groupstudy.com>] On Behalf Of
ehtesham ali
Sent: Saturday, November 13, 2010 6:09 AM
To: ccielab_at_groupstudy.com<mailto:ccielab_at_groupstudy.com>
Subject: transparent fw issues

Hi group,
I have the following scenario on a transparent firewall. The PC and FW e0/1
belong to VLAN 10, and the server and firewall e0/0 belong to VLAN 10.

 10.0.0.1
 pc1 ----------------------- [ switch ] ----------------------- server 10.0.0.254
                                |  |
                                |  |
                           e0/1 |  | e0/0
                              firewall

When pc1 ARPs for the server MAC address, the server will respond to it. Here I
get the logic of using two VLANs even though the subnet is the same.

When pc1 sends the frame with the layer 2 destination address of the server, the
switch will forward the frame based on the MAC address table out to the port
connected to the server.

Just wanted to know where the firewall comes in.
Kindly guide me if I am wrong. I want every packet destined to the server to
first pass through the firewall in L2 mode.

If the PC is sending frames with the server MAC address as the L2 destination
address, then I believe the switch will just look at the frame's layer 2 header,
look in the CAM table and simply forward it out of the link connected to the
server.

thanks

Received on Sun Nov 14 2010 - 19:24:58 ART