Comments inline.... On Mon, May 24, 2010 at 8:58 PM, B <[email protected]> wrote:
> Hello,
>
> I have a couple questions about Transparent FW.
>
> 1. Why would you use the arp-inspection command with the flood option? This
> allows the unmatching packets to still be flooded. In my testing it still
> allows the ARP packets to pass when no static ARP entries are defined. Does
> it still serve a purpose with the flood option?
>

If an ARP packet has no matching IP/MAC mapping entry and the flood option is enabled, it is allowed to transit. If no-flood is enabled, an ARP packet that has no matching entry will be dropped. For inspection to work, you need to add the mappings manually. The purpose of flood is to choose whether you want to drop or allow the ARP packets that don't have entries configured.

> 2. As I understand it, we need to allow multicast traffic in both
> directions, such as OSPF and PIM hellos. But in the ASA 8.2 Configuration
> Guide (Chapter 4-2), it says IPv4-mapped multicast MAC addresses
> (0100.5E00.0000 to 0100.5EFE.FFFF) are allowed. If so, then why are OSPF,
> PIM dropped without an ACL (even from inside->outside). They use MACs in
> that range. Just curious as to what the ASA guide is getting at.
>

UDP-based multicast packets like RIP are allowed. For L3 multicast, I think the ACL is mandatory.

> Thanks,
>
> B
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
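As an added example (not posted by either participant in this thread, and not taken from Cisco's documentation), here is a transparent-mode ASA 8.2 configuration that puts the two answers above into practice: static ARP mappings plus `arp-inspection ... no-flood` on each interface, so an ARP packet with no matching entry is dropped rather than flooded, and an extended ACL applied inbound on both interfaces that explicitly permits OSPF and PIM to their multicast groups. The interface names, IP addresses and MAC addresses are invented for illustration.

```cisco
! Assumed topology (invented for this example): transparent-mode ASA 8.2 with
! interfaces named inside and outside, a router at 10.1.1.1 on the inside and
! a router at 10.1.1.2 on the outside. MACs and addresses are made up.
firewall transparent
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
!
! Management address of the transparent ASA itself (global in 8.2)
ip address 10.1.1.254 255.255.255.0
!
! Static IP/MAC mappings. ARP inspection compares every ARP packet against
! these; without them there is nothing to match and inspection is moot.
arp inside  10.1.1.1 0011.2233.0001
arp outside 10.1.1.2 0011.2233.0002
!
! no-flood: an ARP packet with no matching static entry is dropped.
! With "flood" instead, the same unmatched ARP packet would be forwarded out
! all interfaces except the one it arrived on, which is what the original
! poster observed in testing.
arp-inspection inside enable no-flood
arp-inspection outside enable no-flood
!
! Layer-3 multicast control traffic is not passed by default in transparent
! mode, so permit it explicitly: OSPF hellos go to 224.0.0.5 and 224.0.0.6,
! PIM hellos to 224.0.0.13. Apply the ACL inbound on BOTH interfaces so the
! neighbours see each other's hellos in both directions.
access-list MCAST-CTRL extended permit ospf any host 224.0.0.5
access-list MCAST-CTRL extended permit ospf any host 224.0.0.6
access-list MCAST-CTRL extended permit pim any host 224.0.0.13
! ... add the regular traffic policy for each direction after these lines;
! the implicit deny at the end of the ACL still applies.
!
access-group MCAST-CTRL in interface inside
access-group MCAST-CTRL in interface outside
```

With this in place, `show arp-inspection` lists each interface with inspection enabled and flood disabled, and OSPF/PIM adjacencies across the ASA form only because the ACL permits the hellos; removing the `access-group` on either interface breaks the adjacency in that direction, which is the behaviour the second question describes.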
