1-6
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Access Rules
Licensing Requirements for Access Rules
Supported EtherTypes and Other Traffic
An EtherType rule controls the following:
• EtherType identified by a 16-bit hexadecimal number, including common types IPX and MPLS
unicast or multicast.
• Ethernet V2 frames.
• BPDUs, which are permitted by default. BPDUs are SNAP-encapsulated, and the ASA is designed
to specifically handle BPDUs.
• Trunk port (Cisco proprietary) BPDUs. Trunk BPDUs have VLAN information inside the payload,
so the ASA modifies the payload with the outgoing VLAN if you allow BPDUs.
The following types of traffic are not supported:
• 802.3-formatted frames—These frames are not handled by the rule because they use a length field
as opposed to a type field.
Access Rules for Returning Traffic
Because EtherTypes are connectionless, you need to apply the rule to both interfaces if you want traffic
to pass in both directions.
Allowing MPLS
If you allow MPLS, ensure that Label Distribution Protocol and Tag Distribution Protocol TCP
connections are established through the ASA by configuring both MPLS routers connected to the ASA
to use the IP address on the ASA interface as the router-id for LDP or TDP sessions. (LDP and TDP
allow MPLS routers to negotiate the labels (addresses) used to forward packets.)
On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is
the interface connected to the ASA.
hostname(config)# mpls ldp router-id interface force
Or
hostname(config)# tag-switching tdp router-id interface force
Licensing Requirements for Access Rules
Prerequisites
Before you can create an access rule, create the access list. See Chapter 1, “Adding an Extended Access
Control List,” and Chapter 1, “Adding an EtherType Access List,” for more information.
Model License Requirement
All models Base License.
To Next Page
Loading...
Need help?
General
