Last Updated on August 2, 2021 by Admin 3
Which of the following is true of BPDU traffic on a Cisco zonebased firewall in transparent mode? (Select the best answer.)
- It is denied by default.
- It is permitted only in the inbound direction.
- It is permitted only in the outbound direction.
- It is permitted in both inbound and outbound directions.
- It can be controlled by ARP inspection but not by access rules.
Bridge protocol data unit (BPDU) traffic is permitted in both inbound and outbound directions when a Cisco zonebased firewall, such as a Cisco Adaptive Security Appliance (ASA), is operating in transparent mode. In addition, Address Resolution Protocol (ARP) is permitted in both inbound and outbound directions when operating in transparent mode. The default bidirectional flow of ARP traffic in transparent mode is known as an implicit permit. All of the following traffic is implicitly permitted when a Cisco zonebased firewall is operating in transparent mode:
– IP version 4 (IPv4) traffic from a higher security interface to a lower security interface
– IPv6 traffic from a higher security interface to a lower security interface
– ARP traffic in both directions
– BPDU traffic in both directions
Thus a Cisco zonebased firewall operating in transparent mode implicitly permits certain types of traffic at both Layer 2 and Layer 3 of the Open Systems Interconnection (OSI) network model. However, when a Cisco zonebased firewall is operating in routed mode, only Layer 3 IPv4 and IPv6 traffic from a higher security interface to a lower security interface are implicitly permitted.
In either mode, an extended access rule is required to permit additional types of IPv4 traffic. To permit additional types of IPv6 traffic, an IPv6 access rule is required. ARP traffic, not BPDU traffic, can be controlled by ARP inspection but not by access rules. To permit other types of Layer 2 traffic, an EtherType rule is required.