Which of the following is true of BPDU traffic on a Cisco zone-based firewall in transparent mode? (Select the best answer.)
A. It is denied by default.
B. It is permitted only in the inbound direction.
C. It is permitted only in the outbound direction.
D. It is permitted in both inbound and outbound directions.
E. It can be controlled by ARP inspection but not by access rules.
Explanation:
Bridge protocol data unit (BPDU) traffic is permitted in both inbound and outbound directions when a Cisco zone-based firewall, such as a Cisco Adaptive Security Appliance (ASA), is operating in transparent mode. In addition, Address Resolution Protocol (ARP) traffic is permitted in both inbound and outbound directions when the firewall is operating in transparent mode. The default bidirectional flow of ARP traffic in transparent mode is known as an implicit permit. All of the following traffic is implicitly permitted when a Cisco zone-based firewall is operating in transparent mode:
– IP version 4 (IPv4) traffic from a higher security interface to a lower security interface
– IPv6 traffic from a higher security interface to a lower security interface
– ARP traffic in both directions
– BPDU traffic in both directions
Thus, a Cisco zone-based firewall operating in transparent mode implicitly permits certain types of traffic at both Layer 2 and Layer 3 of the Open Systems Interconnection (OSI) network model. However, when a Cisco zone-based firewall is operating in routed mode, only Layer 3 IPv4 and IPv6 traffic from a higher security interface to a lower security interface is implicitly permitted.
In either mode, an extended access rule is required to permit additional types of IPv4 traffic. To permit additional types of IPv6 traffic, an IPv6 access rule is required. ARP traffic, not BPDU traffic, can be controlled by ARP inspection but not by access rules. To permit other types of Layer 2 traffic, an EtherType rule is required.

Reference: Cisco: Configuring Access Rules: General Information About Rules