Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

FWSM: How to permit Solaris Jumpstart (uses RARP)?

Can anyone offer a suggestion regarding this problem? I have a firewall service module (FWSM) running code 2.3(1) in transparent mode. On the inside VLAN I have a Sun server that is to be rebuilt using the Sun "Jumpstart" method. When the "boot net -install" command is given at the Sun's OpenBoot 'ok' prompt, the server sends a RARP packet, asking to be given an IP address. I can see this RARP packet in a capture of the server's switchport traffic. I never see the packet on the other side of the firewall, however. ARP inspection is disabled (as by default), and the documentation I read indicates that that should be OK. A "show arp" in the firewall context does show that the FW context does have a good ARP entry.


Christopher Ursich

  • Other Security Subjects

Re: FWSM: How to permit Solaris Jumpstart (uses RARP)?

Hi .. is the switch port where the server is connected configured as trunk ..? and if it is do you have a native VLAN configured on it ..?

Another think to look at could be the possibility that the firewall is not seing those packets as normal IP traffic and hence you might have to create an EtherType access-list which will specifically allowed thoses packets through ..

Re: FWSM: How to permit Solaris Jumpstart (uses RARP)?

Hi, Fernando.

The server's switchport is not a trunk; it's just regular "access" mode.

I investigated doing that. At least in Firewall Management Center (part of CiscoWorks VMS), RARP is not one of the options when creating an ethertype access-list entry. The choices are: IPX, BPDU, MPLS-UNICAST, MPLS-MULTICAST, and "Other" (where you need to enter a hex value).

From my Ethereal captures, I infer that RARP is considered to be a subset of ARP. Since page 7-3 of the FWSM configuration guide says: "By default, ARP inspection is disabled on all interfaces; all ARP packets are allowed through the FWSM," I thought it should work.