
Exam 300-710 topic 1 question 36 discussion

Actual exam question from Cisco's 300-710
Question #: 36
Topic #: 1

An organization has a Cisco FTD that uses bridge groups to pass traffic from the inside interfaces to the outside interfaces. They are unable to gather information about neighboring Cisco devices or use multicast in their environment. What must be done to resolve this issue?

  • A. Create a firewall rule to allow CDP traffic
  • B. Create a bridge group with the firewall interfaces
  • C. Change the firewall mode to transparent
  • D. Change the firewall mode to routed
Suggested Answer: C

Comments

gc999
Highly Voted 1 year, 6 months ago
Selected Answer: A
The case already has the bridge group configured; any change of the firewall mode would cause a routing impact. Only option A is acceptable. From the link below, I believe that no matter whether the bridge group is in routed mode or transparent mode, it needs an access rule to pass the multicast traffic when using a bridge group.
upvoted 7 times
gc999
1 year, 6 months ago
The link is here https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html#ID-2106-0000001e:~:text=Broadcast%20and%20multicast%20traffic%20can%20be%20passed%20using%20access%20rules
upvoted 2 times
14a1949
Most Recent 21 hours, 25 minutes ago
Selected Answer: C
Creating a firewall rule to allow CDP traffic (option A) might seem like a straightforward solution, but it's important to consider how Cisco Firepower Threat Defense (FTD) operates in different firewall modes. When the FTD is in routed mode, it functions at Layer 3 and doesn't support CDP (Cisco Discovery Protocol) or multicast traffic by default. Switching the FTD to transparent mode (option C) would enable Layer 2 features, such as CDP and multicast, because in transparent mode, the device acts more like a bridge, allowing Layer 2 traffic to pass through. So, for full functionality including gathering information about neighboring Cisco devices and supporting multicast traffic, changing the firewall mode to transparent is the most appropriate solution.
upvoted 1 times
14a1949
1 week, 1 day ago
Selected Answer: C
Changing the firewall mode to routed (option D) would allow the FTD device to participate in Layer 3 routing, which can help with gathering information about neighboring devices and supporting multicast traffic. However, this mode requires each interface to be on a different subnet, which might not align with your current network setup using bridge groups. On the other hand, changing the firewall mode to transparent (option C) allows the firewall to operate at Layer 2, passing traffic between interfaces without being seen as a router hop. This mode supports protocols like CDP (Cisco Discovery Protocol) and multicast traffic, which are essential for gathering information about neighboring devices and using multicast in the environment. So, while routed mode (option D) could work, transparent mode (option C) is generally more suitable for environments using bridge groups and needing Layer 2 connectivity.
upvoted 1 times
14a1949
1 week, 1 day ago
Selected Answer: C
You are correct! Changing the firewall mode to transparent (option C) would resolve the issue. In transparent mode, the firewall operates at Layer 2, allowing it to pass traffic between interfaces without being seen as a router hop. This mode supports protocols like CDP (Cisco Discovery Protocol) and multicast traffic, which are essential for gathering information about neighboring devices and using multicast in the environment.
upvoted 1 times
14a1949
1 week, 1 day ago
Selected Answer: D
I understand your perspective. However, creating a firewall rule to allow CDP traffic (**A**) would only address the discovery of neighboring Cisco devices through CDP. It would not solve the multicast issue in the environment. To enable both CDP and multicast functionalities, the firewall needs to operate at Layer 3, which is achieved by **D. Change the firewall mode to routed**. Switching to routed mode will allow the Cisco FTD to handle Layer 3 tasks, including CDP and multicast routing, thereby resolving the issues faced by the organization. If you have any further questions or need more clarification, I'm here to help!
upvoted 1 times
devildog
4 months, 2 weeks ago
Selected Answer: D
Guidelines for Multicast Routing, Firewall Mode: "Supported only in routed firewall mode. Transparent firewall mode is not supported." https://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/multicast_routing_for_firepower_threat_defense.html
upvoted 1 times
devildog
2 months, 3 weeks ago
Changing my answer to C, transparent firewall mode. A seems to be popular, but CDP uses multicast. The question states that both CDP and multicast are not working. This would mean that allowing CDP through the firewall would not fix the underlying issue of multicast not functioning. Transparent mode supports multicast, which in turn means CDP should work.
upvoted 1 times
squirrelzzz
5 months, 3 weeks ago
Selected Answer: C
Allows CDP and multicast by default in transparent mode
upvoted 1 times
MB2222
9 months ago
Correct answer is: A. https://community.cisco.com/t5/security-knowledge-base/what-do-you-need-to-know-about-transparent-firewall-asa-or-ftd/ta-p/3773884 Non-IP traffic will be blocked by default in transparent firewall mode.
upvoted 1 times
touchy
10 months, 4 weeks ago
Selected Answer: A
"In routed mode, some types of traffic cannot pass through the ASA even if you allow it in an access rule. The bridge group, however, can allow almost any traffic through using either an access rule (for IP traffic) or an EtherType rule (for non-IP traffic): IP traffic—In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Within a bridge group, you can allow this traffic with an access rule (using an extended ACL). Non-IP traffic—AppleTalk, IPX, BPDUs, and MPLS, for example, can be configured to go through using an EtherType rule." Based on the above, changing the mode to routed will not solve the issue. Furthermore, in transparent mode non-IP traffic is blocked by default. Answer B is the least possible since we already have bridge groups. So we are left with A
upvoted 1 times
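The documentation quoted above separates traffic a bridge group can pass with an extended access rule (IP, including multicast and broadcast) from traffic that needs an EtherType rule (non-IP frames). The following Python classifier is an added example, not code from the page or from Cisco; it parses a raw Ethernet frame and reports which class it falls into and which rule type the quoted text says applies. The three frames are constructed samples, and the CDP frame shows why CDP is not an IP packet at all: it is LLC/SNAP-encapsulated and sent to the group MAC 01:00:0c:cc:cc:cc.

```python
import struct
import ipaddress

# Constructed sample frames (hand-built for this example, not captures).
# CDP: dst 01:00:0c:cc:cc:cc, 802.3 length field (0x0014), LLC/SNAP header
# (AA AA 03, OUI 00:00:0c, PID 0x2000), then a minimal CDP body. No IP layer.
CDP_FRAME = bytes.fromhex(
    "01000ccccccc" "001122334455" "0014"
    "aaaa03" "00000c" "2000" "02b40000" "00010008" "53573031")
# IPv4 multicast: dst MAC 01:00:5e:01:01:01, UDP datagram to 239.1.1.1.
MCAST_FRAME = bytes.fromhex(
    "01005e010101" "001122334455" "0800"
    "4500001c00010000011100000a000001ef010101" "1234123400080000")
# IPv4 unicast: TCP segment from 10.0.0.1 to 10.0.0.2.
UNICAST_FRAME = bytes.fromhex(
    "00aabbccddee" "001122334455" "0800"
    "4500002800010000400600000a0000010a000002"
    "c0000050000000000000000050020000" "00000000")


def classify_frame(frame: bytes) -> dict:
    """Map an Ethernet frame to the traffic class and the bridge-group rule type
    described in the quoted Cisco text (access rule for IP, EtherType rule for non-IP)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac = frame[0:6]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    result = {
        "l2_multicast": bool(dst_mac[0] & 0x01),  # I/G bit set: group (multicast/broadcast) MAC
        "l2_broadcast": dst_mac == b"\xff" * 6,
    }
    if type_or_len < 0x0600:
        # An 802.3 length field means LLC/SNAP framing (CDP, STP BPDUs): never IP.
        result.update(kind="non-ip-llc", bridge_group_rule="EtherType rule")
    elif type_or_len in (0x0800, 0x86DD):
        raw = frame[30:34] if type_or_len == 0x0800 else frame[38:54]
        dst_ip = ipaddress.ip_address(raw)  # accepts packed 4- or 16-byte form
        broadcast = type_or_len == 0x0800 and raw == b"\xff" * 4
        if dst_ip.is_multicast or broadcast:
            # Bridge group: permit with an extended ACL. Routed interfaces: blocked regardless.
            result.update(kind="ip-multicast" if dst_ip.is_multicast else "ip-broadcast",
                          bridge_group_rule="access rule (extended ACL)")
        else:
            result.update(kind="ip-unicast", bridge_group_rule="access rule (extended ACL)")
    else:
        # Any other EtherType (IPX, MPLS, ...) is non-IP and also needs an EtherType rule.
        result.update(kind="non-ip-ethertype", bridge_group_rule="EtherType rule")
    return result


if __name__ == "__main__":
    for name, frame in (("CDP", CDP_FRAME), ("IPv4 mcast", MCAST_FRAME), ("IPv4 unicast", UNICAST_FRAME)):
        print(f"{name:13s} {classify_frame(frame)}")
```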
achille5
1 year, 5 months ago
Selected Answer: A
Broadcast and multicast traffic can be passed using access rules.
upvoted 1 times
achille5
1 year, 5 months ago
CDP packets are sent to a multicast
upvoted 2 times
bassfunk
1 year, 5 months ago
Selected Answer: A
IP traffic—In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Within a bridge group, you can allow this traffic with an access rule (using an extended ACL)
upvoted 3 times
spambox730
1 year, 6 months ago
Selected Answer: A
see gc999 link
upvoted 1 times
ureis
1 year, 8 months ago
This organization uses bridge groups already -> Answer B is not correct. Answer A does not seem to be correct, as the firewall rule only allows CDP traffic, not multicast. So only answer C is left. Note: Bridge groups are supported in both transparent and routed firewall mode.
upvoted 2 times
saad_SEIU
1 year, 9 months ago
Selected Answer: D
Bridge groups can't pass traffic between each other in Transparent mode.
upvoted 2 times
Initial14
1 year, 9 months ago
Selected Answer: A
The firewall is in Transparent mode, but CDP with BVI in transparent mode has no limitation, so there must be a rule implemented to allow CDP. For me the answer is A.
upvoted 1 times
Joe_Blue
1 year, 10 months ago
Selected Answer: C
The inability to gather information about neighboring Cisco devices or use multicast in a Cisco FTD environment that uses bridge groups is likely due to the fact that the firewall is operating in routed mode. In order to resolve this issue and enable the necessary features, the firewall mode needs to be changed to transparent mode. In transparent mode, the firewall operates as a bridge between the two interfaces, allowing multicast traffic to pass through and enabling the organization to gather information about neighboring Cisco devices. In addition, it is not necessary to create a bridge group when operating in transparent mode, as the firewall acts as a transparent bridge between the two interfaces.
upvoted 3 times
Weyland
2 years, 3 months ago
Selected Answer: C
https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/intro-fw.html Search for CDP and do your own reading.
upvoted 2 times
Weyland
2 years, 3 months ago
I mean routed, transparent or bridge groups do not pass CDP. This negates A, B and C.
upvoted 1 times
bassfunk
1 year, 5 months ago
Your own link refutes this. Read the last sentence. The answer is A. IP traffic—In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Within a bridge group, you can allow this traffic with an access rule (using an extended ACL)
upvoted 2 times
Community vote distribution
  • A (35%)
  • C (25%)
  • B (20%)
  • Other