Which of the following are true of ARP traffic on a Cisco zonebased firewall in transparent mode? (Select 2
choices.)

A.
It is denied by default.

B.
It is permitted only in the inbound direction.

C.
It is permitted only in the outbound direction.

D.
It is permitted in both inbound and outbound directions.

E.
It can be controlled by ARP inspection but not by access rules.

Explanation:
Address Resolution Protocol (ARP) traffic is permitted in both inbound and outbound directions when a Cisco
zonebased firewall, such as a Cisco Adaptive Security Appliance (ASA), is operating in transparent mode. In
addition, ARP can be controlled by ARP inspection, but not by access rules, on a Cisco ASA that is operating in
transparent mode. The default bidirectional flow of ARP traffic in transparent mode is known as an implicit
permit. All of the following traffic is implicitly permitted when a Cisco zonebased firewall is operating in
transparent mode:
– IP version 4 (IPv4) traffic from a higher security interface to a lower security interface
– IPv6 traffic from a higher security interface to a lower security interface
– ARP traffic in both directions
– Bridge protocol data unit (BPDU) traffic in both directions
Thus a Cisco zonebased firewall operating in transparent mode implicitly permits certain types of traffic at both
Layer 2 and Layer 3 of the Open Systems Interconnection (OSI) network model. However, when a Cisco
zonebased firewall is operating in routed mode, only Layer 3 IPv4 and IPv6 traffic from a higher security
interface to a lower security interface are implicitly permitted.
In either mode, an extended access rule is required to permit additional types of IPv4 traffic. To permit
additional types of IPv6 traffic, an IPv6 access rule is required. To permit other types of Layer 2 traffic, an
EtherType rule is required.

Cisco: Configuring Access Rules: General Information About Rules