Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 4.1
Configuring ARP Inspection and Bridging Parameters
Downloads: This chapterpdf (PDF - 369.0KB) The complete bookPDF (PDF - 8.06MB) | Feedback

Configuring ARP Inspection and Bridging Parameters

Table Of Contents

Configuring ARP Inspection and Bridging Parameters

Configuring ARP Inspection

ARP Inspection Overview

Adding a Static ARP Entry

Enabling ARP Inspection

Customizing the MAC Address Table

MAC Address Table Overview

Adding a Static MAC Address

Setting the MAC Address Timeout

Disabling MAC Address Learning

Viewing the MAC Address Table


Configuring ARP Inspection and Bridging Parameters


Transparent Firewall Mode Only

This chapter describes how to enable ARP inspection and how to customize bridging operations for the FWSM. In multiple context mode, the commands in this chapter can be entered in a security context, but not the system.

This chapter includes the following sections:

Configuring ARP Inspection

Customizing the MAC Address Table

Configuring ARP Inspection

This section describes ARP inspection and how to enable it, and includes the following topics:

ARP Inspection Overview

Adding a Static ARP Entry

Enabling ARP Inspection

ARP Inspection Overview

By default, all ARP packets are allowed through the FWSM. You can control the flow of ARP packets by enabling ARP inspection. ARP inspection settings apply to all bridge groups.

When you enable ARP inspection, the FWSM compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:

If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.

If there is a mismatch between the MAC address, the IP address, or the interface, then the FWSM drops the packet.

If the ARP packet does not match any entries in the static ARP table, then you can set the FWSM to either forward the packet out all interfaces (flood), or to drop the packet.

ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a "man-in-the-middle" attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to the router.

ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address, so long as the correct MAC address and the associated IP address are in the static ARP table.

Adding a Static ARP Entry

ARP inspection compares ARP packets with static ARP entries in the ARP table. To add a static ARP entry, enter the following command:

hostname(config)# arp interface_name ip_address mac_address

Where the interface_name is the source interface for the ARP packets. The ip_address is the source address, and mac_address is the associated MAC address.

For example, to allow ARP responses from the router at 10.1.1.1 with the MAC address 0009.7cbe.2100 on the outside interface, enter the following command:

hostname(config)# arp outside 10.1.1.1 0009.7cbe.2100

Note The transparent firewall uses dynamic ARP entries in the ARP table for traffic to and from the FWSM, such as management traffic.


Enabling ARP Inspection

To enable ARP inspection, enter the following command:

hostname(config)# arp-inspection interface_name enable [flood | no-flood]

Where the interface_name is the interface on which you want to enable ARP inspection. The flood keyword forwards non-matching ARP packets out all interfaces, and no-flood drops non-matching packets.


Note The default setting is to flood non-matching packets. To restrict ARP through the FWSM to only static entries, then set this command to no-flood.


For example, to enable ARP inspection on the outside interface, and to drop all non-matching ARP packets, enter the following command:

hostname(config)# arp-inspection outside enable no-flood

To view the current settings for ARP inspection on all interfaces, enter the show arp-inspection command.

Customizing the MAC Address Table

This section describes the MAC address table, and includes the following topics:

MAC Address Table Overview

Adding a Static MAC Address

Setting the MAC Address Timeout

Disabling MAC Address Learning

Viewing the MAC Address Table

MAC Address Table Overview

The FWSM learns and builds a MAC address table in a similar way as a normal bridge or switch: when a device sends a packet through the FWSM, the FWSM adds the MAC address to its table. The table associates the MAC address with the source interface and a bridge group so that the FWSM knows to send any packets addressed to the device out the correct interface. A MAC address can have more than one entry in the table if it sent traffic through more than one bridge group. When the FWSM needs to determine the egress interface to deliver a packet to that MAC address, then the FWSM uses the entry for the bridge group that contains the ingress interface for the packet.

Because the FWSM is a firewall, if the destination MAC address of a packet is not in the table, the FWSM does not flood the original packet on all interfaces of the bridge group as a normal bridge does. Instead, it generates the following packets for directly connected devices or for remote devices:

Packets for directly connected devices—The FWSM generates an ARP request for the destination IP address, so that the FWSM can learn which interface receives the ARP response.

Packets for remote devices—The FWSM generates a ping to the destination IP address so that the FWSM can learn which interface receives the ping reply.

The original packet is dropped.

Adding a Static MAC Address

Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired. One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the FWSM drops the traffic and generates a system log message.

To add a static MAC address to the MAC address table, enter the following command:

hostname(config)# mac-address-table static interface_name mac_address

The interface_name is the source interface.

Setting the MAC Address Timeout

The default timeout value for dynamic MAC address table entries is 5 minutes, but you can change the timeout. To change the timeout, enter the following command:

hostname(config)# mac-address-table aging-time timeout_value

The timeout_value (in minutes) is between 5 and 720 (12 hours). 5 minutes is the default.

Disabling MAC Address Learning

By default, each interface automatically learns the MAC addresses of entering traffic, and the FWSM adds corresponding entries to the MAC address table. You can disable MAC address learning if desired, however, unless you statically add MAC addresses to the table, no traffic can pass through the FWSM.

To disable MAC address learning, enter the following command:

hostname(config)# mac-learn interface_name disable

The no form of this command reenables MAC address learning. The clear configure mac-learn command reenables MAC address learning on all interfaces.

Viewing the MAC Address Table

You can view the entire MAC address table (including static and dynamic entries), the MAC address table for an interface, or the MAC address table for a bridge group. To view the MAC address table, enter the following command:

hostname# show mac-address-table [interface_name | bridge_group]

The following is sample output from the show mac-address-table command that shows the entire table:

hostname# show mac-address-table
interface				    mac address				       type			      Age min)   Group
-----------------------------------------------------------------------
outside					0009.7cbe.2100				   static				-        Eng
inside					0010.7cbe.6101				   static				-        Eng
inside					0009.7cbe.5101				   dynamic				10       Eng

The following is sample output from the show mac-address-table command that shows the table for the inside interface:

hostname# show mac-address-table inside
interface				    mac address       type			      Age min)   Group
-----------------------------------------------------------------------
inside					0010.7cbe.6101				   static				-        Eng
inside					0009.7cbe.5101				   dynamic				10       Eng