Table Of Contents
Configuring ARP
Adding a Static ARP Entry
Enabling ARP Inspection
Configuring the ARP Retry Attempts
Configuring the ARP Retry Interval
Configuring the ARP Request Interval
Enabling the Learning of MAC Addresses
Configuring the ARP Learned Interval
Displaying ARP Information
Displaying IP Address-to-MAC Address Mapping
Displaying ARP Statistics
Displaying ARP Inspection Configuration
Displaying ARP Timeout Values
Clearing ARP Learned Entries from the ARP Table
Clearing ARP Statistics
Configuring ARP
The Address Resolution Protocol (ARP) on the ACE manages and learns the mapping of IP addresses to Media Access Control (MAC) addresses that the ACE needs to forward and transmit packets. The ACE creates an ARP cache entry when it receives an ARP packet or when you configure an IP address on the ACE, for example, an IP address for a real server, a gateway, or a VLAN interface.
You can also configure static ARP entries for IP-to-MAC translations and enable ARP inspection to prevent ARP spoofing. ARP inspection ensures that an attacker cannot impersonate a host or router by sending an ARP response with the attacker MAC address, as long as the correct MAC address and the associated IP address are in the static ARP table.
This chapter describes how to configure ARP parameters, enable ARP inspection, and includes the following topics:
•
Adding a Static ARP Entry
•
Enabling ARP Inspection
•
Configuring the ARP Retry Attempts
•
Configuring the ARP Retry Interval
•
Configuring the ARP Request Interval
•
Enabling the Learning of MAC Addresses
•
Configuring the ARP Learned Interval
To display ARP information on the ACE, see the "Displaying ARP Information" section.
Adding a Static ARP Entry
To add a static ARP entry to the ARP table, use the arp command in configuration mode. You can create a static ARP entry at the context level. For bridged interfaces, you must configure static ARP entries in interface configuration mode for the specific interface.
Note
When you enable ARP inspection, the ACE compares ARP packets with static ARP entries in the ARP table to determine what action to take. For more information, see the "Enabling ARP Inspection" section.
The syntax for the arp command is:
arp ip_address mac_address
The arguments are:
•
ip_address—IP address for an ARP table entry. Enter the IP address in dotted-decimal notation (for example, 172.16.56.76).
•
mac_address—Hardware MAC address for the ARP table entry. Enter the MAC address in dotted-hexadecimal notation (for example, 00.60.97.d5.26.ab).
For example, to allow ARP responses from the router at 10.1.1.1 with the MAC address 00.02.9a.3b.94.d9, enter the following command:
host1/Admin(config)# arp 10.1.1.1 00.02.9a.3b.94.d9
To remove a static ARP entry, use the no arp command. For example, enter:
host1/Admin(config)# no arp 10.1.1.1 00.02.9a.3b.94.d9
Enabling ARP Inspection
ARP inspection prevents malicious users from impersonating other hosts or routers, known as ARP spoofing. ARP spoofing can enable a "man-in-the-middle" attack. For example, a host sends an ARP request to the gateway router. The gateway router responds with the gateway router MAC address.
However, the attacker sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to the router. ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address, as long as the correct MAC address and the associated IP address are in the static ARP table.
ARP inspection applies to bridged interfaces. By default, ARP inspection is disabled on all interfaces, and the ACE passes all ARP packets. When you enable ARP inspection, the ACE compares the MAC address, IP address, and source interface of every ARP packet with the static entries in the ARP table and takes one of the following actions:
•
If the IP address, MAC address, and source interface match a static ARP entry, the ACE allows the packet to pass.
•
If the MAC address, the IP address, or the interface does not match the static entry, the ACE drops the packet.
•
If the ARP packet does not match any entry in the static ARP table, the ACE either forwards the packet out all interfaces in the bridge group (flood) or drops it, depending on how you enable inspection.
To enable ARP inspection, use the arp inspection enable command in configuration mode. The syntax for this command is:
arp inspection enable [flood | no-flood]
The options are:
•
flood—Floods ARP packets that do not match any static entry: the ACE forwards them out all interfaces in the bridge group. This is the default setting.
•
no-flood—Drops ARP packets that do not match any static entry instead of forwarding them.
For example, to enable ARP inspection, and to drop all non-matching ARP packets, enter the following command:
host1/Admin(config)# arp inspection enable no-flood
To disable ARP inspection, use the no arp inspection enable command. For example, enter:
host1/Admin(config)# no arp inspection enable
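The following Python script is an added example that models the static ARP table and the inspection rules from the two sections above; it is not part of the Cisco documentation or of the ACE software. The configuration text, the interface names, and the function names (normalize_mac, parse_static_arp, inspect, demo) are constructed for the illustration. One point the chapter leaves open is a packet whose sender IP has no static entry but whose MAC is pinned to another static IP; the model treats that as a mismatch and drops it, which is an assumption.

```python
"""Model of ACE static ARP entries and ARP inspection (added example, not ACE code)."""
import re
from typing import Dict, Optional, Tuple

ALLOW, DROP, FLOOD = "allow", "drop", "flood"

# ip -> (canonical mac, interface). interface None means the entry was configured
# at context level; the model assumes such an entry matches any source interface.
StaticTable = Dict[str, Tuple[str, Optional[str]]]

ARP_LINE = re.compile(r"^arp\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def normalize_mac(mac: str) -> str:
    """Canonicalise the ACE dotted-hex form (00.02.9a.3b.94.d9), the colon form
    and the dash form into lower-case colon-separated octets."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_static_arp(config: str) -> StaticTable:
    """Collect 'arp <ip> <mac>' lines from ACE-style configuration text.
    Indented arp lines under 'interface vlan N' are bound to that interface, as
    the chapter requires for bridged interfaces; unindented lines are context level."""
    table: StaticTable = {}
    current_if: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[:1].isspace():
            current_if = None                      # back at context level
        if line.startswith("interface "):
            current_if = line.split(None, 1)[1]    # e.g. "vlan 100"
            continue
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = (normalize_mac(m.group(2)), current_if)
    return table


def inspect(table: StaticTable, sender_ip: str, sender_mac: str,
            source_if: str, flood: bool = True) -> str:
    """Apply the inspection rules to the sender fields of one ARP packet.
    flood=True is the 'arp inspection enable flood' default; False is no-flood."""
    mac = normalize_mac(sender_mac)
    entry = table.get(sender_ip)
    if entry is not None:
        expected_mac, expected_if = entry
        if expected_mac == mac and expected_if in (None, source_if):
            return ALLOW
        return DROP                                # known IP, wrong MAC or interface
    # No entry for this IP. A MAC that is pinned to a different static IP is
    # treated as a mismatch as well (assumption); anything else matches nothing,
    # so the flood setting decides.
    if any(expected_mac == mac for expected_mac, _ in table.values()):
        return DROP
    return FLOOD if flood else DROP


# Constructed configuration: one bridge group with the gateway on the client
# VLAN and one real server on the server VLAN.
SAMPLE_CONFIG = """\
interface vlan 100
  bridge-group 1
  arp 10.1.1.1 00.02.9a.3b.94.d9
interface vlan 200
  bridge-group 1
  arp 10.1.1.20 00.60.97.d5.26.ab
arp inspection enable no-flood
"""


def demo() -> Dict[str, str]:
    table = parse_static_arp(SAMPLE_CONFIG)
    return {
        # genuine gateway reply on the client-side VLAN
        "gateway": inspect(table, "10.1.1.1", "00.02.9a.3b.94.d9", "vlan 100"),
        # the man-in-the-middle reply from the text: gateway IP, attacker MAC
        "spoofed": inspect(table, "10.1.1.1", "00:11:22:33:44:55", "vlan 200"),
        # right IP and MAC but sourced from the wrong side of the bridge
        "wrong_if": inspect(table, "10.1.1.1", "00.02.9a.3b.94.d9", "vlan 200"),
        # host with no static entry: flooded by default, dropped with no-flood
        "unknown_flood": inspect(table, "10.1.1.99", "00:aa:bb:cc:dd:ee", "vlan 100"),
        "unknown_noflood": inspect(table, "10.1.1.99", "00:aa:bb:cc:dd:ee", "vlan 100",
                                   flood=False),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} {verdict}")
```

The "wrong_if" case is the one operators most often overlook: a reply that carries the correct IP and MAC still fails inspection when it arrives on a VLAN other than the one where the static entry was configured, so static entries for a bridged pair must be placed under the interface the host actually sits behind.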
Configuring the ARP Retry Attempts
To configure the number of ARP attempts before the ACE flags learned and configured hosts as down, use the arp retries command in configuration mode. You configure this command per context. The syntax for the command is:
arp retries number
The number argument is the number of ARP retry attempts. Enter a number from 2 to 15. The default is 3.
For example, to configure six retry attempts, enter:
host1/Admin(config)# arp retries 6
To reset the number of ARP retry attempts to the default of 3, use the no arp retries command. For example, enter:
host1/Admin(config)# no arp retries
Configuring the ARP Retry Interval
To configure the interval between the ARP retry attempts that the ACE sends to a learned or configured host, use the arp rate command in configuration mode. You configure this command per context. The syntax for the command is:
arp rate seconds
The seconds argument is the number of seconds between ARP retry attempts to hosts. Enter a number from 1 to 60. The default is 10.
For example, to configure a retry interval of 15 seconds, enter:
host1/Admin(config)# arp rate 15
To reset the retry attempt interval to the default of 10 seconds, use the no arp rate command. For example, enter:
host1/Admin(config)# no arp rate
Configuring the ARP Request Interval
To configure the refresh interval for existing ARP entries of configured host addresses, use the arp interval command in configuration mode. You configure this command per context. The syntax for the command is:
arp interval seconds
The seconds argument is the number of seconds between the ARP requests sent to the host. Enter a number from 15 to 31536000. The default is 300.
For example, to configure a request interval of 15 seconds, enter:
host1/Admin(config)# arp interval 15
To reset the ARP request interval to the default of 300 seconds, use the no arp interval command. For example, enter:
host1/Admin(config)# no arp interval
Enabling the Learning of MAC Addresses
By default, the ACE learns MAC addresses from host responses. To enable the ACE to learn MAC addresses on all traffic, use the arp learned-mode enable command in configuration mode. You configure this command per context. For bridged interfaces, this command allows them to learn ARP information from ARP packets; normally the ACE forwards at Layer 2 without learning any ARP information.
The syntax for this command is:
arp learned-mode enable
For example, to enable the learning of MAC addresses on all traffic, enter the following command:
host1/Admin(config)# arp learned-mode enable
To reset the default behavior of learning MAC addresses from host responses, use the no arp learned-mode enable command. For example, enter:
host1/Admin(config)# no arp learned-mode enable
Configuring the ARP Learned Interval
To configure the refresh interval for existing ARP entries for learned host addresses, use the arp learned-interval command in configuration mode. You configure this command per context. The syntax for the command is:
arp learned-interval seconds
The seconds argument is the number of seconds between ARP requests for learned addresses. Enter a number from 60 to 31536000. The default is 14400.
For example, to configure a learned-interval of 800 seconds, enter:
host1/Admin(config)# arp learned-interval 800
To reset the learned interval to the default of 14,400 seconds, use the no arp learned-interval command. For example, enter:
host1/Admin(config)# no arp learned-interval
Displaying ARP Information
You can display ARP address mapping, statistics, and timeout intervals. For more information, see the following sections:
•
Displaying IP Address-to-MAC Address Mapping
•
Displaying ARP Statistics
•
Displaying ARP Timeout Values
Note
The show arp internal command is used for debugging purposes. The output for this command is for use by trained Cisco personnel as an aid in debugging and troubleshooting the ACE. For information on the command syntax, see the Cisco Application Control Engine Module Command Reference.
Displaying IP Address-to-MAC Address Mapping
To display the current active IP address-to-MAC address mapping in the ARP table, use the show arp command in Exec mode. The syntax for this command is:
show arp
Table 4-1 describes the fields in the show arp command output.
Table 4-1 Field Descriptions for the show arp Command
Field | Description
Context | The current context.
IP ADDRESS | The IP address of the system for ARP mapping.
MAC-ADDRESS | The MAC address of the system mapped to the IP address.
Interface | The interface name for this entry.
Type | The type of ARP entry. The possible types are LEARNED, GATEWAY, INTERFACE, VSERVER, RSERVER, and NAT.
Encap | A pointer to the adjacency entry, if any, for this host; Layer 2 and switch header rewrite information.
Next ARP(s) | The time in seconds for which this dynamic ARP entry remains valid.
Status | The state of the system. The possible values are up or down.
For example, enter:
host1/Admin# show arp
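The following Python script is an added example, not Cisco documentation or ACE code, that parses two snapshots of show arp output (columns in the order of Table 4-1) and reports the changes a security operator cares about: an IP whose MAC changed, a host that went down, and newly learned entries. The two snapshots, their exact spacing, and the function names (parse_show_arp, diff_arp, demo) are constructed for the illustration; a MAC change for an IP that is pinned by a static entry under ARP inspection should not occur, which is exactly why the comparison is useful where inspection is not enabled.

```python
"""Diff two 'show arp' snapshots for MAC changes and down hosts (added example, not ACE code)."""
import re
from typing import Dict, List, NamedTuple

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class ArpEntry(NamedTuple):
    ip: str
    mac: str
    interface: str
    type: str
    status: str


def parse_show_arp(text: str) -> Dict[str, ArpEntry]:
    """Parse the rows of 'show arp' output into ip -> ArpEntry. Columns follow
    Table 4-1 (IP ADDRESS, MAC-ADDRESS, Interface, Type, Encap, Next ARP(s),
    Status); the spacing of the constructed sample below is assumed."""
    entries: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7 or not IPV4.match(cols[0]):
            continue                     # banner, header or separator line
        entries[cols[0]] = ArpEntry(cols[0], cols[1].lower(), cols[2],
                                    cols[3].upper(), cols[-1].lower())
    return entries


def diff_arp(before: Dict[str, ArpEntry], after: Dict[str, ArpEntry]) -> List[str]:
    """Report the changes between two snapshots that matter for ARP hygiene."""
    findings: List[str] = []
    for ip, new in after.items():
        old = before.get(ip)
        if old is None:
            if new.type == "LEARNED":
                findings.append(f"new learned entry {ip} -> {new.mac} on {new.interface}")
            continue
        if old.mac != new.mac:
            findings.append(f"MAC for {ip} changed {old.mac} -> {new.mac} on "
                            f"{new.interface} ({new.type}); possible ARP spoofing")
        if old.status == "up" and new.status == "down":
            findings.append(f"{ip} went down on {new.interface} "
                            "(no ARP reply within the configured retries)")
    for ip in before.keys() - after.keys():
        findings.append(f"entry for {ip} is gone (cleared or aged out)")
    return findings


# Constructed snapshots in the column order of Table 4-1.
BEFORE = """\
Context Admin
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  Next ARP(s)  Status
10.1.1.1        00.02.9a.3b.94.d9  vlan100    GATEWAY   LOCAL  120          up
10.1.1.20       00.60.97.d5.26.ab  vlan200    RSERVER   LOCAL  240          up
10.1.1.50       00.1b.21.5c.7e.10  vlan200    LEARNED   LOCAL  14000        up
"""

AFTER = """\
Context Admin
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  Next ARP(s)  Status
10.1.1.1        00.11.22.33.44.55  vlan100    GATEWAY   LOCAL  120          up
10.1.1.20       00.60.97.d5.26.ab  vlan200    RSERVER   LOCAL  240          down
10.1.1.50       00.1b.21.5c.7e.10  vlan200    LEARNED   LOCAL  13700        up
10.1.1.77       00.0c.29.ab.cd.ef  vlan200    LEARNED   LOCAL  14400        up
"""


def demo() -> List[str]:
    return diff_arp(parse_show_arp(BEFORE), parse_show_arp(AFTER))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it periodically against the saved output of show arp from each context; a changed gateway MAC is the ARP-spoofing symptom described earlier in this chapter, and a "down" status on a configured real server means the retry attempts (arp retries and arp rate) were exhausted.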
Displaying ARP Statistics
To display the ARP statistics globally or for a specified VLAN, use the show arp statistics command in Exec mode. The syntax of this command is:
show arp statistics [vlan number]
Table 4-2 describes the fields in the show arp statistics command output.
Table 4-2 Field Descriptions for the show arp statistics Command Output
Field | Description
RX Packets | The number of ARP packets received.
TX Packets | The number of ARP packets transmitted.
Bridged Packets | The number of bridged ARP packets.
Requests Recvd | The number of ARP requests received.
Response Recvd | The number of ARP responses received.
Packets Dropped | The number of dropped ARP packets.
Collision Detected | The number of detected collisions.
RX Errors | The number of errors on received ARP packets.
TX Errors | The number of errors on transmitted ARP packets.
Bridged Errors | The number of bridged errors.
Requests Sent | The number of ARP requests sent.
Response Sent | The number of ARP responses sent.
Inspect Failed | The number of packets that failed ARP inspection.
Gratuitous ARP sent | The number of gratuitous ARP packets sent.
Resolution requests | The number of resolution requests.
Hosts learned | The number of hosts learned.
Encap-miss msg | The number of packets with no matching ARP entry. Each learned ARP entry should correspond to an Encap; when a packet has no matching entry, the ACE counts an Encap miss.
Pings attempted for Encap-miss msg | The number of times that the ACE determined that it needed to ping because an Encap miss occurred for a destination IP address that is not on an existing bridge-group subnet.
Pings quenched for Encap-miss msg | The number of times that the ACE suppressed a ping for a destination IP address because Encap misses for that address occurred repeatedly and too quickly.
Pings rejected for Encap-miss msg | The number of times that the ACE rejected ping attempts for a destination IP address because there were too many Encap misses for that address to handle. As with quenched pings, these misses are unique.
Pings Encap-miss responded to | The number of pings actually sent for a missed IP address. This counter should match the Pings attempted for Encap-miss msg counter.
For example, enter:
host1/Admin# show arp statistics
You can also display ARP traffic statistics by using the show ip traffic command. This command displays the number of received and sent packets, and associated errors, requests, and responses.
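The following Python script is an added example, not Cisco documentation or ACE code, that turns two samples of show arp statistics output into alerts on the counters from Table 4-2 that matter for detection, above all Inspect Failed, which only grows when ARP inspection drops packets. The two samples and their layout are constructed, and the function names (parse_arp_stats, counter_deltas, alerts, demo) are assumed; the handling of a counter that shrinks between samples (treated as a clear arp statistics in between) is an assumption as well.

```python
"""Alert on ARP inspection failures from 'show arp statistics' samples (added example, not ACE code)."""
import re
from typing import Dict, List

COUNTER = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()\-]*?)\s*:\s*(\d+)\s*$")

# Counters from Table 4-2 worth alerting on, with the reading a responder wants.
WATCHED = {
    "Inspect Failed": "ARP packets dropped by inspection: a spoofing attempt, "
                      "or a host whose static entry is missing or stale",
    "Collision Detected": "ARP collisions: more than one MAC claimed an IP address",
    "Packets Dropped": "ARP packets dropped for any reason",
    "RX Errors": "malformed ARP packets received",
}


def parse_arp_stats(text: str) -> Dict[str, int]:
    """Turn 'Name : value' lines into a dict. The layout of the constructed
    samples below is assumed; the field names are the ones in Table 4-2."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def counter_deltas(prev: Dict[str, int], curr: Dict[str, int]) -> Dict[str, int]:
    """Increase of each watched counter since the previous sample. The counters
    only grow, so a smaller current value means 'clear arp statistics' ran in
    between; the current value is then the whole delta (assumption)."""
    deltas: Dict[str, int] = {}
    for name in WATCHED:
        if name not in curr:
            continue
        old, new = prev.get(name, 0), curr[name]
        deltas[name] = new - old if new >= old else new
    return deltas


def alerts(prev: Dict[str, int], curr: Dict[str, int]) -> List[str]:
    """One alert line per watched counter that moved since the last sample."""
    return [f"{name} +{delta}: {WATCHED[name]}"
            for name, delta in counter_deltas(prev, curr).items() if delta > 0]


# Constructed samples taken a few minutes apart on a bridged context with
# 'arp inspection enable no-flood'.
SAMPLE_T0 = """\
ARP statistics for context Admin
  RX Packets          : 12034
  TX Packets          : 8812
  Bridged Packets     : 11987
  Requests Recvd      : 9011
  Response Recvd      : 3023
  Packets Dropped     : 3
  Collision Detected  : 0
  RX Errors           : 1
  TX Errors           : 0
  Inspect Failed      : 0
  Hosts learned       : 42
"""

SAMPLE_T1 = """\
ARP statistics for context Admin
  RX Packets          : 12310
  TX Packets          : 8901
  Bridged Packets     : 12241
  Requests Recvd      : 9200
  Response Recvd      : 3110
  Packets Dropped     : 20
  Collision Detected  : 0
  RX Errors           : 1
  TX Errors           : 0
  Inspect Failed      : 17
  Hosts learned       : 42
"""


def demo() -> List[str]:
    return alerts(parse_arp_stats(SAMPLE_T0), parse_arp_stats(SAMPLE_T1))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A rising Inspect Failed counter has two common causes, and only one of them is an attack: a host that was re-addressed or replaced without its static arp entry being updated fails inspection in exactly the same way as a spoofed reply, so correlate the alert with the static ARP configuration before escalating.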
Displaying ARP Inspection Configuration
To display the ARP inspection configuration, use the show arp inspection command in Exec mode. The syntax for this command is:
show arp inspection
Table 4-3 describes the fields in the show arp inspection command output.
Table 4-3 Field Descriptions for the show arp inspection Command
Field | Description
Context | The name of the current context.
ARP Inspection | Whether ARP inspection is enabled.
Flooding | Whether flooding of non-matching ARP packets is enabled.
Displaying ARP Timeout Values
To display the ARP timeout values, use the show arp timeout command in Exec mode. The syntax for this command is:
show arp timeout
Table 4-4 describes the fields in the show arp timeout command output.
Table 4-4 Field Descriptions for the show arp timeout Command
Field | Description
Refresh Time | The interval in seconds between the ARP requests that the ACE sends to validate a cache entry.
Learned Address | The interval in seconds between the ARP requests that the ACE sends for learned hosts (arp learned-interval; the default is 14400 seconds).
Configured Address | The interval in seconds between the ARP refresh requests that the ACE sends for configured hosts (arp interval; the default is 300 seconds).
Retry Rate | The interval in seconds between the ARP retry attempts that the ACE sends to a host (arp rate).
Max Retries per Host | The number of ARP attempts before the ACE flags the host as down (arp retries).
Clearing ARP Learned Entries from the ARP Table
To clear the learned entries from the ARP cache table, use the clear arp command. The syntax for this command is:
clear arp [no-refresh]
The no-refresh option clears the learned ARP entries from the cache table without sending a new ARP request for each entry. Without this option, the ACE re-ARPs for the entries after clearing them.
For example, to clear the ARP learned entries and re-ARP for them, enter:
host1/Admin# clear arp
Clearing ARP Statistics
To clear the ARP statistics counters, use the clear arp statistics command. The syntax for this command is:
clear arp statistics [interface_name]
Include the interface_name option to clear the statistic counters for the specified interface. Without this option, this command clears all counters for all interfaces.
For example, to clear the ARP statistic counters globally, enter:
host1/Admin# clear arp statistics