Configure ARP Inspection
By default, all ARP packets are allowed between bridge group members. You can control the flow of ARP packets by enabling ARP inspection.
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to the router.
ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address, so long as the correct MAC address and the associated IP address are in the static ARP table.
When you enable ARP inspection, the Firepower Threat Defense device compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:
If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.
If there is a mismatch between the MAC address, the IP address, or the interface, then the Firepower Threat Defense device drops the packet.
If the ARP packet does not match any entries in the static ARP table, then you can set the Firepower Threat Defense device to either forward the packet out all interfaces (flood), or to drop the packet.
The dedicated Diagnostic interface never floods packets even if this parameter is set to flood.
Select FTD policy.and create or edit an
Select ARP Inspection.
Add entries to the ARP inspection table.
Add static ARP entries according to Add a Static ARP Entry.
You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.