7-3
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 7 Configuring Bridging Parameters and ARP Inspection
Configuring ARP Inspection
Viewing the MAC Address Table
You can view the entire MAC address table (including static and dynamic entries for both interfaces), or
you can view the MAC address table for an interface.
To view the MAC address table, enter the following command:
FWSM/contexta# show mac-address-table [
interface_name
]
The following example shows the entire MAC address table:
FWSM/contexta# show mac-address-table
interface mac address type Time Left
-----------------------------------------------------------------------
outside 0009.7cbe.2100 static -
inside 0010.7cbe.6101 static -
inside 0009.7cbe.5101 dynamic 10
The following example shows the MAC address table for the inside interface:
FWSM/contexta# show mac-address-table inside
interface mac address type Time Left
-----------------------------------------------------------------------
inside 0010.7cbe.6101 static -
inside 0009.7cbe.5101 dynamic 10
Configuring ARP Inspection
This section describes ARP inspection and how to enable it, and includes the following topics:
• ARP Inspection Overview, page 7-3
• Adding a Static ARP Entry, page 7-4
• Enabling ARP Inspection, page 7-4
ARP Inspection Overview
By default, ARP inspection is disabled on all interfaces; all ARP packets are allowed through the FWSM.
When you enable ARP inspection, the FWSM compares the MAC address, IP address, and source
interface in all ARP packets to static entries in the ARP table, and takes the following actions:
• If the IP address, MAC address, and source interface match an ARP entry, the packet is passed
through.
• If there is a mismatch between the MAC address, the IP address, or the interface, then the FWSM
drops the packet.
• If the ARP packet does not match any entries in the static ARP table, then you can set the FWSM to
either forward the packet out all interfaces (flood), or to drop the packet.
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP
spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an
ARP request to the gateway router; the gateway router responds with the gateway router MAC address.
To Next Page
Loading...
Need help?
General