7-4
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 7 Configuring Bridging Parameters and ARP Inspection
Configuring ARP Inspection
The attacker, however, sends another ARP response to the host with the attacker MAC address instead
of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to
the router.
ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address,
so long as the correct MAC address and the associated IP address are in the static ARP table.
Adding a Static ARP Entry
ARP inspection compares ARP packets with static ARP entries in the ARP table.
To add a static ARP entry, enter the following command:
FWSM/contexta(config)# arp
interface_name ip_address mac_address
For example, to allow ARP responses from the router at 10.1.1.1 with the MAC address 0009.7cbe.2100
on the outside interface, enter the following command:
FWSM/contexta(config)# arp outside 10.1.1.1 0009.7cbe.2100
Enabling ARP Inspection
To enable ARP inspection, enter the following command:
FWSM/contexta(config)# arp-inspection
interface_name
enable [flood | no-flood]
Where flood (the default) forwards non-matching ARP packets out all interfaces, and no-flood drops
non-matching packets.
For example, to enable ARP inspection on the outside interface, and to drop all non-matching ARP
packets, enter the following command:
FWSM/contexta(config)# arp-inspection outside
enable no-flood
To Next Page
Loading...
Need help?
General