Adding A Static Arp Entry; Enabling Arp Inspection - Cisco PIX 500 Series Configuration Manual

Configuring ARP Inspection
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP
spoofing). ARP spoofing can enable a "man-in-the-middle" attack. For example, a host sends an
ARP request to the gateway router; the gateway router responds with the gateway router MAC address.
The attacker, however, sends another ARP response to the host with the attacker MAC address instead
of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to
the router.
ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address,
so long as the correct MAC address and the associated IP address are in the static ARP table.

Adding a Static ARP Entry

ARP inspection compares ARP packets with static ARP entries in the ARP table. Although hosts identify
a packet destination by an IP address, the actual delivery of the packet on Ethernet relies on the Ethernet
MAC address. When a router or host wants to deliver a packet on a directly connected network, it sends
an ARP request asking for the MAC address associated with the IP address, and then delivers the packet
to the MAC address according to the ARP response. The host or router keeps an ARP table so it does not
have to send ARP requests for every packet it needs to deliver. The ARP table is dynamically updated
whenever ARP responses are sent on the network, and if an entry is not used for a period of time, it times
out. If an entry is incorrect (for example, the MAC address changes for a given IP address), the entry
times out before it can be updated.
The transparent firewall uses dynamic ARP entries in the ARP table for traffic to and from the security
Note
appliance, such as management traffic.
To add a static ARP entry, enter the following command:
hostname(config)# arp interface_name ip_address mac_address
For example, to allow ARP responses from the router at 10.1.1.1 with the MAC address 0009.7cbe.2100
on the outside interface, enter the following command:
hostname(config)# arp outside 10.1.1.1 0009.7cbe.2100

Enabling ARP Inspection

To enable ARP inspection, enter the following command:
hostname(config)# arp-inspection interface_name enable [flood | no-flood]
Where flood forwards non-matching ARP packets out all interfaces, and no-flood drops non-matching
packets.
The default setting is to flood non-matching packets. To restrict ARP through the security appliance to
Note
only static entries, then set this command to no-flood.
Cisco Security Appliance Command Line Configuration Guide
26-2
The dedicated management interface, if present, never floods packets even if this parameter
Note
is set to flood.
Chapter 26 Configuring ARP Inspection and Bridging Parameters
OL-12172-03