Viewing the MAC Address Table; Configuring ARP Inspection; ARP Inspection Overview - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services

Chapter 7
Configuring Bridging Parameters and ARP Inspection
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01

Viewing the MAC Address Table

You can view the entire MAC address table (including static and dynamic entries for both interfaces), or
you can view the MAC address table for an interface.
To view the MAC address table, enter the following command:

FWSM/contexta# show mac-address-table [interface_name]

The following example shows the entire MAC address table:

FWSM/contexta# show mac-address-table
interface    mac address       type       Time Left
-----------------------------------------------------------------------
outside      0009.7cbe.2100    static     -
inside       0010.7cbe.6101    static     -
inside       0009.7cbe.5101    dynamic    10

The following example shows the MAC address table for the inside interface:

FWSM/contexta# show mac-address-table inside
interface    mac address       type       Time Left
-----------------------------------------------------------------------
inside       0010.7cbe.6101    static     -
inside       0009.7cbe.5101    dynamic    10

Configuring ARP Inspection

This section describes ARP inspection and how to enable it, and includes the following topics:

- ARP Inspection Overview
- Adding a Static ARP Entry
- Enabling ARP Inspection

ARP Inspection Overview

By default, ARP inspection is disabled on all interfaces; all ARP packets are allowed through the FWSM.
When you enable ARP inspection, the FWSM compares the MAC address, IP address, and source
interface in all ARP packets to static entries in the ARP table, and takes the following actions:

- If the IP address, MAC address, and source interface match an ARP entry, the packet is passed
  through.
- If there is a mismatch between the MAC address, the IP address, or the interface, then the FWSM
  drops the packet.
- If the ARP packet does not match any entries in the static ARP table, then you can set the FWSM to
  either forward the packet out all interfaces (flood), or to drop the packet.

ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP
spoofing). ARP spoofing can enable a "man-in-the-middle" attack. For example, a host sends an
ARP request to the gateway router; the gateway router responds with the gateway router MAC address.
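The three ARP inspection outcomes described in the overview, modeled as a small Python function. This is an added example, not Cisco's implementation or code from the configuration guide; the names `ArpEntry`, `inspect` and `normalize_mac`, the sample IP addresses, and the reading of "mismatch" as a static entry that shares the packet's IP or MAC address but differs in another field are assumptions.

```python
# Added illustration of the ARP inspection decision; not FWSM code.
from typing import NamedTuple

class ArpEntry(NamedTuple):
    interface: str
    ip: str
    mac: str

def normalize_mac(mac: str) -> str:
    """Reduce dotted (Cisco), colon or dash notation to 12 lowercase hex digits."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def inspect(static_table, interface, sender_ip, sender_mac, flood=True):
    """Return "pass", "drop" or "flood" for one ARP packet.

    Assumption: a "mismatch" is a static entry that shares the packet's IP or
    MAC but differs in another field; a packet sharing neither is a miss, and
    the miss action is the administrator's flood-or-drop choice.
    """
    mac = normalize_mac(sender_mac)
    related = [e for e in static_table
               if e.ip == sender_ip or normalize_mac(e.mac) == mac]
    if not related:
        return "flood" if flood else "drop"
    packet = (interface, sender_ip, mac)
    if any((e.interface, e.ip, normalize_mac(e.mac)) == packet for e in related):
        return "pass"
    return "drop"

# Constructed static ARP table: the IP addresses are made up; the MAC
# notation follows this page's show mac-address-table output.
STATIC_ARP = [
    ArpEntry("outside", "10.1.1.1", "0009.7cbe.2100"),   # gateway router
    ArpEntry("inside", "10.1.1.20", "0010.7cbe.6101"),   # inside host
]

if __name__ == "__main__":
    packets = [
        ("outside", "10.1.1.1", "00:09:7c:be:21:00"),   # genuine gateway reply
        ("inside", "10.1.1.1", "0009.7cbe.5101"),       # gateway IP, wrong MAC
        ("inside", "10.1.1.1", "0009.7cbe.2100"),       # right pair, wrong interface
        ("inside", "10.1.1.99", "0009.7cbe.5101"),      # no static entry
    ]
    for pkt in packets:
        print(pkt, "->", inspect(STATIC_ARP, *pkt))
```

The second packet is the spoofing case from the overview: a host on the inside interface claims the gateway's IP address with its own MAC address and is dropped because the static entry for that IP disagrees.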


This manual is also suitable for:

7600 series
