Configuring ARP Inspection and Bridging
Parameters
Transparent Firewall Mode Only
This chapter describes how to enable ARP inspection and how to customize bridging operations for the
security appliance. In multiple context mode, the commands in this chapter can be entered in a security
context, but not the system.
This chapter includes the following sections:
•
•
Configuring ARP Inspection
This section describes ARP inspection and how to enable it, and includes the following topics:
•
•
•
ARP Inspection Overview
By default, all ARP packets are allowed through the security appliance. You can control the flow of ARP
packets by enabling ARP inspection.
When you enable ARP inspection, the security appliance compares the MAC address, IP address, and
source interface in all ARP packets to static entries in the ARP table, and takes the following actions:
•
•
•
OL-10088-01
Configuring ARP Inspection, page 26-1
Customizing the MAC Address Table, page 26-3
ARP Inspection Overview, page 26-1
Adding a Static ARP Entry, page 26-2
Enabling ARP Inspection, page 26-2
If the IP address, MAC address, and source interface match an ARP entry, the packet is passed
through.
If there is a mismatch between the MAC address, the IP address, or the interface, then the security
appliance drops the packet.
If the ARP packet does not match any entries in the static ARP table, then you can set the security
appliance to either forward the packet out all interfaces (flood), or to drop the packet.
C H A P T E R
Cisco Security Appliance Command Line Configuration Guide
26
26-1