Customizing the MAC Address Table - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 26
Configuring ARP Inspection and Bridging Parameters
For example, to enable ARP inspection on the outside interface, and to drop all non-matching ARP
packets, enter the following command:
hostname(config)# arp-inspection outside enable no-flood
To view the current settings for ARP inspection on all interfaces, enter the show arp-inspection
command.

Customizing the MAC Address Table

This section describes the MAC address table, and includes the following topics:
• MAC Address Table Overview, page 26-3
• Adding a Static MAC Address, page 26-3
• Setting the MAC Address Timeout, page 26-4
• Disabling MAC Address Learning, page 26-4
• Viewing the MAC Address Table, page 26-4

MAC Address Table Overview

The security appliance learns and builds a MAC address table in a similar way to a normal bridge or switch: when a device sends a packet through the security appliance, the security appliance adds the MAC address to its table. The table associates the MAC address with the source interface so that the security appliance knows to send any packets addressed to the device out the correct interface.

The ASA 5505 adaptive security appliance includes a built-in switch; the switch MAC address table maintains the MAC address-to-switch port mapping for traffic within each VLAN. This section discusses the bridge MAC address table, which maintains the MAC address-to-VLAN interface mapping for traffic that passes between VLANs.

Because the security appliance is a firewall, if the destination MAC address of a packet is not in the table, the security appliance does not flood the original packet on all interfaces as a normal bridge does. Instead, it generates the following packets for directly connected devices or for remote devices:
• Packets for directly connected devices—The security appliance generates an ARP request for the destination IP address, so that the security appliance can learn which interface receives the ARP response.
• Packets for remote devices—The security appliance generates a ping to the destination IP address so that the security appliance can learn which interface receives the ping reply.
The original packet is dropped.

Adding a Static MAC Address

Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired.

One benefit to adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry,

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
26-3
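The bridge MAC table behaviour described in this section (dynamic learning, static entries as a MAC-spoofing guard, and no flooding of unknown destinations), modelled in Python as an added example that is not Cisco code; it also covers the aging timeout and per-interface learning switch named in the topic list. Interface names, MAC addresses and the 300-second aging time are constructed, and the guard action (drop a frame whose source MAC matches a static entry but arrives on a different interface, leaving the static binding untouched) is an assumption.

```python
# Added example (not Cisco code): a model of the transparent-firewall bridge MAC
# table. Interface names, MACs and the 300 s aging time are constructed values.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Entry:
    iface: str        # interface the MAC was learned on (or pinned to, if static)
    static: bool      # static entries never age out and guard against spoofing
    last_seen: float  # time of the last frame from this MAC (refreshes dynamic entries)


class BridgeMacTable:
    def __init__(self, aging_time: float = 300.0):
        self.aging_time = aging_time          # constructed default, in seconds
        self.table: dict[str, Entry] = {}
        self.learning: dict[str, bool] = {}   # per-interface dynamic-learning switch

    def add_static(self, mac: str, iface: str) -> None:
        """Pin a MAC to one interface (a static MAC address entry)."""
        self.table[mac] = Entry(iface, True, 0.0)

    def disable_learning(self, iface: str) -> None:
        """Stop dynamic learning on an interface; static entries still apply."""
        self.learning[iface] = False

    def ingress(self, src_mac: str, in_iface: str, now: float) -> str:
        """Handle a frame entering in_iface; returns 'forward' or 'drop'."""
        entry = self.table.get(src_mac)
        if entry is not None and entry.static:
            # Assumed spoof guard: a static MAC seen on another interface is dropped
            # and the static binding is not overwritten by the spoofed frame.
            return "forward" if entry.iface == in_iface else "drop"
        if self.learning.get(in_iface, True):
            self.table[src_mac] = Entry(in_iface, False, now)  # learn or refresh
        return "forward"

    def expire(self, now: float) -> None:
        """Age out dynamic entries idle for aging_time or longer."""
        stale = [m for m, e in self.table.items()
                 if not e.static and now - e.last_seen >= self.aging_time]
        for mac in stale:
            del self.table[mac]

    def egress(self, dst_mac: str, now: float) -> str | None:
        """Pick the output interface for dst_mac. Unknown destinations return None:
        the firewall probes with ARP or ping instead of flooding, and drops the frame."""
        self.expire(now)
        entry = self.table.get(dst_mac)
        return entry.iface if entry is not None else None
```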
