Cisco Systems ASA 5510 Network Router User Manual


Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 10 Configuring the Transparent or Routed Firewall
Feature History for ARP Inspection
Table 10-2 lists the release history for each feature change and the platform release in which it was implemented.
Customizing the MAC Address Table for the Transparent Firewall
This section describes the MAC address table and includes the following topics:
Information About the MAC Address Table, page 10-13
Licensing Requirements for the MAC Address Table, page 10-14
Default Settings, page 10-14
Guidelines and Limitations, page 10-14
Configuring the MAC Address Table, page 10-14
Feature History for the MAC Address Table, page 10-16
Information About the MAC Address Table
The ASA learns and builds a MAC address table in a similar way as a normal bridge or switch: when a device sends a packet through the ASA, the ASA adds the MAC address to its table. The table associates the MAC address with the source interface so that the ASA knows to send any packets addressed to the device out the correct interface.

The ASA 5505 includes a built-in switch; the switch MAC address table maintains the MAC address-to-switch port mapping for traffic within each VLAN. This section only discusses the bridge MAC address table, which maintains the MAC address-to-VLAN interface mapping for traffic that passes between VLANs.

Because the ASA is a firewall, if the destination MAC address of a packet is not in the table, the ASA does not flood the original packet on all interfaces as a normal bridge does. Instead, it generates the following packets for directly connected devices or for remote devices:

Packets for directly connected devices—The ASA generates an ARP request for the destination IP address, so that the ASA can learn which interface receives the ARP response.

Packets for remote devices—The ASA generates a ping to the destination IP address so that the ASA can learn which interface receives the ping reply.
The original packet is dropped.
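To make the learning and unknown-destination behaviour above concrete, here is an added Python model (not Cisco code and not from this guide) of the bridge MAC address table, together with the ARP inspection comparison that Table 10-3 describes. The subnets, MAC addresses and interface names are constructed sample values.

```python
from ipaddress import ip_address, ip_network


class TransparentFirewall:
    """Model of the ASA bridge MAC address table described in this section."""

    def __init__(self, connected_subnets):
        # Subnets directly attached to the bridge interfaces (constructed input).
        self.connected = [ip_network(s) for s in connected_subnets]
        self.mac_table = {}  # source MAC -> interface the ASA learned it on

    def learn(self, src_mac, in_iface):
        """Like a bridge: record which interface a source MAC arrived on."""
        self.mac_table[src_mac] = in_iface

    def forward(self, src_mac, in_iface, dst_mac, dst_ip):
        """Return the action taken for one packet as a tuple."""
        self.learn(src_mac, in_iface)
        if dst_mac in self.mac_table:
            return ("forward", self.mac_table[dst_mac])
        # Unknown destination: the ASA does not flood. It drops the packet and
        # probes so that the reply reveals the correct interface.
        dst = ip_address(dst_ip)
        if any(dst in net for net in self.connected):
            return ("drop", "arp-request", dst_ip)   # directly connected device
        return ("drop", "ping", dst_ip)               # remote device


def arp_inspection(static_arp, arp_packet):
    """Compare MAC, IP and source interface of an ARP packet with the static
    ARP entries. static_arp maps IP -> (MAC, interface). ARP packets with no
    static entry are handled by a separate setting and are not modeled here."""
    entry = static_arp.get(arp_packet["ip"])
    if entry is None:
        return "no-static-entry"
    matches = entry == (arp_packet["mac"], arp_packet["iface"])
    return "permit" if matches else "drop"


if __name__ == "__main__":
    fw = TransparentFirewall(["10.1.1.0/24"])
    print(fw.forward("aa:aa:aa:00:00:01", "inside", "aa:aa:aa:00:00:02", "10.1.1.2"))
    print(fw.forward("aa:aa:aa:00:00:02", "outside", "aa:aa:aa:00:00:01", "10.1.1.1"))
    static = {"10.1.1.1": ("aa:aa:aa:00:00:01", "inside")}
    print(arp_inspection(static, {"ip": "10.1.1.1", "mac": "de:ad:be:ef:00:01", "iface": "inside"}))
```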
Table 10-3 Feature History for ARP Inspection

Feature Name: ARP inspection
Releases: 7.0(1)
Feature Information: ARP inspection compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table. We introduced the following commands: arp, arp-inspection, and show arp-inspection.