ARP Inspection


 * Supported only in transparent firewall mode. Routed mode is not supported.

For ARP inspection on the ASA, create a static ARP table and then enable ARP inspection on the interfaces.

Here we have 10 static entries for the inside interface. We are expecting each listed IP address to show up with its associated MAC address, and once inspection is enabled on the interface, ARP traffic that does not match is dropped. On the outside interface there is a connected router, and it is the ONLY device we expect traffic from, which makes for a really 'locked-down' policy.

  arp inside 10.1.1.1 0000.0000.0001
  arp inside 10.1.1.2 0000.0000.0002
  arp inside 10.1.1.3 0000.0000.0003
  arp inside 10.1.1.4 0000.0000.0004
  arp inside 10.1.1.5 0000.0000.0005
  arp inside 10.1.1.6 0000.0000.0006
  arp inside 10.1.1.7 0000.0000.0007
  arp inside 10.1.1.8 0000.0000.0008
  arp inside 10.1.1.9 0000.0000.0009
  arp inside 10.1.1.10 0000.0000.000a
  arp outside 12.1.1.1 1111.2222.3333

If there are devices other than the 10 specified, we have the option to either flood or drop the ARP packets from those unknown devices. In this case we do have other devices on the inside but no other devices on the outside, so we allow flooding of unknown ARP packets from the inside and lock the ingress from the outside down to just the router's MAC/IP binding.

  arp-inspection inside enable flood
  arp-inspection outside enable no-flood

Another option, for proxy ARP or secondary subnets, is to allow ARP requests from addresses that are not on a directly connected subnet:

  arp permit-nonconnected
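As an added example (not ASA code and not from the original notes), the following Python models the ARP inspection decision described above: it parses the page's `arp` and `arp-inspection` lines and applies the documented rules to constructed ARP packets. A full match of interface, IP and MAC is forwarded; a packet that collides with a static entry on IP, MAC or interface is dropped; a packet matching no entry at all is flooded or dropped according to the interface's flood/no-flood setting. The `arp permit-nonconnected` option is not modeled, and the packets fed in are constructed test input.

```python
"""Model of ASA transparent-mode ARP inspection (added example, not ASA code).

Parses `arp` / `arp-inspection` lines and applies the decision rules to
ARP packets given as (interface, sender IP, sender MAC).
"""
import re
from dataclasses import dataclass, field

# Constructed config: a subset of the static ARP table and the inspection
# settings shown in the notes above.
ASA_CONFIG = """
arp inside 10.1.1.1 0000.0000.0001
arp inside 10.1.1.2 0000.0000.0002
arp outside 12.1.1.1 1111.2222.3333
arp-inspection inside enable flood
arp-inspection outside enable no-flood
"""

ARP_RE = re.compile(r"arp (\S+) (\d+\.\d+\.\d+\.\d+) ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
INSPECT_RE = re.compile(r"arp-inspection (\S+) enable (flood|no-flood)")


@dataclass
class ArpConfig:
    entries: list = field(default_factory=list)   # (iface, ip, mac) static bindings
    inspect: dict = field(default_factory=dict)   # iface -> True if flood, False if no-flood


def parse_config(text):
    """Build an ArpConfig from the relevant lines of an ASA running-config."""
    cfg = ArpConfig()
    for raw in text.splitlines():
        line = raw.strip()
        m = ARP_RE.fullmatch(line)
        if m:
            cfg.entries.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = INSPECT_RE.fullmatch(line)
        if m:
            cfg.inspect[m.group(1)] = m.group(2) == "flood"
    return cfg


def decide(cfg, iface, sender_ip, sender_mac):
    """Return 'forward', 'flood' or 'drop' for an ARP packet arriving on iface."""
    if iface not in cfg.inspect:
        return "forward"                       # inspection not enabled on this interface
    if (iface, sender_ip, sender_mac) in cfg.entries:
        return "forward"                       # interface, IP and MAC all match a binding
    # Partial match: the IP or the MAC belongs to some static entry but the
    # triple does not line up (wrong MAC, wrong IP or wrong interface) -> drop.
    if any(ip == sender_ip or mac == sender_mac for _, ip, mac in cfg.entries):
        return "drop"
    # No static entry knows this host: flood or drop per the interface setting.
    return "flood" if cfg.inspect[iface] else "drop"


def evaluate(cfg, packets):
    """Apply decide() to a list of (iface, ip, mac) packets; returns a list of verdicts."""
    return [(iface, ip, mac, decide(cfg, iface, ip, mac)) for iface, ip, mac in packets]


# Constructed ARP packets exercising each branch of the rules.
SAMPLE_PACKETS = [
    ("inside", "10.1.1.1", "0000.0000.0001"),   # correct binding          -> forward
    ("inside", "10.1.1.1", "dead.beef.0001"),   # known IP, wrong MAC      -> drop
    ("inside", "10.1.1.50", "0000.0000.0050"),  # unknown host, flood on   -> flood
    ("outside", "12.1.1.50", "aaaa.bbbb.cccc"), # unknown host, no-flood   -> drop
    ("outside", "10.1.1.1", "0000.0000.0001"),  # right binding, wrong interface -> drop
    ("inside", "10.1.1.99", "1111.2222.3333"),  # router MAC under another IP    -> drop
]

if __name__ == "__main__":
    for iface, ip, mac, verdict in evaluate(parse_config(ASA_CONFIG), SAMPLE_PACKETS):
        print(f"{iface:8} {ip:12} {mac}  -> {verdict}")
```

Each verdict line is what an operator would expect to see reflected in the ASA's ARP inspection drop counters; running the model against a proposed static table before deployment is a cheap way to confirm that the no-flood interface really does admit only the intended router binding.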


 * In multiple context mode, configure the MAC address table within each context.

MAC Addresses
You can add static MAC addresses into the MAC table to prevent MAC spoofing.

  mac-address-table static inside 0009.7cbe.2100

You can change the aging time from the default of 5 minutes to any value from 5 to 720 minutes.

  mac-address-table aging-time 10

You can disable MAC address learning, but be sure to have some static MAC addresses in place before you do: with learning disabled nothing new is learned, and without a static MAC address list nothing will be forwarded.

  mac-learn inside disable
  mac-learn outside disable
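As an added example (not ASA code and not from the original notes), this Python models the transparent-mode MAC address table described in this section: static entries that never age out, a configurable aging time within the 5 to 720 minute range, and per-interface learning that can be disabled. The scenario at the end shows the failure mode the notes warn about: learning disabled on an interface with no static entry leaves the destination unknown. Timestamps and MAC addresses used in the scenario are constructed.

```python
"""Model of the ASA transparent-mode MAC address table (added example, not ASA code)."""
from dataclasses import dataclass, field


@dataclass
class MacTable:
    aging_minutes: int = 5                                   # ASA default
    learning: dict = field(default_factory=dict)             # iface -> bool (default on)
    entries: dict = field(default_factory=dict)              # mac -> (iface, expires_at | None)

    def set_aging(self, minutes):
        """mac-address-table aging-time <minutes>, valid 5-720."""
        if not 5 <= minutes <= 720:
            raise ValueError("aging-time must be between 5 and 720 minutes")
        self.aging_minutes = minutes

    def add_static(self, iface, mac):
        """mac-address-table static <iface> <mac>: static entries never age out."""
        self.entries[mac] = (iface, None)

    def mac_learn(self, iface, enabled):
        """mac-learn <iface> disable / no mac-learn <iface> disable."""
        self.learning[iface] = enabled

    def learn(self, iface, src_mac, now):
        """Process a frame's source MAC; dynamic entries get a fresh aging timer."""
        existing = self.entries.get(src_mac)
        if existing is not None and existing[1] is None:
            return                              # static entry takes precedence
        if not self.learning.get(iface, True):
            return                              # learning disabled on this interface
        self.entries[src_mac] = (iface, now + self.aging_minutes * 60)

    def lookup(self, dst_mac, now):
        """Return the egress interface for dst_mac, or None if unknown or aged out."""
        entry = self.entries.get(dst_mac)
        if entry is None:
            return None
        iface, expires = entry
        if expires is not None and now >= expires:
            del self.entries[dst_mac]           # dynamic entry has aged out
            return None
        return iface


def scenario():
    """Constructed walk-through returning the observations a practitioner cares about."""
    table = MacTable()
    table.set_aging(10)                                     # as in the notes: 10 minutes
    table.add_static("inside", "0009.7cbe.2100")            # the static entry from the notes

    # Dynamic learning on the outside interface at t=0, checked before/after aging.
    table.learn("outside", "1111.2222.3333", now=0)
    before_aging = table.lookup("1111.2222.3333", now=599)
    after_aging = table.lookup("1111.2222.3333", now=600)

    # Learning disabled on inside: a new host is never recorded, so frames to it
    # have no egress interface; the static entry is still found.
    table.mac_learn("inside", False)
    table.learn("inside", "0000.0000.0042", now=700)
    unlearned = table.lookup("0000.0000.0042", now=700)
    static_ok = table.lookup("0009.7cbe.2100", now=10**6)   # static never expires

    return {
        "before_aging": before_aging,
        "after_aging": after_aging,
        "unlearned_with_learning_off": unlearned,
        "static_entry": static_ok,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:28} -> {value}")
```

The `None` results are the ones to watch for in a real deployment: a dynamic entry that has aged out is relearned from the next frame, but a host on an interface with learning disabled stays unknown until a static entry is added for it.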