ARP inspection in routed mode

Jun 10th, 2008
We have only one host connected to a separate interface (dmz2). It is NATed to a public IP to allow it access to a partner network.

I want to make sure that no one (internally) spoofs the IP of this host or uses its IP. I was looking at placing a static ARP entry and using dynamic ARP inspection, but it seems that this works only in transparent mode, while we are running in routed mode.

Is there any other way?

All help is appreciated

mo shea Tue, 06/10/2008 - 08:28
Thanks for the response.

I placed a static ARP entry on the interface, but it seems that if any other PC uses the same IP, it can pass through.

As for the port ACL, do you mean to use a MAC list on the port?

Thanks again.

Farrukh Haroon Tue, 06/10/2008 - 11:10

Yes, or a VLAN access-map on the whole VLAN, whatever suits you; both are mutually exclusive.



mo shea Tue, 06/10/2008 - 13:28
Thanks for the feedback

I was wondering if it is possible, using a VACL, to limit access based on both the host's IP AND MAC address, since using a MAC list on the port blocks MAC addresses but doesn't check IP addresses. I hope ARP inspection can be made available in ASA routed mode.

Thanks again

Farrukh Haroon Tue, 06/10/2008 - 23:37

It's possible, but there is a very important caveat, which I should have mentioned earlier; this is true for both MAC ACLs on layer 2 (port ACLs) and MAC ACLs inside VLAN access lists (VACLs):

"IP packets are matched against standard or extended IP access lists. *Non-IP packets* are only matched against named MAC extended access lists."

The ARP Inspection option on the switch is also a good suggestion made by amad.
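As an added illustration of the check the thread is after (not code from the thread or from Cisco), the script below applies a static IP-to-MAC binding to captured frames the way switch ARP inspection does with a static ARP ACL, and also applies it to the source of IPv4 packets, since per the caveat above a MAC ACL alone never sees IP traffic. The host IP 10.20.2.10, MAC 00:11:22:33:44:55 and the sample frames are constructed values.

```python
import struct
from ipaddress import IPv4Address

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
BINDINGS = {"10.20.2.10": "00:11:22:33:44:55"}  # constructed sample binding, not from the thread

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)
def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def check_frame(frame, bindings=BINDINGS):
    """Return None if the frame agrees with the static IP/MAC bindings, else a
    string describing the mismatch. An ARP packet's sender IP/MAC pair is checked
    the way DAI checks it against a static ARP ACL; an IPv4 packet's source IP is
    checked against the frame's source MAC, which a MAC ACL alone cannot do."""
    if len(frame) < 14:
        return "truncated Ethernet frame"
    src_mac = mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    p = frame[14:]
    if ethertype == ETH_ARP:
        # ARP: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
        if len(p) < 28 or p[4] != 6 or p[5] != 4:
            return "malformed or non-Ethernet/IPv4 ARP"
        kind, mac, ip = "ARP", mac_str(p[8:14]), str(IPv4Address(p[14:18]))
    elif ethertype == ETH_IPV4:
        if len(p) < 20:
            return "truncated IPv4 header"
        kind, mac, ip = "IPv4", src_mac, str(IPv4Address(p[12:16]))
    else:
        return None  # other non-IP traffic is outside this check
    bound = bindings.get(ip)
    if bound is not None and bound != mac:
        return f"{kind}: {ip} sent by {mac}, statically bound to {bound}"
    return None

def arp_reply(sender_mac, sender_ip):
    """Constructed gratuitous ARP reply, broadcast, from sender_mac/sender_ip."""
    eth = b"\xff" * 6 + mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    sha, spa = mac_bytes(sender_mac), IPv4Address(sender_ip).packed
    return eth + struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 2) + sha + spa + sha + spa

def ipv4_packet(src_mac, src_ip, dst_ip="10.20.2.1"):
    """Constructed minimal IPv4 header (no payload) from src_mac/src_ip."""
    eth = b"\xff" * 6 + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                      IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + hdr
```

Running `check_frame` over a span-port capture (for example frames read with a pcap library) flags any ARP or IP traffic that claims the dmz2 host's address from another MAC.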