arp inspection in routed mode

mo shea
Level 1

Hi

We have only one host connected to a separate interface (dmz2). It is natted to a Public IP to allow it access to a partner network.

I want to make sure that no one (internally) spoofs the IP of this host or uses its IP. I was looking at placing a static arp entry

and using dynamic arp inspection but it seems that this works only in transparent mode, but we have a routed mode running.

Is there any other way?

All help is appreciated

6 Replies

Farrukh Haroon
VIP Alumni

You could put a VLAN access-map or port-acl on the switch connected to the DMZ VLAN.

Also you can still put static arp entries in Routed mode, however ARP inspection is not supported in routed mode.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a2.html#wp1600694

Regards

Farrukh

Thanks for the response.

I placed a static arp entry on the interface, but it seems if any other pc uses the same IP, it can pass through.

As for the port acl, do you mean to use a mac list on the port?

Thanks again.

Yes, or a VLAN access-map on the whole VLAN, whatever suits you; both are mutually exclusive.

Regards

Farrukh

Amadou TOURE
Level 1

Hello,

The following link could help also if you have the required IOS software on your switch.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swdynarp.html

Thanks for the feedback

I was wondering if it is possible using VACL, to limit access based on both the host's IP AND MAC address, since using a mac list on the port blocks mac addresses, but doesn't check IP addresses. I hope arp inspection can be made available on the ASA routed mode.

Thanks again

It's possible, but there is a very important caveat, which I should have mentioned earlier; this is true for both mac ACLs on layer 2 (port ACLs) and mac ACLs inside VLAN Access Lists (VACLs):

"IP packets are matched against standard or extended IP access lists. *Non-IP packets* are only matched against named MAC extended access lists."

The ARP Inspection option on the switch is also a good suggestion made by amad.

Regards

Farrukh
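Putting the two suggestions from this thread together on the switch side, as an added example that is not from any poster or Cisco documentation: a VACL on the DMZ VLAN restricts IP packets to the host's IP and non-IP packets (ARP) to the host's MAC, and because a VACL cannot tie an IP to a MAC in one rule (the caveat above), Dynamic ARP Inspection with a static ARP ACL enforces the IP-to-MAC binding. The VLAN number, addresses, MACs and port names below are assumed placeholders.

```cisco
! Added example (not from the thread). Assumed values: DMZ VLAN 20,
! protected host 192.0.2.10 with MAC 0000.0c12.3456, ASA dmz2 interface
! 192.0.2.1 with MAC 0000.0c65.4321, Gi1/0/24 = port facing the ASA.
!
! 1) DAI binds the host IP to its MAC: ARP packets claiming 192.0.2.10
!    from any other MAC are dropped, and "static" means no fallback to
!    the DHCP snooping binding table for non-matching ARP.
arp access-list DMZ2-HOST-ARP
 permit ip host 192.0.2.10 mac host 0000.0c12.3456
 permit ip host 192.0.2.1 mac host 0000.0c65.4321
!
ip arp inspection vlan 20
ip arp inspection filter DMZ2-HOST-ARP vlan 20 static
!
! The ASA-facing port is trusted so the firewall's own ARP is not inspected.
interface GigabitEthernet1/0/24
 ip arp inspection trust
!
! 2) VACL: IP packets are checked only against the IP ACL, non-IP packets
!    (ARP) only against the MAC ACL; anything else on VLAN 20 is dropped.
ip access-list extended DMZ2-HOST-IP
 permit ip host 192.0.2.10 any
 permit ip any host 192.0.2.10
 permit ip host 192.0.2.1 any
!
mac access-list extended DMZ2-HOST-MAC
 permit host 0000.0c12.3456 any
 permit any host 0000.0c12.3456
 permit host 0000.0c65.4321 any
!
vlan access-map DMZ2-VACL 10
 match ip address DMZ2-HOST-IP
 action forward
vlan access-map DMZ2-VACL 20
 match mac address DMZ2-HOST-MAC
 action forward
vlan access-map DMZ2-VACL 30
 action drop
!
vlan filter DMZ2-VACL vlan-list 20
```

Verify with `show ip arp inspection vlan 20` and `show vlan access-map`; a second PC using 192.0.2.10 will have its ARP dropped by DAI (logged under `show ip arp inspection statistics`) even though its IP packets match the IP ACL.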
