Monitor ARP table on ASA 5505 with MARS v6.0

Sep 13th, 2010

The goal is to catch people accidentally plugging an unauthorized device into a 5505. Can MARS monitor the 5505 ARP table or something else and trigger based on a MAC not being in a pre-defined list?

mikecrowe4ICS_2 Mon, 09/13/2010 - 17:13

If you are running in transparent mode, ARP inspection might do what you're looking for.

From the ASA "Configuration Guide using the CLI" for 8.2:

When you enable ARP inspection, the adaptive security appliance compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:

    • If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.

    • If there is a mismatch between the MAC address, the IP address, or the interface, then the adaptive security appliance drops the packet.

    • If the ARP packet does not match any entries in the static ARP table, then you can set the adaptive security appliance to either forward the packet out all interfaces (flood), or to drop the packet.

In addition to the actions listed above, there are matching syslog messages. If MARS does not already trigger events based on those messages, you could add them using a custom parser.

This only works in transparent mode, though. Not sure what would work for routed mode.

panderson25 Tue, 09/14/2010 - 05:58

Routed mode. Also, this "accident" wouldn't necessarily generate an alert since it could be a new static IP. I was hoping MARS could dig into the ARP table somehow and parse it periodically as opposed to waiting for an alert.
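The periodic ARP-table check the poster describes can be done outside MARS: poll the firewall, parse the output of `show arp`, and flag any MAC that is not on the allowlist. The Python below is an added example, not code from this thread or from Cisco; the `show arp` text and the allowlist are constructed samples, and the line layout assumed (interface, IP address, dotted-hex MAC, age) matches what the ASA prints in routed mode, with an optional trailing keyword tolerated. Fetching the output (SSH, SNMP) is left to the caller; the script only does the comparison.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Set

# One "show arp" line on an ASA (assumed layout): interface, IPv4 address,
# MAC in Cisco dotted-hex form, then an age field; an optional trailing
# keyword (e.g. "alias" on proxy-ARP entries) is tolerated and ignored.
ARP_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<age>\S+)(?:\s+\S+)?\s*$",
    re.IGNORECASE,
)


class ArpEntry(NamedTuple):
    interface: str
    ip: str
    mac: str   # normalized: 12 lowercase hex digits, no separators
    age: str


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-..., aabb.ccdd.eeff and return 12 hex digits."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_show_arp(text: str) -> List[ArpEntry]:
    """Parse 'show arp' output; header or unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append(ArpEntry(m["iface"], m["ip"],
                                    normalize_mac(m["mac"]), m["age"]))
    return entries


def find_unauthorized(entries: Iterable[ArpEntry], allowed: Iterable[str],
                      interfaces: Optional[Set[str]] = None) -> List[ArpEntry]:
    """Return entries whose MAC is not on the allowlist.

    If `interfaces` is given, only entries seen on those interfaces are
    checked (e.g. {"inside"}), so upstream devices on the outside do not
    produce noise.
    """
    allowed_norm = {normalize_mac(m) for m in allowed}
    return [e for e in entries
            if (interfaces is None or e.interface in interfaces)
            and e.mac not in allowed_norm]


# Constructed sample output and allowlist (not real devices).
SAMPLE_SHOW_ARP = """\
        inside 10.1.1.1 0009.7cf8.2d2c 5
        inside 10.1.1.20 0011.2094.1d2d 48
        inside 10.1.1.37 0021.a0b1.c2d3 3
        outside 192.0.2.1 00d0.02a8.440a 12
"""
# The allowlist may be kept in any common notation; it is normalized on use.
ALLOWED_MACS = ["00:09:7c:f8:2d:2c", "0011.2094.1d2d", "00-D0-02-A8-44-0A"]


def check_sample() -> List[ArpEntry]:
    """Run the comparison over the constructed sample, inside interface only."""
    return find_unauthorized(parse_show_arp(SAMPLE_SHOW_ARP), ALLOWED_MACS,
                             interfaces={"inside"})


if __name__ == "__main__":
    for e in check_sample():
        # One line per rogue host; feed this to syslog so MARS can alert on it.
        print(f"UNAUTHORIZED MAC {e.mac} at {e.ip} on {e.interface} (age {e.age})")
```

Run it from cron at whatever interval suits the site and send the output lines to syslog; MARS (or any collector) can then raise an incident on the `UNAUTHORIZED MAC` string without needing to understand the ASA ARP table itself. Restricting the check to the inside interface is deliberate: the outside default gateway's MAC is not something the site controls and would otherwise trip the allowlist.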
