09-13-2010 01:41 PM
The goal is to catch people accidentally plugging an unauthorized device into a 5505. Can MARS monitor the 5505 ARP table or something else and trigger based on a MAC not being in a pre-defined list?
09-13-2010 05:13 PM
If you are running in transparent mode, ARP inspection might do what you're looking for.
From the ASA "Configuration Guide using the CLI" for 8.2:
When you enable ARP inspection, the adaptive security appliance compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:
If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.
If there is a mismatch between the MAC address, the IP address, or the interface, then the adaptive security appliance drops the packet.
If the ARP packet does not match any entries in the static ARP table, then you can set the adaptive security appliance to either forward the packet out all interfaces (flood), or to drop the packet.
In addition to the action listed above, there are matching syslog messages. If MARS does not already trigger events based on those messages, you could add them using a custom parser.
This only works in transparent mode, though. Not sure what would work for routed mode.
09-14-2010 05:58 AM
Routed mode. Also, this "accident" wouldn't necessarily generate an alert since it could be a new static IP. I was hoping MARS could dig into the ARP table somehow and parse it periodically as opposed to waiting for an alert.
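The periodic approach described in this last post (poll the ASA ARP table, compare each MAC against a pre-defined list, raise an alert on anything unknown) can be done outside MARS with a small script. The following is an added example, not code from the thread, from Cisco, or from MARS. It assumes the output of `show arp` has already been captured from the ASA (for example by a scheduled SSH job) and that each entry line has the layout `<interface> <ip> <hhhh.hhhh.hhhh> <age>`; the sample output and the allow-list are constructed for illustration. Because it checks the table itself rather than a syslog event, it catches a device that appears with a new static IP, which would not otherwise produce an alert.

```python
"""
Check an ASA ARP table against an allow-list of known MAC addresses.

Added example (not from the thread, Cisco, or MARS). Assumes `show arp`
output was captured earlier and that each entry line looks like
`<interface> <ip> <hhhh.hhhh.hhhh> <age>`; the age of a static entry may
be a non-numeric token such as "-".
"""
import re
from dataclasses import dataclass

# Constructed sample of `show arp` output (layout is an assumption).
SAMPLE_SHOW_ARP = """\
        inside 192.168.1.10 0011.2233.4455 120
        inside 192.168.1.77 00de.adbe.ef01 5
        outside 10.0.0.1 aabb.ccdd.eeff -
"""

# Constructed allow-list of authorized MACs; any common notation is accepted.
KNOWN_MACS = {"00:11:22:33:44:55", "aa-bb-cc-dd-ee-ff"}

# interface, dotted-quad IP, MAC in dotted/colon/dash notation, age token
ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F.:-]{12,17})\s+(\S+)"
)


@dataclass(frozen=True)
class ArpEntry:
    interface: str
    ip: str
    mac: str   # normalised to 12 lowercase hex digits
    age: str


def normalise_mac(mac):
    """Reduce any MAC notation to 12 lowercase hex digits for comparison."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def parse_show_arp(text):
    """Return the ArpEntry list found in captured `show arp` output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # headers, blank lines, anything not an entry
        iface, ip, mac, age = m.groups()
        entries.append(ArpEntry(iface, ip, normalise_mac(mac), age))
    return entries


def unknown_entries(entries, known_macs, interfaces=None):
    """Entries whose MAC is not in the allow-list, optionally limited to
    the interfaces being watched (e.g. only the inside LAN)."""
    allowed = {normalise_mac(m) for m in known_macs}
    return [
        e for e in entries
        if e.mac not in allowed
        and (interfaces is None or e.interface in interfaces)
    ]


def check(text, known_macs, interfaces=None):
    """Parse captured output and return the entries that should alert."""
    return unknown_entries(parse_show_arp(text), known_macs, interfaces)


if __name__ == "__main__":
    # A scheduled job would replace SAMPLE_SHOW_ARP with a fresh capture
    # and forward these lines to syslog, where MARS can pick them up.
    for e in check(SAMPLE_SHOW_ARP, KNOWN_MACS, interfaces={"inside"}):
        print(f"ALERT unknown MAC {e.mac} at {e.ip} on {e.interface}")
```

Run it on a schedule (cron or a Windows task) with the output of `show arp` piped in, restrict it to the interfaces where unauthorized devices could be plugged in, and send the alert lines to syslog so the existing collector sees them. Comparing on the MAC rather than the IP is what makes a device with a freshly assigned static address show up.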