

arp inspection in routed mode

Hi

We have only one host connected to a separate interface (dmz2). It is NATed to a public IP to allow it access to a partner network.

I want to make sure that no one (internally) spoofs the IP of this host or uses its IP. I was looking at placing a static ARP entry and using dynamic ARP inspection, but it seems that this works only in transparent mode, and we have routed mode running.

Is there any other way?

All help is appreciated


Re: arp inspection in routed mode

You could put a VLAN access-map or port-acl on the switch connected to the DMZ VLAN.

Also, you can still put static ARP entries in routed mode; however, ARP inspection is not supported in routed mode.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a2.html#wp1600694

Regards

Farrukh


Re: arp inspection in routed mode

Thanks for the response.

I placed a static ARP entry on the interface, but it seems that if any other PC uses the same IP, it can pass through.

As for the port ACL, do you mean to use a MAC list on the port?

Thanks again.

Re: arp inspection in routed mode

Yes, or a VLAN access-map on the whole VLAN, whatever suits you; both are mutually exclusive.

Regards

Farrukh


Re: arp inspection in routed mode

Hello,

The following link could help also if you have the required IOS software on your switch.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swdynarp.html


Re: arp inspection in routed mode

Thanks for the feedback

I was wondering if it is possible, using a VACL, to limit access based on both the host's IP AND MAC address, since using a MAC list on the port blocks by MAC address but doesn't check IP addresses. I hope ARP inspection can be made available in ASA routed mode.

Thanks again

Re: arp inspection in routed mode

It's possible, but there is a very important caveat, which I should have mentioned earlier. This is true for both MAC ACLs on layer 2 (port ACLs) and MAC ACLs inside VLAN access lists (VACLs):

"IP packets are matched against standard or extended IP access lists. *Non-IP packets* are only matched against named MAC extended access lists."

The ARP inspection option on the switch is also a good suggestion made by amad.

Regards

Farrukh
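To make the two switch-side options in this thread concrete, here is an added example (not posted by anyone in the thread) of the Catalyst IOS configuration that the VACL replies and amad's DAI link are describing. It shows, side by side, why a VACL alone cannot bind the host's IP to its MAC (the quoted caveat: IP packets only hit the IP ACL, so a second PC with the same IP but its own MAC passes the VACL) and how Dynamic ARP Inspection with a static ARP ACL closes that gap for ARP. Everything below is assumed for illustration: VLAN 20 as the dmz2 VLAN, host IP 192.0.2.10, host MAC 0011.2233.4455, the ASA's dmz2 interface on GigabitEthernet1/0/1 and the host on GigabitEthernet1/0/2; the command syntax is that of the 3750 12.2(25)SEE guide linked above.

```ios
! ---- Part 1: VACL (the approach from the first replies) ----
! Assumed values: VLAN 20, host 192.0.2.10 / 0011.2233.4455.
! IP packets on the VLAN are matched ONLY against this IP ACL,
! so a spoofer using 192.0.2.10 from a different MAC is still permitted here.
ip access-list extended DMZ2-HOST-IP
 permit ip host 192.0.2.10 any
 permit ip any host 192.0.2.10
!
! Non-IP frames (ARP and the like) are matched ONLY against this MAC ACL.
! Restricting by source MAC here does not touch IP traffic at all.
mac access-list extended DMZ2-HOST-MAC
 permit host 0011.2233.4455 any
 permit any host 0011.2233.4455
!
vlan access-map DMZ2-VACL 10
 match ip address DMZ2-HOST-IP
 action forward
vlan access-map DMZ2-VACL 20
 match mac address DMZ2-HOST-MAC
 action forward
! Anything not matched by a sequence is dropped (implicit deny).
vlan filter DMZ2-VACL vlan-list 20

! ---- Part 2: Dynamic ARP Inspection with a static ARP ACL ----
! An ARP ACL ties the IP to the MAC for ARP packets, which the VACL cannot do.
arp access-list DMZ2-HOST-ARP
 permit ip host 192.0.2.10 mac host 0011.2233.4455
!
! Enable DAI on the DMZ VLAN. "static" means ARP packets that do not match the
! ACL are dropped, with no fallback to the DHCP snooping binding table
! (there is none on this VLAN, since the host is statically addressed).
ip arp inspection vlan 20
ip arp inspection filter DMZ2-HOST-ARP vlan 20 static
ip arp inspection validate src-mac ip
!
! The port towards the ASA is trusted: its ARP replies (for the default
! gateway) are not checked against the ARP ACL.
interface GigabitEthernet1/0/1
 description ASA dmz2 interface (assumed port)
 switchport mode access
 switchport access vlan 20
 ip arp inspection trust
!
! The host port is untrusted (the default once DAI is on for the VLAN);
! only ARP that says "192.0.2.10 is at 0011.2233.4455" is forwarded from it.
interface GigabitEthernet1/0/2
 description DMZ host (assumed port)
 switchport mode access
 switchport access vlan 20
 ip arp inspection limit rate 15
```

Usage notes: Part 1 and Part 2 are independent and can be applied together. After configuring DAI, `show ip arp inspection vlan 20` confirms the VLAN is enabled with the ACL attached, and `show ip arp inspection statistics vlan 20` shows ACL-permitted versus dropped ARP counts, which is the quickest way to verify that a second machine claiming 192.0.2.10 has its ARP dropped. Combined with the static `arp` entry on the ASA's dmz2 interface mentioned earlier in the thread, no other MAC can be resolved for that IP by the firewall. The remaining caveat a practitioner should keep in mind: DAI inspects only ARP, so it prevents a spoofer from receiving return traffic, but it does not by itself drop an IP packet whose source address is forged; enforcing the IP-to-port binding on data packets is a separate switch feature (IP Source Guard) that this thread does not cover.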
