Enabling ARP Inspection, Monitoring ARP Inspection – Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 4 Configuring the Transparent or Routed Firewall

Configuring ARP Inspection for the Transparent Firewall

Examples

For example, to allow ARP responses from the router at 10.1.1.1 with the MAC address 0009.7cbe.2100
on the outside interface, enter the following command:

hostname(config)# arp outside 10.1.1.1 0009.7cbe.2100

What to Do Next

Enable ARP inspection according to the “Enabling ARP Inspection” section on page 4-12.

Enabling ARP Inspection

This section describes how to enable ARP inspection.

Detailed Steps

Command: arp-inspection interface_name enable [flood | no-flood]

Example:

hostname(config)# arp-inspection outside enable no-flood

Purpose: Enables ARP inspection.

The flood keyword forwards non-matching ARP packets out all interfaces, and no-flood drops non-matching packets.

Note: The default setting is to flood non-matching packets. To restrict ARP through the ASA to only static entries, set this command to no-flood.

Examples

For example, to enable ARP inspection on the outside interface, and to drop all non-matching ARP packets, enter the following command:

hostname(config)# arp-inspection outside enable no-flood

Monitoring ARP Inspection

To monitor ARP inspection, perform the following task:

Command: show arp-inspection

Purpose: Shows the current settings for ARP inspection on all interfaces.
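The flood and no-flood behaviour described above can be modelled offline to check what a given configuration will do with an ARP packet. The following Python sketch is an added example, not code from Cisco or from this guide; the function names, the result labels, the "inside" line in the sample configuration and the handling of partial matches are assumptions of the model.

```python
import re

# Constructed sample config built from the commands on this page; the
# "inside" line is added to show the default (flood) case.
SAMPLE_CONFIG = """\
arp outside 10.1.1.1 0009.7cbe.2100
arp-inspection outside enable no-flood
arp-inspection inside enable
"""

ARP_RE = re.compile(r"^arp (\S+) (\d+(?:\.\d+){3}) ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\b", re.I)
INSP_RE = re.compile(r"^arp-inspection (\S+) enable(?: (flood|no-flood))?$", re.I)

def parse(config):
    """Return (static, inspection): a set of (iface, ip, mac) and {iface: mode}."""
    static, inspection = set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := ARP_RE.match(line):
            static.add((m[1], m[2], m[3].lower()))
        elif m := INSP_RE.match(line):
            # No keyword means the default, which is flood.
            inspection[m[1]] = (m[2] or "flood").lower()
    return static, inspection

def decide(static, inspection, iface, ip, mac):
    """Model the handling of one ARP packet arriving on iface."""
    mode = inspection.get(iface)
    if mode is None:
        return "not-inspected"
    if (iface, ip, mac.lower()) in static:
        return "forward"
    # Assumption: a packet that shares an IP or MAC with a static entry but
    # differs in another field is a mismatch and is dropped in either mode.
    if any(ip == e_ip or mac.lower() == e_mac for _, e_ip, e_mac in static):
        return "drop-mismatch"
    return "flood" if mode == "flood" else "drop-no-match"

def audit(inspection):
    """List inspected interfaces that still flood non-matching ARP packets."""
    return sorted(i for i, mode in inspection.items() if mode == "flood")

if __name__ == "__main__":
    static, inspection = parse(SAMPLE_CONFIG)
    print(decide(static, inspection, "outside", "10.1.1.1", "0009.7cbe.2100"))
    print(decide(static, inspection, "outside", "10.1.1.1", "0011.2233.4455"))
    print(decide(static, inspection, "outside", "10.1.1.9", "0011.2233.4455"))
    print(decide(static, inspection, "inside", "10.1.1.9", "0011.2233.4455"))
    print("still flooding:", audit(inspection))
```

Interfaces returned by audit() have ARP inspection enabled but still forward ARP packets that match no static entry, because the default is flood.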
