Configuring the mac address table, Adding a static mac address, Setting the mac address timeout – Cisco ASA 5505 User Manual


4-15

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 4 Configuring the Transparent or Routed Firewall

Customizing the MAC Address Table for the Transparent Firewall

Additional Guidelines

In transparent firewall mode, the management interface updates the MAC address table in the same
manner as a data interface; therefore you should not connect both a management and a data interface to
the same switch unless you configure one of the switch ports as a routed port (by default Cisco Catalyst
switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the
management interface from the physically-connected switch, then the ASA updates the MAC address
table to use the management interface to access the switch, instead of the data interface. This action
causes a temporary traffic interruption; the ASA will not re-update the MAC address table for packets
from the switch to the data interface for at least 30 seconds for security reasons.

Configuring the MAC Address Table

This section describes how you can customize the MAC address table and includes the following
sections:

Adding a Static MAC Address, page 4-15

Setting the MAC Address Timeout, page 4-15

Disabling MAC Address Learning, page 4-16

Adding a Static MAC Address

Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular
MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired.
One benefit to adding static entries is to guard against MAC spoofing. If a client with the same
MAC address as a static entry attempts to send traffic to an interface that does not match the static entry,
then the ASA drops the traffic and generates a system message. When you add a static ARP entry (see
the “Adding a Static ARP Entry” section on page 4-11), a static MAC address entry is automatically
added to the MAC address table.

To add a static MAC address to the MAC address table, enter the following command:

Command:
mac-address-table static interface_name mac_address

Example:
hostname(config)# mac-address-table static inside 0009.7cbe.2100

Purpose:
Adds a static MAC address entry. The interface_name is the source interface.

Setting the MAC Address Timeout

The default timeout value for dynamic MAC address table entries is 5 minutes, but you can change the
timeout. To change the timeout, enter the following command:
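The static-entry and timeout behaviour described in the two sections above, as an added illustrative model that is not ASA code and is not taken from the configuration guide: a small Python MAC address table that pins static entries to an interface, drops a frame carrying a static MAC on any other interface and records a log message, learns dynamic entries from traffic, and ages them out after the 5-minute default. The outside interface name, the 0050.56ab.cdef address and the log text are constructed assumptions; only the inside/0009.7cbe.2100 entry comes from the page.

```python
"""Toy model of the transparent-firewall MAC address table.

Static entries pin a MAC address to one interface; a frame that carries that
MAC on any other interface is dropped and a log message is generated.
Dynamic entries are learned from traffic and age out after the configured
timeout (5 minutes by default).  Illustrative model only, not ASA code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_AGING_MINUTES = 5  # default dynamic-entry timeout stated on the page


@dataclass
class MacEntry:
    interface: str
    static: bool
    last_seen: float  # seconds; not used for static entries


@dataclass
class MacAddressTable:
    aging_minutes: int = DEFAULT_AGING_MINUTES
    entries: Dict[str, MacEntry] = field(default_factory=dict)
    syslog: List[str] = field(default_factory=list)  # constructed log messages

    def add_static(self, interface: str, mac: str) -> None:
        """Equivalent of: mac-address-table static <interface_name> <mac_address>"""
        self.entries[mac.lower()] = MacEntry(interface, static=True, last_seen=0.0)

    def process_frame(self, interface: str, src_mac: str, now: float) -> str:
        """Return 'forward' or 'drop' for a frame with src_mac arriving on interface."""
        mac = src_mac.lower()
        entry = self.entries.get(mac)
        if entry is None:
            # Unknown source: learn it dynamically on the arrival interface.
            self.entries[mac] = MacEntry(interface, static=False, last_seen=now)
            return "forward"
        if entry.static:
            if entry.interface != interface:
                # Static entry exists for a different interface: treat as spoofing.
                self.syslog.append(
                    f"MAC {mac} has a static entry on {entry.interface} but was "
                    f"seen on {interface}; frame dropped (possible MAC spoofing)")
                return "drop"
            return "forward"
        # Dynamic entry: refresh the timestamp and follow the station if it moved.
        entry.interface = interface
        entry.last_seen = now
        return "forward"

    def expire(self, now: float) -> List[str]:
        """Remove dynamic entries idle for aging_minutes or longer; return removed MACs."""
        limit = self.aging_minutes * 60
        expired = [m for m, e in self.entries.items()
                   if not e.static and now - e.last_seen >= limit]
        for m in expired:
            del self.entries[m]
        return expired

    def lookup(self, mac: str) -> Optional[str]:
        entry = self.entries.get(mac.lower())
        return entry.interface if entry else None


def demo() -> Tuple[str, str, List[str], Optional[str]]:
    """Walk through the behaviour the section describes with constructed traffic."""
    table = MacAddressTable()
    table.add_static("inside", "0009.7cbe.2100")                    # the page's example entry
    ok = table.process_frame("inside", "0009.7cbe.2100", now=0)      # matches static entry
    spoof = table.process_frame("outside", "0009.7cbe.2100", now=1)  # wrong interface: drop
    table.process_frame("outside", "0050.56ab.cdef", now=2)          # constructed dynamic MAC
    aged = table.expire(now=2 + 5 * 60)                              # 5 minutes later
    return ok, spoof, aged, table.lookup("0009.7cbe.2100")           # static entry never ages


if __name__ == "__main__":
    print(demo())
    print(MacAddressTable().syslog)
```

Running demo() forwards the legitimate frame, drops the frame that presents the static MAC on the wrong interface, ages out the dynamic entry after the 5-minute default, and leaves the static entry in place; changing aging_minutes models the timeout command the next section refers to.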
