Configuring the ARP Cache

A firewall maintains a cache of Address Resolution Protocol (ARP) entries that are learned when it overhears ARP requests or ARP reply packets on its interfaces. ARP is used to resolve a host's MAC address based on its IP address, and vice versa.

You can use the following commands to configure ARP operations: 1. Define a static ARP entry:

Firewall(config)# arp if name ip address mac address [alias]

ARP entries normally are created as the firewall hears responses to ARP requests on each interface. There might be times when you need to configure a static entry for hosts that do not answer ARP requests on their interfaces. Static ARP entries do not age out over time.

Specify the firewall interface name if_name (inside or outside, for example) where the host can be found. The host's IP address and MAC address (in dotted-triplet format) must also be given.

Use the alias keyword to create a static proxy ARP entry, where the firewall responds to ARP requests on behalf of the configured host IP address—whether or not it actually exists.

For example, you can use the following command to configure a static ARP entry for a machine that can be found on the inside interface. Its MAC address and IP address are 0006.5b02.a841 and 192.168.1.199, respectively:

Firewall(config)# arp inside 0006.5b02.a841 192.168.1.199

2. Set the ARP persistence timer:

Firewall(config)# arp timeout seconds

ARP entries dynamically collected are held in the firewall's cache for a fixed length of time. During this time, no new ARP information is added or changed for a specific cached host address. By default, ARP entries are held for 14,400 seconds (4 hours). You can set the persistence timer to seconds (1 to 1,215,752 seconds for PIX 6.3 or 60 to 4,294,967 seconds for ASA and FWSM).

You can display the current ARP cache contents with the following command:

Firewall# show arp [statistics]

For example, the following ARP entries have been created on a firewall:

Firewall# show arp stateful 192.168.199.1 0030.8587.546e lan-fo 192.168.198.2 0030.8587.5433 outside 12.16.11.1 0003.4725.2f97 outside 12.16.11.2 0005.5f93.37fc outside 12.16.11.3 00d0.01e6.6ffc inside 192.168.1.1 0003.4725.2e32 inside 192.168.1.4 00d0.0457.3bfc inside 192.168.1.3 0007.0d55.a80a Firewall#

Be aware that the firewall maintains ARP entries for its own interfaces too, as indicated by the gray shaded entries.

You can add the statistics keyword to display counters for various ARP activities. Consider the following output:

Firewall# show arp statistics Number of ARP entries: PIX : 11

Dropped blocks in ARP: 10 Maximum Queued blocks: 17 Queued blocks: 0

Interface collision ARPs Received: 0 ARP-defense Gratuitous ARPS sent: 0 Total ARP retries: 70 Unresolved hosts: 0 Maximum Unresolved hosts: 2 Firewall#

If a host's IP address changes or its network interface is replaced, an existing ARP entry can become stale and will be stuck in the firewall's ARP table until it expires. If this happens, you can clear the entire ARP cache contents by using the clear arp EXEC command.

If you decide to clear the ARP cache, you should do so only during a maintenance time when the network is not busy; otherwise, there might be a pause in network traffic passing through the firewall while the ARP cache is being rebuilt.

Although you cannot clear individual ARP cache entries, you can configure a static ARP entry for the IP address in question so that it is paired with a bogus MAC address. After that is done, remove the command that was just used. The bogus static ARP entry is removed, and the firewall relearns an ARP entry based on dynamic information from the host.

Was this article helpful?

+2 0

Post a comment