Configure ARP Inspection
By default, all ARP packets are allowed between bridge group members. You can control the flow of ARP packets by enabling ARP inspection.
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing). ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. The attacker, however, sends another ARP response to the host with the attacker MAC address instead of the router MAC address. The attacker can now intercept all the host traffic before forwarding it on to the router.
ARP inspection ensures that an attacker cannot send an ARP response with the attacker MAC address, so long as the correct MAC address and the associated IP address are in the static ARP table.
When you enable ARP inspection, the FTD device compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:
-
If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.
-
If there is a mismatch between the MAC address, the IP address, or the interface, then the FTD device drops the packet.
-
If the ARP packet does not match any entries in the static ARP table, then you can set the FTD device to either forward the packet out all interfaces (flood), or to drop the packet.
Note
The dedicated interface never floods packets even if this parameter is set to flood.
Procedure
Step 1 |
Select Firepower Threat Defense policy. and create or edit the |
Step 2 |
Select ARP Inspection. |
Step 3 |
Add entries to the ARP inspection table. |
Step 4 |
Add static ARP entries according to Add a Static ARP Entry. |
Step 5 |
Click Save. You can now go to and deploy the policy to assigned devices. The changes are not active until you deploy them. |