When your Cisco ASA is running in Transparent mode, the MAC address table is a key ingredient of every forwarding decision the device makes. In this post, we will look at the MAC address table management capabilities available to the network engineer.
First of all, realize that in Transparent mode the Cisco ASA behaves much like the traditional transparent switch we are accustomed to. It dynamically learns source MAC addresses from the frames it receives and stores them in a table. The default timeout value for these dynamically learned addresses is 5 minutes.
Unlike a transparent switch, however, the ASA will not flood a frame out all interfaces when the destination MAC address is unknown. Instead, if the destination is on a directly connected network, the ASA generates an ARP request for it; if the destination is remote, the ASA pings the remote host. In either case the reply populates the MAC address table, and only then is the traffic forwarded.
Adding Static MAC Addresses
You might wonder why you would ever want to add static MAC addresses to a Transparent mode ASA when, out of the box, the device is able to learn MAC addresses dynamically. Well, the answer is simple. You can add MAC addresses statically in order to guard against MAC address spoofing. A static entry binds a MAC address to an interface: if traffic arrives with that source MAC address on an interface other than the one in the static entry, the ASA drops the traffic and generates a system message so you know it happened. Keep in mind that adding a static ARP entry to the device also adds a matching static MAC address table entry automatically. The command to add a static MAC address entry is simple, as you might guess:
mac-address-table static interface_name mac_address
Setting the MAC Address Timeout
As we mentioned earlier, the default timeout value for dynamic MAC addresses is 5 minutes. You can control this value, expressed in minutes (5 to 720), with the following command:
mac-address-table aging-time timeout_value
Disabling MAC Address Learning
In a VERY high security environment, you might want to prevent your Cisco ASA from learning MAC addresses dynamically altogether. In this case, you can turn off dynamic learning on a per-interface basis. Obviously, in order to permit traffic through the Transparent device on such an interface, you must statically define every trusted MAC address behind it; anything not listed is not forwarded. Here is the command to disable dynamic learning:
mac-learn interface_name disable
Monitoring the MAC Address Table
Any time you want to view the MAC address table on your Transparent ASA, optionally limited to a single interface, simply use the following verification command:
show mac-address-table [interface_name]
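The four sections above are really one hardening procedure, so here they are put together as a complete configuration walkthrough. This is an added example and not configuration from the original post; it assumes an ASA already running in Transparent mode with interfaces named inside and outside, and every MAC and IP address in it is a constructed placeholder.

```cisco
! Assumed: ASA already in transparent mode, interfaces named inside and outside.
! All MAC and IP addresses below are constructed placeholders.

! 1. Pin the trusted hosts to the interface they sit behind. A frame carrying one
!    of these source MACs that arrives on a *different* interface is dropped as a
!    possible spoof and a system message is generated.
mac-address-table static inside  0011.2233.4455
mac-address-table static inside  0011.2233.4466
mac-address-table static outside 00aa.bbcc.dd01

! A static ARP entry adds a matching static MAC entry automatically, so the
! upstream router can be pinned this way instead of with a second static MAC line.
arp outside 192.0.2.1 00aa.bbcc.dd01

! 2. Lengthen the aging time for the dynamic entries that remain (minutes, 5-720).
mac-address-table aging-time 30

! 3. Lock the inside interface: no dynamic learning, so only the static entries
!    above can pass. Dynamic learning stays enabled on outside.
mac-learn inside disable

! To roll back step 3 later:
!   no mac-learn inside disable

! 4. Verify the whole table, then just the locked interface.
show mac-address-table
show mac-address-table inside
```

With this in place, a new host plugged in behind inside gets no traffic through the firewall until an engineer adds its static entry, which is exactly the behaviour you want on a segment where every device is known in advance.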
Thanks so much for joining the IPexpert Blog for this series on ASA modes. We hope you will join us for more posts regarding this powerful Cisco device.
Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv
Tags: ASA, CCIE, CCIE Security, CCIE Security 3.0 Blueprint, ccie security blueprint, ccie security training, cisco asa, cisco asa firewall modes
Hello Anthony,
I wonder if you have had problems with the following ASA behavior:
Unlike a transparent switch, however, the device will not flood frames out interfaces for an unknown MAC address destination. Instead the ASA will respond with an ARP request for a directly connected device. If the destination is remote, the ASA will attempt to ping the remote device.
I have a case where a device sends UDP traffic to a single destination, through an ASA in transparent mode. The sender has experienced a corruption of the MAC destination address. When it happens, the packets are dropped, but the ASA starts to send ARP requests to the IP destination to discover the right MAC. It gets the answers, but it will never get an answer with the wrong MAC, so it remains unknown and the situation becomes an undesired flood of ARP requests to the destination IP address, as intense, in packets per second, as the dropped traffic.
I have not found a way to suppress or limit the ARP requests from the ASA. I see this as a vulnerability of the ASA, as it could be used as an amplifier to flood the other side of the firewall with broadcast ARP requests.
Thanks in advance for your comments.
Oscar García