Monitoring in Transparent Mode
All traffic flows based on MAC address lookup via bridging. MAC addresses are either
statically assigned by the administrator or dynamically learned through traffic over an
interface. The Security Appliance lists all known MAC addresses in the MAC address table.
This table is used by the Security Appliance to switch traffic that passes through it, based on
any filters applied to each interface. To display the current MAC address table, you can use
the show mac-address-table command in privileged mode, as shown in Example 6-14.
Table 6-17 arp-inspection ethertype Command Parameters
Parameter Description
interface_name The interface on which you want ARP inspection.
enable Enables ARP inspection.
flood (Default) Specifies that packets not matching any element of a static ARP
entry are flooded out of all interfaces except the originating interface. If a
mismatch occurs between the MAC address, IP address, or interface, the
Security Appliance drops the packet.
no-flood (Optional) Specifies that packets not exactly matching a static ARP entry
are dropped.
Example 6-14 show mac-address-table Command Output
pix# show mac-address-table
interface mac address type Age(min)
inside 0010.7cbe.6101 static
inside 0008.e3bc.5ee0 dynamic 5
outside 0050.8DFB.19C2 dynamic 5
The Security Appliance will learn MAC addresses from the interface by default. This can be
a dangerous setting to allow on a secured network. If a malicious user spoofed (faked) the
MAC address of a network device already connected to the network, or just used a random
MAC address, that user could gain access to the secured network. The Security Appliance
would see the new MAC address and add it to the MAC table, giving the user access to that
part of the network. You can disable the Security Appliance’s ability to learn new MAC
addresses using the mac-learn command in global-configuration mode:
mac-learn interface_name disable
This will allow only static MAC addresses into the MAC address table. If the same malicious
user attempted to spoof the MAC address of an entry in the static table but on the wrong
interface, or tried to use a random MAC address not in the table, the MAC address and all
packets from that user would be dropped. An administrator can assign static MAC addresses
through the following command:
mac-address-table static interface_name mac_address