https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925396#M918662 <P>Hi</P><P></P><P>We have only one host connected to a separate interface (dmz2). It is natted to a Public IP to allow it access to a partner network.</P><P>I want to make sure that no one (internally) spoofs the IP of this host or uses it's IP. I was looking at placing a static arp entry</P><P>and using dynamic arp inspection but it seems that this works only in transparent mode, but we have a routed mode running. </P><P></P><P>Is there any other way?</P><P></P><P>All help is appreciated</P> Mon, 11 Mar 2019 12:57:14 GMT mo shea 2019-03-11T12:57:14Z https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925396#M918662 <P>Hi</P><P></P><P>We have only one host connected to a separate interface (dmz2). It is natted to a Public IP to allow it access to a partner network.</P><P>I want to make sure that no one (internally) spoofs the IP of this host or uses it's IP. I was looking at placing a static arp entry</P><P>and using dynamic arp inspection but it seems that this works only in transparent mode, but we have a routed mode running. </P><P></P><P>Is there any other way?</P><P></P><P>All help is appreciated</P> Mon, 11 Mar 2019 12:57:14 GMT https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925396#M918662 mo shea 2019-03-11T12:57:14Z https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925397#M918663 <HTML><HEAD></HEAD><BODY><P>You could put a VLAN access-map or port-acl on the switch connected to the DMZ VLAN.</P><P></P><P>Also you can still put static arp enties in Routed mode, however ARP inspection is not supported in routed mode.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a2.html#wp1600694" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a2.html#wp1600694</A></P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 10 Jun 2008 10:40:59 GMT https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925397#M918663 Farrukh Haroon 2008-06-10T10:40:59Z https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925398#M918664 <HTML><HEAD></HEAD><BODY><P>Thanks for the response.</P><P></P><P>I placed a static arp entry on the interface, but it seems if any other pc uses the same IP, it can pass through.</P><P></P><P>As for the port acl, due you mean to use a mac list on the port.</P><P></P><P>Thanks again.</P></BODY></HTML> Tue, 10 Jun 2008 15:28:24 GMT https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925398#M918664 mo shea 2008-06-10T15:28:24Z https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925399#M918665 <HTML><HEAD></HEAD><BODY><P>yes or a VLAN access-map on the whole VLAN, whatever suits you, both are mutually exclusive.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 10 Jun 2008 18:10:46 GMT https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925399#M918665 Farrukh Haroon 2008-06-10T18:10:46Z https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925400#M918666 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>The following link could help also if you have the required IOS software on your switch.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swdynarp.html" target="_blank">http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swdynarp.html</A></P></BODY></HTML> Tue, 10 Jun 2008 18:32:15 GMT https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925400#M918666 Amadou TOURE 2008-06-10T18:32:15Z https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925401#M918667 <HTML><HEAD></HEAD><BODY><P>Thanks for the feedback</P><P></P><P>I was wondering if it is possible using VACL, to limit access based on both the host's IP AND MAC address, since using a mac list on the port blocks mac address, but doesnt check IP addresses. I hope arp inspection can be made available on the ASA routed mode.</P><P></P><P>Thanks again</P></BODY></HTML> Tue, 10 Jun 2008 20:28:54 GMT https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925401#M918667 mo shea 2008-06-10T20:28:54Z https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925402#M918669 <HTML><HEAD></HEAD><BODY><P>Its possible, but there is a very important Caveat, which I should have mentioned earlier, this is true for both mac ACLs on layer 2 (port ACLs) and mac ACLs inside Vlan Access Lists (VACLs):</P><P></P><P>"IP packets are matched against standard or extended IP access lists. *Non-IP packets* are only matched against named MAC extended access lists."</P><P></P><P>The ARP Inspection option on the switch is also a good suggestion made by amad.</P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P></BODY></HTML> Wed, 11 Jun 2008 06:37:29 GMT https://community.cisco.com/t5/network-security/arp-inspection-in-routed-mode/m-p/925402#M918669 Farrukh Haroon 2008-06-11T06:37:29Z