Chapter 19
Configuring ARP Inspection and Bridging Parameters
Customizing the MAC Address Table
This section describes the MAC address table, and includes the following topics:
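• MAC Address Table Overview
• Adding a Static MAC Address
• Setting the MAC Address Timeout
• Disabling MAC Address Learning
• Viewing the MAC Address Table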
MAC Address Table Overview
The FWSM learns and builds a MAC address table in much the same way as a normal bridge or switch: when
a device sends a packet through the FWSM, the FWSM adds the MAC address to its table. The table
associates the MAC address with the source interface and a bridge group so that the FWSM knows to
send any packets addressed to the device out the correct interface. A MAC address can have more than
one entry in the table if it sent traffic through more than one bridge group. When the FWSM needs to
determine the egress interface to deliver a packet to that MAC address, it uses the entry
for the bridge group that contains the ingress interface for the packet.
Because the FWSM is a firewall, if the destination MAC address of a packet is not in the table, the
FWSM does not flood the original packet on all interfaces of the bridge group as a normal bridge does.
Instead, it generates the following packets for directly connected devices or for remote devices:
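• Packets for directly connected devices: The FWSM generates an ARP request for the destination
IP address, so that the FWSM can learn which interface receives the ARP response.
• Packets for remote devices: The FWSM generates a ping to the destination IP address so that the
FWSM can learn which interface receives the ping reply.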
The original packet is dropped.
Adding a Static MAC Address
Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular
MAC address enters an interface. You can add static MAC addresses to the MAC address table if desired.
One benefit to adding static entries is to guard against MAC spoofing. If a client with the same
MAC address as a static entry attempts to send traffic to an interface that does not match the static entry,
then the FWSM drops the traffic and generates a system log message.
To add a static MAC address to the MAC address table, enter the following command:
hostname(config)# mac-address-table static interface_name mac_address
The interface_name is the source interface.
Setting the MAC Address Timeout
The default timeout value for dynamic MAC address table entries is 5 minutes, but you can change the
timeout. To change the timeout, enter the following command:
hostname(config)# mac-address-table aging-time timeout_value
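The following Python model is an added illustration of the table behavior described in the overview, static-entry and timeout sections above; it is not FWSM code and not part of the original guide. The class and method names, the log text, the sample MAC addresses, and the choices that traffic refreshes a dynamic entry and that a dynamic entry follows a MAC that moves interfaces are assumptions.

```python
DEFAULT_AGING = 5 * 60  # seconds; the guide gives 5 minutes as the default

class MacTable:
    """Toy model of the described behavior (hypothetical, not FWSM code)."""

    def __init__(self, aging=DEFAULT_AGING):
        self.aging = aging
        self.entries = {}  # (bridge_group, mac) -> (interface, is_static, last_seen)
        self.log = []      # stand-in for system log messages (text is constructed)

    def add_static(self, bridge_group, interface, mac):
        # Static entries never age out and pin the MAC to one interface.
        self.entries[(bridge_group, mac.lower())] = (interface, True, None)

    def ingress(self, bridge_group, interface, src_mac, now):
        """Handle a frame's source MAC; return 'forward' or 'drop'."""
        key = (bridge_group, src_mac.lower())
        entry = self.entries.get(key)
        if entry and entry[1]:
            if entry[0] != interface:
                # Same MAC as a static entry, wrong interface: drop and log.
                self.log.append(f"MAC {src_mac} seen on {interface}, "
                                f"static entry is on {entry[0]}")
                return "drop"
            return "forward"
        self.entries[key] = (interface, False, now)  # learn or refresh
        return "forward"

    def egress(self, bridge_group, dst_mac, now):
        """Return the egress interface, or None if unknown or aged out.

        None means: do not flood. The original packet is dropped and an
        ARP request or ping is sent to learn where the destination lives.
        """
        key = (bridge_group, dst_mac.lower())
        entry = self.entries.get(key)
        if entry is None:
            return None
        interface, is_static, last_seen = entry
        if not is_static and now - last_seen >= self.aging:
            del self.entries[key]
            return None
        return interface

if __name__ == "__main__":
    table = MacTable()
    table.add_static(1, "inside", "0009.7cbe.2100")  # constructed sample MAC
    print(table.ingress(1, "outside", "0009.7cbe.2100", now=0), table.log)
```
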
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01