Doubt about PIX in Transparent mode
Hello Anderson
Both features can work independently of each other. ARP inspection requires static mapping of all ARP entries (interface, IP and MAC). This is different from the Dynamic ARP Inspection feature (on switches), which can make decisions based on the DHCP binding table. But this is mostly due to the network positioning of a transparent firewall vs. a switch. In most topologies there would be only two devices directly connected to the ASA/PIX in transparent mode, so one could easily do these static mappings.
MAC learning can be disabled to prevent MAC spoofing etc., as you suggest. However, this would require that static MAC entries are defined for all traffic bridged through the appliance. As per the documentation, once you add a static ARP entry, a corresponding static MAC entry is automatically added for that IP/MAC pair.
One last thing that I would like to share, which I found quite important while studying for this feature, i.e. the MAC learning for the security appliance vs. regular switches. As per CCO:
” >”
Regards
Farrukh
On Dec 30, 2007 11:15 PM, Anderson Mota Alves wrote:
> Hi guys,
>
> I have a doubt when I need to configure ARP Inspection in a PIX in transparent mode. I've seen from some workbooks that for the ARP inspection section in a PIX in transparent mode we also need to disable MAC learning and configure static entries for the MAC addresses from both interfaces (inside and outside). The only thing I don't get here is the reason to disable MAC learning (for me this practice is to avoid MAC spoofing), as it's different from ARP spoofing.
>
> Any input would be really appreciated, and HAPPY NEW YEAR !!!!
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
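The static ARP mapping, ARP inspection and MAC-learning settings discussed in this thread, as an added configuration example for an ASA/PIX 7.x in transparent mode (not from either poster). It assumes a single host directly connected on each side; the IP addresses and MAC addresses are constructed.

```cisco
! Added example, not part of the thread. ASA/PIX 7.x, transparent mode,
! one host directly connected on each interface. Addresses are constructed.
firewall transparent
!
! Static ARP entry for every host whose ARP traffic must pass inspection.
! Per the documentation, each of these also creates a static MAC-table entry.
arp inside  10.1.1.10 0011.2233.4455
arp outside 10.1.1.1  0066.7788.99aa
!
! Enable ARP inspection on both interfaces. With no-flood, an ARP packet that
! does not match a static entry is dropped instead of being flooded onward.
arp-inspection inside  enable no-flood
arp-inspection outside enable no-flood
!
! Optional hardening against MAC spoofing: stop dynamic MAC learning.
! Once learning is off, every MAC bridged through the appliance needs a static
! entry. The two pairs above were added automatically by the arp commands;
! any other bridged host would need a line like the one shown here.
mac-learn inside  disable
mac-learn outside disable
mac-address-table static outside 0066.7788.99aa
!
! Verification: inspection state per interface, and the static MAC entries.
show arp-inspection
show mac-address-table
```

If a host appears in the MAC table as dynamic while learning is disabled, or ARP packets from an unlisted host are still forwarded, the static entries or the no-flood setting were not applied as intended.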