The PIX Security Appliance learns and builds a MAC address table in much the
same way as a normal bridge or switch. When a device sends a packet through
the PIX, the PIX adds the packet's source MAC address to its table. The table
associates the MAC address with the source interface, so that the PIX knows to
send any packets addressed to that device out the correct interface.
Because the PIX Security Appliance is a firewall, if the destination MAC
address of a packet is not in the table, the PIX does not flood the original
packet out all interfaces as a normal bridge does. Instead, it generates one of
the following packets, depending on whether the destination is directly
connected or remote:
- Packets for directly connected devices – The PIX Security Appliance
generates an ARP request for the destination IP address, so that the PIX can
learn which interface receives the ARP response.
- Packets for remote devices – The PIX Security Appliance generates a
ping (ICMP echo request) to the destination IP address, so that the PIX can
learn which interface receives the ping reply.
In either case, the original packet is dropped.
By default, each interface automatically learns the MAC addresses of entering
traffic, and the PIX Security Appliance adds corresponding entries to the MAC
address table. MAC address learning can be disabled if desired; however, unless
MAC addresses are statically added to the table, no traffic can pass through
the PIX, because no destination MAC address will ever be found in the table.
Normally, MAC addresses are added to the MAC address table dynamically as
traffic from a particular MAC address enters an interface. Static MAC addresses
can also be added to the table. One benefit of adding static entries is to
guard against MAC spoofing: if a client with the same MAC address as a static
entry attempts to send traffic to an interface that does not match the static
entry, the PIX Security Appliance drops the traffic and generates a system
message.
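To make the forwarding and spoof-guard logic above concrete, here is a small Python model of the transparent-mode MAC address table. It is added here as an illustration and is not Cisco code, nor a description of PIX internals. It assumes a two-interface deployment with interface names inside and outside, uses a constructed subnet 10.1.1.0/24 to decide what counts as "directly connected", and the MAC addresses and frames in demo() are made up for the example.

```python
"""Model of the transparent-mode PIX MAC address table behaviour described
in the text: learn on ingress, static entries pin a MAC to one interface,
and an unknown destination is probed (ARP or ping) while the original frame
is dropped rather than flooded. Illustrative model only, not Cisco code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class Entry:
    interface: str
    static: bool


@dataclass
class Frame:
    """Constructed sample frame: only the fields the table logic needs."""
    ingress: str
    src_mac: str
    dst_mac: str
    dst_ip: str


@dataclass
class TransparentPix:
    # Assumed: one subnet spans both interfaces, as in transparent mode.
    connected_subnet: str
    table: Dict[str, Entry] = field(default_factory=dict)
    learning: Dict[str, bool] = field(default_factory=dict)  # default: enabled
    syslog: List[str] = field(default_factory=list)

    def mac_learn(self, interface: str, enable: bool) -> None:
        """Enable or disable dynamic learning on one interface."""
        self.learning[interface] = enable

    def add_static(self, interface: str, mac: str) -> None:
        """Pin a MAC address to an interface (static entry)."""
        self.table[mac.lower()] = Entry(interface, static=True)

    def _learn(self, frame: Frame) -> bool:
        """Process the source MAC. Returns False if the frame must be dropped."""
        mac = frame.src_mac.lower()
        entry = self.table.get(mac)
        if entry is not None and entry.static:
            if entry.interface != frame.ingress:
                # Static entry belongs to another interface: treat as spoofing.
                self.syslog.append(
                    f"static MAC {mac} arrived on {frame.ingress}, "
                    f"expected {entry.interface}: dropped"
                )
                return False
            return True
        if self.learning.get(frame.ingress, True):
            self.table[mac] = Entry(frame.ingress, static=False)
        return True

    def forward(self, frame: Frame) -> str:
        """Return the action taken on the frame as a short string."""
        if not self._learn(frame):
            return "drop: static MAC mismatch"
        dst = self.table.get(frame.dst_mac.lower())
        if dst is not None:
            return f"forward via {dst.interface}"
        # Unknown destination: never flood. Probe, and drop the original.
        if ip_address(frame.dst_ip) in ip_network(self.connected_subnet):
            return "drop: unknown destination, ARP request sent"
        return "drop: unknown destination, ICMP echo sent"


def demo() -> List[str]:
    """Run four constructed frames through the model and return the actions."""
    pix = TransparentPix(connected_subnet="10.1.1.0/24")
    pix.add_static("inside", "0000.0c00.0001")
    frames = [
        # 1: known static source, unknown but directly connected destination
        Frame("inside", "0000.0c00.0001", "0000.0c00.0002", "10.1.1.2"),
        # 2: new source learned on outside, destination is the static entry
        Frame("outside", "0000.0c00.0002", "0000.0c00.0001", "10.1.1.1"),
        # 3: the static MAC appears on the wrong interface (spoof attempt)
        Frame("outside", "0000.0c00.0001", "0000.0c00.0002", "10.1.1.2"),
        # 4: unknown destination on a remote subnet
        Frame("inside", "0000.0c00.0001", "0000.0c00.0099", "192.168.5.7"),
    ]
    return [pix.forward(f) for f in frames]


if __name__ == "__main__":
    for action in demo():
        print(action)
```

Frame 3 is the case the text describes: the same MAC as a static entry arrives on a different interface, so the frame is dropped and a log entry is produced instead of the table being updated. Disabling learning with mac_learn(interface, False) leaves the table unchanged for new sources, which is why static entries become mandatory once learning is off.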
The entire MAC address table, including static and dynamic entries for both
interfaces, can be viewed, or the MAC address table for a single interface can
be viewed.
Two new debug commands have been introduced for transparent firewall mode:
- debug arp inspection – Shows debug messages for ARP inspection.
- debug mac-address-table – Shows debug messages for the MAC address table.