3-1 Configuring Interfaces

2. Set the ARP persistence timer:

Firewall(config)# arp timeout seconds

ARP entries dynamically collected are held in the firewall's cache for a fixed length of time. During this time, no new ARP information is added or changed for a specific cached host address. By default, ARP entries are held for 14,400 seconds (4 hours). You can set the persistence timer to seconds (1 to 1,215,752 seconds for PIX 6.3 or 60 to 4,294,967 seconds for ASA and FWSM).

You can display the current ARP cache contents with the following command:

Firewall# show arp [statistics]

For example, the following ARP entries have been created on a firewall:

Firewall# show arp
        stateful 192.168.199.1 0030.8587.546e
        lan-fo 192.168.198.2 0030.8587.5433
        outside 12.16.11.1 0003.4725.2f97
        outside 12.16.11.2 0005.5f93.37fc
        outside 12.16.11.3 00d0.01e6.6ffc
        inside 192.168.1.1 0003.4725.2e32
        inside 192.168.1.4 00d0.0457.3bfc
        inside 192.168.1.3 0007.0d55.a80a
Firewall#

Be aware that the firewall maintains ARP entries for its own interface addresses too. In the original output those entries are shaded gray; that shading does not survive in this rendering, so compare the listed addresses against the interface configuration to tell them apart.

You can also display statistics about the ARP cache by adding the statistics keyword, as in the following output:

Firewall# show arp statistics
        Number of ARP entries:
        PIX : 11
        Dropped blocks in ARP: 10
        Maximum Queued blocks: 17
        Queued blocks: 0
        Interface collision ARPs Received: 0
        ARP-defense Gratuitous ARPS sent: 0
        Total ARP retries: 70
        Unresolved hosts: 0
        Maximum Unresolved hosts: 2
Firewall#

Tip

If a host's IP address changes or its network interface is replaced, an existing ARP entry can become stale and will be stuck in the firewall's ARP table until it expires. If this happens, you can clear the entire ARP cache contents by using the clear arp EXEC command.

If you decide to clear the ARP cache, you should do so only during a maintenance time when the network is not busy; otherwise, there might be a pause in network traffic passing through the firewall while the ARP cache is being rebuilt.

Although you cannot clear individual ARP cache entries, you can configure a static ARP entry for the IP address in question that pairs it with a bogus MAC address; the static entry replaces the stale dynamic one. Then remove the static entry with the no form of the same command. The bogus entry disappears, and the firewall relearns the address dynamically from the host the next time it needs to resolve it.
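The following script is an added example, not part of the book's text: it parses two captured show arp listings, reports entries whose MAC address changed between captures (the stale-entry case from the tip, or an address that has been taken over), reports MACs that answer for more than one IP on the same interface, and emits the static-entry work-around commands the tip describes. The two captures are constructed for the example (the first reuses addresses from the listing above; the second assumes 192.168.1.4's NIC was replaced and a new host 192.168.1.3 answers with 192.168.1.1's MAC), and the bogus MAC value is an arbitrary choice.

```python
import re
from collections import defaultdict

# One line of "show arp" output: <interface> <ip> <mac>. A trailing age column,
# present on some ASA releases, is ignored if it appears.
ARP_LINE = re.compile(
    r"^\s*(?P<ifname>[\w-]+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)


def parse_show_arp(text):
    """Map (interface, ip) -> mac for every entry in captured 'show arp' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[(m["ifname"], m["ip"])] = m["mac"].lower()
    return table


def changed_macs(before, after):
    """Entries whose MAC differs between two captures, as (if, ip, old_mac, new_mac)."""
    return sorted(
        (ifn, ip, before[(ifn, ip)], mac)
        for (ifn, ip), mac in after.items()
        if (ifn, ip) in before and before[(ifn, ip)] != mac)


def shared_macs(table):
    """MACs bound to more than one IP on one interface: {(if, mac): [ips]}."""
    by_mac = defaultdict(list)
    for (ifn, ip), mac in table.items():
        by_mac[(ifn, mac)].append(ip)
    return {k: sorted(v) for k, v in by_mac.items() if len(v) > 1}


def flush_entry_commands(ifname, ip, bogus_mac="0000.0000.0001"):
    """The tip's work-around for one stale entry: pin a bogus static ARP entry,
    then remove it so the firewall relearns the address dynamically.
    The bogus MAC is an arbitrary placeholder value (assumption)."""
    return [f"arp {ifname} {ip} {bogus_mac}",
            f"no arp {ifname} {ip} {bogus_mac}"]


# Constructed captures for the example (not real firewall output).
CAPTURE_BEFORE = """\
Firewall# show arp
        outside 12.16.11.1 0003.4725.2f97
        outside 12.16.11.2 0005.5f93.37fc
        inside 192.168.1.1 0003.4725.2e32
        inside 192.168.1.4 00d0.0457.3bfc
Firewall#"""

CAPTURE_AFTER = """\
Firewall# show arp
        outside 12.16.11.1 0003.4725.2f97
        outside 12.16.11.2 0005.5f93.37fc
        inside 192.168.1.1 0003.4725.2e32
        inside 192.168.1.3 0003.4725.2e32
        inside 192.168.1.4 0011.2233.4455
Firewall#"""

if __name__ == "__main__":
    before = parse_show_arp(CAPTURE_BEFORE)
    after = parse_show_arp(CAPTURE_AFTER)
    for ifn, ip, old, new in changed_macs(before, after):
        print(f"{ifn} {ip}: {old} -> {new}")
        print("  " + " ; ".join(flush_entry_commands(ifn, ip)))
    for (ifn, mac), ips in shared_macs(after).items():
        print(f"{ifn}: {mac} answers for {', '.join(ips)}")
```

A MAC shared by several IPs is not automatically hostile (the firewall's own interface entries, a router doing proxy ARP, or a host with secondary addresses all look like this), so treat the report as a list of entries to check against what you expect on that segment, not as an alarm in itself.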

Configuring Interface MTU and Fragmentation

By default, any Ethernet interface has its maximum transmission unit (MTU) size set to 1500 bytes, which is the largest IP packet a standard Ethernet frame can carry. If a packet is larger than the MTU of the interface it must leave on, it is fragmented before being transmitted, unless its Don't Fragment (DF) bit is set, in which case it is dropped and an ICMP Fragmentation Needed message is returned to the sender. You can use the following command to adjust an interface MTU:

Firewall(config)# mtu if_name bytes

If you need to, you can adjust the MTU of the interface named if_name to the size bytes (64 to 65,535 bytes). In some cases, you might need to reduce the MTU to avoid having to fragment encrypted packets where the encryption protocols add too much overhead to an already maximum-sized packet.

Cisco firewalls can participate in path MTU discovery (PMTUD) along an end-to-end IP routing path. This process follows RFC 1191: packets are sent with the DF bit set, and each router whose next hop cannot carry the packet returns an ICMP Fragmentation Needed message that reports its MTU, so the sender settles on the smallest allowed MTU along the complete path. Because PMTUD depends on those ICMP messages, a firewall or access list that discards ICMP type 3 code 4 messages creates a black hole in which large packets are silently lost.

You can display the current MTU configuration for all firewall interfaces by using the show mtu (PIX 6.3) or show running-config mtu (ASA and FWSM) command. Interface MTU settings are also displayed as a part of the show interface EXEC command output.

For example, the following output shows the MTU settings on a firewall's interfaces:

Firewall# show running-config mtu
mtu outside 1500
mtu inside 1500
mtu dmz 1500
Firewall#

Firewall# show interface
Interface GigabitEthernet0 "", is up, line protocol is up
        Hardware is i82542 rev03, BW 1000 Mbps
        (Full-duplex), Auto-Speed(1000 Mbps)
        Available but not configured via nameif
        MAC address 0003.4708.ec54, MTU not set
        IP address unassigned
        17786900 packets input, 21111200936 bytes, 0 no buffer
        Received 171 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        131444 packets output, 89823504 bytes, 0 underruns
        0 output errors, 0 collisions
        0 late collisions, 191 deferred
        input queue (curr/max blocks): hardware (0/25) software (0/0)
        output queue (curr/max blocks): hardware (0/5) software (0/0)
Interface GigabitEthernet1.2 "outside", is up, line protocol is up
        VLAN identifier 2
        MAC address 0003.4708.ec54, MTU 1500
        IP address 10.1.1.1, subnet mask 255.0.0.0
        Received 17683308 packets, 20714401393 bytes
        Transmitted 119650 packets, 86481250 bytes
        Dropped 95017 packets
[output for other interfaces omitted]

Notice that the outside interface is actually a logical interface (GigabitEthernet1.2) representing a VLAN on a physical trunk interface (GigabitEthernet1). An MTU is set only when the nameif command has been configured for an interface, as in the case of the logical interface named outside.

Tip

Hosts using TCP connections also negotiate the maximum segment size (MSS) that is used. This is done as a TCP connection is initiated (each side advertises its MSS in the SYN it sends), and it occurs on a per-connection basis. As a result, an MSS value can sometimes be chosen that is larger than the path MTU allows, because the MSS plus the IP and TCP headers exceeds the MTU of some link along the path. This also results in TCP packets being fragmented so that they can be forwarded.

You can configure the firewall to govern the maximum MSS value negotiated on connections passing through it. The firewall overrides any request for an MSS value larger than its limit, and it replaces the MSS value in the TCP packet so that the negotiation is transparent to the end hosts.

You can use the following command to limit the TCP MSS size in all TCP connections:

Firewall(config)# sysopt connection tcpmss [minimum] bytes

By default, the TCP MSS must be between 48 and 1380 bytes. The default maximum of 1380 leaves room in a 1500-byte packet for a 20-byte IP header, a 20-byte TCP header, and up to 80 bytes of IPsec overhead. You can adjust the maximum MSS limit to bytes or the minimum MSS to minimum bytes.
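As an added example (not from the book, and not Cisco's implementation), the following Python builds a constructed IPv4 SYN carrying an MSS option and rewrites it the way the firewall does for sysopt connection tcpmss: an MSS above the maximum is lowered to it, one below the minimum is raised to it, and the TCP checksum is recomputed so the end hosts never see that the value changed. The addresses, ports and option layout are assumptions made for the example; the checksum arithmetic follows RFC 1071.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones'-complement checksum used by IPv4 and TCP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the pseudo-header (src, dst, zero, proto 6, length) + segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed IPv4/TCP SYN whose only option is MSS (kind 2, length 4)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    doff = (20 + len(opts)) // 4                       # header length in 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, 0x02, 65535, 0, 0) + opts
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def _tcp_bounds(packet):
    """Return (IP header length, TCP header length) in bytes."""
    ihl = (packet[0] & 0x0F) * 4
    doff = (packet[ihl + 12] >> 4) * 4
    return ihl, doff


def _walk_options(buf, start, end):
    """Yield (index, kind, length) for each TCP option between start and end."""
    i = start
    while i < end:
        kind = buf[i]
        if kind == 0:                       # end of option list
            return
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= end or buf[i + 1] < 2:  # truncated or malformed option
            return
        yield i, kind, buf[i + 1]
        i += buf[i + 1]


def read_mss(packet: bytes):
    """MSS option value carried in a segment, or None if there is none."""
    ihl, doff = _tcp_bounds(packet)
    for i, kind, length in _walk_options(packet, ihl + 20, ihl + doff):
        if kind == 2 and length == 4:
            return struct.unpack_from("!H", packet, i + 2)[0]
    return None


def clamp_mss(packet: bytes, maximum: int = 1380, minimum: int = 48):
    """Rewrite the MSS option to lie within [minimum, maximum] and fix the TCP
    checksum. Returns (packet, original_mss, resulting_mss)."""
    ihl, doff = _tcp_bounds(packet)
    buf = bytearray(packet)
    for i, kind, length in _walk_options(buf, ihl + 20, ihl + doff):
        if kind == 2 and length == 4:
            mss = struct.unpack_from("!H", buf, i + 2)[0]
            new = max(minimum, min(maximum, mss))
            if new != mss:
                struct.pack_into("!H", buf, i + 2, new)
                struct.pack_into("!H", buf, ihl + 16, 0)   # zero the field before recomputing
                csum = tcp_checksum(packet[12:16], packet[16:20], bytes(buf[ihl:]))
                struct.pack_into("!H", buf, ihl + 16, csum)
            return bytes(buf), mss, new
    return packet, None, None


def checksum_ok(packet: bytes) -> bool:
    """A correct TCP checksum makes the ones'-complement sum come out to zero."""
    ihl, _ = _tcp_bounds(packet)
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


if __name__ == "__main__":
    syn = build_syn(bytes([10, 1, 1, 10]), bytes([192, 168, 1, 4]), 40000, 443, 1460)
    rewritten, old, new = clamp_mss(syn)
    print(f"MSS {old} -> {new}, checksum valid: {checksum_ok(rewritten)}")
```

Only the TCP header is touched; the IP header and its checksum are left alone, which is why the firewall can do this transparently in the forwarding path. Note that the IP checksum would also have to be recomputed if the rewrite changed anything in the IP header, which an MSS rewrite never does.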

When a firewall receives packets that have been fragmented, it stores each fragment in a cache and virtually reassembles the fragments so that the original packet can be inspected; the fragments themselves are forwarded as they were received rather than as one rebuilt packet. This allows the firewall to verify the order and integrity of each fragment and to discover malicious exploits that use fragmentation, such as overlapping fragments or fragment chains that would exceed the maximum IP packet size. This process is part of the FragGuard firewall feature.
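The following is an added example, not the firewall's code and not from the book: a small model of virtual reassembly that holds fragments per datagram (keyed by source, destination, identification and protocol), rejects overlapping fragments, fragments that run past 65,535 bytes, misaligned fragments and a second "last" fragment, and reports a chain as complete only when the pieces cover the datagram without gaps. The reassembled bytes are returned purely so the caller can inspect them, mirroring the point that nothing is forwarded reassembled. The Fragment fields and the sample fragments in the test are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_DATAGRAM = 65535          # largest IPv4 datagram the total-length field allows


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int                # IP identification field
    proto: int                # IP protocol number
    offset: int               # fragment offset in bytes (13-bit field * 8)
    more: bool                # MF flag
    payload: bytes


@dataclass
class Chain:
    pieces: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload
    total_len: Optional[int] = None                          # known once MF=0 is seen


class VirtualReassembler:
    """Per-datagram fragment cache with the checks virtual reassembly performs.
    Hypothetical model written for this example; any failed check discards the
    whole chain, since the firewall cannot trust the remaining fragments either."""

    def __init__(self):
        self.chains: Dict[tuple, Chain] = {}

    def add(self, f: Fragment) -> Tuple[str, Optional[bytes]]:
        key = (f.src, f.dst, f.ident, f.proto)
        end = f.offset + len(f.payload)
        # Offsets are 8-byte aligned and every non-last fragment carries a
        # multiple of 8 bytes; nothing may extend past the 16-bit total length.
        if f.offset % 8 or (f.more and len(f.payload) % 8):
            return self._drop(key, "drop: malformed fragment")
        if end > MAX_DATAGRAM:
            return self._drop(key, "drop: oversized datagram")
        chain = self.chains.setdefault(key, Chain())
        if chain.pieces.get(f.offset) == f.payload:
            return "duplicate", None                      # plain retransmission
        # Any byte range already held by another piece is an overlap (teardrop-style).
        for off, data in chain.pieces.items():
            if f.offset < off + len(data) and off < end:
                return self._drop(key, "drop: overlapping fragment")
        if not f.more:
            if chain.total_len is not None:
                return self._drop(key, "drop: two last fragments")
            if any(off + len(d) > end for off, d in chain.pieces.items()):
                return self._drop(key, "drop: data beyond last fragment")
            chain.total_len = end
        elif chain.total_len is not None and end > chain.total_len:
            return self._drop(key, "drop: data beyond last fragment")
        chain.pieces[f.offset] = f.payload
        # Complete only when the pieces cover 0..total_len contiguously.
        if chain.total_len is not None:
            cursor = 0
            for off in sorted(chain.pieces):
                if off != cursor:
                    break
                cursor += len(chain.pieces[off])
            if cursor == chain.total_len:
                del self.chains[key]
                return "complete", b"".join(chain.pieces[o] for o in sorted(chain.pieces))
        return "pending", None

    def _drop(self, key, reason: str) -> Tuple[str, None]:
        self.chains.pop(key, None)
        return reason, None


if __name__ == "__main__":
    r = VirtualReassembler()
    print(r.add(Fragment("10.1.1.1", "192.168.1.4", 7, 1, 0, True, b"A" * 16)))
    print(r.add(Fragment("10.1.1.1", "192.168.1.4", 7, 1, 8, False, b"X" * 8)))  # overlaps
```

A real implementation also needs a timer per chain (the firewall's fragment timeout) and a cap on cached fragments per interface, because an attacker who never sends the last fragment can otherwise fill the cache; those limits are what the configuration steps that follow control.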

You can configure how the firewall handles the packet fragments it receives with the following steps: