Preserving MAC addresses from branch location

Answered Question
Apr 21st, 2009

We brought a branch location online a while back via a site-to-site T1 and a couple of 1841s. Everything is running great, but a problem I'm having is that the branch location clients' MAC address is showing up in my firewall logs as the MAC for the 1841 FastEthernet interface on the Headquarters side. I would like to be able to preserve the clients' MAC addresses so that they show up in the firewall logs correctly. Thanks for the help

lamav Tue, 04/21/2009 - 08:11

Hi:


It seems as though proxy ARP is enabled on your router's LAN interface.


HTH


Victor

Correct Answer
Jon Marshall Tue, 04/21/2009 - 08:54

Jerrod


MAC addresses are not preserved across L3 hops, so unless your branch is connected to the HQ site with an L2 link (which would also mean the 1841 routers on either side would have to be bridging the connection), you won't be able to preserve the MAC address.


So when the packets arrive at HQ and are sent from the 1841 to your firewall, the src MAC address will always be the 1841 FastEthernet interface. The src IP will obviously be the client.


This is normal TCP/IP behaviour.


Jon

lamav Tue, 04/21/2009 - 09:38

Wow, I read the post back asswards...:-)


Sorry, been a rough week...


Jon, naturally, is 100% correct. The source and destination IP addresses are always preserved, but the MAC addresses are re-written by each forwarding device on a hop-by-hop basis.


Sheeew.. that was a bad one!


Jon, as a conciliatory gesture for being so stupid, I rated your post ;-)


Victor
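A small forwarding model of the hop-by-hop rewrite that Jon's answer and Victor's follow-up describe, added here as an illustration and not code from the thread or from Cisco. All addresses, interface names, routing tables and ARP entries are constructed assumptions; the point it demonstrates is that the frame reaching the HQ firewall keeps the client's source IP but carries the HQ 1841's FastEthernet MAC, and that the T1 serial hop in between has no Ethernet header at all.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumed addresses, not from the thread):
# client --LAN--> branch 1841 --T1 serial--> HQ 1841 --LAN--> firewall
CLIENT = ("192.168.10.25", "00:11:22:33:44:55")
FIREWALL = ("10.0.0.254", "00:0c:29:aa:bb:cc")

class Router:
    """Minimal L3 forwarder: longest-prefix route lookup, then L2 rewrite on the egress interface."""
    def __init__(self, name, interfaces, routes, arp):
        self.name = name
        self.ifaces = interfaces   # iface name -> (ip_network, mac or None for a serial link)
        self.routes = routes       # list of (ip_network, egress iface, next-hop ip or None)
        self.arp = arp             # ip -> mac for hosts on directly attached LANs

    def forward(self, frame):
        dst = ip_address(frame["dst_ip"])
        # Longest-prefix match over the routing table.
        _, egress, next_hop = max((r for r in self.routes if dst in r[0]),
                                  key=lambda r: r[0].prefixlen)
        egress_mac = self.ifaces[egress][1]
        new = dict(frame, src_mac=egress_mac)          # IP header untouched, L2 rewritten
        if egress_mac is None:                         # T1 serial link: no Ethernet header
            new["dst_mac"] = None
        else:                                          # Ethernet: dst MAC from ARP, src MAC is ours
            new["dst_mac"] = self.arp[next_hop or frame["dst_ip"]]
        return new

branch = Router("branch-1841",
    {"Fa0/0": (ip_network("192.168.10.0/24"), "00:1a:2b:00:00:01"),
     "Se0/0": (ip_network("172.16.0.0/30"), None)},
    [(ip_network("10.0.0.0/24"), "Se0/0", "172.16.0.2"),
     (ip_network("0.0.0.0/0"), "Se0/0", "172.16.0.2")],
    {CLIENT[0]: CLIENT[1]})
hq = Router("hq-1841",
    {"Se0/0": (ip_network("172.16.0.0/30"), None),
     "Fa0/0": (ip_network("10.0.0.0/24"), "00:1a:2b:00:00:02")},
    [(ip_network("10.0.0.0/24"), "Fa0/0", None),
     (ip_network("192.168.10.0/24"), "Se0/0", "172.16.0.1")],
    {FIREWALL[0]: FIREWALL[1]})

def trace(client=CLIENT, firewall=FIREWALL):
    """Return the frame as each hop sees it; the last entry is what the firewall logs."""
    frame = {"src_mac": client[1], "dst_mac": branch.ifaces["Fa0/0"][1],
             "src_ip": client[0], "dst_ip": firewall[0]}
    hops = [frame]
    for rtr in (branch, hq):
        frame = rtr.forward(frame)
        hops.append(frame)
    return hops

if __name__ == "__main__":
    for i, h in enumerate(trace()):
        print(f"hop {i}: src_mac={h['src_mac']} dst_mac={h['dst_mac']} src_ip={h['src_ip']}")
```

Because the MAC seen at HQ identifies only the last router, correlating a firewall log entry back to a branch host has to go through the logged source IP (and the branch's DHCP or ARP records), not the MAC field.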



Jon Marshall Tue, 04/21/2009 - 11:59

Victor


No problem, I figured you just misread the question. You could trawl through my posts and find some really bad answers :-)


Jon
