ARP Logic Question

robert.horrigan (Level 2)

Hi,

I posted this in both firewall and LAN section to get two points of view:

Can anyone help me understand an issue with ARP logic?  I installed a multi-context firewall and did not use the auto mac command.  The router showed (for example) for the subinterfaces on the contexts:

arp ip x.x.x.30  mac xxxx.xxxx.fee1
arp ip x.x.x.31  mac xxxx.xxxx.fee1
arp ip x.x.x.32  mac xxxx.xxxx.fee1

IP traffic to the various contexts never flowed.  I had to implement the auto mac command, which gave each context its own MAC.  My question is, is it against the logic to have multiple IPs for one MAC?  I did not think it was.  Why did I have to use the auto-mac command on the firewall then?  Thanks for any info....

Rob

Accepted Solution

mirober2 (Cisco Employee)

Hi Rob,

Without knowing what your config looks like, I would guess that traffic failed without the auto-generated MACs because you didn't have NAT statements set up for the addresses in each context. When interfaces are shared in multiple context mode, the shared interfaces will all use the same MAC address by default (as you noticed). In order to determine which context a packet needs to go to when it is received by the ASA, it tries to match the destination IP to a NAT statement in a context, since the MAC will always be the same. This link will explain the process a little better:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146806

Specifically, you want to look at the "Unique MAC Addresses" and "NAT Configuration" sections. They explain the issue you were having:

If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup....The classifier matches the destination IP address to either a static command or a global command.

To fix the problem, you can either have the ASA auto-generate unique MACs for the contexts, or set up NAT like the examples noted in the link above.

Hope that helps.

-Mike
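To make the classifier behaviour Mike describes concrete, here is an added Python model (not Cisco code, not from this thread) of the two lookups: a frame arriving on a shared interface is first matched on destination MAC, and only if several contexts share that MAC does the ASA fall back to a destination-IP lookup against the contexts' static/global (NAT) entries. Interface name, context names, the 192.0.2.x addresses and the MACs are constructed stand-ins for Rob's x.x.x.30-32 / xxxx.xxxx.fee1.

```python
from dataclasses import dataclass, field

@dataclass
class Context:
    name: str
    interface: str                      # shared (sub)interface the context lives on
    mac: str                            # MAC this context answers with on that interface
    nat_addresses: set = field(default_factory=set)  # IPs from its static/global commands

def classify(contexts, interface, dst_mac, dst_ip):
    """Return the context name a frame is handed to, or None if it is dropped."""
    candidates = [c for c in contexts if c.interface == interface]
    # Lookup 1: with auto-generated (unique) MACs the destination MAC alone decides.
    mac_hits = [c for c in candidates if c.mac == dst_mac]
    if len(mac_hits) == 1:
        return mac_hits[0].name
    # Lookup 2: MAC shared by several contexts -> destination IP vs. NAT statements.
    ip_hits = [c for c in mac_hits if dst_ip in c.nat_addresses]
    if len(ip_hits) == 1:
        return ip_hits[0].name
    return None  # no unique owner: the classifier cannot pick a context

IFACE = "gig0/1.10"                     # constructed shared subinterface name
SHARED_MAC = "0000.0000.fee1"           # constructed stand-in for xxxx.xxxx.fee1
CTX_IPS = {"ctxA": "192.0.2.30", "ctxB": "192.0.2.31", "ctxC": "192.0.2.32"}

def rob_scenario(auto_mac: bool, nat: bool):
    """Build Rob's three contexts and classify one packet to each context's IP."""
    contexts = []
    for i, (name, ip) in enumerate(CTX_IPS.items()):
        mac = f"0000.0000.00{i + 1:02x}" if auto_mac else SHARED_MAC
        contexts.append(Context(name, IFACE, mac, {ip} if nat else set()))
    # The upstream router's ARP cache: each IP resolves to the MAC its context answers with
    # (all three resolve to the same MAC when auto-mac is off, exactly what Rob saw).
    arp_table = {CTX_IPS[c.name]: c.mac for c in contexts}
    return {ip: classify(contexts, IFACE, arp_table[ip], ip) for ip in CTX_IPS.values()}

if __name__ == "__main__":
    print("shared MAC, no NAT :", rob_scenario(auto_mac=False, nat=False))  # all None
    print("auto-mac, no NAT   :", rob_scenario(auto_mac=True, nat=False))   # all classified
    print("shared MAC + NAT   :", rob_scenario(auto_mac=False, nat=True))   # all classified
```

The first case reproduces the "traffic never flowed" symptom; either of the two fixes in the answer makes every packet classifiable.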


2 Replies

Mike,

Great.  Thank you very much.
