Cisco Support Community

New Member

ARP Logic Question

Hi,

I posted this in both firewall and LAN section to get two points of view:

Can anyone help me understand an issue with ARP logic?  I installed a multi-context firewall and did not use the auto mac command.  The router showed (for example) for the subinterfaces on the contexts

arp ip x.x.x.30  mac xxxx.xxxx.fee1

arp ip x.x.x.31  mac xxxx.xxxx.fee1

arp ip x.x.x.32  mac xxxx.xxxx.fee1

IP traffic to the various contexts never flowed.  I had to implement the auto mac command which gave each context its own MAC.  My question is, is it against the logic to have multiple IPs for one MAC?  I did not think it was.  Why did I have to use the auto-mac command on the firewall then?  Thanks for any info....

Rob

1 ACCEPTED SOLUTION

Cisco Employee

Re: ARP Logic Question

Hi Rob,

Without knowing what your config looks like, I would guess that traffic failed without the auto-generated MACs because you didn't have NAT statements set up for the addresses in each context. When interfaces are shared in multiple context mode, the shared interfaces will all use the same MAC address by default (as you noticed). In order to determine which context a packet needs to go to when it is received by the ASA, it tries to match the destination IP to a NAT statement in a context, since the MAC will always be the same. This link will explain the process a little better:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146806

Specifically, you want to look at the "Unique MAC Addresses" and "NAT Configuration" sections. They explain the issue you were having:

If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a destination IP address lookup....The classifier matches the destination IP address to either a static command or a global command.

To fix the problem, you can either have the ASA auto-generate unique MACs for the contexts, or set up NAT like the examples noted in the link above.

Hope that helps.

-Mike
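The two-stage decision Mike describes, as an added example that is not part of the original thread and is not Cisco's code: a small Python model of the ASA 8.2-era classifier for a shared interface. Stage one matches the destination MAC against each context's interface MAC; only when that MAC is shared by several contexts does stage two look the destination IP up against the mapped addresses from each context's `static` and `global` commands. The context names, the `0000.0000.fee1` stand-in for the `xxxx.xxxx.fee1` in the question, the `203.0.113.x`/`10.x.0.10` addresses and the config lines are all constructed for illustration; the parser only understands the single-address forms of `static` and `global` shown here, not ranges or the `interface` keyword.

```python
"""Constructed model of the ASA multiple-context packet classifier on a shared
interface. This is an illustration, not ASA code: it reproduces the documented
order of checks (unique MAC first, then destination IP against NAT statements)
so the failure in the question can be reproduced and then fixed two ways."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """One security context and the facts the classifier needs about it."""
    name: str
    shared_mac: str           # MAC of this context's subinterface on the shared link
    nat_addresses: frozenset  # mapped addresses taken from 'static'/'global' commands


# ASA 8.2 syntax: static (real_if,mapped_if) MAPPED REAL netmask MASK
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
# ASA 8.2 syntax: global (mapped_if) nat_id ADDRESS
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def nat_addresses_from_config(lines):
    """Collect the mapped (outside-visible) addresses the classifier matches on.
    For 'static' that is the MAPPED token; for 'global' it is the address token.
    Single addresses only; ranges and 'interface' are not modelled here."""
    addrs = set()
    for line in lines:
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            addrs.add(m.group(3))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            addrs.add(m.group(3))
    return frozenset(addrs)


def classify(dst_mac, dst_ip, contexts):
    """Return the name of the context a packet is classified into, or None when
    the ASA cannot decide (the packet is then dropped)."""
    dst_mac = dst_mac.lower()
    candidates = [c for c in contexts if c.shared_mac.lower() == dst_mac]
    if not candidates:
        return None                    # MAC belongs to no context on this interface
    if len(candidates) == 1:
        return candidates[0].name      # unique MAC decides it; NAT is not consulted
    # MAC is shared by several contexts: fall back to a destination-IP lookup
    # against the static/global statements of each candidate context.
    by_ip = [c for c in candidates if dst_ip in c.nat_addresses]
    if len(by_ip) == 1:
        return by_ip[0].name
    return None                        # no (or ambiguous) NAT match: dropped


SHARED_MAC = "0000.0000.fee1"          # constructed stand-in for xxxx.xxxx.fee1


def robs_original_setup():
    """Three contexts, one shared MAC, no NAT statements: the question's setup."""
    return [Context(f"ctx{n}", SHARED_MAC, frozenset()) for n in (30, 31, 32)]


def with_nat_statements():
    """Same shared MAC, but each context carries a static for its own address."""
    ctxs = []
    for n in (30, 31, 32):
        cfg = [f"static (inside,outside) 203.0.113.{n} 10.{n}.0.10 "
               f"netmask 255.255.255.255"]
        ctxs.append(Context(f"ctx{n}", SHARED_MAC, nat_addresses_from_config(cfg)))
    return ctxs


def with_auto_mac():
    """'mac-address auto' in the system execution space: every context's
    subinterface gets its own MAC, so stage one alone classifies the packet.
    The MAC values here are invented placeholders, not the ASA's real scheme."""
    return [Context(f"ctx{n}", f"0000.0000.00{n}", frozenset()) for n in (30, 31, 32)]


if __name__ == "__main__":
    pkt = ("203.0.113.31", "ctx31")  # a packet for the .31 context
    print("no NAT, shared MAC :", classify(SHARED_MAC, pkt[0], robs_original_setup()))
    print("NAT, shared MAC    :", classify(SHARED_MAC, pkt[0], with_nat_statements()))
    print("auto MAC, no NAT   :", classify("0000.0000.0031", pkt[0], with_auto_mac()))
```

Run as a script, the first line prints `None`: the router's ARP table was correct, but with three contexts behind one MAC and nothing for the classifier to match on, the packet could not be placed in any context. The two fixes are independent, which is why the thread offers either: once MACs are unique the NAT lookup is never reached, and once a `static` or `global` covers each address the shared MAC is no longer a problem. The same MAC-then-IP logic makes the classifier the right place to look when traffic to one context of a shared interface is silently lost.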

2 REPLIES
New Member

Re: ARP Logic Question

Mike,

Great.  Thank you very much.
