Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
672
Views
0
Helpful
4
Replies

Mac address showing on Firewall Trunk Port

Go to solution
mahesh18
Level 6
Level 6

‎12-16-2013 09:34 AM - edited ‎03-11-2019 08:18 PM

Hi everyone,

We have switch connected to firewall.

Switch port is configured as trunk to carry 2 vlans.

From Firewall when i ping the switch management  IP and other SVI vlan  it works fine.

sh arp on firewall  shows

20bb.c0fa.b641

20bb.c0fa.b642

When i check the switch int

GigabitEthernet0/2 is up, line protocol is up (connected)

  Hardware is Gigabit Ethernet, address is 20bb.c0fa.b602 (bia 20bb.c0fa.b602)

Need to understand why firewall is showing mac address as 41 and 42 instead of 02?

Regards

Mahesh

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎12-16-2013 09:40 AM

Hi Mahesh,

Try to check the MAC address of the SVIs on the actual switch and compare them to the "show arp" output on the firewall.

For example

show interface vlan x

And so on on the switch.

The MAC address shown in the ASA ARP table should be of the SVIs on the switch since those are the ones holding the IP address you are sending ICMP to.

Hope this helps

- Jouni

View solution in original post

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎12-16-2013 10:15 AM

Mahesh

Just to add to Jouni's post.

When you ping the SVI IP address from the ASA you only need the mac address of the SVI not the actual mac address on gi0/0.  So the ASA will send an arp packet (if it doen't have the mac address in it's arp table already) asking for the mac address of the IP address you have sent a ping to.

As the IP address was configured on an SVI the switch responds with the mac address of the SVI. If the switch returned the mac address of the actual gi0/0 port then your ping would not work because there is no IP address configured on that port.

Jon

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎12-16-2013 09:40 AM

Hi Mahesh,

Try to check the MAC address of the SVIs on the actual switch and compare them to the "show arp" output on the firewall.

For example

show interface vlan x

And so on on the switch.

The MAC address shown in the ASA ARP table should be of the SVIs on the switch since those are the ones holding the IP address you are sending ICMP to.

Hope this helps

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎12-16-2013 10:13 AM

Hi Jouni,

You are spot on.

Best regards

Mahesh

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎12-16-2013 10:15 AM

Mahesh

Just to add to Jouni's post.

When you ping the SVI IP address from the ASA you only need the mac address of the SVI not the actual mac address on gi0/0.  So the ASA will send an arp packet (if it doen't have the mac address in it's arp table already) asking for the mac address of the IP address you have sent a ping to.

As the IP address was configured on an SVI the switch responds with the mac address of the SVI. If the switch returned the mac address of the actual gi0/0 port then your ping would not work because there is no IP address configured on that port.

Jon

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jon Marshall

‎12-16-2013 10:18 AM

Hi Jon,

It is my pleasure to get reply from you.

And as always your explanation is wonderfull.

Best Regards

Mahesh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card