Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

ASA as default gateway and user tracking :-(

My customer uses an ASA firewall as a default gateway.

In the Supported Devices Table for Cisco Prime LAN Management  Solution 4.1 I see:

The following features are not supported:

  • Network Topology Layer 2 Services

Now I realize that the user tracking needs to get an ARP table from this device to provide IP details to the user tracking reports.

Very simple, very straight forward. Not?

But it is a part of the "Network Topology Layer 2 Services".

This means it probably won't try to get the ARP table.... I guess my customer is out of luck here.

Now if the switch would have an IP address in that VLAN and have a route to the firewall, could I set the default gateway to the switch's IP address and get the ARP table from the switch in user tracking?

Would there be another way to "fool" usertracking with a list of IP mac relations?

I know I can use the "End Host Table Import" feature but it will still leave the IP column empty.

Thanks for any comments.



Hall of Fame Super Silver

ASA as default gateway and user tracking :-(

Hi Michel,

I believe the solution of using an SVI on the switch as the default gateway is the most elegant solution / hack. I recall Joe Clarke recommended a similar solution with a one-armed router a while back.

One thought that comes to mind is would the customer lose any first hop redundancy (i.e., is the ASA part of an HA pair) and, if so, can you build it back in?

ASA as default gateway and user tracking :-(

Thanks mklemovitch,

There are indeed 2 ASA's. I'm not sure about the redundancy setup, but if anything is to work for the endhosts if the primary ASA goes down, then the second ASA has to take the same IP address as the primary. endhosts are not smart about their default gateway.

So for my switch that would be the same as for the current endhosts.

The only thing I wonder about is, will user tracking read the ARP cache from the switch. Will it think of the switch as a layer 3 device?

I don't know how UT works, I assumed that there would be a table with a list of known mac and IP addresses but I can't find it in the campus database.

If I was to do the user tracking then I would simply read all ARP cache from every device. I think I would drop any dupe IP entries deleting the entry having a cisco OUI mac address. And use the remaing to update my user tracking table.

I would love to be able to hack the UT and add a list of mac/IP records from a source of my choice.



CreatePlease login to create content