Hi Manny,

Many thanks for your reply, I am still unable to 'launch network sniffer application' from the ASDM. I get the following error after following your steps: /usr/local/bin/wireshark does not exist.
Here's a weird one. I was setting up a Cisco ASA 5505 for a branch office with an ADSL service that uses MAC registration to recognize authorized devices for DHCP address assignment. Should be easy to find the MAC of the port connected to the ISP's modem, right? Telnet into the ASA, enable, run a quick 'show interface Ethernet0/0' (.
Aug 18, 2016 Java headaches with Cisco ASDM-IDM launcher v1.7(0) by CrimsonKidA. But if you want the ASA to set the default route based on dhcp, then you need to configure: ip address dhcp setroute. As opposed to just.
Ah, that is interesting, Frol.

It makes me wonder if the ASA assigns these seemingly sequential ghost MACs to any VLANs that are created during configuration. It does seem more than coincidental that there are 7 hardware ports, 0/0 to 0/7 numbered :2195 to :219b (I confirmed these exist), then two additional MACs :219c and the aforementioned :219d, which the ISP was seeing as attached to my outside interface.

So if you submit those mac-address commands you so kindly quoted earlier to the ISP-facing VLAN, will all the physical interfaces (just one in this case) on that VLAN then appear to bear the made up MAC you attached to the VLAN?

I guess I assumed MAC addresses would have to be globally unique to be of any value as an identifier. I suppose the ISP wouldn't ever know the difference.
Doublehorn, at least those fake MACs shown on the list on my switch. BTW, are you sure that they will be transparent for ISP via the modem?

For the uniqueness, I think that's why Cisco has their recommendations.

MAC Address Format

The ASA generates the MAC address using the following format:

A2xx.yyzz.zzzz

Where xx.yy is a user-defined prefix, and zz.zzzz is an internal counter generated by the ASA. For the standby MAC address, the address is identical except that the internal counter is increased by 1.

For an example of how the prefix is used, if you set a prefix of 77, then the ASA converts 77 into the hexadecimal value 004D (yyxx). When used in the MAC address, the prefix is reversed (xxyy) to match the ASA native form:

A24D.00zz.zzzz

For a prefix of 1009 (03F1), the MAC address is:

A2F1.03zz.zzzz

The default behavior of switchports with Cisco devices is to use the MAC address of the VLAN interface (SVI) for communication. Hence you see 219d as the MAC address on the outside. This will be the case for all switchports in that VLAN. Say you connect Eth0/1 to some other device and put it in the same VLAN as Eth0/0, you will then see the MAC again as 219d.

Also, the ASA5505 assigns MAC addresses sequentially after the MAC address of Eth0/7 for every Layer 3 VLAN interface. I am guessing that your ISP side VLAN is VLAN 2 and hence you see the MAC is 2 more than the MAC of Eth0/7 (219b). So if you were to create a VLAN 3, say for DMZ, it will use the MAC address of 219e.

Ah, thanks so much for weighing in Prapanch.

Frol and I were kind of on the right track, but not quite. In any case, in order to register ASA devices with the ISP, I'll need to be able to predict what MAC my ISP facing VLAN will be advertising. So I suppose the question is, is there a CLI command for showing the MAC that a VLAN will be advertising?

I see that it's maybe possible on a 5505 to manually set the MAC of a VLAN interface, but after reading the literature here I'm honestly no closer to understanding this MAC / VLAN relationship than before.
I don't really care what the MAC is going to be, I just need to be able to view it reliably somehow.

Any thoughts?

I know this thread is a bit old, but it has been quite helpful in understanding this mess.

Can anyone explain why a VLAN needs its own sort of supplemental MAC address? I thought MAC addresses were reserved for use by hardware interfaces. Why can't Cisco just use the MAC address for Eth0/0 (or whatever you're using) instead of making up a new one for the VLAN 'outside'? In my mind, this gives that interface 2 MAC addresses and that just doesn't make sense to me.

Don't get me wrong, I'm assuming there's a good reason, I just don't know what it could possibly be.

Jon8579 wrote:

I know this thread is a bit old, but it has been quite helpful in understanding this mess.

Can anyone explain why a VLAN needs its own sort of supplemental MAC address? I thought MAC addresses were reserved for use by hardware interfaces. Why can't Cisco just use the MAC address for Eth0/0 (or whatever you're using) instead of making up a new one for the VLAN 'outside'? In my mind, this gives that interface 2 MAC addresses and that just doesn't make sense to me.

Don't get me wrong, I'm assuming there's a good reason, I just don't know what it could possibly be.

Maybe for the routing tables?
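
The two MAC rules discussed in this thread, worked through as an added example (not code from any poster or from Cisco): the quoted A2xx.yyzz.zzzz auto-generated format, and the guess that an ASA 5505 VLAN interface uses the MAC of Eth0/7 plus the VLAN number. The function names are hypothetical and the sample base MAC is constructed, since the thread only gives the last four hex digits.

```python
MASK48 = 0xFFFFFFFFFFFF


def fmt_mac(value: int) -> str:
    """Render a 48-bit integer in Cisco dotted notation (xxxx.xxxx.xxxx)."""
    digits = f"{value & MASK48:012x}"
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_mac(mac: str) -> int:
    """Accept dotted, colon or hyphen separated MACs; return a 48-bit integer."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)


def auto_mac(prefix: int, counter: int, standby: bool = False) -> str:
    """Build A2xx.yyzz.zzzz from a decimal prefix and the internal counter.

    The 16-bit prefix is written byte-swapped (77 = 0x004D -> 4D.00), and the
    standby address is the same address with the counter increased by 1.
    """
    if not 0 <= prefix <= 0xFFFF:
        raise ValueError("prefix must fit in 16 bits")
    if standby:
        counter += 1
    if not 0 <= counter <= 0xFFFFFF:
        raise ValueError("counter must fit in 24 bits")
    high, low = prefix >> 8, prefix & 0xFF
    return fmt_mac((0xA2 << 40) | (low << 32) | (high << 24) | counter)


def svi_mac_guess(eth0_7_mac: str, vlan_id: int) -> str:
    """Thread's guess for the ASA 5505: VLAN n uses (MAC of Eth0/7) + n.

    This encodes the guess made in the thread, not documented behaviour;
    compare the result with what the device itself reports.
    """
    return fmt_mac(parse_mac(eth0_7_mac) + vlan_id)


if __name__ == "__main__":
    print(auto_mac(77, 1))                       # active unit, counter 1
    print(auto_mac(77, 1, standby=True))         # standby unit
    # Constructed Eth0/7 MAC ending in 219b, as in the thread.
    print(svi_mac_guess("0011.2233.219b", 2))    # ISP-facing VLAN 2
```
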