
ASA 5505 macs

Rafael Jimenez
Level 4

Hello,

I have a doubt about which MAC address I should give to the ISP.

The documentation says the MAC used by the ASA is the burned-in MAC. See below.

I gave ISP2 the burned-in MAC address, but they said that they do not see any traffic.

To test the link, I just cloned the burned-in MAC on another Cisco RV042 router and I got a connection to the internet.

At this moment I'm not sure if the absence of traffic is because ISP2 has a wrong MAC.

I have configured the default routes to the other ISP (ISP1). Despite this, I think ISP2 should see some traffic.

Any ideas?

DOCS:

==========================================

I just read in the ASDM documentation the following:

MAC Address Overview

....

By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.


Julio Carvajal
VIP Alumni

Hello Rafael,

So you have 2 ISP connections on your ASA.

You have an ASA 5505. Provide them the MAC address of the VLAN interface where the port that goes to the ISP is.

This is because of the built-in switch functionality.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Check the show interface output (the burned-in MAC is 0025.8451.7f48):

Interface Vlan190 "isp1", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        Description: Telmex ISP
        MAC address 0025.8451.7f48, MTU 1500
  Traffic Statistics for "isp1":
        15688759 packets input, 8841431674 bytes
        5525417 packets output, 1555285198 bytes
        122332 packets dropped
      1 minute input rate 46 pkts/sec,  2404 bytes/sec
      1 minute output rate 14 pkts/sec,  4897 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 110 pkts/sec,  53165 bytes/sec
      5 minute output rate 101 pkts/sec,  46256 bytes/sec
      5 minute drop rate, 2 pkts/sec
Interface Vlan200 "isp2", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        Description: UNE ISP
        MAC address 0025.8451.7f48, MTU 1500
  Traffic Statistics for "isp2":
        1419 packets input, 293059 bytes
        9346 packets output, 416428 bytes
        933 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
!

vlan190 is assigned to e0/0, vlan 200 is assigned to e0/1:


Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Description: Telmex ISP
        Available but not configured via nameif
        MAC address 0025.8451.7f40, MTU not set
        IP address unassigned

Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Description: UNE ISP
        Available but not configured via nameif
        MAC address 0025.8451.7f41, MTU not set
        IP address unassigned

The burned-in MAC is the same for all VLANs. It's different for each physical interface.

Correct,

That is why if you connect 2 interfaces to the same switch you will get some trouble (both will use the same MAC, as they use the VLAN built-in MAC).

You can change the MAC address on a per-VLAN basis (not on a per-port basis).

Regards,

Rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
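
Added example, not part of any post in this thread: a small Python check that parses ASA `show interface` text and reports MAC addresses presented by more than one interface, which is the condition discussed above for Vlan190 and Vlan200. The function names are hypothetical and the sample is trimmed from the output quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the `show interface` output quoted in the thread.
SAMPLE = """\
Interface Vlan190 "isp1", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address 0025.8451.7f48, MTU 1500
Interface Vlan200 "isp2", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address 0025.8451.7f48, MTU 1500
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        MAC address 0025.8451.7f40, MTU not set
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        MAC address 0025.8451.7f41, MTU not set
"""

IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)"')
MAC_RE = re.compile(r'^\s+MAC address ([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\b')

def parse_interfaces(text):
    """Return {interface_name: {"nameif": str, "mac": str or None}}."""
    interfaces, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:  # start of a new interface stanza
            current = m.group(1)
            interfaces[current] = {"nameif": m.group(2), "mac": None}
            continue
        m = MAC_RE.match(line)
        if m and current is not None:
            interfaces[current]["mac"] = m.group(1).lower()
    return interfaces

def shared_macs(interfaces):
    """Return {mac: [interface names]} for MACs used by more than one interface."""
    by_mac = defaultdict(list)
    for name, info in interfaces.items():
        if info["mac"]:
            by_mac[info["mac"]].append(name)
    return {mac: sorted(names) for mac, names in by_mac.items() if len(names) > 1}

if __name__ == "__main__":
    for mac, names in shared_macs(parse_interfaces(SAMPLE)).items():
        print(f"{mac} is shared by: {', '.join(names)}")
```
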