How to know the connection between ASA and 6509?
05-21-2015 12:02 PM - edited 03-05-2019 01:31 AM
Hi. Two ASA firewalls work as a failover pair. Suppose the primary ASA1 inside interface IP address is 192.168.1.1/24. From the Catalyst 6509, we can see the IP address 192.168.1.1 and its MAC address (both belong to ASA1) with show ip arp on the 6509. But when we run show cdp neighbor on the 6509, we cannot see the ASA firewall. On ASA1, we can see the 6509's IP address (VLAN) and MAC with show arp. Showing the MAC address table on the 6509 does not indicate the related port. So we do not know which port on the 6509 is connected to ASA1. My question is: how can we find out which port on the 6509 connects to ASA1? Thank you
Labels: Other Routing
05-21-2015 01:33 PM
The ASA doesn't support CDP, so you can't use it to find neighbors.
But you should see the MAC address (which is seen in "show interface" on the ASA) on the switch.
As a last option, you could failover to the secondary ASA, log on to the other ASA (which is now the secondary) and shut the interface. On the c6k you'll see the port go down.
05-21-2015 02:24 PM
Thanks for your reply. Yes, we can see the MAC of the ASA and of the switch with the command show arp, but show mac-address-table on the switch does not show the related port. That is why we do not know which switch ports are connected to the ASA.
Shutting down an interface of the ASA is not acceptable because it is a production environment.
I think each failover ASA (primary and secondary) must have two cables connected, one to each of the two 6509s. So each 6509 also has two cables connected to the two ASAs, respectively.
05-21-2015 02:44 PM
I assume that you did something wrong. The MAC should show up in the switch:
    ASA5520/pri/act# sh interface inside | i MAC
            MAC address 0000.0c00.1111, MTU 1500

    Core-SW#sh mac address-table address 0000.0c00.1111
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
     101    0000.0c00.1111    DYNAMIC     Gi1/0/1
    Total Mac Addresses for this criterion: 1
    Core-Sw#
For shutting down the ASA interface:
You can shut down the interface on the standby ASA without disrupting your communication, as the standby ASA doesn't forward any traffic. And the "shut" command doesn't get replicated from the standby to the active ASA.
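The lookup chain in the reply above (ASA MAC from show interface, IP-to-MAC from the switch ARP table, MAC-to-port from the MAC address table) as a small Python script. This is an added example, not code from the thread or from Cisco; the three command outputs it parses are constructed samples modelled on the reply, not captures from a real device, and the function names and the 0011.2233.4455 / 0000.0c00.2222 entries are assumptions made for the example. It also handles the two ways this lookup fails in practice: the MAC is written in a different separator style, or the entry is missing from the table.

```python
import re

# Constructed sample outputs (not captured from real devices), in the style of the reply above.
ASA_SHOW_INTERFACE = """\
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        MAC address 0000.0c00.1111, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.0
"""

SWITCH_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             3   0000.0c00.1111  ARPA   Vlan101
Internet  192.168.1.254           -   0011.2233.4455  ARPA   Vlan101
"""

SWITCH_SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 101    0000.0c00.1111    DYNAMIC     Gi1/0/1
 101    0011.2233.4455    STATIC      CPU
 101    0000.0c00.2222    DYNAMIC     Gi1/0/2
Total Mac Addresses for this criterion: 3
"""


def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, whether it was written
    as 0000.0c00.1111 (Cisco), 00:00:0c:00:11:11 or 00-00-0c-00-11-11."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def asa_interface_mac(show_interface):
    """Pull the MAC out of 'show interface <name>' on the ASA, or None if absent."""
    m = re.search(r"MAC address ([0-9a-fA-F.]+)", show_interface)
    return normalize_mac(m.group(1)) if m else None


def arp_lookup(show_ip_arp, ip):
    """Return (mac, svi) for an IP from 'show ip arp' on the switch, or None."""
    for line in show_ip_arp.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "Internet" and f[1] == ip:
            return normalize_mac(f[3]), f[5]
    return None


def mac_table_ports(show_mac_table, mac):
    """Return [(vlan, type, port), ...] for a MAC from 'show mac address-table'.
    Header, separator and summary lines fail the MAC check and are skipped."""
    want = normalize_mac(mac)
    hits = []
    for line in show_mac_table.splitlines():
        f = line.split()
        if len(f) < 4:
            continue
        try:
            if normalize_mac(f[1]) == want:
                hits.append((int(f[0]), f[2], f[3]))
        except ValueError:
            continue
    return hits


def find_asa_port(ip, asa_show_interface, switch_show_ip_arp, switch_show_mac_table):
    """Tie the three outputs together: IP -> MAC (ARP) -> port (MAC table).
    Raises LookupError when the outputs are inconsistent or the entry is missing."""
    arp = arp_lookup(switch_show_ip_arp, ip)
    if arp is None:
        raise LookupError(f"{ip} is not in the switch ARP table")
    mac, svi = arp
    asa_mac = asa_interface_mac(asa_show_interface)
    if asa_mac is not None and asa_mac != mac:
        raise LookupError(f"ARP says {mac} but the ASA reports {asa_mac}; check which unit is active")
    entries = mac_table_ports(switch_show_mac_table, mac)
    if not entries:
        raise LookupError(f"{mac} is not in the MAC table; it may have aged out, ping {ip} and retry")
    return {"ip": ip, "mac": mac, "svi": svi, "entries": entries}


if __name__ == "__main__":
    print(find_asa_port("192.168.1.1", ASA_SHOW_INTERFACE, SWITCH_SHOW_IP_ARP, SWITCH_SHOW_MAC_TABLE))
```

One caveat when reading the result on a failover pair: in ASA Active/Standby failover the active unit uses the primary unit's interface MAC addresses, and the secondary takes those addresses over when it becomes active, so the port the MAC table returns is the port of whichever unit is currently active, not necessarily the chassis labelled primary. A MAC that shows up on a port-channel or on a port facing the other 6509 means the frame is arriving over the inter-switch link, and the lookup has to be repeated on that switch.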
05-21-2015 08:05 PM
You are right about "shut" and the mac-address-table.
If we shut it, the boss would know that and he will... though it does not hurt. With the mac-address-table, if the switch learns the MAC address from a VLAN, it does not show the ports, right?