Kings.

Cool down. I know how ARP works. I just meant that it would be easy for Cisco
to add an arp-entry automatically when the virtual ip is created. If we
should refer to plain logic without questioning the way Cisco thinks, the
most logical way for us to add l2-l3-mapping for the virtual IP would
be to manually add an ARP-entry. Doing a static doesn't feel very logical.
At least not for me.

But thanks for your input!

/J

2010/4/26 Kingsley Charles <[email protected]>

> It is not "that's just the way it is. No one knows why".
>
> That is the answer.
>
> Ok, issue "sh arp" on the ASA:
>
> Do you see ASA's interface IP address to MAC address mappings?
>
> Similarly, issue "sh arp" on an IOS router. You can see the router's Ethernet
> interfaces' IP address to MAC address mapping. Also note the age is "-",
> meaning it does not time out.
>
>
> ARP table should have the mappings of other devices in the ethernet domain.
> Just think, why does the ARP table have its own interfaces' mappings?
>
> In Ethernet, a device will process a frame only if the frame has a
> destination MAC address that is the same as the interface's MAC address. As soon
> as you configure an IP address for an interface, the device knows that the
> IP address belongs to it and will reply if there is an ARP request for that
> IP address.
>
> For cases like NAT, virtual NAT, SSLVPN, these features use an IP
> address but don't have a MAC. You need L2 addresses for these addresses.
> Mostly, the L2 address is the MAC address of the interface on which it is
> configured.
>
> If there is no L2 address for these feature IP addresses, then if a host
> sends a request for that feature IP address, the device will not respond
> with an ARP reply as there is no L2 address.
>
> Only with a static rule do you get the ASA to use the interface MAC address for the ARP
> reply when a host sends an ARP request for the virtual telnet IP
> address.
>
>
> Some examples:
>
> ASA Virtual telnet or http, add a static rule. This will associate the outside
> interface MAC to the virtual IP Address mostly. For any ARP request to the
> virtual IP Address, an ARP reply is sent with the interface's MAC address.
>
> IOS NAT rules - You can observe that for the outside Global address, the
> nat outside MAC address is used. When using NAT, check "sh arp".
>
>
>
>
> With regards
> Kings
>
> On Mon, Apr 26, 2010 at 3:22 PM, Jimmy Larsson <[email protected]> wrote:
>
>> Oh, sounds like another "that's just the way it is. No one knows why". ;)
>>
>> Thanks a lot for the explanation, Kings!
>>
>> /Jimmy
>>
>> 2010/4/26 Kingsley Charles <[email protected]>
>>
>>  In an Ethernet environment, ARP is used to resolve IP to MAC addresses.
>>>
>>> With ASA, when you configure an IP Address for an interface, then it adds
>>> a mapping of the interface IP address to MAC address. When any host sends an ARP
>>> request to reach the ASA interface, the ASA sends an ARP reply.
>>>
>>> Now when you configure a virtual telnet and a host is sending an ARP
>>> request to the virtual address, the ASA needs to reply to it.
>>>
>>> Only if you configure a static rule for the virtual address will the ASA
>>> add a mac address mapping of its interface for the virtual IP address. Now
>>> the ASA sends an ARP reply.
>>>
>>>
>>> With regards
>>> Kings
>>>   On Mon, Apr 26, 2010 at 2:33 PM, Jimmy Larsson <[email protected]> wrote:
>>>
>>>> Yeah, I understand that. But the task is about traffic TO the ASA not
>>>> thru it. Why do a static for the virtual ip? Anyone?
>>>>
>>>> Br Jimmy
>>>>
>>>>
>>>> 2010/4/26 Stojanco Cavdarov <[email protected]>
>>>>
>>>> Hi Jimmy
>>>>>
>>>>> I can't answer why it is needed, but we had a huge discussion about static
>>>>> NAT, and if I understood it, the conclusion was that
>>>>>
>>>>> static (inside,outside) 1.1.1.1 2.2.2.2, and
>>>>> static (outside,inside) 2.2.2.2 1.1.1.1
>>>>>
>>>>> ... will do the same thing. So if you're using (in,out), incoming
>>>>> packets with src OR dst address 2.2.2.2 will be translated to 1.1.1.1,
>>>>> outgoing packets from OR to: 1.1.1.1 will be translated to 2.2.2.2
>>>>>
>>>>> I might be wrong on this though.
>>>>>
>>>>>   On Mon, Apr 26, 2010 at 10:03 AM, Jimmy Larsson <[email protected]> wrote:
>>>>>
>>>>>>  Hi
>>>>>>
>>>>>> In task 1.9 I create a virtual-telnet for authentication of inbound
>>>>>> traffic. But why is the "static (inside,outside) 192.1.24.9 192.1.24.9"
>>>>>> needed? I telnet to the virtual ip from outside (R2). Why static? and why
>>>>>> to inside?
>>>>>>
>>>>>> Br Jimmy
>>>>>>
>>>>>>
>>>>>> --
>>>>>> -------
>>>>>> Jimmy Larsson
>>>>>> Ryavagen 173
>>>>>> s-26030 Vallakra
>>>>>> Sweden
>>>>>> http://blogg.kvistofta.nu
>>>>>> -------
>>>>>>
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>> please visit www.ipexpert.com
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
>

