I would avoid ffff.ffff.ffff as that's broadcast. There are some other ones for CDP, multicast etc., but you can look those up. For the CCIE test I would just use mac-address auto unless otherwise told.

I don't have the lab book in front of me, but based on the name of the interface I assume that the Inside and DMZ are on different VLANs, so they are in different broadcast domains. The only time you would technically be required to assign MAC addresses is when you have multiple-context firewalls on the same broadcast domain, in other words they share an interface. For example, ContextA and ContextB both having an outside interface on the same 192.168.1.X network going to the same gateway. Read this about classifier criteria, unique MAC addresses: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1134027

Also try not to email me directly but cc the mailing list, as we are all learning from each other.

-B

From: kamran shakil [mailto:[email protected]]
Sent: Friday, February 04, 2011 1:23 PM
To: Basem Hanna
Subject: Re: [OSL | CCIE_Security] [imp] ASA: mac-address auto "NOT ALLOWED"

Well, I just wanted to clarify 2 things.

1> If mac-address auto is not to be used, then we can use the command mac-address <aaaa.bbbb.cccc>, right? Well, is there any logic to the mac-address command, or can any number or letter (from a-f) work?

2> My second query to my post is: if anyone has access to Yusuf's Config Labs Cisco Press book, in LAB 1 on page 69 you can see the MAC addresses of the INSIDE and DMZ2 interfaces are the same??? HOW is that? Can anyone see this and let me know if this is an error or possible with some configuration!!!!

regards,

On Fri, Feb 4, 2011 at 10:14 PM, Basem Hanna <[email protected]> wrote:

Not sure what you're asking. You don't always have to use mac-address auto. What problem are you having? What's not working? What did you try?

-B

From: [email protected] [mailto:[email protected]] On Behalf Of kamran shakil
Sent: Friday, February 04, 2011 11:27 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] [imp] ASA: mac-address auto "NOT ALLOWED"

Guys, this is F1 (help call)... Anyone... did you check this out? I am doing most of the labs with mac-address auto, but seeing this lab I was stumped!!!! Please do reply.

On Fri, Feb 4, 2011 at 7:14 PM, kamran shakil <[email protected]> wrote:

Well, for the Yusuf lab I have quoted page 69; see the outputs for the inside and dmz2 MAC addresses.

On Fri, Feb 4, 2011 at 3:22 PM, Bruno <[email protected]> wrote:

What makes you believe that they have the same MAC? Is there any "show interface ethernetx/x" showing the same MAC?

On Fri, Feb 4, 2011 at 7:18 AM, kamran shakil <[email protected]> wrote:

I was going through Yusuf lab 1 and encountered something which made me write this email: "If you see Yusuf's book (Ref: lab 1, page 69), interface Dmz2 and the inside interface have the same mac-address." How will the packets be forwarded in this case? Isn't it strange... (no mac-address auto) is defined already! How does this work!!! No manual mac-address command was used for the solution.

regards,
Kamran.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
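As an added example (not from this thread or from Cisco), a small Python checker for the two questions raised above: it assumes the usual ASA aaaa.bbbb.cccc notation, rejects broadcast and multicast values for a manual mac-address, and flags a MAC reused by two contexts on the same shared interface while leaving the same MAC on two different interfaces alone. The context-to-interface mapping at the bottom is constructed sample data.

```python
import re

# Cisco ASA writes MACs as three dotted groups of four hex digits: aaaa.bbbb.cccc
_ASA_MAC = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")

def parse_asa_mac(text):
    """Return the six octets of an ASA-style MAC string, or raise ValueError."""
    if not _ASA_MAC.match(text):
        raise ValueError(f"not an aaaa.bbbb.cccc MAC: {text!r}")
    return bytes.fromhex(text.replace(".", ""))

def check_manual_mac(text):
    """List reasons a candidate for 'mac-address <mac>' is unusable as a unicast MAC."""
    octets = parse_asa_mac(text)
    problems = []
    if octets == b"\xff" * 6:
        problems.append("broadcast address")
    elif octets[0] & 0x01:
        # I/G bit set means multicast; CDP's 0100.0ccc.cccc lands here as well.
        problems.append("multicast (I/G bit set)")
    if octets == b"\x00" * 6:
        problems.append("all-zero address")
    return problems

def is_locally_administered(text):
    """U/L bit of the first octet; set for hand-picked addresses such as 0200.xxxx.xxxx."""
    return bool(parse_asa_mac(text)[0] & 0x02)

def shared_interface_conflicts(contexts):
    """Report MACs reused by two contexts on one physical interface.
    Uniqueness matters only where contexts share an interface, so the same MAC
    on two different interfaces (the Inside/DMZ case above) is not flagged."""
    seen = {}  # (interface, mac) -> first context that used it
    conflicts = []
    for ctx, ifaces in sorted(contexts.items()):
        for iface, mac in sorted(ifaces.items()):
            key = (iface, mac.lower())
            if key in seen and seen[key] != ctx:
                conflicts.append((iface, mac, seen[key], ctx))
            seen.setdefault(key, ctx)
    return conflicts

# Constructed sample: ContextA and ContextB share GigabitEthernet0/0 as their
# outside interface and were both given the same hand-picked MAC there.
SAMPLE_CONTEXTS = {
    "ContextA": {"GigabitEthernet0/0": "0200.0000.0a01", "GigabitEthernet0/1": "0200.0000.0a02"},
    "ContextB": {"GigabitEthernet0/0": "0200.0000.0a01", "GigabitEthernet0/2": "0200.0000.0a02"},
}
```

Running shared_interface_conflicts(SAMPLE_CONTEXTS) reports only the GigabitEthernet0/0 clash; the repeated 0200.0000.0a02 on Gi0/1 and Gi0/2 is fine because those interfaces are separate broadcast domains.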
