On Tue, 14 Apr 2009 10:58:38 +0200 Stokkenes Vidar Vidar.Stokkenes@hn-ikt.no wrote:
> Can someone please explain how NAV deals with Cisco ASA (or general DMZ/firewall appliances) when you have... let's say 10 virtual interfaces (sub-interfaces, or VLAN interfaces)? Logically these different virtual interfaces are separated from each other (like a general 'GW' or 'GSW' device), and I would imagine that NAV is confused about this.
I'm not sure I understand what you're getting at here. It's a device, it has interfaces, why would NAV be confused by that?
> In my scenario, my NAV box is logically located on a Cisco ASA sub-interface (a "DMZ"), but even if I add my default gateway (my VLAN's default GW) to NAV, it doesn't seem to poll ARP info from the Cisco ASA appliance.
> As I said earlier, I can imagine that NAV doesn't know how to deal with or parse the output of its ARP table, as it looks something like this:
>
> DMZ_1 192.168.1.130 0011.850f.2e01
> DMZ_1 192.168.1.111 000c.29d0.772b
[snip]
Where did you get this output from, and why would you think NAV would try to retrieve and parse this?
ARP data is retrieved by SNMP, from the ipNetToMediaTable defined in RFC 1213 (although this table was deprecated by RFC 4293, which defined the IF-MIB. It's still populated by all devices I've seen, though).
> By all means, maybe I am mistaken - but can someone please enlighten me how to deal with these devices in NAV? Do I have to add *every* sub-interface to NAV, or would it be sufficient to add whichever side is pointing towards my management network? As it appears now, NAV doesn't seem to poll ARP tables from this device (most likely because it doesn't know how to parse the table..)
Again, the table you pasted above looks like something you might have pulled from the command line interface on the ASA, and has no bearing on your problem.
You should add the ASA device to NAV using its loopback address (if any), and make sure full SNMP access is allowed from your NAV server to this address.
While I don't know anything specific about the Cisco ASA, as a firewall it is likely to function purely as a layer 3 routing device - it should therefore be added to NAV using the GW category.
Once added to NAV, and given a few minutes to be probed by the getDeviceData backend process, you should check the SNMP profile of the device. Go to the web interface's report tool, look it up in the Router report and click the number in its SNMP column. For the ARP cache to be polled by NAV, the oidkey ipNetToMediaPhysAddress must be present in the profile.
Do the firewall's interfaces appear in its list of router ports in NAV?
> I also understand that even if I managed to poll ARP data from this device, I would never be able to see a box's physical (port) location, as the MAC-port map table is located on another device (the core and edge switches).
I'm not sure how this relates to your other questions? If you are talking about tracking end-user machines (or servers), this can only be done if you use NAV to monitor the switch that the machine is physically connected to.
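The practical check behind the reply above is to walk IP-MIB::ipNetToMediaPhysAddress (OID 1.3.6.1.2.1.4.22.1.2) from the NAV server with snmpwalk and see whether the ASA answers at all; if it does, the table NAV wants is there regardless of what `show arp` prints on the CLI. The script below, an added example that is not part of this thread or of NAV's own code, decodes such a walk into an ARP table keyed by ifIndex, so the result can be compared against the CLI listing. The walk output embedded in it is constructed, not captured from a real ASA, and the ifIndex values in it are invented.

```python
"""
Decode `snmpwalk -v2c -c <community> -On <host> 1.3.6.1.2.1.4.22.1.2`
(IP-MIB::ipNetToMediaPhysAddress) into an ARP table.

Added example, not code from the original thread or from NAV.
The sample walk output below is constructed; ifIndex 3 and 5 are assumed
to be two ASA sub-interfaces, not values read from a real device.
"""
import re
from collections import defaultdict

# ipNetToMediaTable (RFC 1213 / IP-MIB): .1.3.6.1.2.1.4.22, entry .1,
# column .2 is ipNetToMediaPhysAddress, indexed by <ifIndex>.<IPv4 address>.
IP_NET_TO_MEDIA_PHYS = "1.3.6.1.2.1.4.22.1.2"

# Constructed sample of net-snmp numeric (-On) walk output.
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.22.1.2.3.192.168.1.130 = Hex-STRING: 00 11 85 0F 2E 01 
.1.3.6.1.2.1.4.22.1.2.3.192.168.1.111 = Hex-STRING: 00 0C 29 D0 77 2B 
.1.3.6.1.2.1.4.22.1.2.5.10.0.0.2 = Hex-STRING: 00 50 56 AB CD 12 
"""

LINE_RE = re.compile(
    r"^\.?(?P<oid>[\d.]+)\s*=\s*Hex-STRING:\s*"
    r"(?P<hex>(?:[0-9A-Fa-f]{2}\s*)+)$"
)


def parse_walk(text):
    """Return a list of (ifindex, ip, mac) tuples from snmpwalk -On output.

    The MAC is rendered in Cisco dotted notation (xxxx.xxxx.xxxx) so it can
    be matched directly against `show arp` output on the ASA.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unexpected walk line: %r" % raw)
        oid = m.group("oid")
        if not oid.startswith(IP_NET_TO_MEDIA_PHYS + "."):
            continue  # some other column/table mixed into the input
        index = oid[len(IP_NET_TO_MEDIA_PHYS) + 1:].split(".")
        if len(index) != 5:
            raise ValueError("index is not <ifIndex>.<a.b.c.d>: %s" % oid)
        ifindex = int(index[0])
        ip = ".".join(index[1:])
        octets = m.group("hex").split()
        if len(octets) != 6:
            raise ValueError("physical address is not 6 octets: %s" % oid)
        flat = "".join(o.lower() for o in octets)
        mac = ".".join(flat[i:i + 4] for i in (0, 4, 8))
        entries.append((ifindex, ip, mac))
    return entries


def by_interface(entries):
    """Group (ifindex, ip, mac) tuples into {ifindex: {ip: mac}}."""
    table = defaultdict(dict)
    for ifindex, ip, mac in entries:
        table[ifindex][ip] = mac
    return dict(table)


if __name__ == "__main__":
    import sys
    # Feed a real walk on stdin, or run without input to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WALK
    for ifindex, ips in sorted(by_interface(parse_walk(data)).items()):
        print("ifIndex %d:" % ifindex)
        for ip, mac in sorted(ips.items()):
            print("  %-15s %s" % (ip, mac))
```

If the walk returns nothing (or "No Such Object"), the problem is SNMP access or MIB support on the ASA, not NAV; if it returns rows, NAV should pick them up once ipNetToMediaPhysAddress is in the device's SNMP profile. The ifIndex in each row maps to an interface name only through IF-MIB::ifDescr, which is a separate walk.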