Hello,
Can someone please explain how NAV deals with Cisco ASA (or general DMZ/firewall appliances) when you have... let's say 10 virtual interfaces (sub-interfaces, or VLAN interfaces)? Logically these different virtual interfaces are separated from each other (like a general 'GW' or 'GSW' device), and I would imagine that NAV is confused about this. In my scenario, my NAV box is logically located on a Cisco ASA sub-interface (a "DMZ"), but even if I add my default gateway (my VLAN's default GW) to NAV, it doesn't seem to poll ARP info from the Cisco ASA appliance.
As I said earlier, I can imagine that NAV doesn't know how to deal with or parse the output of its ARP table, as it looks something like this:
DMZ_1 192.168.1.130 0011.850f.2e01
DMZ_1 192.168.1.111 000c.29d0.772b
DMZ_1 192.168.1.116 000c.2949.e0dd
DMZ_1 192.168.1.153 000c.29fd.a981
DMZ_1 192.168.1.152 0013.2100.3a5b
DMZ_1 192.168.1.112 000d.9d4b.039f
DMZ_1 192.168.1.151 0015.1748.2291
DMZ_1 192.168.1.115 0015.1748.2025
DMZ_1 192.168.1.110 0015.1748.2639
DMZ_2 192.168.2.18 001a.a04e.6701
DMZ_2 192.168.2.13 0050.56a5.1974
DMZ_2 192.168.2.31 4a62.1283.06f1
DMZ_2 192.168.2.14 0050.56a5.4802
DMZ_2 192.168.2.30 0050.56b2.25a5
DMZ_2 192.168.2.29 0050.56b2.7c29
DMZ_2 192.168.2.200 001a.e3b1.2888
DMZ_2 192.168.2.27 0050.56b2.1531
DMZ_2 192.168.2.26 0050.56b2.5466
DMZ_2 192.168.2.10 0022.55ca.bf60
DMZ_2 192.168.2.11 0015.1720.97d6
DMZ_2 192.168.2.25 001e.c9d2.45ad
DMZ_2 192.168.2.202 0022.919a.541b
DMZ_2 192.168.2.20 0015.1774.6ed8
DMZ_2 192.168.2.16 0015.1715.1f3c
DMZ_2 192.168.2.12 0015.1720.95c5
DMZ_2 192.168.2.17 0015.1715.1f31
DMZ_2 192.168.2.22 0011.435a.f430
DMZ_2 192.168.2.15 0015.171e.6381
DMZ_2 192.168.2.28 0050.56b2.7394
DMZ_2 192.168.2.21 0050.56b2.4c62
By all means, maybe I am mistaken - but can someone please enlighten me how to deal with these devices in NAV? Do I have to add *every* sub-interface to NAV, or would it be sufficient to add whichever side is pointing towards my management network? As it appears now, NAV doesn't seem to poll ARP tables from this device (most likely because it doesn't know how to parse the table..)
I also understand that even if I managed to poll ARP data from this device, I would never be able to see a box's physical (port) location as the MAC-port map table is located on another device (the core and edge switch)
Thanks for any replies, and happy belated Easter!
------------------------------------------------------
Vidar Stokkenes
Networking Consultant
Networking and Telecom Department
HN IKT - Tromsø
Tlf: +47 76 16 61 87 / +47 77 66 99 55
Cell: +47 95 87 99 42
e-mail: vidar.stokkenes@hn-ikt.no
On Tue, 14 Apr 2009 10:58:38 +0200 Stokkenes Vidar Vidar.Stokkenes@hn-ikt.no wrote:
Can someone please explain how NAV deals with Cisco ASA (or general DMZ/firewall appliances) when you have... let's say 10 virtual interfaces (sub-interfaces, or VLAN interfaces)? Logically these different virtual interfaces are separated from each other (like a general 'GW' or 'GSW' device), and I would imagine that NAV is confused about this.
I'm not sure I understand what you're getting at here. It's a device, it has interfaces, why would NAV be confused by that?
In my scenario, my NAV box is logically located on a Cisco ASA sub-interface (a "DMZ"), but even if I add my default gateway (my VLAN's default GW) to NAV, it doesn't seem to poll ARP info from the Cisco ASA appliance.
As I said earlier, I can imagine that NAV doesn't know how to deal with or parse the output of its ARP table, as it looks something like this:
DMZ_1 192.168.1.130 0011.850f.2e01
DMZ_1 192.168.1.111 000c.29d0.772b
[snip]
Where did you get this output from, and why would you think NAV would try to retrieve and parse this?
ARP data is retrieved by SNMP, from the ipNetToMediaTable defined in RFC 1213 (although this table was deprecated by RFC 4293, which defined the IF-MIB. It's still populated by all devices I've seen, though).
By all means, maybe I am mistaken - but can someone please enlighten me how to deal with these devices in NAV? Do I have to add *every* sub-interface to NAV, or would it be sufficient to add whichever side is pointing towards my management network? As it appears now, NAV doesn't seem to poll ARP tables from this device (most likely because it doesn't know how to parse the table..)
Again, the table you pasted above looks like something you might have pulled from the command line interface on the ASA, and has no bearing on your problem.
You should add the ASA device to NAV using its loopback address (if any), and make sure full SNMP access is allowed from your NAV server to this address.
While I don't know anything specific about the Cisco ASA, as a firewall it is likely to function purely as a layer 3 routing device - it should therefore be added to NAV using the GW category.
Once added to NAV, and given a few minutes to be probed by the getDeviceData backend process, you should check the SNMP profile of the device. Go to the web interface's report tool, look it up in the Router report and click the number in its SNMP column. For the ARP cache to be polled by NAV, the oidkey ipNetToMediaPhysAddress must be present in the profile.
Do the firewall's interfaces appear in its list of router ports in NAV?
I also understand that even if I managed to poll ARP data from this device, I would never be able to see a box's physical (port) location as the MAC-port map table is located on another device (the core and edge switch)
I'm not sure how this relates to your other questions? If you are talking about tracking end-user machines (or servers), this can only be done if you use NAV to monitor the switch that the machine is physically connected to.
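A worked illustration of the point made in the reply, added here as an example and not code from the thread or from NAV itself: NAV reads ARP data from the SNMP ipNetToMediaTable (OID 1.3.6.1.2.1.4.22), not from CLI output. Every row of that table is indexed by ifIndex plus the IPv4 address, so a single walk of ipNetToMediaPhysAddress (1.3.6.1.2.1.4.22.1.2) from the NAV server returns the entries of all DMZ sub-interfaces at once, each tagged with the interface it belongs to; there is no need to add one sub-interface per VLAN. The sample walk output below is constructed to look like what `snmpwalk -v2c -c <community> -On <asa-address> 1.3.6.1.2.1.4.22.1.2` prints (net-snmp), reusing addresses from the first post; the ifIndex values 2 and 3 are assumed, and the community string and ASA address are placeholders. Running such a walk by hand is also a quick way to verify that the ASA actually allows SNMP access from the NAV server and populates the table.

```python
import re
from collections import defaultdict

# OID of ipNetToMediaPhysAddress (IP-MIB, originally RFC 1213).
# Rows are indexed by <ifIndex>.<a.b.c.d>, so one walk covers every interface.
IP_NET_TO_MEDIA_PHYS = "1.3.6.1.2.1.4.22.1.2"

# Constructed sample of numeric-OID snmpwalk output; the ifIndex values (2 = DMZ_1,
# 3 = DMZ_2) are assumed, the IP/MAC pairs are taken from the posted CLI listing.
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.22.1.2.2.192.168.1.130 = Hex-STRING: 00 11 85 0F 2E 01
.1.3.6.1.2.1.4.22.1.2.2.192.168.1.111 = Hex-STRING: 00 0C 29 D0 77 2B
.1.3.6.1.2.1.4.22.1.2.3.192.168.2.18 = Hex-STRING: 00 1A A0 4E 67 01
.1.3.6.1.2.1.4.22.1.2.3.192.168.2.13 = Hex-STRING: 00 50 56 A5 19 74
"""

# One varbind per line: "<oid> = Hex-STRING: xx xx xx xx xx xx"
LINE_RE = re.compile(
    r"^\.?(?P<oid>[\d.]+)\s*=\s*Hex-STRING:\s*(?P<hex>(?:[0-9A-Fa-f]{2}\s*)+)$"
)


def parse_arp_walk(text):
    """Return {ifIndex: {ip: mac}} from snmpwalk output of ipNetToMediaPhysAddress.

    Lines under other OIDs, with non-Hex-STRING values, with a malformed index
    or with a non-Ethernet (not 6-octet) address are ignored rather than trusted.
    """
    arp = defaultdict(dict)
    prefix = IP_NET_TO_MEDIA_PHYS + "."
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("oid").startswith(prefix):
            continue
        index = m.group("oid")[len(prefix):].split(".")
        if len(index) != 5:
            continue  # expect exactly ifIndex + four IPv4 octets
        ifindex = int(index[0])
        ip = ".".join(index[1:])
        octets = m.group("hex").split()
        if len(octets) != 6:
            continue  # not an Ethernet MAC
        arp[ifindex][ip] = ":".join(o.lower() for o in octets)
    return dict(arp)


def cisco_format(mac):
    """Render aa:bb:cc:dd:ee:ff in the aabb.ccdd.eeff form the ASA CLI prints,
    to compare a walk against a 'show arp' listing by eye."""
    hexstr = mac.replace(":", "").lower()
    return ".".join(hexstr[i:i + 4] for i in range(0, 12, 4))


if __name__ == "__main__":
    for ifindex, entries in sorted(parse_arp_walk(SAMPLE_WALK).items()):
        print("ifIndex %d:" % ifindex)
        for ip, mac in sorted(entries.items()):
            print("  %-16s %s  (%s)" % (ip, mac, cisco_format(mac)))
```

The ifIndex in each row is the same value NAV uses for the device's router ports, which is why the reply suggests checking that the firewall's interfaces show up there: if the walk returns rows but the ports are missing, or the walk returns nothing at all, the problem is SNMP access or the device's SNMP profile rather than NAV's handling of sub-interfaces.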