06-28-2018 08:58 AM
Hello,
I have a doubt about how to interpret MACs in the rx pcap and tx pcap. I thought that:
when the traffic enters a layer 3 interface:
the destination MAC address in the rx file must be the MAC of the ingress interface?
and in tx the source MAC must be the MAC of the egress interface?
when the traffic enters a layer 2 interface:
the source and destination MAC don't change, is this correct?
I had a problem with asymmetric traffic: basically we had multiple links to the internet, and our application was using NAT for ingress on one of our service links and our default internet access link for egress (which is a different link).
Could this problem be understood by comparing the destination and source MAC addresses of the packets in rx and tx?
In these pcaps I saw strange MACs, but I don't know what I have to check to find this problem with NAT.
06-28-2018 12:46 PM
You are correct in your assertions:
When a packet arrives on an L3 interface, that packet's destination MAC should be the firewall's ingress interface.
When a packet arrives on an L2 interface, it will have the destination MAC of the next L3 hop.
Some odd MAC addresses in captures can be caused by technologies like VRRP/HSRP or other tech that uses a virtual MAC address.
If you can provide additional details, like the actual MAC prefix, as well as specifics about the NAT problem you're seeing, it would also help.
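The check described in the reply above, as an added example that is not part of the original thread: it reads the Ethernet header of a captured frame, confirms that the firewall-side MAC (destination at the rx stage, source at the tx stage) belongs to an L3 interface, and labels HSRP/VRRP virtual MACs. The firewall MACs, interface names and frames are constructed for illustration; the prefixes are the standard HSRP and VRRP virtual-MAC ranges.

```python
import struct

# Virtual-MAC prefixes of first-hop redundancy protocols (first 5 bytes).
VIRTUAL_PREFIXES = {
    bytes.fromhex("00000c07ac"): "HSRPv1",     # 00:00:0c:07:ac:<group>
    bytes.fromhex("00005e0001"): "VRRP-IPv4",  # 00:00:5e:00:01:<VRID>
    bytes.fromhex("00005e0002"): "VRRP-IPv6",  # 00:00:5e:00:02:<VRID>
}

def parse_ethernet(frame):
    """Return (dst, src) MACs from an Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, _ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src

def classify(mac, fw_macs):
    """Label a MAC as a firewall interface, a virtual MAC, or other."""
    if mac in fw_macs:
        return "firewall:" + fw_macs[mac]
    if mac[:4] == bytes.fromhex("00000c9f") and mac[4] >> 4 == 0xF:
        return "virtual:HSRPv2"                # 00:00:0c:9f:f<12-bit group>
    kind = VIRTUAL_PREFIXES.get(mac[:5])
    return "virtual:" + kind if kind else "other"

def check_l3_frame(stage, frame, fw_macs):
    """On an L3 interface the firewall is a hop, so the rx-stage dst MAC and
    the tx-stage src MAC should be firewall interface MACs.
    Returns (ok, firewall_side_label, peer_side_label)."""
    dst, src = parse_ethernet(frame)
    fw_side, peer = (dst, src) if stage == "rx" else (src, dst)
    label = classify(fw_side, fw_macs)
    return label.startswith("firewall:"), label, classify(peer, fw_macs)

# Constructed sample data: these MACs and frames are made up for the example.
FW_MACS = {bytes.fromhex("020000000101"): "ethernet1/1",
           bytes.fromhex("020000000102"): "ethernet1/2"}
PAYLOAD = b"\x08\x00" + b"\x00" * 20           # EtherType IPv4 + dummy bytes
RX_OK   = bytes.fromhex("020000000101" "0050560a0b0c") + PAYLOAD
TX_HSRP = bytes.fromhex("00000c07ace9" "020000000102") + PAYLOAD
RX_ODD  = bytes.fromhex("0050560a0b0d" "0050560a0b0c") + PAYLOAD

if __name__ == "__main__":
    for stage, frame in (("rx", RX_OK), ("tx", TX_HSRP), ("rx", RX_ODD)):
        print(stage, check_l3_frame(stage, frame, FW_MACS))
```

A False result at the rx stage means the frame was not addressed to any listed L3 interface MAC; on an L2 interface the MACs pass through unchanged, so the check does not apply there.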
06-29-2018 01:47 AM
Hello,
Thank you very much for your help. The MACs I see are, for example, for a SYN, [SYN, ACK]:
in rx pcap:
SYN: source cisco_b3:7d:77, destination Vmware_a6:5a:f0 (here why isn't palo alto mac?)
RETURN: source Vmware_a6:99:e3, destination Vmware_a6:bc:05 (here why isn't palo alto mac?)
in tx pcap:
SYN: source Vmware_a6:bc:05, destination Vmware_a6:99:e3 (here why isn't palo alto mac?)
RETURN: source Vmware_a6:5a:f0, destination All-HSRP-routers-e9 (here why isn't palo alto mac?)
How does source or destination NAT affect the MAC addresses seen in the pcap?
Thank you very much.