Cisco Systems ASA 5550 Network Router User Manual

Open as PDF

of 2086

11-3

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter 11 Configuring Multiple Context Mode

Information About Security Contexts

How the ASA Classifies Packets

Each packet that enters the ASA must be classified, so that the ASA can determine to which context to

send a packet. This section includes the following topics:

• Valid Classifier Criteria, page 11-3

• Classification Examples, page 11-4

Note If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and

delivered to each context.

Valid Classifier Criteria

This section describes the criteria used by the classifier and includes the following topics:

• Unique Interfaces, page 11-3

• Unique MAC Addresses, page 11-3

• NAT Configuration, page 11-3

Note For management traffic destined for an interface, the interface IP address is used for classification.

The routing table is not used for packet classification.

Unique Interfaces

If only one context is associated with the ingress interface, the ASA classifies the packet into that

context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used

to classify packets at all times.

Unique MAC Addresses

If multiple contexts share an interface, then the classifier uses the interface MAC address. The ASA lets

you assign a different MAC address in each context to the same shared interface. By default, shared

interfaces do not have unique MAC addresses; the interface uses the burned-in MAC address in every

context. An upstream router cannot route directly to a context without unique MAC addresses. You can

set the MAC addresses manually when you configure each interface (see the “Configuring the MAC

Address and MTU” section on page 14-12), or you can automatically generate MAC addresses (see the

“Automatically Assigning MAC Addresses to Context Interfaces” section on page 11-20).

NAT Configuration

If you do not use unique MAC addresses, then the mapped addresses in your NAT configuration are used

to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification

can occur regardless of the completeness of the NAT configuration.

previous next

Top Automotive Device Types

Top Automotive Brands

Top Baby Care Device Types

Top Baby Care Brands

Top Car Audio & Video Device Types

Top Car Audio & Video Brands

Top Cellphone Device Types

Top Cellphone Brands

Top Communications Device Types

Top Communications Brands

Top Computer Device Types

Top Computer Brands

Top Fitness Device Types

Top Fitness Brands

Top Home Audio Device Types

Top Home Audio Brands

Top Household Appliance Device Types

Top Household Appliance Brands

Top Kitchen Appliance Device Types

Top Kitchen Appliance Brands

Top Laundry Appliance Device Types

Top Laundry Appliance Brands

Top Lawn & Garden Device Types

Top Lawn & Garden Brands

Top Marine Equipment Device Types

Top Marine Equipment Brands

Top Musical Instrument Device Types

Top Musical Instrument Brands

Top Outdoor Cooking Device Types

Top Outdoor Cooking Brands

Top Personal Care Device Types

Top Personal Care Brands

Top Photography Device Types

Top Photography Brands

Top Portable Media Device Types

Top Portable Media Brands

Top Power Tools Device Types

Top Power Tools Brands

Top TV and Video Device Types

Top TV and Video Brands

Top Videogame Device Types

Top Videogame Brands

Cisco Systems ASA 5550 Network Router User Manual