Auto Mac feature for shared interfaces on ASA context

Answered Question
Sep 14th, 2010

Hi All,


I am configuring a shared outside interface on all the contexts. I have read in the document that I have to enable auto mac feature for the traffic to return back to the context.


So please tell me if I am correct here.


When defining a context on the system context, I have to add some extra commands as follows:


context CTX1

allocate-interface GigabitEthernet0/0.1 outside_customerA
mac-address auto GigabitEthernet0/0.1 a2d2.0400.11bc a2d2.0400.11bd

allocate-interface GigabitEthernet0/1.50 inside_customerA

allocate-interface GigabitEthernet0/2.60 dmz_customerA


context CTX2
allocate-interface GigabitEthernet0/0.1 outside_customerA
mac-address auto GigabitEthernet0/0.1 b2e2.0500.22bc b2e2.0500.22bd

allocate-interface GigabitEthernet0/1.51 inside_customerB

allocate-interface GigabitEthernet0/2.61 dmz_customerB


In the above configuration, the outside interface, as you can see, is shared between 2 contexts but the MAC addresses are different. So would this be an ideal config to implement in a production environment? Please give me your thoughts and suggestions for the best way to implement this.


Thanks

sidcracker Tue, 09/14/2010 - 21:09

Hi Kusankar,


Thanks for your reply. Is there a way to configure the MAC addresses without actually explicitly mentioning it in the context? Can the ASA automatically allocate it?


Thanks

Kureli Sankar Tue, 09/14/2010 - 21:21
User Badges: Cisco Employee

Yes, you can do that with the global command:

mac-address auto

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2043127


4. mac-address auto command in global configuration mode (multiple context mode only).


mac-address auto

Auto-generates MAC addresses (active and standby) for shared interfaces in multiple context mode.


-KS

sidcracker Tue, 09/14/2010 - 21:25

Kusankar,


I just read that. Now say I have 4 sub interfaces assigned to each context and I have 10 contexts. Out of the 4 subinterfaces, only the outside subinterface is a shared interface used by all contexts. Rest have different vlans and subnets.


Now if I issue the command "mac-address auto" on each context, how will it know which subinterface to automatically generate the MAC address for?


Thanks

Correct Answer
Kureli Sankar Tue, 09/14/2010 - 21:28
User Badges: Cisco Employee

That command goes in the system space (global command).

It will auto-generate MAC addresses for all the interfaces in all the contexts. If you look at the command mode, you can configure the command only in system space in multiple context mode.

Command Modes

The following table shows the modes in which you can enter the command:


Command Mode | Firewall Mode (Routed, Transparent) | Security Context (Single; Multiple: Context, System)
Global configuration



-KS
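The system-space layout described in the answers, as an added example that is not part of the original thread: `mac-address auto` is entered once, globally, and the per-interface `mac-address auto <interface> <mac> <mac>` lines from the question are dropped. Context names and interfaces are taken from the question; the `config-url` file names are assumed placeholders, and the CTX2 mapped name for the shared interface is written as `outside_customerB` here on the assumption that `outside_customerA` in the question was a copy-paste slip.

```cisco
! Added example: system execution space, multiple context mode.
! Entered once, globally (not inside any context block).
! The ASA then generates the active and standby MAC addresses itself,
! so the shared GigabitEthernet0/0.1 gets a distinct MAC per context.
mac-address auto
!
context CTX1
 allocate-interface GigabitEthernet0/0.1 outside_customerA
 allocate-interface GigabitEthernet0/1.50 inside_customerA
 allocate-interface GigabitEthernet0/2.60 dmz_customerA
 ! Assumed placeholder path for the context configuration file
 config-url disk0:/CTX1.cfg
!
context CTX2
 ! Same physical subinterface as CTX1: this is the shared outside interface
 allocate-interface GigabitEthernet0/0.1 outside_customerB
 allocate-interface GigabitEthernet0/1.51 inside_customerB
 allocate-interface GigabitEthernet0/2.61 dmz_customerB
 ! Assumed placeholder path for the context configuration file
 config-url disk0:/CTX2.cfg
!
! Check from the system space afterwards. The "all" keyword is needed
! for the generated MAC addresses to appear in the output:
!   show running-config all context CTX1
!   show running-config all context CTX2
! The two contexts should list different MACs for GigabitEthernet0/0.1.
```

Without distinct MAC addresses on the shared interface, the ASA has to classify inbound packets to a context by other means, which is why the question's premise about return traffic holds.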
