05-18-2014 04:12 AM - edited 03-11-2019 09:12 PM
Hi all,
I'm going to configure an ASA for multiple security contexts and ran into this command:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/m.html#wp2043127
The design would be: the 'outside' interface G0/0 will be shared by the security contexts but will be assigned different public IP addresses.
The 'inside' interfaces G0/0.x will be subinterfaces with different VLANs and private IP addresses.
Is this command necessary, and what are the pros and cons of enabling or disabling it?
05-18-2014 07:21 PM
Hello johnlloyd_13,
There is a very detailed explanation of the use of this command in the command reference for the ASA. This is an extract:
To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each shared context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the Cisco ASA 5500 Series Configuration Guide using the CLI for information about classifying packets.
In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the mac-address command to manually set the MAC address.
In other words, you will need to use this command unless you want to set up each MAC address manually. This is the complete document: http://tools.cisco.com/squish/2D5ff
Please let us know if you have any additional questions, and I hope you find this information helpful.
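As an added configuration example (not from the thread or from Cisco's documentation), this lays out the design the question describes: `mac-address auto` in the system execution space, the shared outside G0/0 plus one VLAN subinterface per context, and the manual `mac-address` fallback inside a context. Context names, VLAN IDs, addresses and the placeholder MAC are assumed values.

```cisco
! ---- System execution space (added example, assumed names/values) ----
! Give every shared interface a unique MAC per context, so the classifier
! can use the destination MAC instead of falling back to destination-IP
! matching against each context's NAT configuration.
mac-address auto
!
interface GigabitEthernet0/0
 no shutdown
!
! One inside subinterface per context, each on its own VLAN
interface GigabitEthernet0/0.10
 vlan 10
!
interface GigabitEthernet0/0.20
 vlan 20
!
admin-context admin
context admin
 config-url disk0:/admin.cfg
!
! Both contexts allocate the same physical outside interface (shared),
! and each gets its own private inside subinterface.
context ctxA
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/0.10
 config-url disk0:/ctxA.cfg
!
context ctxB
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/0.20
 config-url disk0:/ctxB.cfg
!
! ---- Inside context ctxA (disk0:/ctxA.cfg) ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.11 255.255.255.0
! Only if the auto-generated MAC collides with one already on the
! segment: pin it by hand (placeholder locally-administered value).
! mac-address 0200.0000.0a01
!
interface GigabitEthernet0/0.10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
```

To confirm the per-context MAC took effect, `changeto context ctxA` from the system space and run `show interface GigabitEthernet0/0`; repeat in ctxB and the two MAC addresses on the shared interface should differ.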
05-18-2014 08:05 PM
Hi,
Thanks for clarifying!
We have another context-based ASA that doesn't have this command but works fine.
Might as well enable it.