Cisco Support Community

mac-address auto

hi all,

i'm going to configure an ASA for multiple security contexts and ran into this command.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/m.html#wp2043127

the design would be that the 'outside' interface G0/0 will be shared by the security contexts but will be assigned different public IP addresses.

the 'inside' interface G0/0.x will be subinterfaces with different VLANs and private IP addresses.

is this command necessary and what are the pros and cons when enabled and if it's disabled?

 

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Hello

There is a very detailed explanation of the use of this command in the command reference for the ASA. This is an extract:

To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each shared context interface. The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the Cisco ASA 5500 Series Configuration Guide using the CLI for information about classifying packets.

In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the mac-address command to manually set the MAC address.

In other words, you will need to use this command unless you want to set up each MAC address manually. This is the complete document: http://tools.cisco.com/squish/2D5ff

Please let us know if you have any additional questions and I hope you find this information helpful.
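An added example (not part of the original thread or of Cisco's documentation): a small Python check that reads a system-execution-space configuration, finds interfaces allocated to more than one context, and reports them when `mac-address auto` is absent. The sample configuration and context names are constructed; interface ranges in `allocate-interface` and manual `mac-address` lines inside each context's own configuration are not parsed.

```python
import re
from collections import defaultdict

# Constructed system-execution-space config mirroring the design in the question
# (shared G0/0 outside, per-context subinterfaces inside). Not from the thread.
SAMPLE = """\
interface GigabitEthernet0/0
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.20
 vlan 20
context ctxA
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/0.10
 config-url disk0:/ctxA.cfg
context ctxB
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/0.20
 config-url disk0:/ctxB.cfg
"""

def shared_interfaces(config):
    """Return {interface: [contexts]} for interfaces allocated to 2+ contexts."""
    owners, context = defaultdict(list), None
    for line in config.splitlines():
        if m := re.match(r"context\s+(\S+)", line):
            context = m.group(1)
        elif not line.startswith(" "):
            context = None  # a new top-level command ends the context block
        elif context and (m := re.match(r"\s+allocate-interface\s+(\S+)", line)):
            if context not in owners[m.group(1)]:
                owners[m.group(1)].append(context)
    return {i: c for i, c in owners.items() if len(c) > 1}

def audit(config):
    """Return (mac_auto_enabled, findings) for a system configuration."""
    mac_auto = any(re.match(r"mac-address\s+auto\b", l) for l in config.splitlines())
    findings = []
    if not mac_auto:
        for ifc, ctxs in sorted(shared_interfaces(config).items()):
            findings.append(
                f"{ifc} is shared by {', '.join(ctxs)} but 'mac-address auto' is absent: "
                "packets are classified by destination IP/NAT unless each context "
                "sets a manual mac-address")
    return mac_auto, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```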

 

2 REPLIES

hi,

thanks for clarifying!

we have another context-based ASA that doesn't have this command but works fine.

might as well enable it.
