How the ASA Classifies Packets, Valid Classifier Criteria – Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI, page 5-3

Chapter 5 Configuring Multiple Context Mode

Information About Security Contexts

logging into the admin context grants you administrator privileges over all contexts, you might need to
restrict access to the admin context to appropriate users. The admin context must reside on flash memory,
and not remotely.

If your system is already in multiple context mode, or if you convert from single mode, the admin context
is created automatically as a file on the internal flash memory called admin.cfg. This context is named
“admin.” If you do not want to use admin.cfg as the admin context, you can change the admin context.

How the ASA Classifies Packets

Each packet that enters the ASA must be classified, so that the ASA can determine to which context to
send a packet. This section includes the following topics:

Valid Classifier Criteria, page 5-3

Classification Examples, page 5-4

Note

If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and
delivered to each context.

Valid Classifier Criteria

This section describes the criteria used by the classifier and includes the following topics:

Unique Interfaces, page 5-3

Unique MAC Addresses, page 5-3

NAT Configuration, page 5-4

Note

For management traffic destined for an interface, the interface IP address is used for classification.

The routing table is not used for packet classification.

Unique Interfaces

If only one context is associated with the ingress interface, the ASA classifies the packet into that
context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used
to classify packets at all times.

Unique MAC Addresses

If multiple contexts share an interface, then the classifier uses the interface MAC address. The ASA lets
you assign a different MAC address in each context to the same shared interface. By default, shared
interfaces do not have unique MAC addresses; the interface uses the burned-in MAC address in every
context. An upstream router cannot route directly to a context without unique MAC addresses, and
because every context then answers to the same destination MAC, the MAC address cannot decide which
context receives the packet; classification has to fall back on the NAT configuration criterion. You can
set the MAC addresses manually when you configure each interface (see the “Configuring the MAC
Address and MTU” section on page 8-9), or you can automatically generate MAC addresses (see the
“Automatically Assigning MAC Addresses to Context Interfaces” section on page 5-22).
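The following Python model is an added illustration, not Cisco code and not part of this guide. It applies the two criteria described above in the order the classifier uses them (a unique ingress interface first, then the per-context MAC address on a shared interface), together with the two notes on this page: multicast and broadcast frames are duplicated to every context on the interface, and management traffic destined for the ASA is classified by the interface IP address. The third criterion, NAT configuration (page 5-4), is not modeled; a packet the first two criteria cannot decide is returned as an empty list to mean "falls through to NAT classification". All context names, interface names, MAC and IP addresses are constructed sample data, and the audit helper at the end is this example's own check, not an ASA command.

```python
"""Model of the ASA multiple-context classifier: unique interface, then unique MAC.

Added example, not Cisco code.  The NAT-configuration criterion is not modeled.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional

BURNED_IN_MAC = "0000.0000.0001"   # constructed stand-in for the physical MAC
BROADCAST_MAC = "ffff.ffff.ffff"


def is_multicast_or_broadcast(mac: str) -> bool:
    """Group addresses have the I/G bit (low bit of the first octet) set."""
    first_octet = int(mac.split(".")[0][:2], 16)
    return bool(first_octet & 0x01)


@dataclass
class ContextInterface:
    mac: str                     # MAC this context uses on the interface
    ip: Optional[str] = None     # interface IP, used for management traffic only


@dataclass
class Context:
    name: str
    interfaces: Dict[str, ContextInterface] = field(default_factory=dict)


@dataclass
class Packet:
    ingress: str                 # interface the frame arrived on
    dst_mac: str
    dst_ip: str
    to_asa: bool = False         # management traffic destined for the ASA itself


def classify(packet: Packet, contexts: List[Context]) -> List[str]:
    """Return the context name(s) that receive the packet.

    An empty list means neither the unique-interface nor the unique-MAC
    criterion decides the packet; the real classifier then consults the
    NAT configuration, which this model does not implement.
    """
    candidates = [c for c in contexts if packet.ingress in c.interfaces]
    if not candidates:
        return []
    # Unique interface: only one context owns the ingress interface.
    if len(candidates) == 1:
        return [candidates[0].name]
    # Shared interface: multicast/broadcast is duplicated to every context.
    if is_multicast_or_broadcast(packet.dst_mac):
        return [c.name for c in candidates]
    # Management traffic to the ASA is classified by the interface IP address.
    if packet.to_asa:
        return [c.name for c in candidates
                if c.interfaces[packet.ingress].ip == packet.dst_ip]
    # Otherwise match the destination MAC against each context's interface MAC.
    by_mac = [c.name for c in candidates
              if c.interfaces[packet.ingress].mac.lower() == packet.dst_mac.lower()]
    # With the burned-in MAC in every context the MAC matches all of them and
    # cannot decide, so the packet falls through to NAT classification.
    return by_mac if len(by_mac) == 1 else []


def shared_interfaces_without_unique_macs(contexts: List[Context]) -> List[str]:
    """Audit check (example's own, not an ASA command): shared interfaces on
    which two or more contexts use the same MAC address."""
    macs_by_interface: Dict[str, List[str]] = {}
    for c in contexts:
        for ifname, intf in c.interfaces.items():
            macs_by_interface.setdefault(ifname, []).append(intf.mac.lower())
    return sorted(name for name, macs in macs_by_interface.items()
                  if len(macs) > 1 and len(set(macs)) < len(macs))


# Constructed sample: "outside" is shared with per-context MACs; the inside
# interfaces are unique to one context each.
CONTEXTS = [
    Context("ctxA", {"outside": ContextInterface("000c.f142.4cde", "10.0.0.1"),
                     "insideA": ContextInterface(BURNED_IN_MAC, "192.168.1.1")}),
    Context("ctxB", {"outside": ContextInterface("000c.f142.4cdf", "10.0.0.2"),
                     "insideB": ContextInterface(BURNED_IN_MAC, "192.168.2.1")}),
]

# Constructed sample: the same shared interface left on the burned-in MAC.
SHARED_NO_UNIQUE_MAC = [
    Context("c1", {"outside": ContextInterface(BURNED_IN_MAC, "10.0.0.1")}),
    Context("c2", {"outside": ContextInterface(BURNED_IN_MAC, "10.0.0.2")}),
]

if __name__ == "__main__":
    print(classify(Packet("insideA", BURNED_IN_MAC, "8.8.8.8"), CONTEXTS))
    print(classify(Packet("outside", "000c.f142.4cdf", "192.168.2.10"), CONTEXTS))
    print(classify(Packet("outside", BROADCAST_MAC, "255.255.255.255"), CONTEXTS))
    print(classify(Packet("outside", BURNED_IN_MAC, "192.168.9.9"), SHARED_NO_UNIQUE_MAC))
    print(shared_interfaces_without_unique_macs(SHARED_NO_UNIQUE_MAC))
```

Running the model on the two sample layouts shows the point of the Unique MAC Addresses subsection: on the layout with per-context MACs, a frame for `000c.f142.4cdf` lands only in ctxB and a broadcast is delivered to both, while on the layout that keeps the burned-in MAC the same frame matches every context and nothing on this page can decide it. The audit helper lists exactly those shared interfaces, which is the configuration to correct before relying on the classifier.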
