6-11
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 6 Adding and Managing Security Contexts
hostname(config-ctx)# config-url ftp://user1:passw0rd@10.1.1.1/configlets/sample.cfg
hostname(config-ctx)# member silver
Automatically Assigning MAC Addresses to Context Interfaces
To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each context
interface. The MAC address is used to classify packets within a context. If you share an interface, but do
not have unique MAC addresses for the interface in each context, then the destination IP address is used
to classify packets. The destination address is matched with the context NAT configuration, and this
method has some limitations compared to the MAC address method. See the “How the Security
Appliance Classifies Packets” section on page 3-3 for information about classifying packets.
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical
interface use the same burned-in MAC address.
You can automatically assign private MAC addresses to each shared context interface by entering the
following command in the system configuration:
hostname(config)# mac-address auto
For use with failover, the security appliance generates both an active and standby MAC address for each
interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using
the active MAC addresses to minimize network disruption.
When you assign an interface to a context, the new MAC address is generated immediately. If you enable
this command after you create context interfaces, then MAC addresses are generated for all interfaces
immediately after you enter the command. If you use the no mac-address auto command, the MAC
address for each interface reverts to the default MAC address. For example, subinterfaces of
GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.
The MAC address is generated using the following format:
• Active unit MAC address: 12_slot.port_subid.contextid.
• Standby unit MAC address: 02_slot.port_subid.contextid.
For platforms with no interface slots, the slot is always 0. The port is the interface port. The subid is an
internal ID for the subinterface, which is not viewable. The contextid is an internal ID for the context,
viewable with the show context detail command. For example, the interface GigabitEthernet 0/1.200 in
the context with the ID 1 has the following generated MAC addresses, where the internal ID for
subinterface 200 is 31:
• Active: 1200.0131.0001
• Standby: 0200.0131.0001
In the rare circumstance that the generated MAC address conflicts with another private MAC address in
your network, you can manually set the MAC address for the interface within the context. See the
“Configuring the Interface” section on page 7-2 to manually set the MAC address.
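The generated format can be decoded to tell which context and failover role a MAC seen on a shared segment belongs to, and to check for the conflict case described above. This is an added example, not code from the Cisco guide: the field widths (two hex digits each for slot, port and subid, four for contextid) are an assumption inferred from the single example 1200.0131.0001, and the function names and sample addresses are constructed.

```python
import re

# First byte of the generated address -> failover role (format stated in the guide).
ROLE_BY_PREFIX = {"12": "active", "02": "standby"}

def normalize(mac):
    """Reduce dotted, colon or hyphen notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def decode_auto_mac(mac):
    """Split a MAC into mac-address auto fields; None if the prefix is not 12 or 02.

    Assumed widths (inferred from 1200.0131.0001): slot, port and subid are two
    hex digits each, contextid is four. Fields stay as digit strings because the
    guide does not say how the internal IDs are encoded. A match only means the
    address fits the format; other devices also use 02-prefixed private MACs.
    """
    d = normalize(mac)
    role = ROLE_BY_PREFIX.get(d[:2])
    if role is None:
        return None
    return {"role": role, "slot": d[2:4], "port": d[4:6],
            "subid": d[6:8], "contextid": d[8:12]}

def failover_peer(mac):
    """Return the other failover unit's MAC for the same interface, dotted form."""
    d = normalize(mac)
    if d[:2] not in ROLE_BY_PREFIX:
        raise ValueError(f"not in the generated format: {mac!r}")
    p = ("02" if d[:2] == "12" else "12") + d[2:]
    return f"{p[:4]}.{p[4:8]}.{p[8:]}"

def find_conflicts(generated, other_private):
    """Return MACs from other_private that equal a generated active or standby MAC."""
    reserved = set()
    for mac in generated:
        reserved.add(normalize(mac))
        reserved.add(normalize(failover_peer(mac)))
    return [m for m in other_private if normalize(m) in reserved]

if __name__ == "__main__":
    # Constructed sample data: the guide's example address plus made-up private MACs.
    asa = ["1200.0131.0001"]
    others = ["02:00:01:31:00:01", "02:42:ac:11:00:02", "1200.0132.0001"]
    print(decode_auto_mac(asa[0]))
    print(find_conflicts(asa, others))
```

Any address that find_conflicts returns is a candidate for the manual MAC assignment within the context that the guide describes.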
Changing Between Contexts and the System Execution Space
If you log in to the system execution space (or the admin context using Telnet or SSH), you can change
between contexts and perform configuration and monitoring tasks within each context. The running
configuration that you edit in a configuration mode, or that is used in the copy or write commands,