<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Cisco Firewall - Contexts in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/cisco-firewall-contexts/m-p/2329437#M342477</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If you are sharing a physical interface among contexts, the recommended practice is to manually assign unique MAC addresses. &lt;A href="http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1388020"&gt;Reference&lt;/A&gt;.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It's not really necessary to use subinterfaces on the ASA unless a single physical interface in a given context is serving multiple logical interfaces. If the upstream device is a router then subinterfaces are used there in your example. If a switch, then a trunk.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 26 Sep 2013 12:32:04 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2013-09-26T12:32:04Z</dc:date>
    <item>
      <title>Cisco Firewall - Contexts</title>
      <link>https://community.cisco.com/t5/network-security/cisco-firewall-contexts/m-p/2329436#M342476</link>
      <description>&lt;P&gt;Hi All&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope you can help with a number of questions I have around our existing Cisco firewall and the use of Contexts.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have a router with an inside interface e.g. A.A.A.A connected to a L2 switch then to a Cisco 5550 firewall. The link in place between the switch and the firewall is a trunk.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The firewall is running in routed context mode already with just 1 context in place (besides admin).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The existing context has a number of logical interfaces assigned to it with incoming traffic to the firewall using a certain vlan on a sub interface 1.182. Sub interface 1.182 is a member of a redundant logical interface on the incoming physical interface 0/0.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;There is a route in place on the router forwarding all traffic to an IP address on the firewall within context 1 – e.g. A.A.A.254 on logical interface 1.182.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The problem is that we would now like to create another context on the firewall (context 2).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I’d like to know the best way to complete this task – whether I can re-use the existing incoming logical interface 1.182 that is used in Context1 or whether to create another sub interface e.g. 1.183 or alternatively use a completely different physical interface on the firewall and add another Ethernet connection to the switch.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I can use the same logical interface used in Context 1, from what I have already read then I would need to make sure that the MAC address on the new context interface is different to the MAC in context 1?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can I assign a different IP address to this shared logical interface within my new context2? And does it need to be in the same subnet as already used between the router and the firewall i.e. A.A.A.A.x – I would suspect so.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also I guess I would need to put another static route on the router directing my required traffic to my IP address within Context 2?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Please could someone help with some guidance? The problem that I have is that I naturally want to avoid causing any upset to the existing Context1 and how it currently receives its traffic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 02:43:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-firewall-contexts/m-p/2329436#M342476</guid>
      <dc:creator>Jim Kerr</dc:creator>
      <dc:date>2019-03-12T02:43:56Z</dc:date>
    </item>
    <item>
      <title>Cisco Firewall - Contexts</title>
      <link>https://community.cisco.com/t5/network-security/cisco-firewall-contexts/m-p/2329437#M342477</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If you are sharing a physical interface among contexts, the recommended practice is to manually assign unique MAC addresses. &lt;A href="http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1388020"&gt;Reference&lt;/A&gt;.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It's not really necessary to use subinterfaces on the ASA unless a single physical interface in a given context is serving multiple logical interfaces. If the upstream device is a router then subinterfaces are used there in your example. If a switch, then a trunk.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 26 Sep 2013 12:32:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-firewall-contexts/m-p/2329437#M342477</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2013-09-26T12:32:04Z</dc:date>
    </item>
  </channel>
</rss>

