topic Re: mutliple context sharing interfaces in Network Security

mutliple context sharing interfaces

techkamleshs — Mon, 11 Mar 2019 20:22:23 GMT

is it possible to assign same IP to shared interface in multiple context ? i have gone through below cisco document but this explain example in which logical interfaces are given different VLAN ID and assigned a unique MAC . so how is the interface considered to be shared in this eg ?

in the link http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml the heading "Assign the Same IP Address to the Shared Interfaces in the Multiple Context Mode" has following eg

if interface is shared the example should be something like this

interface Ethernet0.1
mac-address 0000.0707.0000

<context2 configuration>
!
interface Ethernet0.1 ----------------------> currently this is Ethernet0.2 in example
mac-address 0000.0808.0000

Re: mutliple context sharing interfaces

Shrikant Sundaresh — Mon, 18 Apr 2011 11:59:50 GMT

Hi Kamlesh,

The Physical interface Ethernet 0, is being split into two logical interfaces 0.1 and 0.2, and these are shared amongst the multiple contexts.

The physical interface, is thus being shared by both contexts.

Hope this clears things up.

-Shrikant

P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.

Re: mutliple context sharing interfaces

techkamleshs — Tue, 19 Apr 2011 09:06:52 GMT

Hi Shrikant ,

the example given is not really of a shared interface . A shared interface would not be separated by a different VLAN tag and that interface should be part of both context (whether logical or physical)

Re: mutliple context sharing interfaces

techkamleshs — Fri, 22 Apr 2011 11:17:10 GMT

Hi experts

any ideas on this question and document ?

Re: mutliple context sharing interfaces

brquinn — Fri, 22 Apr 2011 14:31:19 GMT

Kamlesh,

First, a shared interface is either a physical interface or sub-interface on the same subnet/vlan. Because each context has an interface in the same subnet, the IP addresses should be different. So...

Q. Is it possible to assign same IP to shared interface in multiple context?

A. Yes this is possible, but strongly discouraged. The subnet will be the same, but the IPs should be different because it behaves like any other duplicate IP in your network.

Q. I have gone through below cisco document but this explain example in which logical interfaces are given different VLAN ID and assigned a unique MAC. So how is the interface considered to be shared in this example?

A. In your example, the sub-interface Ethernet0.1 in context1 would have to be configured with the same subnet and vlan as Ethernet0.1 in context2.

Regarding the link, I think it is just saying that it is possible to assign the same IP to interfaces in 2 contexts so long as their mac-addresses are different. Keep in mind that I would NOT suggest doing this. If you do, you would have to manually configure the arp entries for all other hosts in that subnet. Otherwise, when a host sends an arp for your duplicate IP, it's a race to see which interface replies first. (this is very bad)

Bottom line, you should not configure duplicate IPs on your shared interface if it can be avoided.

I hope this helps. If this answers your question, please mark it as resolved.

Thanks,

Brendan

Re: mutliple context sharing interfaces

techkamleshs — Tue, 26 Apr 2011 10:34:30 GMT

hi brendan,

your explanation was helpful

1.If it is possible to hav 2 shared i/f (whether logical or physical ) assigned to same context [ with the shared i/f having same IP and VLAN ID ]is it possible that we can differentiate them by assigning virtual mac to each of them [ in their individual contexts ] so that firewall can distinguish among them ? I dont know if this is possible .

2. If the link is providing explantion to assign the same IP to diffrent interfaces in 2 contexts , then the document heading should be changed as it is no longer a shared interface example then .