02-23-2011 04:57 PM - edited 03-11-2019 12:55 PM
Hello
I'm a little confused: when should I use the command "mac-address auto"? I know that the ASA has some issues when doing multiple contexts. I read a few Cisco docs, but it isn't clear to me.
I found the following doc about it, but it has only a few examples and is hard to understand:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1134280
1 - When the doc says "sharing an interface", would that include the sub-interfaces on different VLANs, or only when you share the same physical and logical details?
Ex.
interface ethernet 0/0
 no shutdown
interface ethernet 0/0.1
 vlan 10
 no shutdown
interface ethernet 0/0.2
 vlan 20
 no shutdown
.....
context customerA
 description This is the context for customer A
 allocate-interface Ethernet0/0 int1
 allocate-interface Ethernet0/1.1 int2
 config-url disk0://contexta.cfg
context customerB
 description This is the context for customer B
 allocate-interface Ethernet0/0 int1
 allocate-interface Ethernet0/1.2 int2
 config-url disk0://contextb.cfg
I know for a fact that Ethernet0/0 is shared lol, but are Ethernet0/1.1 and Ethernet0/1.2 shared?
2 - The doc says that the valid classifier criteria are:
•Unique Interfaces
•Unique MAC Addresses
•NAT Configuration
Why wouldn't a unique IP address be a valid classifier?
3 - On which occasion would a configuration of mac-address auto be necessary?
Thank you
02-23-2011 05:39 PM
1. Sharing an interface means having multiple contexts sharing the same physical or logical interface with the same IP. That happens when the ASA is configured with multiple contexts and with only one internet connection with one IP. If that is the case, then mac-address auto will help you classify the traffic to the right context.
2. The classifiers are basically telling you how to forward the traffic to the right context. If you are sharing an interface but it is configured with a different IP on each context, then the forwarding will be based on the IP. If the interface IP is the same on a shared interface, then the forwarding will be based on the MAC address. The last classifier is NAT. You could be sharing the IP and have static NAT configured on each context; that will make the forwarding decision.
3. mac-address auto will be used when the interface is shared and you are using the same IP.
In case my explanation is not clear, you could check this link:
http://www.cisco.com/en/US/partner/docs/security/asa/asa72/command/reference/m_72.html#wp1788375
I hope this helps.
02-23-2011 06:58 PM
Hi,
Sharing an interface means allocating either a sub-interface or a physical interface to at least two different contexts. They must have different IP addresses.
Ethernet0/1.1 and Ethernet0/1.2 are not shared in this case. They would be in different VLANs.
A unique IP address isn't a valid classifier criterion because the destination IP address in the IP packet won't be the firewall's IP address for through-traffic. That piece of information is not available. The dest. MAC address will be the firewall's, though, which is mapped to a next-hop IP address.
mac-address auto is recommended because it automatically provides a unique MAC address to interfaces on shared interfaces, and then you never really have to worry about the packet classifier. You don't have to use this, but then you need to manually hard-code MAC addresses or use translations to provide the classifier the information it needs to determine which context the packet belongs to.
Regards,
-Justin
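Both answers above describe the same decision order: a packet is handed to the one context that owns the ingress interface; if the interface is shared, the classifier looks for a unique destination MAC; failing that, it looks for a mapped NAT address. The following is an added example, not code from the thread or from Cisco, that models that three-step classifier in Python over the poster's topology (Ethernet0/0 shared by customerA and customerB with the same outside IP, Ethernet0/1.1 and Ethernet0/1.2 allocated to one context each). The `assign_unique_macs` helper stands in for the effect of `mac-address auto`; its MAC numbering is this example's own, not Cisco's generation scheme, and all addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class CtxIface:
    """An interface as allocated into one context."""
    name: str                  # name inside the context, e.g. "int1"
    system_iface: str          # system-level interface it was allocated from
    ip: str
    mac: Optional[str] = None  # None: no unique MAC, as when mac-address auto is off


@dataclass
class Context:
    name: str
    ifaces: List[CtxIface]
    nat_mapped: Set[str] = field(default_factory=set)  # mapped (global) IPs this context owns


@dataclass
class Packet:
    ingress: str   # system-level interface the frame arrived on
    dst_mac: str
    dst_ip: str


def classify(pkt: Packet, contexts: List[Context]) -> Optional[str]:
    """Return the owning context name, or None when the packet cannot be classified
    (the ASA drops such packets). Order follows the three criteria in the thread:
    unique interface, then unique MAC address, then NAT configuration."""
    # Contexts that have the ingress interface allocated to them
    cands = [c for c in contexts
             if any(i.system_iface == pkt.ingress for i in c.ifaces)]
    # 1. Unique interface: only one context owns it, nothing else to check
    if len(cands) == 1:
        return cands[0].name
    # 2. Unique MAC: the frame's destination MAC matches exactly one context's
    #    interface on the shared ingress interface
    by_mac = [c for c in cands
              if any(i.system_iface == pkt.ingress and i.mac is not None
                     and i.mac.lower() == pkt.dst_mac.lower() for i in c.ifaces)]
    if len(by_mac) == 1:
        return by_mac[0].name
    # 3. NAT: the destination IP is a mapped address configured in exactly one context.
    #    For through-traffic the destination IP is a translated host address, never the
    #    firewall's own interface IP, which is why "unique IP" is not a classifier.
    by_nat = [c for c in cands if pkt.dst_ip in c.nat_mapped]
    if len(by_nat) == 1:
        return by_nat[0].name
    return None


def assign_unique_macs(contexts: List[Context], system_iface: str) -> None:
    """Stand-in for the effect of 'mac-address auto': give each context's copy of a
    shared interface a distinct locally administered MAC. The numbering is this
    example's own (assumption), not Cisco's generation algorithm."""
    for n, ctx in enumerate(contexts, start=1):
        for i in ctx.ifaces:
            if i.system_iface == system_iface:
                i.mac = f"02:00:00:00:00:{n:02x}"


def build_scenario() -> List[Context]:
    """Constructed topology modelled on the thread (addresses are made up)."""
    ctx_a = Context("customerA", [
        CtxIface("int1", "Ethernet0/0", "203.0.113.10"),
        CtxIface("int2", "Ethernet0/1.1", "10.1.1.1"),
    ])
    ctx_b = Context("customerB", [
        CtxIface("int1", "Ethernet0/0", "203.0.113.10"),
        CtxIface("int2", "Ethernet0/1.2", "10.2.2.1"),
    ])
    return [ctx_a, ctx_b]


def demo() -> Dict[str, Optional[str]]:
    contexts = build_scenario()
    inbound = Packet("Ethernet0/0", "00:00:00:aa:bb:cc", "203.0.113.50")
    results: Dict[str, Optional[str]] = {}
    # Not shared: classified by interface alone, whatever the MAC or IP
    results["vlan10_inside"] = classify(
        Packet("Ethernet0/1.1", "00:00:00:aa:bb:cc", "10.1.1.99"), contexts)
    # Shared, same IP, no unique MAC, no NAT: the classifier has nothing to go on
    results["shared_no_help"] = classify(inbound, contexts)
    # A static NAT in customerA for the destination: the NAT criterion resolves it
    contexts[0].nat_mapped.add("203.0.113.50")
    results["shared_via_nat"] = classify(inbound, contexts)
    # The same mapped address also in customerB: ambiguous again, dropped
    contexts[1].nat_mapped.add("203.0.113.50")
    results["shared_nat_ambiguous"] = classify(inbound, contexts)
    # Unique MACs (what mac-address auto provides): a frame addressed to customerB's
    # interface MAC is classified before NAT is even consulted
    assign_unique_macs(contexts, "Ethernet0/0")
    mac_b = next(i.mac for i in contexts[1].ifaces if i.system_iface == "Ethernet0/0")
    results["shared_via_mac"] = classify(Packet("Ethernet0/0", mac_b, "203.0.113.50"), contexts)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22s} -> {v}")
```

Run it and the `shared_no_help` and `shared_nat_ambiguous` cases come back as `None`, which is the situation the answers warn about: a shared interface with the same IP in every context gives the classifier nothing to key on unless each context has either its own MAC or a distinct mapped NAT address.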