09-14-2010 06:27 PM - edited 03-11-2019 11:40 AM
Hi All,
I am configuring a shared outside interface on all the contexts. I have read in the document that I have to enable the auto MAC feature for the traffic to return to the context.
So please tell me if I am correct here.
When defining a context on the system context, I have to add some extra commands as follows:
context CTX1
  allocate-interface GigabitEthernet0/0.1 outside_customerA
  mac-address auto GigabitEthernet0/0.1 a2d2.0400.11bc a2d2.0400.11bd
  allocate-interface GigabitEthernet0/1.50 inside_customerA
  allocate-interface GigabitEthernet0/2.60 dmz_customerA
context CTX2
  allocate-interface GigabitEthernet0/0.1 outside_customerA
  mac-address auto GigabitEthernet0/0.1 b2e2.0500.22bc b2e2.0500.22bd
  allocate-interface GigabitEthernet0/1.51 inside_customerB
  allocate-interface GigabitEthernet0/2.61 dmz_customerB
So in the above configuration, the outside interface, as you can see, is shared between 2 contexts but the MAC address is different. So would this be an ideal config to implement in a production environment? Please give me your thoughts and suggestions for the best way to implement this.
Thanks
09-14-2010 08:11 PM
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2043127
A sample like what you have (shared interface between contexts) is in the above link.
-KS
09-14-2010 09:09 PM
Hi Kusankar,
Thanks for your reply. Is there a way to configure the MAC addresses without actually explicitly mentioning them in the context? Can the ASA automatically allocate them?
Thanks
09-14-2010 09:21 PM
Yes, you can do that with the global command:
mac-address auto
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2043127
4. mac-address auto command in global configuration mode (multiple context mode only).
mac-address auto | Auto-generates MAC addresses (active and standby) for shared interfaces in multiple context mode. |
-KS
09-14-2010 09:25 PM
Kusankar,
I just read that. Now say I have 4 subinterfaces assigned to each context and I have 10 contexts. Out of the 4 subinterfaces, only the outside subinterface is a shared interface used by all contexts. The rest have different VLANs and subnets.
Now if I issue the command "mac-address auto" on each context, how will it know which subinterface to automatically generate the MAC address for?
Thanks
09-14-2010 09:28 PM
That command goes in the system space (global command).
It will auto-generate MAC addresses for all the interfaces in all the contexts. If you look at the command mode, you can configure the command only in system space in multiple context mode.
The following table shows the modes in which you can enter the command:
Command Mode | Firewall Mode: Routed | Firewall Mode: Transparent | Security Context: Single | Security Context: Multiple (Context) | Security Context: Multiple (System)
---|---|---|---|---|---
Global configuration | • | • | — | — | •
-KS
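An added example, not part of the thread or of Cisco's documentation: a small Python audit that reads a saved system-space configuration, finds interfaces allocated to more than one context, and reports them when the global `mac-address auto` line is absent. The sample configuration, function names and the `disk0:/` file names are constructed for illustration, and the parser assumes sub-commands are indented as in ASA output.

```python
import re
from collections import defaultdict

# Constructed sample of a system-space config (assumption: sub-commands are indented).
SAMPLE_SYSTEM_CONFIG = """\
context CTX1
 allocate-interface GigabitEthernet0/0.1 outside_customerA
 allocate-interface GigabitEthernet0/1.50 inside_customerA
 allocate-interface GigabitEthernet0/2.60 dmz_customerA
 config-url disk0:/ctx1.cfg
context CTX2
 allocate-interface GigabitEthernet0/0.1 outside_customerB
 allocate-interface GigabitEthernet0/1.51 inside_customerB
 allocate-interface GigabitEthernet0/2.61 dmz_customerB
 config-url disk0:/ctx2.cfg
"""

def audit_shared_interfaces(config_text):
    """Return (auto_mac_enabled, {interface: [contexts]}) for interfaces in 2+ contexts."""
    auto_mac = False
    current = None                      # context block we are inside, if any
    owners = defaultdict(list)
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                    # skip blanks and '!' comment lines
        words = re.split(r"\s+", line.strip())
        if not line[0].isspace():       # unindented line: system-space command
            current = words[1] if words[0] == "context" and len(words) > 1 else None
            if words[:2] == ["mac-address", "auto"]:
                auto_mac = True         # only the system-space form counts
        elif current and words[0] == "allocate-interface" and len(words) > 1:
            iface = words[1].lower()    # interface ranges are treated as one token
            if current not in owners[iface]:
                owners[iface].append(current)
    shared = {i: c for i, c in owners.items() if len(c) > 1}
    return auto_mac, shared

def findings(config_text):
    """One message per shared interface when 'mac-address auto' is not set globally."""
    auto_mac, shared = audit_shared_interfaces(config_text)
    if auto_mac:
        return []
    return [f"{iface} is shared by {', '.join(ctxs)}; no 'mac-address auto' in system space"
            for iface, ctxs in sorted(shared.items())]

if __name__ == "__main__":
    for msg in findings(SAMPLE_SYSTEM_CONFIG):
        print(msg)
```

A finding only means the system space is not generating the addresses; MAC addresses set by hand inside each context's own configuration are not visible to this check.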