Cisco Firewall - Contexts

Jim Kerr
Level 1

Hi All

I hope you can help with a number of questions I have around our existing Cisco firewall and the use of Contexts.

We have a router with an inside interface, e.g. A.A.A.A, connected to an L2 switch and then to a Cisco 5550 firewall. The link in place between the switch and the firewall is a trunk.

The firewall is running in routed context mode already with just 1 context in place (besides admin).

The existing context has a number of logical interfaces assigned to it, with incoming traffic to the firewall using a certain VLAN on subinterface 1.182. Subinterface 1.182 is a member of a redundant logical interface on the incoming physical interface 0/0.

There is a route in place on the router forwarding all traffic to an IP address on the firewall within Context 1, e.g. A.A.A.254 on logical interface 1.182.

The problem is that we would now like to create another context on the firewall (context 2).

I’d like to know the best way to complete this task: whether I can re-use the existing incoming logical interface 1.182 that is used in Context 1, whether to create another subinterface, e.g. 1.183, or alternatively use a completely different physical interface on the firewall and add another Ethernet connection to the switch.

If I can use the same logical interface used in Context 1, from what I have already read I would need to make sure that the MAC address on the new context interface is different to the MAC in Context 1?

Can I assign a different IP address to this shared logical interface within my new Context 2? And does it need to be in the same subnet as already used between the router and the firewall, i.e. A.A.A.A.x? I would suspect so.

Also I guess I would need to put another static route on the router directing my required traffic to my IP address within Context 2?

Please could someone help with some guidance? The problem that I have is that I naturally want to avoid causing any upset to the existing Context 1 and how it currently receives its traffic.

Thanks

1 Reply

Marvin Rhoads
Hall of Fame

If you are sharing a physical interface among contexts, the recommended practice is to manually assign unique MAC addresses. Reference.

It's not really necessary to use subinterfaces on the ASA unless a single physical interface in a given context is serving multiple logical interfaces. If the upstream device is a router then subinterfaces are used there in your example. If a switch, then a trunk.
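The configuration below is an added example illustrating the practice the reply recommends (one shared subinterface allocated to two contexts, each with a manually assigned, unique MAC address, plus a per-context static route on the upstream router). It is not the poster's configuration or any vendor sample: the context names ctx1 and ctx2, VLAN 182, the second redundant member GigabitEthernet0/1, the 192.0.2.0/24 router-facing subnet, the 10.1.0.0/16 and 10.2.0.0/16 destination prefixes and the locally administered MAC addresses are all constructed placeholders.

```cisco
! Constructed example, not the poster's configuration.
! Assumed: context names ctx1/ctx2, VLAN 182, second member Gi0/1,
! router-facing subnet 192.0.2.0/24, destination prefixes 10.1/16 and 10.2/16.
!
! --- ASA system execution space ---
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/1
 no shutdown
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
!
interface Redundant1.182
 vlan 182
!
! The same subinterface is allocated to both contexts, i.e. it is a shared interface.
context ctx1
 allocate-interface Redundant1.182
 config-url disk0:/ctx1.cfg
!
context ctx2
 allocate-interface Redundant1.182
 config-url disk0:/ctx2.cfg
!
! --- Inside context ctx1 (after "changeto context ctx1") ---
interface Redundant1.182
 nameif outside
 security-level 0
 mac-address 0200.0000.1182
 ip address 192.0.2.254 255.255.255.0
!
! --- Inside context ctx2 (after "changeto context ctx2") ---
! Different IP and a different MAC on the same shared subinterface.
interface Redundant1.182
 nameif outside
 security-level 0
 mac-address 0200.0000.2182
 ip address 192.0.2.253 255.255.255.0
!
! --- Upstream router (IOS): one static route per context next hop ---
ip route 10.1.0.0 255.255.0.0 192.0.2.254
ip route 10.2.0.0 255.255.0.0 192.0.2.253
```

Unique MAC addresses matter on a shared interface because the ASA classifier uses the destination MAC of an arriving frame to decide which context owns it; if both contexts answered to the same MAC, frames for the new context could be classified into the existing one. Before cutting over, `show context` in the system execution space confirms that Redundant1.182 is allocated to both contexts, and `show interface` inside each context confirms that each one reports its own MAC and IP address, so the existing context's path is left untouched.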
