Chapter 3
Enabling Multiple Context Mode
How the Security Appliance Classifies Packets
Each packet that enters the security appliance must be classified, so that the security appliance can
determine to which context to send a packet. This section includes the following topics:
•
•
•
If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and
Note
delivered to each context.
Valid Classifier Criteria
This section describes the criteria used by the classifier, and includes the following topics:
•
•
•
Unique Interfaces
If only one context is associated with the ingress interface, the security appliance classifies the packet
into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method
is used to classify packets at all times.
Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses the interface MAC address. The security
appliance lets you assign a different MAC address in each context to the same shared interface, whether
it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique
MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An
upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC
addresses manually when you configure each interface (see the
page
Addresses to Context Interfaces" section on page
NAT Configuration
If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a
destination IP address lookup. All other fields are ignored; only the destination IP address is used. To
use the destination address for classification, the classifier must have knowledge about the subnets
located behind each security context. The classifier relies on the NAT configuration to determine the
subnets in each context. The classifier matches the destination IP address to either a static command or
a global command. In the case of the global command, the classifier does not need a matching nat
command or an active NAT session to classify the packet. Whether the packet can communicate with the
destination IP address after classification depends on how you configure NAT and NAT control.
For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when
the context administrators configure static commands in each context:
•
OL-10088-01
Valid Classifier Criteria, page 3-3
Invalid Classifier Criteria, page 3-4
Classification Examples, page 3-5
Unique Interfaces, page 3-3
Unique MAC Addresses, page 3-3
NAT Configuration, page 3-3
7-2), or you can automatically generate MAC addresses (see the
Context A:
"Configuring the Interface" section on
6-11).
Cisco Security Appliance Command Line Configuration Guide
Security Context Overview
"Automatically Assigning MAC
3-3