6-11
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 6 Configuring Multiple Context Mode
Information About Security Contexts
Information About MAC Addresses
To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each shared
context interface (see the “Automatically Assigning MAC Addresses to Context Interfaces” section on
page 6-19).
The MAC address is used to classify packets within a context. If you share an interface, but do not have
unique MAC addresses for the interface in each context, then the destination IP address is used to
classify packets. The destination address is matched with the context NAT configuration, and this
method has some limitations compared to the MAC address method. See the “How the Security
Appliance Classifies Packets” section on page 6-3 for information about classifying packets.
In the rare circumstance that the generated MAC address conflicts with another private MAC address in
your network, you can manually set the MAC address for the interface within the context. See the
“Configuring Advanced Interface Parameters” section on page 8-26 to manually set the MAC address.
This section includes the following topics:
• Default MAC Address, page 6-11
• Interaction with Manual MAC Addresses, page 6-11
• Failover MAC Addresses, page 6-11
• MAC Address Format, page 6-11
Default MAC Address
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical
interface use the same burned-in MAC address.
All auto-generated MAC addresses start with A2. The auto-generated MAC addresses are persistent
across reloads.
Interaction with Manual MAC Addresses
If you manually assign a MAC address and also enable auto-generation, then the manually assigned
MAC address is used. If you later remove the manual MAC address, the auto-generated address is used.
Because auto-generated addresses start with A2, you cannot start manual MAC addresses with A2 if you
also want to use auto-generation.
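The rules above can be checked offline against exported context configurations. The following is an added example, not code from the guide or from Cisco: it assumes each context's configuration sets a manual address with the interface-level `mac-address H.H.H` subcommand and that a shared interface carries the same name in every context (no mapped names). The function names and the sample configurations are constructed for illustration.

```python
import re

AUTO_PREFIX = "a2"  # per the guide: auto-generated MACs start with A2

def parse_manual_macs(cfg):
    """Return {interface: manual MAC or None} from one context's config text."""
    macs, current = {}, None
    for line in cfg.splitlines():
        iface = re.match(r"interface\s+(\S+)", line)
        mac = re.match(r"\s+mac-address\s+([0-9A-Fa-f.]+)", line)
        if iface:
            current = iface.group(1)
            macs[current] = None
        elif mac and current:
            macs[current] = mac.group(1).replace(".", "").lower()
        elif line and not line[0].isspace():
            current = None  # left the interface block
    return macs

def audit(contexts, auto_enabled):
    """contexts: {context name: config text}. Returns sorted finding tuples."""
    findings, users = [], {}  # users: interface -> [(context, manual MAC or None)]
    for ctx, cfg in contexts.items():
        for ifc, mac in parse_manual_macs(cfg).items():
            users.setdefault(ifc, []).append((ctx, mac))
            # Manual addresses must stay out of the auto-generated A2 range.
            if auto_enabled and mac and mac.startswith(AUTO_PREFIX):
                findings.append(("manual-mac-uses-a2", ifc, ctx))
    for ifc, entries in users.items():
        if len(entries) < 2:
            continue  # interface is not shared between contexts
        # Manual wins over auto; with neither, every context sees the burned-in MAC.
        effective = [mac or ("auto" if auto_enabled else "burned-in") for _, mac in entries]
        for (ctx, mac), eff in zip(entries, effective):
            # A non-unique MAC means packets are classified by destination IP/NAT instead.
            if eff != "auto" and effective.count(eff) > 1:
                kind = "shared-duplicate-mac" if mac else "shared-burned-in-mac"
                findings.append((kind, ifc, ctx))
    return sorted(findings)

# Constructed sample context configurations (not from the guide).
SAMPLE = {
    "admin": "interface GigabitEthernet0/0\n nameif outside\n mac-address a201.0000.0001\n",
    "ctxA": "interface GigabitEthernet0/0\n nameif outside\n mac-address 000c.f142.4cde\n"
            "interface GigabitEthernet0/1\n nameif inside\n",
    "ctxB": "interface GigabitEthernet0/0\n nameif outside\n mac-address 000C.F142.4CDE\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, auto_enabled=True):
        print(finding)
```

Pass `auto_enabled=True` when the system configuration contains `mac-address auto`; each finding names the interface and the context whose address needs attention.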
Failover MAC Addresses
For use with failover, the adaptive security appliance generates both an active and standby MAC address
for each interface. If the active unit fails over and the standby unit becomes active, the new active unit
starts using the active MAC addresses to minimize network disruption. See the “MAC Address Format”
section for more information.
For upgrading failover units with the legacy version of the mac-address auto command before the
prefix keyword was introduced, see the mac-address auto command in the Cisco ASA 5500 Series
Command Reference.
MAC Address Format
The adaptive security appliance generates the MAC address using the following format: