How The Security Appliance Classifies Packets; Valid Classifier Criteria - Cisco ASA 5505 Configuration Manual

Chapter 6
Configuring Multiple Context Mode
Information About Security Contexts
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 6-3

If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal flash memory called admin.cfg. This context is named "admin." If you do not want to use admin.cfg as the admin context, you can change the admin context.

How the Security Appliance Classifies Packets

Each packet that enters the adaptive security appliance must be classified, so that the adaptive security appliance can determine to which context to send a packet. This section includes the following topics:
Valid Classifier Criteria, page 6-3
Classification Examples, page 6-4

Note
If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context.

Valid Classifier Criteria

This section describes the criteria used by the classifier and includes the following topics:
Unique Interfaces, page 6-3
Unique MAC Addresses, page 6-3
NAT Configuration, page 6-3

For management traffic destined for an interface, the interface IP address is used for classification.

Note
The routing table is not used for packet classification.

Unique Interfaces
If only one context is associated with the ingress interface, the adaptive security appliance classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses the interface MAC address. The adaptive security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface (see the "Configuring Advanced Interface Parameters" section on page 8-26), or you can automatically generate MAC addresses (see the "Automatically Assigning MAC Addresses to Context Interfaces" section on page 6-19).

NAT Configuration
If you do not use unique MAC addresses, then the mapped addresses in your NAT configuration are used to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification can occur regardless of the completeness of the NAT configuration.
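The three classifier criteria above, together with the two notes (broadcast/multicast frames are delivered to every context; management traffic to an interface is classified by the interface IP address), as a small Python model of the decision order. This is an added example written for this page, not Cisco code, and it models only what the text states: the context and interface data layout, the names (ctxA, ctxB, outside, inside1, inside2), the MAC and IP addresses, the placement of the interface-IP check just before the NAT check, and the result for a packet that matches no criterion (an empty list) are all assumptions of the example.

```python
"""Model of the multiple-context packet classifier described above.

Added example for this page, not Cisco code. It follows the order the text
gives: unique ingress interface, then per-context interface MAC address on a
shared interface, then the interface IP address (management traffic) and the
mapped addresses of the NAT configuration. Names, addresses and the data
layout are constructed; the behaviour for a packet that matches nothing
(an empty result) is an assumption, as the page does not cover it.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed burned-in MAC of the shared physical interface; by default every
# context uses it on a shared interface, so the MAC cannot tell contexts apart.
BURNED_IN_MAC = "0000.0000.0001"


@dataclass
class ContextInterface:
    ip: str                                             # interface IP in this context
    mac: str = BURNED_IN_MAC                            # per-context MAC on the interface
    nat_mapped: set[str] = field(default_factory=set)   # mapped addresses from NAT rules


@dataclass
class Context:
    name: str
    interfaces: dict[str, ContextInterface]             # allocated interfaces, keyed by name


@dataclass(frozen=True)
class Packet:
    ingress: str    # interface the frame arrived on
    dst_mac: str    # destination MAC, Cisco dotted-hex notation
    dst_ip: str     # destination IP address


def is_broadcast_or_multicast(mac: str) -> bool:
    """IEEE 802 group bit: lowest bit of the first octet (ffff.ffff.ffff, 0100.5e..)."""
    return bool(int(mac.split(".")[0][:2], 16) & 0x01)


def classify(packet: Packet, contexts: list[Context]) -> list[str]:
    """Return the names of the contexts that receive the packet."""
    candidates = [c for c in contexts if packet.ingress in c.interfaces]
    if not candidates:
        return []                                   # interface allocated to no context
    # Note 1: multicast/broadcast frames are duplicated to every context on the interface.
    if is_broadcast_or_multicast(packet.dst_mac):
        return [c.name for c in candidates]
    # Criterion 1: only one context uses the ingress interface.
    if len(candidates) == 1:
        return [candidates[0].name]
    # Criterion 2: shared interface with a unique MAC address per context.
    macs = {c.interfaces[packet.ingress].mac for c in candidates}
    if len(macs) == len(candidates):
        return [c.name for c in candidates
                if c.interfaces[packet.ingress].mac == packet.dst_mac]
    # Criterion 3: no unique MACs, so use the interface IP (management traffic,
    # Note 2) and the NAT mapped addresses. The routing table is never consulted.
    for c in candidates:
        intf = c.interfaces[packet.ingress]
        if packet.dst_ip == intf.ip or packet.dst_ip in intf.nat_mapped:
            return [c.name]
    return []                                       # assumption: matches no criterion


def default_mac_contexts() -> list[Context]:
    """Two contexts sharing 'outside' with the default burned-in MAC (constructed)."""
    return [
        Context("ctxA", {"outside": ContextInterface("198.51.100.1", nat_mapped={"203.0.113.10"}),
                         "inside1": ContextInterface("10.1.1.1")}),
        Context("ctxB", {"outside": ContextInterface("198.51.100.2", nat_mapped={"203.0.113.20"}),
                         "inside2": ContextInterface("10.2.2.1")}),
    ]


def unique_mac_contexts() -> list[Context]:
    """Same layout, but each context has its own MAC on the shared interface (constructed)."""
    ctxs = default_mac_contexts()
    ctxs[0].interfaces["outside"].mac = "0200.0000.00a1"
    ctxs[1].interfaces["outside"].mac = "0200.0000.00b1"
    return ctxs


if __name__ == "__main__":
    for label, ctxs in (("default MAC", default_mac_contexts()),
                        ("unique MACs", unique_mac_contexts())):
        for pkt in (Packet("outside", "0200.0000.00a1", "203.0.113.20"),
                    Packet("outside", "0200.0000.00b1", "203.0.113.10"),
                    Packet("outside", "ffff.ffff.ffff", "255.255.255.255"),
                    Packet("inside1", "0000.0000.0001", "10.1.1.1")):
            print(f"{label:12} {pkt.ingress:8} {pkt.dst_mac} {pkt.dst_ip:16} -> {classify(pkt, ctxs)}")
```

Running the block prints the same four packets under both scenarios. With the default burned-in MAC the classifier on the shared outside interface has only the interface IPs and NAT mapped addresses to go on, so a frame for a mapped address from ctxA's NAT lands in ctxA whatever MAC it carried; with a unique MAC per context the same frame is classified by MAC into ctxB, which is the point of the text's recommendation to rely on MAC addresses rather than on the completeness of the NAT configuration.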
