ASDM 6.0 User Guide
Configuring Interfaces in Multiple Mode

Table Of Contents

Configuring Interfaces in Multiple Mode

Configuring Interfaces in the System Configuration

Configuring Physical Interfaces

Physical Interface Overview

Configuring and Enabling Physical Interfaces

Configuring Redundant Interfaces

Redundant Interface Overview

Adding a Redundant Interface

Configuring VLAN Subinterfaces and 802.1Q Trunking

Subinterface Overview

Adding a Subinterface

Interface Field Descriptions (System)

Interfaces (System)

Add/Edit Interface (System)

Add/Edit Redundant Interface (System)

Hardware Properties (System)

Allocating Interfaces to Contexts

Configuring Interface Parameters within each Context

Interface Parameters Overview

Default State of Interfaces

Default Security Level

Configuring Interface Parameters

Enabling Same Security Level Communication

Interface Field Descriptions (Context)

Interfaces (Context)

Edit Interface > General (Context)

Edit Interface > Advanced (Context)


Configuring Interfaces in Multiple Mode


This chapter describes how to configure and enable physical Ethernet interfaces, how to create redundant interface pairs, and how to add subinterfaces in the system configuration. If you have both fiber and copper Ethernet ports (for example, on the 4GE SSM for the ASA 5510 and higher series adaptive security appliance), this chapter describes how to configure the interface media type.

For each interface assigned to a context (physical, redundant, or subinterface), this chapter tells how to configure a name, security level, and IP address (routed firewall mode only).


Note To configure interfaces in single context mode, see Chapter 5, "Configuring Interfaces."


This chapter includes the following sections:

Configuring Interfaces in the System Configuration

Allocating Interfaces to Contexts

Configuring Interface Parameters within each Context

Configuring Interfaces in the System Configuration

In multiple context mode, you configure physical interface parameters and add redundant interfaces and subinterfaces in the system execution space.

This section includes the following topics:

Configuring Physical Interfaces

Configuring Redundant Interfaces

Configuring VLAN Subinterfaces and 802.1Q Trunking

Interface Field Descriptions (System)


Note If you use failover, you need to assign a dedicated interface as the failover link and an optional interface for Stateful Failover on the Failover: Setup tab. (You can use the same interface for failover and state traffic, but we recommend separate interfaces). You can use a physical interface, subinterface, or redundant interface for the failover and state links, as long as they are not assigned to a context. To use a subinterface, do not assign the physical interface to a context.


Configuring Physical Interfaces

This section describes how to configure settings for physical interfaces, and includes the following topics:

Physical Interface Overview

Configuring and Enabling Physical Interfaces

Physical Interface Overview

This section describes physical interfaces, and includes the following topics:

Default State of Physical Interfaces

Connector Types

Auto-MDI/MDIX Feature

Default State of Physical Interfaces

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through it (either alone or as part of a redundant interface pair), or through a subinterface. For multiple context mode, if you allocate an interface (physical, redundant, or subinterface) to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must first enable the physical interface in the system configuration, as described in the "Configuring and Enabling Physical Interfaces" section.

By default, the speed and duplex for copper (RJ-45) interfaces are set to auto-negotiate.

Connector Types

The ASA 5550 adaptive security appliance and the 4GE SSM for the ASA 5510 and higher adaptive security appliance include two connector types: copper RJ-45 and fiber SFP. RJ-45 is the default.

To use the fiber SFP connectors, you must set the media type to SFP. The fiber interface has a fixed speed and does not support duplex, but you can set the interface to negotiate link parameters (the default) or not to negotiate.

Auto-MDI/MDIX Feature

For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

Configuring and Enabling Physical Interfaces

To configure and enable a physical interface, perform the following steps:


Step 1 In the Configuration > Device List pane, double-click System under the active device IP address.

Step 2 On the Context Management > Interfaces pane, click a physical interface that you want to configure, and click Edit.

Step 3 To enable the interface, check the Enable Interface check box.

Step 4 To add a description, enter text in the Description field.

Step 5 (Optional) To set the media type, duplex, and speed, click the Configure Hardware Properties button.

a. If you have an ASA 5550 adaptive security appliance or a 4GE SSM, you can choose either RJ-45 or SFP from the Media Type drop-down list.

RJ-45 is the default.

b. To set the duplex for RJ-45 interfaces, choose Full, Half, or Auto, depending on the interface type, from the Duplex drop-down list.

c. To set the speed, choose a value from the Speed drop-down list.

The speeds available depend on the interface type. For SFP interfaces, which are always 1000 Mbps, you can set the speed to Negotiate or Nonegotiate. Negotiate (the default) enables link negotiation, which exchanges flow-control parameters and remote fault information. Nonegotiate does not negotiate link parameters. For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

d. Click OK to accept the Hardware Properties changes.

Step 6 Click OK to accept the Interface changes.


Configuring Redundant Interfaces

A logical redundant interface pairs an active and a standby physical interface. When the active interface fails, the standby interface becomes active and starts passing traffic. You can configure a redundant interface to increase the security appliance reliability. This feature is separate from device-level failover, but you can configure redundant interfaces as well as failover if desired. You can configure up to 8 redundant interface pairs.

All subsequent security appliance configuration refers to the logical redundant interface instead of the member physical interfaces.

This section describes how to configure redundant interfaces, and includes the following topics:

Redundant Interface Overview

Adding a Redundant Interface

Redundant Interface Overview

This section includes overview information about redundant interfaces, and includes the following topics:

Default State of Redundant Interfaces

Redundant Interfaces and Failover Guidelines

Redundant Interface MAC Address

Physical Interface Guidelines for Use in a Redundant Interface

Default State of Redundant Interfaces

When you add a redundant interface, it is enabled by default. However, the member interfaces must also be enabled to pass traffic.

Redundant Interfaces and Failover Guidelines

Follow these guidelines when adding member interfaces:

If you want to use a redundant interface for the failover or state link, then you must configure the redundant interface as part of the basic configuration on the secondary unit in addition to the primary unit.

If you use a redundant interface for the failover or state link, you must put a switch or hub between the two units; you cannot connect them directly. Without the switch or hub, you could have the active port on the primary unit connected directly to the standby port on the secondary unit.

You can monitor redundant interfaces for failover; be sure to reference the logical redundant interface name.

When the active interface fails over to the standby interface, this activity does not cause the redundant interface to appear to be failed when being monitored for device-level failover. Only when both physical interfaces fail does the redundant interface appear to be failed.

Redundant Interface MAC Address

The redundant interface uses the MAC address of the first physical interface that you add. If you change the order of the member interfaces in the configuration, then the MAC address changes to match the MAC address of the interface that is now listed first. Alternatively, you can assign a MAC address to the redundant interface, which is used regardless of the member interface MAC addresses (see the "Configuring Interface Parameters" section or the "Configuring Security Contexts" section on page 9-19). When the active interface fails over to the standby, the same MAC address is maintained so that traffic is not disrupted.

Physical Interface Guidelines for Use in a Redundant Interface

Follow these guidelines when adding member interfaces:

Both member interfaces must be of the same physical type. For example, both must be Ethernet.

When you add a physical interface to the redundant interface, the name, IP address, and security level are removed.


Caution If you are using a physical interface already in your configuration, removing the name will clear any configuration that refers to the interface.

If you shut down the active interface, then the standby interface becomes active.

Adding a Redundant Interface

You can configure up to 8 redundant interface pairs. To configure a redundant interface, perform the following steps:


Step 1 If you are not already in the System configuration mode, in the Configuration > Device List pane, double-click System under the active device IP address.

Step 2 On the Context Management > Interfaces pane, click Add > Redundant Interface.

Step 3 In the Redundant ID field, enter an integer between 1 and 8.

Step 4 From the Primary Interface drop-down list, choose the physical interface you want to be primary.

Be sure to pick an interface that does not have a subinterface and that has not already been allocated to a context.

Step 5 From the Secondary Interface drop-down list, choose the physical interface you want to be secondary.

Step 6 If the interface is not already enabled, check Enable Interface.

The interface is enabled by default. To disable it, uncheck the box.

Step 7 To add a description, enter text in the Description field.

The description can be up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Step 8 Click OK.


Configuring VLAN Subinterfaces and 802.1Q Trunking

This section describes how to configure a subinterface, and includes the following topics:

Subinterface Overview

Adding a Subinterface

Subinterface Overview

Subinterfaces let you divide a physical or redundant interface into multiple logical interfaces that are tagged with different VLAN IDs. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk. Because VLANs allow you to keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding additional physical interfaces or security appliances. This feature is particularly useful in multiple context mode so that you can assign unique interfaces to each context.

This section includes the following topics:

Default State of Subinterfaces

Maximum Subinterfaces

Default State of Subinterfaces

When you add a subinterface, it is enabled by default. However, the physical or redundant interface must also be enabled to pass traffic (see the "Configuring Physical Interfaces" section to enable physical interfaces, and the "Configuring Redundant Interfaces" section to enable redundant interfaces).

Maximum Subinterfaces

To determine how many subinterfaces are allowed for your platform, see Appendix A, "Feature Licenses and Specifications."

Adding a Subinterface

To add a subinterface and assign a VLAN to it, perform the following steps:


Step 1 If you are not already in the System configuration mode, in the Configuration > Device List pane, double-click System under the active device IP address.

Step 2 On the Context Management > Interfaces pane, click Add > Interface.

Step 3 From the Hardware Port drop-down list, choose the physical interface to which you want to add the subinterface.

Step 4 If the interface is not already enabled, check Enable Interface.

The interface is enabled by default. To disable it, uncheck the box.

Step 5 In the VLAN ID field, enter the VLAN ID between 1 and 4095.

Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.

Step 6 In the Subinterface ID field, enter the subinterface ID as an integer between 1 and 4294967293.

The number of subinterfaces allowed depends on your platform. You cannot change the ID after you set it.

Step 7 (Optional) In the Description field, enter a description for this interface.

The description can be up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Step 8 Click OK.


Interface Field Descriptions (System)

This section includes the following topics:

Interfaces (System)

Add/Edit Interface (System)

Add/Edit Redundant Interface (System)

Hardware Properties (System)

Interfaces (System)

Fields

Interface—Displays the interface ID. All physical interfaces are listed automatically. Subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number.

Enabled—Indicates if the interface is enabled, Yes or No.

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface or redundant interface. For multiple context mode, if you allocate an interface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

Redundant—Shows if this interface is a redundant interface, Yes or No.

Member—Shows if this interface is a member of a redundant interface, Yes or No.

VLAN—Shows the VLAN assigned to a subinterface. Physical and redundant interfaces show "native," meaning that the interface is untagged.

Description—Displays a description. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description.

Add > Interface—Adds a subinterface. See the "Configuring VLAN Subinterfaces and 802.1Q Trunking" section for more information.

Add > Redundant Interface—Adds a redundant interface. See the "Configuring Redundant Interfaces" section for more information.

Edit—Edits the selected interface.

Delete—Deletes the selected subinterface or redundant interface. You cannot delete physical interfaces or allocated interfaces in a context. If you assign an interface as the failover link or state link (see the Failover: Setup tab), you cannot delete the interface in this pane.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Interface (System)

Fields

Hardware Port—When you add a subinterface, you can choose any enabled physical interface to which you want to add a subinterface. If you do not see an interface ID, be sure that the interface is enabled.

Configure Hardware Properties—For a physical interface, opens the Hardware Properties (System) dialog box so you can set the media type, speed, and duplex.

Enable Interface—Enables this interface to pass traffic.

By default, all physical interfaces are shut down. You must enable the physical interface before any traffic can pass through an enabled subinterface or redundant interface. For multiple context mode, if you allocate an interface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

VLAN ID—For a subinterface, sets the VLAN ID, between 1 and 4095. Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.

Subinterface ID—Sets the subinterface ID as an integer between 1 and 4294967293. The number of subinterfaces allowed depends on your platform. You cannot change the ID after you set it.

Description—Sets an optional description up to 240 characters on a single line, without carriage returns. The system description is independent of the context description. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Redundant Interface (System)

Fields

Redundant ID—Sets the redundant interface ID, between 1 and 8.

Primary Interface—Sets the primary interface. This interface becomes active by default.

Secondary Interface—Sets the secondary interface.

Enable Interface—Enables this interface to pass traffic.

By default, redundant interfaces are enabled. You must enable the physical interfaces before any traffic can pass through an enabled redundant interface. For multiple context mode, if you allocate an interface to a context, the interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

Description—Sets an optional description up to 240 characters on a single line, without carriage returns. The system description is independent of the context description. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Hardware Properties (System)

Fields

Hardware Port—Display only. Displays the interface ID.

Media Type—Sets the media type to RJ45 or SFP. The default is RJ45.

Duplex—Lists the duplex options for the interface, including Full, Half, or Auto, depending on the interface type.

Speed—Lists the speed options for the interface. The speeds available depend on the interface type. For SFP interfaces, which are always 1000 Mbps, you can set the speed to Negotiate or Nonegotiate. Negotiate (the default) enables link negotiation, which exchanges flow-control parameters and remote fault information. Nonegotiate does not negotiate link parameters. For RJ-45 interfaces on the ASA 5500 series adaptive security appliance, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Allocating Interfaces to Contexts

To allocate interfaces to contexts, see the "Configuring Security Contexts" section on page 9-19.

Configuring Interface Parameters within each Context

Within each context, you configure the name, security level, and IP address of each interface. You can also enable same security level communication. This section includes the following topics:

Interface Parameters Overview

Configuring Interface Parameters

Enabling Same Security Level Communication

Interface Parameters Overview

This section describes interface parameters and includes the following topics:

Default State of Interfaces

Default Security Level

Default State of Interfaces

In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

In single mode or in the system execution space, interfaces have the following default states:

Physical interfaces—Disabled.

Redundant Interfaces—Enabled. However, for traffic to pass through the redundant interface, the member physical interfaces must also be enabled.

Subinterfaces—Enabled. However, for traffic to pass through the subinterface, the physical interface must also be enabled.
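The default-state rules above, together with the redundant interface MAC address and member guidelines from the "Redundant Interface Overview" section and the ID ranges from the system-level field descriptions, can be captured in a small model. This is an added example written for this page, not Cisco ASA or ASDM code; the class and method names are this example's own, and the GigabitEthernet0/x interface IDs and MAC addresses in build_sample are constructed sample values (only 00-0C-F1-42-4C-DE and its H.H.H form come from the chapter).

```python
# Added example (not Cisco code): a model of the system-configuration rules this chapter states.
from dataclasses import dataclass
from typing import Optional

MAX_REDUNDANT_ID, MAX_VLAN_ID, MAX_SUBIF_ID = 8, 4095, 4294967293

def dotted_hex(mac: str) -> str:
    """00-0C-F1-42-4C-DE (or colon form) -> the H.H.H form ASDM expects, 000C.F142.4CDE."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

@dataclass
class Physical:
    ident: str             # e.g. "GigabitEthernet0/0" (constructed sample IDs in build_sample)
    mac: str               # burned-in MAC address
    enabled: bool = False  # physical interfaces are shut down by default

@dataclass
class Redundant:
    rid: int               # Redundant ID, 1-8
    primary: str           # first-listed member; its MAC is used unless one is assigned
    secondary: str
    enabled: bool = True   # redundant interfaces are enabled by default
    mac: Optional[str] = None  # an assigned MAC overrides the member MACs

@dataclass
class Subinterface:
    parent: str            # physical or redundant interface ID
    vlan: int              # 1-4095
    subif_id: int          # 1-4294967293, cannot be changed once set
    enabled: bool = True   # subinterfaces are enabled by default

class SystemConfig:
    def __init__(self) -> None:
        self.physical, self.redundant, self.subif = {}, {}, {}

    def add_redundant(self, r: Redundant) -> str:
        if not 1 <= r.rid <= MAX_REDUNDANT_ID:
            raise ValueError(f"Redundant ID {r.rid} outside 1-{MAX_REDUNDANT_ID}")
        for m in (r.primary, r.secondary):   # members: physical, with no subinterfaces
            if m not in self.physical or any(s.parent == m for s in self.subif.values()):
                raise ValueError(f"{m} is not a physical interface without subinterfaces")
        name = f"Redundant{r.rid}"           # listed as Redundantn in the context
        self.redundant[name] = r
        return name

    def add_subinterface(self, s: Subinterface) -> str:
        if not 1 <= s.vlan <= MAX_VLAN_ID:
            raise ValueError(f"VLAN ID {s.vlan} outside 1-{MAX_VLAN_ID}")
        if not 1 <= s.subif_id <= MAX_SUBIF_ID:
            raise ValueError(f"subinterface ID {s.subif_id} outside 1-{MAX_SUBIF_ID}")
        if s.parent not in self.physical and s.parent not in self.redundant:
            raise ValueError(f"{s.parent} is neither a physical nor a redundant interface")
        name = f"{s.parent}.{s.subif_id}"    # listed as <interface ID>.n
        self.subif[name] = s
        return name

    def active_member(self, name: str) -> Optional[str]:
        # The primary is active by default; if it is shut down, the standby becomes active.
        r = self.redundant[name]
        for member in (r.primary, r.secondary):
            if self.physical[member].enabled:
                return member
        return None  # both members down: only now does the redundant interface fail

    def mac_address(self, name: str) -> str:
        # Kept across an active/standby switchover: the assigned MAC, else the primary's.
        r = self.redundant[name]
        return dotted_hex(r.mac or self.physical[r.primary].mac)

    def passes_traffic(self, name: str, context_enabled: bool = True) -> bool:
        # Can traffic flow through `name` as seen from a context it is allocated to?
        if not context_enabled:              # allocated interfaces are enabled in the context by default
            return False
        if name in self.physical:
            return self.physical[name].enabled
        if name in self.redundant:
            return self.redundant[name].enabled and self.active_member(name) is not None
        if name in self.subif:
            s = self.subif[name]
            return s.enabled and self.passes_traffic(s.parent)  # parent must be up as well
        raise KeyError(name)

def build_sample() -> SystemConfig:
    # Constructed sample: two enabled ports paired as Redundant1, a third port left shut down.
    cfg = SystemConfig()
    for ident, mac, up in [("GigabitEthernet0/0", "00-0C-F1-42-4C-DE", True),
                           ("GigabitEthernet0/1", "00-0C-F1-42-4C-DF", True),
                           ("GigabitEthernet0/2", "00-0C-F1-42-4C-E0", False)]:
        cfg.physical[ident] = Physical(ident, mac, up)
    cfg.add_redundant(Redundant(1, "GigabitEthernet0/0", "GigabitEthernet0/1"))
    cfg.add_subinterface(Subinterface("Redundant1", vlan=100, subif_id=100))
    cfg.add_subinterface(Subinterface("GigabitEthernet0/2", vlan=200, subif_id=200))
    return cfg
```

With build_sample, GigabitEthernet0/2.200 is enabled by default yet passes no traffic because its parent port is still shut down, Redundant1.100 keeps passing traffic and keeps the same MAC address when GigabitEthernet0/0 is shut down, and the redundant interface only stops passing traffic when both members are down. The model does not track context allocation, so it cannot enforce the guideline that a redundant member must not already be allocated to a context.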

Default Security Level

The default security level is 0. If you name an interface "inside" and you do not set the security level explicitly, then the security appliance sets the security level to 100.


Note If you change the security level of an interface, and you do not want to wait for existing connections to time out before the new security information is used, you can clear the connections using the clear local-host command.


Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should assign your most secure network, such as the inside host network, to level 100, while the outside network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You can assign interfaces to the same security level. See the "Enabling Same Security Level Communication" section for more information.

The level controls the following behavior:

Network access—By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.

For same security interfaces, there is an implicit permit for interfaces to access other interfaces on the same security level or lower.

Inspection engines—Some application inspection engines are dependent on the security level. For same security interfaces, inspection engines apply to traffic in either direction.

NetBIOS inspection engine—Applied only for outbound connections.

SQL*Net inspection engine—If a control connection for the SQL*Net (formerly OraServ) port exists between a pair of hosts, then only an inbound data connection is permitted through the security appliance.

Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

For same security interfaces, you can filter traffic in either direction.

NAT control—When you enable NAT control, you must configure NAT for hosts on a higher security interface (inside) when they access hosts on a lower security interface (outside).

Without NAT control, or for same security interfaces, you can choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

For same security interfaces, you can configure established commands for both directions.

Configuring Interface Parameters

To add or edit an interface, perform the following steps.


Step 1 In the Configuration > Device List pane, double-click the context name under the active device IP address > Contexts.

Step 2 On the Device Setup > Interfaces pane, click an interface that you want to configure, and click Edit.

The Add/Edit Interface dialog box appears with the General tab selected.

Step 3 In the Interface Name field, enter a name up to 48 characters in length.

Step 4 In the Security level field, enter a level between 0 (lowest) and 100 (highest).

See the "Default Security Level" section for more information.

Step 5 (Optional) To set this interface as a management-only interface, check Dedicate this interface to management-only.

Through traffic is not accepted on a management-only interface.

Step 6 If the interface is not already enabled, check Enable Interface.

The interface is enabled by default. To disable it, uncheck the box.

Step 7 To set the IP address, use one of the following options.

In routed firewall mode, set the IP address for all interfaces. In transparent firewall mode, do not set the IP address for each interface, but rather set it for the whole security appliance or context. The exception is for the Management 0/0 management-only interface, which does not pass through traffic. To set the transparent firewall mode whole security appliance or context management IP address, see the Management IP Address pane. To set the IP address of the Management 0/0 interface or subinterface, use this procedure.

For use with failover, you must set the IP address and standby address manually; DHCP is not supported. Set the standby IP addresses on the Configuration > Device Management > High Availability > Failover > Interfaces tab.

To set the IP address manually, click Use Static IP and enter the IP address and mask.

To obtain an IP address from a DHCP server, click Obtain Address via DHCP.

a. (Optional) To obtain the default route from the DHCP server, check Obtain Default Route Using DHCP.

b. (Optional) To renew the lease, click Renew DHCP Lease.

Step 8 (Optional) In the Description field, enter a description for this interface.

The description can be up to 240 characters on a single line, without carriage returns. The system description is independent of the context description. In the case of a failover or state link, the description is fixed as "LAN Failover Interface," "STATE Failover Interface," or "LAN/STATE Failover Interface," for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.

Step 9 (Optional) To set the MTU, click the Advanced tab and enter the value in the MTU field, between 300 and 65,535 bytes.

The default is 1500 bytes.

Step 10 (Optional) To manually assign a MAC address to this interface, on the Advanced tab enter a MAC address in the Active Mac Address field in H.H.H format, where H is a 16-bit hexadecimal digit. For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

If you use failover, enter the standby MAC address in the Standby Mac Address field. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.

By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address. A redundant interface uses the MAC address of the first physical interface that you add. If you change the order of the member interfaces in the configuration, then the MAC address changes to match the MAC address of the interface that is now listed first. If you assign a MAC address to the redundant interface using this field, then it is used regardless of the member interface MAC addresses.

If you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the security appliance easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the "How the Security Appliance Classifies Packets" section on page 9-2 for more information. You can assign each MAC address manually, or you can automatically generate MAC addresses for shared interfaces in contexts. See the "Security Contexts" section on page 9-21 to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use this option to override the generated address.

For interfaces that are not shared, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.

Step 11 Click OK.


Enabling Same Security Level Communication

By default, interfaces on the same security level cannot communicate with each other. Allowing communication between same-security interfaces lets you configure more than 101 communicating interfaces. If you use different levels for each interface and do not assign any interfaces to the same security level, you can configure only one interface per level (0 to 100).


Note If you enable NAT control, you do not need to configure NAT between same security level interfaces.


If you enable same security interface communication, you can still configure interfaces at different security levels as usual.

You can also enable communication between hosts connected to the same interface.

To enable interfaces on the same security level to communicate with each other, from the Configuration > Interfaces pane, check Enable traffic between two or more interfaces which are configured with same security level.

To enable communication between hosts connected to the same interface, check Enable traffic between two or more hosts connected to the same interface.
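The following Python model is an added example, not code from the ASDM guide or from Cisco; it only encodes the rules this section and the Security Level field state: traffic from a higher security level to a lower one passes by default, same-level traffic needs the first checkbox, and traffic entering and leaving the same interface needs the second. The interface names, levels and function names are constructed for illustration, and the audit helper shows which same-level pairs stay isolated while the option is off.

```python
"""Model of the default inter-interface policy described in this chapter.

Added example (not from the ASDM guide or Cisco): it encodes only the rules the
text states. Interface names and security levels are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

LEVEL_MIN, LEVEL_MAX = 0, 100  # interface security levels are integers 0..100


@dataclass(frozen=True)
class Interface:
    name: str
    security_level: int

    def __post_init__(self):
        if not LEVEL_MIN <= self.security_level <= LEVEL_MAX:
            raise ValueError(
                f"{self.name}: security level must be {LEVEL_MIN}..{LEVEL_MAX}")


def permitted_by_default(src, dst, same_security=False, same_interface=False):
    """True if traffic entering src and leaving dst passes without an access rule.

    same_security and same_interface correspond to the two checkboxes on the
    Configuration > Interfaces pane.
    """
    if src.name == dst.name:                 # in and out the same interface
        return same_interface
    if src.security_level > dst.security_level:
        return True                          # e.g. inside (100) -> outside (0)
    if src.security_level == dst.security_level:
        return same_security                 # needs the same-security option
    return False                             # lower -> higher needs an access rule


def reachable_by_default(src, interfaces, same_security=False, same_interface=False):
    """Names of the interfaces src can send to by default: a quick exposure audit."""
    return sorted(i.name for i in interfaces
                  if permitted_by_default(src, i, same_security, same_interface))


def isolated_same_level_pairs(interfaces, same_security=False):
    """Distinct interfaces that share a level and therefore cannot talk to each
    other while the same-security option is off. Empty when the option is on."""
    if same_security:
        return []
    by_level = defaultdict(list)
    for i in interfaces:
        by_level[i.security_level].append(i.name)
    pairs = []
    for level, names in sorted(by_level.items()):
        names.sort()
        for idx, a in enumerate(names):
            for b in names[idx + 1:]:
                pairs.append((level, a, b))
    return pairs


# Constructed sample context: two DMZ interfaces deliberately on the same level.
SAMPLE = [
    Interface("inside", 100),
    Interface("dmz1", 50),
    Interface("dmz2", 50),
    Interface("outside", 0),
]

if __name__ == "__main__":
    for i in SAMPLE:
        print(f"{i.name:8} -> {reachable_by_default(i, SAMPLE)}")
    print("same-level pairs that need the option:", isolated_same_level_pairs(SAMPLE))
```

Run against the sample context, `dmz1` can reach only `outside` by default; enabling the same-security option adds `dmz2` without changing anything for the other pairs, which is the behaviour the section describes.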

Interface Field Descriptions (Context)

This section includes the following topics:

Interfaces (Context)

Edit Interface > General (Context)

Edit Interface > Advanced (Context)

Interfaces (Context)

Fields

Interface—Displays the interface ID. All allocated interfaces are listed automatically. Subinterfaces are indicated by the interface ID followed by .n, where n is the subinterface number. Redundant interfaces are called Redundantn.

Name—Displays the interface name.

Enabled—Indicates if the interface is enabled, Yes or No. By default, all interfaces are enabled in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

Security Level—Displays the interface security level between 0 and 100. By default, the security level is 0.

IP Address—Displays the IP address, or in transparent mode, the word "native." Transparent mode interfaces do not use IP addresses. To set the IP address for the context or the security appliance, see the Management IP Address pane.

Subnet Mask—For routed mode only. Displays the subnet mask.

Management Only—Indicates whether the interface is dedicated to management traffic only, that is, traffic destined to the security appliance itself rather than through traffic.

MTU—Displays the MTU. By default, the MTU is 1500.

Active MAC Address—Shows the active MAC address, if you assigned one manually on the Edit Interface > Advanced (Context) tab.

Standby MAC Address—Shows the standby MAC address (for failover), if you assigned one manually.

Description—Displays a description.

Add—Not applicable. You can only add subinterfaces and redundant interfaces in the system execution space.

Edit—Edits the selected interface.

Delete—Not applicable. You can only delete subinterfaces and redundant interfaces in the system execution space.

Enable traffic between two or more interfaces which are configured with same security levels—Enables communication between interfaces on the same security level. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.

Enable traffic between two or more hosts connected to the same interface—Enables traffic to enter and exit the same interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed      Transparent    Single      Multiple
                                       Context     System


Edit Interface > General (Context)

Fields

Hardware Port—Display only. Shows the interface ID.

Enable Interface—Enables this interface to pass traffic. In addition to this setting, you need to set an IP address (for routed mode) and a name before traffic can pass according to your security policy. Interfaces are enabled by default in the context. However, before traffic can pass through the context interface, you must also enable the interface in the system configuration. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.

Interface Name—Sets an interface name up to 48 characters in length.

Dedicate this interface to management only—Sets the interface to accept traffic to the security appliance only, and not through traffic.

Security Level—Sets the security level between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network (higher security level) to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

IP Address—For routed mode only. For multiple context mode, set the IP address in the context configuration.

Use Static IP—Manually sets the IP address.

IP address—Sets the IP address.

Subnet Mask—Sets the subnet mask.

Obtain Address via DHCP—Dynamically sets the IP address using DHCP.

Obtain Default Route Using DHCP—Obtains a default route from the DHCP server so that you do not need to configure a default static route.

Renew DHCP Lease—Renews the DHCP lease.

Description—Sets an optional description up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed      Transparent    Single      Multiple
                                       Context     System


Edit Interface > Advanced (Context)

Fields

MTU—Sets the MTU from 300 to 65,535 bytes. The default is 1500 bytes. For multiple context mode, set the MTU in the context configuration.

Mac Address Cloning—Manually assigns MAC addresses.

By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.

In multiple context mode, if you share an interface between contexts, you can assign a unique MAC address to the interface in each context. This feature lets the security appliance easily classify packets into the appropriate context. Using a shared interface without unique MAC addresses is possible, but has some limitations. See the "How the Security Appliance Classifies Packets" section on page 9-2 for more information. You can assign each MAC address manually, or you can automatically generate MAC addresses for shared interfaces in contexts. See the "Security Contexts" section on page 9-21 to automatically generate MAC addresses. If you automatically generate MAC addresses, you can use this option to override the generated address.

For single context mode, or for interfaces that are not shared in multiple context mode, you might want to assign unique MAC addresses to subinterfaces. For example, your service provider might perform access control based on the MAC address.

Active Mac Address—Assigns a MAC address to the interface in H.H.H format, where each H is a 16-bit hexadecimal value (four hex digits). For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.

Standby Mac Address—For use with failover, set the Standby Mac Address. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption, while the old active unit uses the standby address.
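The following Python helper is an added example, not code from the ASDM guide or from Cisco. It converts the common MAC notations into the H.H.H form these two fields expect and then performs the check a practitioner wants before relying on MAC-based classification of a shared interface: every context on a shared interface must end up with a distinct active address (a context that keeps the burned-in address collides with any other context that also keeps it), and an active/standby pair must not use the same address. The context names, interface IDs and MAC values are constructed sample data; the unicast check applies the general Ethernet rule that the group bit of the first octet must be clear.

```python
"""Normalize MAC addresses to H.H.H and check per-context uniqueness on shared
interfaces.

Added example (not from the ASDM guide or Cisco). Context names, interface IDs
and MAC addresses are constructed sample data.
"""
import re

_TWELVE_HEX = re.compile(r"^[0-9a-fA-F]{12}$")
BURNED_IN = "burned-in"  # sentinel: context did not assign its own MAC


def to_cisco_format(mac):
    """Normalize '00-0C-F1-42-4C-DE', '00:0c:f1:42:4c:de' or '000c.f142.4cde'
    to 'H.H.H' with 16 bits (four hex digits) per group, e.g. '000C.F142.4CDE'."""
    digits = re.sub(r"[-:.\s]", "", mac)
    if not _TWELVE_HEX.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    d = digits.upper()
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"


def is_unicast(mac):
    """An interface address must be unicast: the group bit (bit 0 of the first
    octet) is clear. This is the general Ethernet rule, not an ASA-specific one."""
    first_octet = int(to_cisco_format(mac)[:2], 16)
    return first_octet & 0x01 == 0


def check_shared_interface_macs(assignments):
    """assignments: {context: {interface_id: (active_mac_or_None, standby_mac_or_None)}}.

    Returns sorted problem strings for
    - two contexts using the same active MAC (or both the burned-in one) on the
      same interface, so MAC-based classification cannot tell them apart,
    - an active address that is not unicast,
    - a standby address equal to the active address.
    """
    problems = []
    seen = {}  # (interface_id, normalized active MAC) -> first context using it
    for ctx, ifaces in assignments.items():
        for ifc, (active, standby) in ifaces.items():
            if active is None:
                a = BURNED_IN
            else:
                a = to_cisco_format(active)
                if not is_unicast(a):
                    problems.append(f"{ctx}/{ifc}: active MAC {a} is not unicast")
                if standby is not None and to_cisco_format(standby) == a:
                    problems.append(f"{ctx}/{ifc}: standby MAC equals active MAC {a}")
            key = (ifc, a)
            if key in seen:
                problems.append(f"{ifc}: contexts {seen[key]} and {ctx} both use {a}")
            else:
                seen[key] = ctx
    return sorted(problems)


# Constructed sample: GigabitEthernet0/0 is shared by three contexts; ctxA and
# ctxB were given the same address by mistake, and ctxB's standby repeats it.
SAMPLE = {
    "admin": {"GigabitEthernet0/0": ("000C.F142.4C01", "000C.F142.4C02")},
    "ctxA": {"GigabitEthernet0/0": ("00:0c:f1:42:4c:03", None),
             "GigabitEthernet0/1.10": ("00-0C-F1-42-4C-10", None)},
    "ctxB": {"GigabitEthernet0/0": ("000c.f142.4c03", "000c.f142.4c03")},
}

if __name__ == "__main__":
    print(to_cisco_format("00-0C-F1-42-4C-DE"))
    for p in check_shared_interface_macs(SAMPLE):
        print("problem:", p)
```

Feed the helper the addresses you intend to enter (or the ones already shown in the Active MAC Address column of the Interfaces pane for each context) and resolve every reported problem before relying on unique-MAC classification of the shared interface.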

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed      Transparent    Single      Multiple
                                       Context     System