Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3
Managing Multiple Context Mode

Configuring Multiple Context Mode

Table Of Contents

Configuring Multiple Context Mode

Information About Security Contexts

Common Uses for Security Contexts

Context Configuration Files

Context Configurations

System Configuration

Admin Context Configuration

How the Security Appliance Classifies Packets

Valid Classifier Criteria

Classification Examples

Cascading Security Contexts

Management Access to Security Contexts

System Administrator Access

Context Administrator Access

Information About Resource Management

Resource Limits

Default Class

Class Members

Information About MAC Addresses

Default MAC Address

Interaction with Manual MAC Addresses

Failover MAC Addresses

MAC Address Format

Licensing Requirements for Multiple Context Mode

Guidelines and Limitations

Default Settings

Configuring Multiple Contexts

Task Flow for Configuring Multiple Context Mode

Enabling or Disabling Multiple Context Mode

Enabling Multiple Context Mode

Restoring Single Context Mode

Configuring a Class for Resource Management

Configuring a Security Context

Automatically Assigning MAC Addresses to Context Interfaces

Monitoring Security Contexts

Monitoring Context Resource Usage       

Viewing Assigned MAC Addresses

Viewing MAC Addresses in the System Configuration

Viewing MAC Addresses Within a Context

Feature History for Multiple Context Mode


Configuring Multiple Context Mode


This chapter describes how to configure multiple security contexts on the adaptive security appliance and includes the following sections:

Information About Security Contexts

Licensing Requirements for Multiple Context Mode

Guidelines and Limitations

Default Settings

Configuring Multiple Contexts

Monitoring Security Contexts

Feature History for Multiple Context Mode

Information About Security Contexts

You can partition a single adaptive security appliance into multiple virtual devices, known as security contexts. Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols.


Note When the adaptive security appliance is configured for security contexts (for example, for Active/Active Stateful Failover), IPsec or SSL VPN cannot be enabled. Therefore, these features are unavailable.


This section provides an overview of security contexts and includes the following topics:

Common Uses for Security Contexts

Context Configuration Files

How the Security Appliance Classifies Packets

Cascading Security Contexts

Management Access to Security Contexts

Information About Resource Management

Information About MAC Addresses

Common Uses for Security Contexts

You might want to use multiple security contexts in the following situations:

You are a service provider and want to sell security services to many customers. By enabling multiple security contexts on the adaptive security appliance, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.

You are a large enterprise or a college campus and want to keep departments completely separate.

You are an enterprise that wants to provide distinct security policies to different departments.

You have any network that requires more than one adaptive security appliance.

Context Configuration Files

This section describes how the adaptive security appliance implements multiple context mode configurations and includes the following sections:

Context Configurations

System Configuration

Admin Context Configuration

Context Configurations

The adaptive security appliance includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. You can store context configurations on the internal flash memory or the external flash memory card, or you can download them from a TFTP, FTP, or HTTP(S) server.

System Configuration

The system administrator adds and manages contexts by configuring each context configuration location, allocated interfaces, and other context operating parameters in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the adaptive security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

Admin Context Configuration

The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on flash memory, and not remotely.

If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal flash memory called admin.cfg. This context is named "admin." If you do not want to use admin.cfg as the admin context, you can change the admin context.

How the Security Appliance Classifies Packets

Each packet that enters the adaptive security appliance must be classified, so that the adaptive security appliance can determine to which context to send a packet. This section includes the following topics:

Valid Classifier Criteria

Classification Examples


Note If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and delivered to each context.


Valid Classifier Criteria

This section describes the criteria used by the classifier and includes the following topics:

Unique Interfaces

Unique MAC Addresses

NAT Configuration


Note For management traffic destined for an interface, the interface IP address is used for classification.

The routing table is not used for packet classification.


Unique Interfaces

If only one context is associated with the ingress interface, the adaptive security appliance classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times.

Unique MAC Addresses

If multiple contexts share an interface, then the classifier uses the interface MAC address. The adaptive security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface (see the "Configuring Advanced Interface Parameters" section), or you can automatically generate MAC addresses (see the "Automatically Assigning MAC Addresses to Context Interfaces" section).

NAT Configuration

If you do not use unique MAC addresses, then the mapped addresses in your NAT configuration are used to classify packets. We recommend using MAC addresses instead of NAT, so that traffic classification can occur regardless of the completeness of the NAT configuration.
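The three criteria above, applied in the order the classifier uses them, as an added example written for this page: a small Python model of the classification rules, not the appliance's own code. The context names, interface IDs, MAC addresses and mapped networks are constructed sample data, and the ContextIface/Context/Packet types are hypothetical, invented only to hold that data. The model also applies the two notes above: a multicast or broadcast destination MAC is delivered to every context on the interface, and management traffic to an interface address is classified by that address.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Hypothetical model of a context's view of one allocated interface.
@dataclass
class ContextIface:
    mac: Optional[str] = None                        # per-context MAC on a shared interface, if set
    ip: Optional[str] = None                         # interface address; used for management traffic
    mapped: List[str] = field(default_factory=list)  # NAT mapped addresses or networks

@dataclass
class Context:
    name: str
    ifaces: Dict[str, ContextIface]                  # interface ID -> settings in this context

@dataclass
class Packet:
    ingress: str
    dst_mac: str
    dst_ip: str

def _norm(mac: str) -> str:
    return mac.replace(".", "").replace(":", "").lower()

def is_multicast_or_broadcast(mac: str) -> bool:
    # The I/G bit is the least significant bit of the first octet; ffff.ffff.ffff also sets it.
    return bool(int(_norm(mac)[:2], 16) & 0x01)

def classify(pkt: Packet, contexts: List[Context]) -> List[str]:
    """Names of the context(s) that receive pkt, in the documented order:
    unique interface, then unique MAC, then NAT mapped address or interface IP.
    An empty list means the packet cannot be classified."""
    candidates = [c for c in contexts if pkt.ingress in c.ifaces]
    if not candidates:
        return []
    if is_multicast_or_broadcast(pkt.dst_mac):
        return [c.name for c in candidates]          # duplicated to every context on the interface
    if len(candidates) == 1:
        return [candidates[0].name]                  # unique interface
    by_mac = [c for c in candidates
              if c.ifaces[pkt.ingress].mac
              and _norm(c.ifaces[pkt.ingress].mac) == _norm(pkt.dst_mac)]
    if len(by_mac) == 1:
        return [by_mac[0].name]                      # unique MAC on the shared interface
    dst = ip_address(pkt.dst_ip)
    by_ip = []
    for c in candidates:
        i = c.ifaces[pkt.ingress]
        if (i.ip and ip_address(i.ip) == dst) or any(
                dst in ip_network(n, strict=False) for n in i.mapped):
            by_ip.append(c)
    return [by_ip[0].name] if len(by_ip) == 1 else []

# Constructed sample: contexts A and B share outside subinterface gigabitethernet0/0.1
# with unique MACs; each context also has an inside subinterface of its own.
SHARED = "gigabitethernet0/0.1"
CONTEXTS = [
    Context("A", {SHARED: ContextIface(mac="a200.0001.0001", ip="209.165.201.1",
                                       mapped=["209.165.201.0/27"]),
                  "gigabitethernet0/1.2": ContextIface()}),
    Context("B", {SHARED: ContextIface(mac="a200.0001.0003", ip="209.165.202.129",
                                       mapped=["209.165.202.128/27"]),
                  "gigabitethernet0/1.3": ContextIface()}),
]

def without_macs(contexts: List[Context]) -> List[Context]:
    """The same contexts with no per-context MACs, so the classifier must fall back to NAT."""
    return [Context(c.name, {n: ContextIface(None, i.ip, list(i.mapped))
                             for n, i in c.ifaces.items()}) for c in contexts]

if __name__ == "__main__":
    # Inside traffic: the ingress subinterface alone identifies context B.
    print(classify(Packet("gigabitethernet0/1.3", "a200.0001.0003", "198.51.100.5"), CONTEXTS))
    # Shared interface with unique MACs: the MAC decides, even though the IP is in B's range.
    print(classify(Packet(SHARED, "a200.0001.0001", "209.165.202.130"), CONTEXTS))
    # Same packet without unique MACs: only the NAT mapped address is left to decide.
    print(classify(Packet(SHARED, "a200.0001.0001", "209.165.202.130"), without_macs(CONTEXTS)))
```

The second and third calls show why the chapter recommends unique MAC addresses: with them, the upstream router's choice of destination MAC settles the context regardless of NAT; without them, a destination address that no context's NAT configuration covers leaves the packet unclassified.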

Classification Examples

Figure 6-1 shows multiple contexts sharing an outside interface. The classifier assigns the packet to Context B because Context B includes the MAC address to which the router sends the packet.

Figure 6-1 Packet Classification with a Shared Interface using MAC Addresses

Note that all new incoming traffic must be classified, even from inside networks. Figure 6-2 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 0/1.3, which is assigned to Context B.

Figure 6-2 Incoming Traffic from Inside Networks

For transparent firewalls, you must use unique interfaces. Figure 6-3 shows a host on the Context B inside network accessing the Internet. The classifier assigns the packet to Context B because the ingress interface is Gigabit Ethernet 1/0.3, which is assigned to Context B.

Figure 6-3 Transparent Firewall Contexts

Cascading Security Contexts

Placing a context directly in front of another context is called cascading contexts; the outside interface of one context is the same interface as the inside interface of another context. You might want to cascade contexts if you want to simplify the configuration of some contexts by configuring shared parameters in the top context.


Note Cascading contexts requires that you configure unique MAC addresses for each context interface. Because of the limitations of classifying packets on shared interfaces without MAC addresses, we do not recommend using cascading contexts without unique MAC addresses.


Figure 6-4 shows a gateway context with two contexts behind the gateway.

Figure 6-4 Cascading Contexts

Management Access to Security Contexts

The adaptive security appliance provides system administrator access in multiple context mode as well as access for individual context administrators. The following sections describe logging in as a system administrator or as a context administrator:

System Administrator Access

Context Administrator Access

System Administrator Access

You can access the adaptive security appliance as a system administrator in two ways:

Access the adaptive security appliance console.

From the console, you access the system execution space, which means that any commands you enter affect only the system configuration or the running of the system (for run-time commands).

Access the admin context using Telnet, SSH, or ASDM.

See Chapter 33 "Configuring Management Access," to enable Telnet, SSH, and ASDM access.

As the system administrator, you can access all contexts.

When you change to a context from admin or the system, your username changes to the default "enable_15" username. If you configured command authorization in that context, you need to either configure authorization privileges for the "enable_15" user, or you can log in as a different name for which you provide sufficient privileges in the command authorization configuration for the context. To log in with a username, enter the login command. For example, you log in to the admin context with the username "admin." The admin context does not have any command authorization configuration, but all other contexts include command authorization. For convenience, each context configuration includes a user "admin" with maximum privileges. When you change from the admin context to context A, your username is altered, so you must log in again as "admin" by entering the login command. When you change to context B, you must again enter the login command to log in as "admin."

The system execution space does not support any AAA commands, but you can configure its own enable password, as well as usernames in the local database to provide individual logins.

Context Administrator Access

You can access a context using Telnet, SSH, or ASDM. If you log in to a non-admin context, you can only access the configuration for that context. You can provide individual logins to the context. See Chapter 33 "Configuring Management Access," to enable Telnet, SSH, and ASDM access and to configure management authentication.

Information About Resource Management

By default, all security contexts have unlimited access to the resources of the adaptive security appliance, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context.

The adaptive security appliance manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class.

This section includes the following topics:

Resource Limits

Default Class

Class Members

Resource Limits

When you create a class, the adaptive security appliance does not set aside a portion of the resources for each context assigned to the class; rather, the adaptive security appliance sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can "use up" those resources, potentially affecting service to other contexts.

You can set the limit for individual resources, as a percentage (if there is a hard system limit) or as an absolute value.

You can oversubscribe the adaptive security appliance by assigning more than 100 percent of a resource across all contexts. For example, you can set the Bronze class to limit connections to 20 percent per context, and then assign 10 contexts to the class for a total of 200 percent. If contexts concurrently use more than the system limit, then each context gets less than the 20 percent you intended. (See Figure 6-5.)

Figure 6-5 Resource Oversubscription

If you assign an absolute value to a resource across all contexts that exceeds the practical limit of the adaptive security appliance, then the performance of the adaptive security appliance might be impaired.

The adaptive security appliance lets you assign unlimited access to one or more resources in a class, instead of a percentage or absolute number. When a resource is unlimited, contexts can use as much of the resource as the system has available or that is practically available. For example, Context A, B, and C are in the Silver Class, which limits each class member to 1 percent of the connections, for a total of 3 percent; but the three contexts are currently only using 2 percent combined. Gold Class has unlimited access to connections. The contexts in the Gold Class can use more than the 97 percent of "unassigned" connections; they can also use the 1 percent of connections not currently in use by Context A, B, and C, even if that means that Context A, B, and C are unable to reach their 3 percent combined limit. (See Figure 6-6.) Setting unlimited access is similar to oversubscribing the adaptive security appliance, except that you have less control over how much you oversubscribe the system.

Figure 6-6 Unlimited Resources

Default Class

All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.

If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class. Conversely, if you create a class with a limit for all resources, the class uses no settings from the default class.

By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:

Telnet sessions—5 sessions.

SSH sessions—5 sessions.

IPsec sessions—5 sessions.

MAC addresses—65,535 entries.

Figure 6-7 shows the relationship between the default class and other classes. Contexts A and C belong to classes with some limits set; other limits are inherited from the default class. Context B inherits no limits from default because all limits are set in its class, the Gold class. Context D was not assigned to a class, and is by default a member of the default class.

Figure 6-7 Resource Classes

Class Members

To use the settings of a class, assign the context to the class when you define the context. All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to default. You can only assign a context to one resource class. The exception to this rule is that limits that are undefined in the member class are inherited from the default class; so in effect, a context could be a member of default plus another class.

Information About MAC Addresses

To allow contexts to share interfaces, we suggest that you assign unique MAC addresses to each shared context interface (see the "Automatically Assigning MAC Addresses to Context Interfaces" section).

The MAC address is used to classify packets within a context. If you share an interface, but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. The destination address is matched with the context NAT configuration, and this method has some limitations compared to the MAC address method. See the "How the Security Appliance Classifies Packets" section for information about classifying packets.

In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the "Configuring Advanced Interface Parameters" section to manually set the MAC address.

This section includes the following topics:

Default MAC Address

Interaction with Manual MAC Addresses

Failover MAC Addresses

MAC Address Format

Default MAC Address

By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.

All auto-generated MAC addresses start with A2. The auto-generated MAC addresses are persistent across reloads.

Interaction with Manual MAC Addresses

If you manually assign a MAC address and also enable auto-generation, then the manually assigned MAC address is used. If you later remove the manual MAC address, the auto-generated address is used.

Because auto-generated addresses start with A2, you cannot start manual MAC addresses with A2 if you also want to use auto-generation.

Failover MAC Addresses

For use with failover, the adaptive security appliance generates both an active and standby MAC address for each interface. If the active unit fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses to minimize network disruption. See the "MAC Address Format" section for more information.

For upgrading failover units with the legacy version of the mac-address auto command before the prefix keyword was introduced, see the mac-address auto command in the Cisco ASA 5500 Series Command Reference.

MAC Address Format

The adaptive security appliance generates the MAC address using the following format:

A2xx.yyzz.zzzz

Where xx.yy is a user-defined prefix, and zz.zzzz is an internal counter generated by the adaptive security appliance. For the standby MAC address, the address is identical except that the internal counter is increased by 1.

For an example of how the prefix is used, if you set a prefix of 77, then the adaptive security appliance converts 77 into the hexadecimal value 004D (yyxx). When used in the MAC address, the prefix is reversed (xxyy) to match the adaptive security appliance native form:

A24D.00zz.zzzz

For a prefix of 1009 (03F1), the MAC address is:

A2F1.03zz.zzzz
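The format above, carried through in code as an added example for this page (written for this chapter, not the appliance's own implementation). The counter values passed in are assumed sample values, since the internal counter is not visible in the configuration; the functions reproduce the two prefix examples above, the standby address (counter plus one) from the "Failover MAC Addresses" section, and the check from "Interaction with Manual MAC Addresses" that a manual address must not begin with A2. Output is lower-case, as the appliance displays addresses.

```python
AUTO_PREFIX_BYTE = 0xA2   # all auto-generated addresses start with A2

def auto_mac(prefix: int, counter: int, standby: bool = False) -> str:
    """Build A2xx.yyzz.zzzz from a user-defined prefix (0-65535) and the appliance's
    internal 24-bit counter. The standby address is the active one with counter + 1."""
    if not 0 <= prefix <= 0xFFFF:
        raise ValueError("prefix must be 0-65535")
    if standby:
        counter += 1
    if not 0 <= counter <= 0xFFFFFF:
        raise ValueError("counter must fit in 24 bits")
    xx = prefix & 0xFF          # low byte of the prefix comes first (native byte order)
    yy = (prefix >> 8) & 0xFF   # high byte of the prefix comes second
    raw = (AUTO_PREFIX_BYTE << 40) | (xx << 32) | (yy << 24) | counter
    hexstr = f"{raw:012x}"
    return f"{hexstr[0:4]}.{hexstr[4:8]}.{hexstr[8:12]}"

def decode_auto_mac(mac: str) -> tuple:
    """Recover (prefix, counter) from an auto-generated address; raises if not in the A2 range."""
    h = mac.replace(".", "").replace(":", "").lower()
    if len(h) != 12 or not h.startswith("a2"):
        raise ValueError("not an auto-generated ASA MAC address")
    xx, yy = int(h[2:4], 16), int(h[4:6], 16)
    return (yy << 8) | xx, int(h[6:], 16)

def conflicts_with_auto_range(manual_mac: str) -> bool:
    """True when a manually set MAC begins with A2, which auto-generation reserves."""
    return manual_mac.replace(".", "").replace(":", "").lower().startswith("a2")

def failover_pair(prefix: int, counter: int) -> tuple:
    """(active, standby) addresses generated for one interface."""
    return auto_mac(prefix, counter), auto_mac(prefix, counter, standby=True)

if __name__ == "__main__":
    print(auto_mac(77, 0x000001))      # a24d.0000.0001  (prefix 77 = 0x004D -> A24D.00zz.zzzz)
    print(auto_mac(1009, 0x000001))    # a2f1.0300.0001  (prefix 1009 = 0x03F1 -> A2F1.03zz.zzzz)
    print(failover_pair(77, 0x000010)) # ('a24d.0000.0010', 'a24d.0000.0011')
```

decode_auto_mac is the practical direction: given an address seen on the wire or in the output of the MAC address views in "Viewing Assigned MAC Addresses", it tells you which prefix (and therefore, in a multi-appliance network, which appliance) generated it, which is how to investigate the rare prefix collision the "Information About MAC Addresses" section mentions.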

Licensing Requirements for Multiple Context Mode

Model | License Requirement
ASA 5505 | No support.
ASA 5510 | Security Plus License: 2 contexts. Optional license: 5 contexts.
ASA 5520 | Base License: 2 contexts. Optional licenses: 5, 10, or 20 contexts.
ASA 5540, 5550, 5580, and 5585-X | Base License: 2 contexts. Optional licenses: 5, 10, 20, or 50 contexts.


Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

Failover Guidelines

Active/Active mode failover is only supported in multiple context mode.

IPv6 Guidelines

Supports IPv6.

Model Guidelines

Does not support the ASA 5505.

Unsupported Features

Multiple context mode does not support the following features:

Dynamic routing protocols

Security contexts support only static routes. You cannot enable OSPF, RIP, or EIGRP in multiple context mode.

VPN

Multicast routing. Multicast bridging is supported.

Threat Detection

Phone Proxy

QoS

Additional Guidelines

The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match.

Default Settings

By default, the adaptive security appliance is in single context mode.

Configuring Multiple Contexts

This section describes how to configure multiple context mode, and includes the following topics:

Task Flow for Configuring Multiple Context Mode

Enabling or Disabling Multiple Context Mode

Configuring a Class for Resource Management

Configuring a Security Context

Automatically Assigning MAC Addresses to Context Interfaces

Task Flow for Configuring Multiple Context Mode

To configure multiple context mode, perform the following steps:


Step 1 Enable multiple context mode. See the "Enabling or Disabling Multiple Context Mode" section.

Step 2 (Optional) Configure classes for resource management. See the "Configuring a Class for Resource Management" section.

Step 3 Configure security contexts. See the "Configuring a Security Context" section.

Step 4 (Optional) Automatically assign MAC addresses to context interfaces. See the "Automatically Assigning MAC Addresses to Context Interfaces" section.


Enabling or Disabling Multiple Context Mode

Your adaptive security appliance might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section.

ASDM supports changing modes from single to multiple mode if you use the High Availability and Scalability Wizard and you enable Active/Active failover. See Chapter 59 "Using the High Availability and Scalability Wizard," for more information. If you do not want to use Active/Active failover or want to change back to single mode, you must change modes at the CLI. This section describes changing modes at the CLI.

This section includes the following topics:

Enabling Multiple Context Mode

Restoring Single Context Mode

Enabling Multiple Context Mode

When you convert from single mode to multiple mode, the adaptive security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal flash memory). The original startup configuration is not saved. The adaptive security appliance automatically adds an entry for the admin context to the system configuration with the name "admin."

Prerequisites

When you convert from single mode to multiple mode, the adaptive security appliance converts the running configuration into two files. The original startup configuration is not saved, so if it differs from the running configuration, you should back it up before proceeding.

The context mode (single or multiple) is not stored in the configuration file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match.

Detailed Steps

Command
Purpose

mode multiple

Example:

hostname(config)# mode multiple

Changes to multiple context mode. You are prompted to reboot the adaptive security appliance.


Restoring Single Context Mode

To copy the old running configuration to the startup configuration and to change the mode to single mode, perform the following steps.

Prerequisites

Perform this procedure in the system execution space.

Detailed Steps

 
Command
Purpose

Step 1 

copy flash:old_running.cfg startup-config

Example:

hostname(config)# copy flash:old_running.cfg startup-config

Copies the backup version of your original running configuration to the current startup configuration.

Step 2 

mode single

Example:

hostname(config)# mode single

Sets the mode to single mode. You are prompted to reboot the adaptive security appliance.

Configuring a Class for Resource Management

To configure a class in the system configuration, perform the following steps. You can change the value of a particular resource limit by reentering the command with a new value.

Prerequisites

Perform this procedure in the system execution space.

Guidelines

Table 6-1 lists the resource types and the limits.

Table 6-1 Resource Names and Limits 

Resource Name | Rate or Concurrent | Minimum and Maximum Number per Context | System Limit (1) | Description
mac-addresses | Concurrent | N/A | 65,535 | For transparent firewall mode, the number of MAC addresses allowed in the MAC address table.
conns | Concurrent or Rate | N/A | Concurrent connections: see the "Supported Feature Licenses Per Model" section for the connection limit for your platform. Rate: N/A | TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.
inspects | Rate | N/A | N/A | Application inspections.
hosts | Concurrent | N/A | N/A | Hosts that can connect through the adaptive security appliance.
asdm | Concurrent | 1 minimum, 5 maximum | 32 | ASDM management sessions.
ssh | Concurrent | 1 minimum, 5 maximum | 100 | SSH sessions.
syslogs | Rate | N/A | N/A | System log messages.
telnet | Concurrent | 1 minimum, 5 maximum | 100 | Telnet sessions.
xlates | Concurrent | N/A | N/A | Address translations.

Note ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions.

1 If this column value is N/A, then you cannot set a percentage of the resource because there is no hard system limit for the resource.


Detailed Steps


Step 1 If you are not already in the System configuration mode, in the Device List pane, double-click System under the active device IP address.

Step 2 On the Context Management > Resource Class pane, click Add.

The Add Resource Class dialog box appears.

Step 3 In the Resource Class field, enter a class name up to 20 characters in length.

Step 4 In the Count Limited Resources area, set the concurrent limits for resources.

For resources that do not have a system limit, you cannot set the percentage; you can only set an absolute value. If you do not set a limit, the limit is inherited from the default class. If the default class does not set a limit, then the resource is unlimited, or the system limit if available.

You can set one or more of the following limits:

Hosts—Sets the limit for concurrent hosts that can connect through the adaptive security appliance. Select the check box to enable this limit. If you set the limit to 0, it is unlimited.

Telnet—Sets the limit for concurrent Telnet sessions. Select the check box to enable this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5 and selecting Absolute from the list. The system has a maximum of 100 sessions divided between all contexts.

ASDM Sessions—Sets the limit for concurrent ASDM sessions. Select the check box to enable this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5 and selecting Absolute from the list. The system has a maximum of 32 sessions divided between all contexts. ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions, divided between all contexts.

Connections—Sets the limit for concurrent TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts. Select the check box to enable this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and the system limit for your model, and selecting Absolute from the list. See the Release Notes for Cisco ASDM for the connection limit for your model.

Xlates—Sets the limit for address translations. Select the check box to enable this limit. If you set the limit to 0, it is unlimited.

SSH—Sets the limit for SSH sessions. Select the check box to enable this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 1 and 5 and selecting Absolute from the list. The system has a maximum of 100 sessions divided between all contexts.

MAC Entries—(Transparent mode only) Sets the limit for MAC address entries in the MAC address table. Select the check box to enable this limit. You can set the limit as a percentage by entering any integer greater than 1 and selecting Percent from the list. You can assign more than 100 percent if you want to oversubscribe the device. Or you can set the limit as an absolute value by entering an integer between 0 (system limit) and 65535 and selecting Absolute from the list.

Step 5 In the Rate Limited Resources area, set the rate limit for resources.

If you do not set a limit, the limit is inherited from the default class. If the default class does not set a limit, then it is unlimited by default.

You can set one or more of the following limits:

Conns/sec—Sets the limit for connections per second. Select the check box to enable this limit. If you set the limit to 0, it is unlimited.

Syslogs/sec—Sets the limit for system log messages per second. Select the check box to enable this limit. If you set the limit to 0, it is unlimited.

Inspects/sec—Sets the limit for application inspections per second. Select the check box to enable this limit. If you set the limit to 0, it is unlimited.

Step 6 Click OK.
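The limit rules behind this dialog and the "Information About Resource Management" section (percent versus absolute values, inheritance from the default class, and oversubscription) as an added example for this page: a Python model written for this chapter, not part of ASDM or the appliance. SYSTEM_LIMITS follows Table 6-1 except for conns, whose platform-dependent limit is assumed here to be 280,000 for illustration; the Bronze/Silver/Gold class names and the ten "cust" contexts are constructed sample data. The model reports, for a resource with a hard system limit, how far the sum of all contexts' limits exceeds 100 percent, which is the check to run before assigning many contexts to one class.

```python
from typing import Dict, Optional, Union

Limit = Union[int, str]   # absolute count (0 = unlimited for count/rate resources) or "NN%"

# Hard system limits from Table 6-1; None means no hard limit, so percentages are not allowed.
# The conns figure is platform dependent: 280,000 is an assumed value used only for illustration.
SYSTEM_LIMITS: Dict[str, Optional[int]] = {
    "mac-addresses": 65535, "asdm": 32, "ssh": 100, "telnet": 100,
    "conns": 280000, "hosts": None, "xlates": None,
    "rate conns": None, "rate syslogs": None, "rate inspects": None,
}
# Absolute values for these management sessions must be 1 to 5 per context.
PER_CONTEXT_RANGE = {"asdm": (1, 5), "ssh": (1, 5), "telnet": (1, 5)}
# The default class: unlimited except the per-context maximums the chapter lists.
DEFAULT_CLASS: Dict[str, Limit] = {"telnet": 5, "ssh": 5, "mac-addresses": 65535}

def resolve(resource: str, limit: Limit) -> Optional[int]:
    """Turn one class setting into an absolute per-context limit (None = unlimited)."""
    if isinstance(limit, str) and limit.endswith("%"):
        system = SYSTEM_LIMITS.get(resource)
        if system is None:
            raise ValueError(f"{resource} has no hard system limit; use an absolute value")
        return system * int(limit[:-1]) // 100          # may exceed 100% (oversubscription)
    value = int(limit)
    if resource in PER_CONTEXT_RANGE:
        lo, hi = PER_CONTEXT_RANGE[resource]
        if not lo <= value <= hi:
            raise ValueError(f"{resource} absolute limit must be {lo}-{hi}")
        return value
    return None if value == 0 else value

def effective_limit(resource: str, cls: Dict[str, Limit],
                    default: Dict[str, Limit] = DEFAULT_CLASS) -> Optional[int]:
    """The member class wins; an undefined limit falls back to the default class,
    then to the system limit if there is one, otherwise it is unlimited."""
    if resource in cls:
        return resolve(resource, cls[resource])
    if resource in default:
        return resolve(resource, default[resource])
    return SYSTEM_LIMITS.get(resource)

def oversubscription(resource: str, classes: Dict[str, Dict[str, Limit]],
                     membership: Dict[str, str]) -> Optional[float]:
    """Sum of every context's limit for resource as a percentage of the system limit.
    None when the resource has no hard limit or any member context is unlimited."""
    system = SYSTEM_LIMITS.get(resource)
    if system is None:
        return None
    total = 0
    for cls_name in membership.values():
        limit = effective_limit(resource, classes.get(cls_name, {}))
        if limit is None:
            return None
        total += limit
    return 100.0 * total / system

# Constructed sample: the chapter's Bronze/Silver/Gold classes, ten Bronze customer
# contexts and the three Silver contexts A, B and C.
CLASSES = {
    "bronze": {"conns": "20%"},
    "silver": {"conns": "1%", "rate conns": 500},
    "gold": {"conns": 0, "telnet": 5, "ssh": 5, "asdm": 5, "mac-addresses": 65535},
}
MEMBERSHIP = {f"cust{i}": "bronze" for i in range(10)}
MEMBERSHIP.update({"ctxA": "silver", "ctxB": "silver", "ctxC": "silver"})

if __name__ == "__main__":
    print(effective_limit("conns", CLASSES["bronze"]))      # 56000 (20% of the assumed 280,000)
    print(effective_limit("telnet", CLASSES["bronze"]))     # 5, inherited from the default class
    print(oversubscription("conns", CLASSES, MEMBERSHIP))   # 203.0
```

A result above 100 percent means that, under concurrent load, each context gets less than the share its class promises, exactly the Figure 6-5 situation; a result of None for conns means at least one context (here anyone in Gold) is unlimited, the Figure 6-6 situation, where you cannot bound what the other contexts will actually receive.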


Configuring a Security Context

The security context definition in the system configuration identifies the context name, configuration file URL, and interfaces that a context can use.

Prerequisites

Perform this procedure in the system execution space.

Configure physical interface parameters, VLAN subinterfaces, and redundant interfaces according to the "Starting Interface Configuration (ASA 5510 and Higher)" section.

Detailed Steps


Step 1 If you are not already in the System configuration mode, in the Device List pane, double-click System under the active device IP address.

Step 2 On the Context Management > Security Contexts pane, click Add.

The Add Context dialog box appears.

Step 3 In the Security Context field, enter the context name as a string up to 32 characters long.

This name is case sensitive, so you can have two contexts named "customerA" and "CustomerA," for example. "System" or "Null" (in upper or lower case letters) are reserved names, and cannot be used.

Step 4 In the Interface Allocation area, click the Add button to assign an interface to the context.

Step 5 From the Interfaces > Physical Interface drop-down list, choose an interface.

You can assign the main interface, in which case you leave the subinterface ID blank, or you can assign a subinterface or a range of subinterfaces associated with this interface. In transparent firewall mode, only interfaces that have not been allocated to other contexts are shown. If the main interface was already assigned to another context, then you must choose a subinterface.

Step 6 (Optional) In the Interfaces > Subinterface Range (optional) drop-down list, choose a subinterface ID.

For a range of subinterface IDs, choose the ending ID in the second drop-down list, if available.

In transparent firewall mode, only subinterfaces that have not been allocated to other contexts are shown.

Step 7 (Optional) In the Aliased Names area, check Use Aliased Name in Context to set an aliased name for this interface to be used in the context configuration instead of the interface ID.

a. In the Name field, set the aliased name.

An aliased name must start with a letter, end with a letter, and have as interior characters only letters, digits, or an underscore. This field lets you specify a name that ends with a letter or underscore; to add an optional digit after the name, set the digit in the Range field.

b. (Optional) In the Range field, set the numeric suffix for the aliased name.

If you have a range of subinterfaces, you can enter a range of digits to be appended to the name.

Step 8 (Optional) To enable context users to see physical interface properties even if you set an aliased name, check Show Hardware Properties in Context.

Step 9 Click OK to return to the Add Context dialog box.

Step 10 (Optional) If you use IPS virtual sensors, then assign a sensor to the context in the IPS Sensor Allocation area.

For detailed information about IPS and virtual sensors, see Chapter 55 "Configuring the IPS Module."

Step 11 (Optional) To assign this context to a resource class, choose a class name from the Resource Assignment > Resource Class drop-down list.

You can add or edit a resource class directly from this area. See the "Configuring a Class for Resource Management" section for more information.

Step 12 To set the context configuration location, identify the URL by choosing a file system type from the Config URL drop-down list and entering a path in the field.

For example, the combined URL for FTP has the following format:

ftp://server.example.com/configs/admin.cfg

Step 13 (Optional) For external filesystems, set the username and password by clicking Login.

(Optional) To set the failover group for active/active failover, choose the group name in the Failover Group drop-down list.

Step 14 (Optional) Add a description in the Description field.


Automatically Assigning MAC Addresses to Context Interfaces

This section describes how to configure auto-generation of MAC addresses. The MAC address is used to classify packets within a context. See the "Information About MAC Addresses" section for more information. See also the "Viewing Assigned MAC Addresses" section.

Guidelines

When you configure a name for the interface in a context, the new MAC address is generated immediately. If you enable this feature after you configure context interfaces, then MAC addresses are generated for all interfaces immediately after you enable it. If you disable this feature, the MAC address for each interface reverts to the default MAC address. For example, subinterfaces of GigabitEthernet 0/1 revert to using the MAC address of GigabitEthernet 0/1.

For the MAC address generation method when not using a prefix (not recommended), see the mac-address auto command in the Cisco ASA 5500 Series Command Reference.

In the rare circumstance that the generated MAC address conflicts with another private MAC address in your network, you can manually set the MAC address for the interface within the context. See the "Configuring Advanced Interface Parameters" section to manually set the MAC address.

Detailed Steps


Step 1 If you are not already in the System configuration mode, in the Device List pane, double-click System under the active device IP address.

Step 2 Choose the Configuration > Context Management > Security Contexts pane, and check Mac-Address auto.

Step 3 Check the Prefix check box, and in the field, enter a decimal value between 0 and 65535.

This prefix is converted to a 4-digit hexadecimal number, and used as part of the MAC address. The prefix ensures that each adaptive security appliance uses unique MAC addresses, so you can have multiple adaptive security appliances on a network segment, for example. See the "MAC Address Format" section for more information about how the prefix is used.


Monitoring Security Contexts

This section describes how to view and monitor context information and includes the following topics:

Monitoring Context Resource Usage

Viewing Assigned MAC Addresses

Monitoring Context Resource Usage

To monitor resource usage of all contexts from the system execution space, perform the following steps:


Step 1 If you are not already in the System mode, in the Device List pane, double-click System under the active device IP address.

Step 2 Click the Monitoring button on the toolbar.

Step 3 Click Context Resource Usage.

Click each resource type to view the resource usage for all contexts:

ASDM—Shows the usage of ASDM connections.

Context—Shows the name of each context.

Existing Connections (#)—Shows the number of existing connections.

Existing Connections (%)—Shows the connections used by this context as a percentage of the total number of connections used by all contexts.

Peak Connections (#)—Shows the peak number of connections since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.

Telnet—Shows the usage of Telnet connections.

Context—Shows the name of each context.

Existing Connections (#)—Shows the number of existing connections.

Existing Connections (%)—Shows the connections used by this context as a percentage of the total number of connections used by all contexts.

Peak Connections (#)—Shows the peak number of connections since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.

SSH—Shows the usage of SSH connections.

Context—Shows the name of each context.

Existing Connections (#)—Shows the number of existing connections.

Existing Connections (%)—Shows the connections used by this context as a percentage of the total number of connections used by all contexts.

Peak Connections (#)—Shows the peak number of connections since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.

Xlates—Shows the usage of network address translations.

Context—Shows the name of each context.

Xlates (#)—Shows the number of current xlates.

Xlates (%)—Shows the xlates used by this context as a percentage of the total number of xlates used by all contexts.

Peak (#)—Shows the peak number of xlates since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.

NATs—Shows the number of NAT rules.

Context—Shows the name of each context.

NATs (#)—Shows the current number of NAT rules.

NATs (%)—Shows the NAT rules used by this context as a percentage of the total number of NAT rules used by all contexts.

Peak NATs (#)—Shows the peak number of NAT rules since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.

Syslogs—Shows the rate of system log messages.

Context—Shows the name of each context.

Syslog Rate (#/sec)—Shows the current rate of system log messages.

Syslog Rate (%)—Shows the system log messages generated by this context as a percentage of the total number of system log messages generated by all contexts.

Peak Syslog Rate (#/sec)—Shows the peak rate of system log messages since the statistics were last cleared, either using the clear resource usage command or because the device rebooted.

Step 4 Click Refresh to refresh the view.


Viewing Assigned MAC Addresses

You can view auto-generated MAC addresses within the system configuration or within the context. This section includes the following topics:

Viewing MAC Addresses in the System Configuration

Viewing MAC Addresses Within a Context

Viewing MAC Addresses in the System Configuration

This section describes how to view MAC addresses in the system configuration.

Guidelines

If you manually assign a MAC address to an interface, but also have auto-generation enabled, the auto-generated address continues to show in the configuration even though the manual MAC address is the one that is in use. If you later remove the manual MAC address, the auto-generated one shown will be used.

Detailed Steps


Step 1 If you are not already in the System configuration mode, in the Device List pane, double-click System under the active device IP address.

Step 2 Choose the Configuration > Context Management > Security Contexts pane, and view the Primary MAC and Secondary MAC columns.


Viewing MAC Addresses Within a Context

This section describes how to view MAC addresses within a context.

Detailed Steps


Step 1 If you are not already in the System configuration mode, in the Device List pane, double-click System under the active device IP address.

Step 2 Choose the Configuration > Interfaces pane, and view the MAC Address column.

This table shows the MAC address in use; if you manually assign a MAC address and also have auto-generation enabled, then you can only view the unused auto-generated address from within the system configuration.


Feature History for Multiple Context Mode

Table 6-2 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 6-2 Feature History for Multiple Context Mode

Feature Name
Platform Releases
Feature Information

Multiple security contexts

7.0(1)

Multiple context mode was introduced.

The following screens were introduced: Configuration > Context Management.

Automatic MAC address assignment

7.2(1)

Automatic assignment of MAC address to context interfaces was introduced.

The following screen was modified: Configuration > Context Management > Security Contexts.

Resource management

7.2(1)

Resource management was introduced.

The following screen was introduced: Configuration > Context Management > Resource Management.

Virtual sensors for IPS

8.0(2)

The AIP SSM running IPS software Version 6.0 and above can run multiple virtual sensors, which means you can configure multiple security policies on the AIP SSM. You can assign each context or single mode adaptive security appliance to one or more virtual sensors, or you can assign multiple security contexts to the same virtual sensor.

The following screen was modified: Configuration > Context Management > Security Contexts.

Automatic MAC address assignment enhancements

8.0(5)/8.2(2)

The MAC address format was changed to use a prefix, to use a fixed starting value (A2), and to use a different scheme for the primary and secondary unit MAC addresses in a failover pair. The MAC addresses are also now persistent across reloads. The command parser now checks if auto-generation is enabled; if you want to also manually assign a MAC address, you cannot start the manual MAC address with A2.

The following screen was modified: Configuration > Context Management > Security Contexts.