How The Security Appliance Classifies Packets; Valid Classifier Criteria - Cisco PIX 500 Series Configuration Manual

Chapter 3
Enabling Multiple Context Mode
If your system is already in multiple context mode, or if you convert from single mode, the admin context
is created automatically as a file on the internal Flash memory called admin.cfg. This context is named
"admin." If you do not want to use admin.cfg as the admin context, you can change the admin context.

How the Security Appliance Classifies Packets

Each packet that enters the security appliance must be classified, so that the security appliance can
determine to which context to send a packet. This section includes the following topics:

Valid Classifier Criteria, page 3-3
Invalid Classifier Criteria, page 3-4
Classification Examples, page 3-5

Note If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and
delivered to each context.

Valid Classifier Criteria

This section describes the criteria used by the classifier, and includes the following topics:

Unique Interfaces, page 3-3
Unique MAC Addresses, page 3-3
NAT Configuration, page 3-3

Unique Interfaces
If only one context is associated with the ingress interface, the security appliance classifies the packet
into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method
is used to classify packets at all times.

Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses the interface MAC address. The security
appliance lets you assign a different MAC address in each context to the same shared interface, whether
it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique
MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An
upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC
addresses manually when you configure each interface (see the "Configuring Interface Parameters"
section on page 7-2), or you can automatically generate MAC addresses (see the "Automatically
Assigning MAC Addresses to Context Interfaces" section on page 6-11).

NAT Configuration
If you do not have unique MAC addresses, then the classifier intercepts the packet and performs a
destination IP address lookup. All other fields are ignored; only the destination IP address is used. To
use the destination address for classification, the classifier must have knowledge about the subnets
located behind each security context. The classifier relies on the NAT configuration to determine the
subnets in each context. The classifier matches the destination IP address to either a static command or

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03    Security Context Overview    3-3
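The three classifier criteria above (unique interface, unique per-context MAC on a shared interface, destination IP lookup against the NAT configuration) and the Note about broadcast and multicast frames can be followed more easily in code. The model below is an added example written for this page, not Cisco's classifier code or its CLI; the topology, interface names, MAC addresses and static subnets are constructed, and because the NAT sentence is cut off on this page only static entries are modelled for the destination IP lookup.

```python
"""Toy model of the security appliance packet classifier described on this page.

Illustrative reimplementation written for this page, not Cisco code.  The criteria are applied
in the order the text gives them:
  1. unique ingress interface          -> the single context that owns it
  2. shared interface, unique MACs     -> the context whose MAC is the destination MAC
  3. shared interface, same MAC        -> destination IP lookup against each context's static entries
A broadcast/multicast destination MAC on a shared interface is duplicated to every context (the Note).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List

BURNED_IN_MAC = "0010.7b3a.0001"  # constructed: burned-in MAC of the physical interface


@dataclass
class Context:
    name: str
    interfaces: List[str]                                   # interfaces allocated to this context
    mac: Dict[str, str] = field(default_factory=dict)       # per-interface MAC set in the context
    statics: List[IPv4Network] = field(default_factory=list)  # destinations known from static commands

    def mac_on(self, ifname: str) -> str:
        # Default: every context answers to the burned-in MAC on a shared interface
        return self.mac.get(ifname, BURNED_IN_MAC)


@dataclass
class Packet:
    ingress: str
    dst_mac: str
    dst_ip: str


def is_multicast_or_broadcast(mac: str) -> bool:
    # Cisco dotted format "aaaa.bbbb.cccc"; the low bit of the first octet marks a group address
    first_octet = int(mac.split(".")[0][:2], 16)
    return bool(first_octet & 0x01)


def classify(pkt: Packet, contexts: List[Context]) -> List[str]:
    """Return the names of the context(s) that receive pkt; an empty list means unclassifiable."""
    candidates = [c for c in contexts if pkt.ingress in c.interfaces]
    if not candidates:
        return []
    # Criterion 1: unique interface (always the case in transparent mode)
    if len(candidates) == 1:
        return [candidates[0].name]
    # Note: group MACs are duplicated to every context sharing the interface
    if is_multicast_or_broadcast(pkt.dst_mac):
        return [c.name for c in candidates]
    # Criterion 2: unique MAC addresses on the shared interface
    matching = [c for c in candidates if c.mac_on(pkt.ingress).lower() == pkt.dst_mac.lower()]
    if len(matching) == 1:
        return [matching[0].name]
    if not matching:
        return []  # destination MAC belongs to no context on this interface
    # Criterion 3: several contexts answer to the same (burned-in) MAC, so only the destination
    # IP is used.  More than one name here means the static entries overlap and the classifier
    # cannot pick a single context.
    dst = ip_address(pkt.dst_ip)
    return [c.name for c in matching if any(dst in net for net in c.statics)]


def demo() -> Dict[str, List[str]]:
    # Constructed topology: 'admin' owns Gig0/1 alone; 'ctxA' and 'ctxB' share subinterface Gig0/0.200
    shared = "GigabitEthernet0/0.200"
    admin = Context("admin", ["GigabitEthernet0/1"])
    ctx_a = Context("ctxA", [shared, "GigabitEthernet0/2"], statics=[ip_network("209.165.201.0/27")])
    ctx_b = Context("ctxB", [shared, "GigabitEthernet0/3"], statics=[ip_network("209.165.200.224/27")])
    contexts = [admin, ctx_a, ctx_b]
    results = {
        "unique_iface": classify(Packet("GigabitEthernet0/1", BURNED_IN_MAC, "10.0.0.5"), contexts),
        "broadcast": classify(Packet(shared, "ffff.ffff.ffff", "255.255.255.255"), contexts),
        "nat_lookup_a": classify(Packet(shared, BURNED_IN_MAC, "209.165.201.10"), contexts),
        "nat_lookup_b": classify(Packet(shared, BURNED_IN_MAC, "209.165.200.230"), contexts),
        "nat_lookup_miss": classify(Packet(shared, BURNED_IN_MAC, "198.51.100.1"), contexts),
    }
    # Give each context its own MAC on the shared interface: the destination IP no longer matters
    ctx_a.mac[shared] = "a2ff.1a00.0001"
    ctx_b.mac[shared] = "a2ff.1a00.0002"
    results["unique_mac_b"] = classify(Packet(shared, "A2FF.1A00.0002", "198.51.100.1"), contexts)
    results["unknown_mac"] = classify(Packet(shared, "a2ff.1a00.0099", "209.165.201.10"), contexts)
    return results


if __name__ == "__main__":
    for case, ctxs in demo().items():
        print(f"{case:16s} -> {ctxs or 'dropped'}")
```

The two halves of `demo()` show the practical consequence of the Unique MAC Addresses section: with the burned-in MAC shared, a destination that no context's static entry covers is unclassifiable, whereas once each context has its own MAC (`mac-address auto` in the system execution space, or `mac-address` under the interface in each context) the lookup is by MAC alone and the NAT configuration is not consulted.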
This manual is also suitable for: ASA 5500 series