8-10
Cisco ASDM User Guide
OL-16647-01
Chapter 8 Configuring Interfaces in Multiple Mode
Configuring Interface Parameters within each Context (Multiple Mode)
The description can be up to 240 characters on a single line, without carriage returns. The system
description is independent of the context description. In the case of a failover or state link, the
description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover
Interface,” for example. You cannot edit this description. The fixed description overwrites any
description you enter here if you make this interface a failover or state link.
Step 9 (Optional) To set the MTU, click the Advanced tab and enter the value in the MTU field, between 300
and 65,535 bytes.
The default is 1500 bytes. For the ASA 5580, if you set the value above 1500 bytes, be sure to enable
jumbo frame support in the system configuration (see the “Enabling Jumbo Frame Support for the ASA
5580 in the System Configuration (Multiple Mode)” section on page 8-7).
Step 10 (Optional) To manually assign a MAC address to this interface, on the Advanced tab enter a MAC
address in the Active Mac Address field in H.H.H format, where each H is a 16-bit hexadecimal value
(four hexadecimal digits). For example, the MAC address 00-0C-F1-42-4C-DE would be entered as 000C.F142.4CDE.
If you use failover, enter the standby MAC address in the Standby Mac Address field. If the active unit
fails over and the standby unit becomes active, the new active unit starts using the active MAC addresses
to minimize network disruption, while the old active unit uses the standby address.
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical
interface use the same burned-in MAC address. A redundant interface uses the MAC address of the first
physical interface that you add. If you change the order of the member interfaces in the configuration,
then the MAC address changes to match the MAC address of the interface that is now listed first. If you
assign a MAC address to the redundant interface using this field, then it is used regardless of the member
interface MAC addresses.
If you share an interface between contexts, you can assign a unique MAC address to the interface in each
context. This feature lets the security appliance easily classify packets into the appropriate context.
Using a shared interface without unique MAC addresses is possible, but has some limitations. See the
“How the Security Appliance Classifies Packets” section on page 10-2 for more information. You can
assign each MAC address manually, or you can automatically generate MAC addresses for shared
interfaces in contexts. See the “Automatically Assigning MAC Addresses” section on page 10-17 to
automatically generate MAC addresses. If you automatically generate MAC addresses, you can use this
option to override the generated address.
For interfaces that are not shared, you might want to assign unique MAC addresses to subinterfaces. For
example, your service provider might perform access control based on the MAC address.
Step 11 Click OK.
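The following Python sketch is an added example, not part of the Cisco guide. It converts MAC addresses from several common notations into the H.H.H form used in Step 10 and checks that the active and standby addresses planned for a shared interface are unique across contexts. The function names, context names, and sample addresses are hypothetical, and the rejection of multicast addresses is a general Ethernet rule rather than something this guide states.

```python
import re

def to_cisco_mac(mac: str) -> str:
    """Normalize a MAC in a common notation to the H.H.H form (e.g. 000C.F142.4CDE)."""
    # Separators are stripped loosely; only the 12 hex digits are validated.
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if int(digits[:2], 16) & 0x01:
        # Group (multicast) bit set: not usable as an interface's own address.
        raise ValueError(f"multicast address cannot be assigned: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def check_shared_interface(plan: dict) -> dict:
    """plan maps context name -> (active MAC, standby MAC or None).

    Returns context -> (active, standby) in H.H.H form, or raises ValueError
    if any address is reused anywhere on the shared interface.
    """
    seen = {}    # normalized MAC -> "context/role" that first used it
    result = {}
    for context, (active, standby) in plan.items():
        normalized = []
        for role, mac in (("active", active), ("standby", standby)):
            if mac is None:          # no failover: standby left empty
                normalized.append(None)
                continue
            cisco = to_cisco_mac(mac)
            owner = f"{context}/{role}"
            if cisco in seen:
                raise ValueError(f"{cisco} used by both {seen[cisco]} and {owner}")
            seen[cisco] = owner
            normalized.append(cisco)
        result[context] = tuple(normalized)
    return result

# Constructed sample plan: two contexts sharing one interface.
SAMPLE_PLAN = {
    "ctx-a": ("00-0C-F1-42-4C-DE", "00:0c:f1:42:4c:df"),
    "ctx-b": ("000c.f142.4ce0", "000CF1424CE1"),
}

if __name__ == "__main__":
    for ctx, (act, stby) in check_shared_interface(SAMPLE_PLAN).items():
        print(f"{ctx}: active={act} standby={stby}")
```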
Enabling Same Security Level Communication (Multiple Mode)
By default, interfaces on the same security level cannot communicate with each other. Allowing
communication between same-security interfaces lets you configure more than 101 communicating
interfaces. If you use different levels for each interface and do not assign any interfaces to the same
security level, you can configure only one interface per level (0 to 100).
Note: If you enable NAT control, you do not need to configure NAT between same security level interfaces.
If you enable same security interface communication, you can still configure interfaces at different
security levels as usual.