The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address.

Each context is an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices.
Many features are supported in multiple context mode, including routing tables, firewall features, IPS, and management. Some features are not supported, including VPN and dynamic routing protocols. By enabling multiple security contexts on the security appliance, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases configuration.

The system configuration identifies basic settings for the security appliance. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.

The admin context is not restricted in any way, and can be used as a regular context. The admin context must reside on Flash memory, and not remotely. If you do not want to use admin.cfg as the admin context, you can change the admin context.

In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times. The security appliance lets you assign a different MAC address in each context to the same shared interface, whether it is a shared physical interface or a shared subinterface. By default, shared interfaces do not have unique MAC addresses; the interface uses the physical interface burned-in MAC address in every context. An upstream router cannot route directly to a context without unique MAC addresses. You can set the MAC addresses manually when you configure each interface (see the Configuring the Interface section on page 7-2), or you can automatically generate MAC addresses (see the Automatically Assigning MAC Addresses to Context Interfaces section on page 6-11).

All other fields are ignored; only the destination IP address is used.
To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on the NAT configuration to determine the subnets in each context. The classifier matches the destination IP address to either a static command or a global command. In the case of the global command, the classifier does not need a matching nat command or an active NAT session to classify the packet. Whether the packet can communicate with the destination IP address after classification depends on how you configure NAT and NAT control.

The classifier assigns the packet to Context B because Context B includes the MAC address to which the router sends the packet.
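The classification order described above (a unique interface decides outright; on a shared interface a per-context MAC decides; otherwise the destination IP is matched against each context's static/global translations) modelled as a small simulator. This is an added example, not Cisco code or output; the context names, interface names, MAC addresses and mapped subnets are constructed, and the overlap audit is added from a defender's viewpoint to catch translations that two contexts both claim on a shared interface.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the multiple-context packet classifier described above.
# Check order mirrors the text: unique interface, then unique MAC on a shared
# interface, then destination IP against the context's static/global mappings.

@dataclass
class Context:
    name: str
    interfaces: set                                     # interfaces allocated to it
    mac_by_iface: dict = field(default_factory=dict)    # shared iface -> unique MAC
    nat_addrs: list = field(default_factory=list)       # mapped addrs (static/global)

def classify(contexts, iface, dst_mac, dst_ip):
    """Return (context name or None, reason) for a packet arriving on iface."""
    owners = [c for c in contexts if iface in c.interfaces]
    if len(owners) == 1:                  # interface not shared: always decisive
        return owners[0].name, "unique interface"
    for c in owners:                      # shared interface with per-context MACs
        if c.mac_by_iface.get(iface, "").lower() == dst_mac.lower():
            return c.name, "unique mac"
    dst = ip_address(dst_ip)              # fall back to the NAT configuration
    matches = [c.name for c in owners
               if any(dst in ip_network(n) for n in c.nat_addrs)]
    if len(matches) == 1:
        return matches[0], "nat translation"
    if matches:                           # this model refuses to guess on overlap
        raise ValueError(f"ambiguous classification for {dst_ip}: {matches}")
    return None, "no match"

def audit_overlaps(contexts, iface):
    """Mapped addresses claimed by more than one context sharing iface."""
    seen = {}
    for c in contexts:
        if iface not in c.interfaces:
            continue
        for n in c.nat_addrs:
            seen.setdefault(ip_network(n), set()).add(c.name)
    return {str(n): sorted(names) for n, names in seen.items() if len(names) > 1}

# Constructed sample: two contexts share "outside", each with its own inside.
CONTEXTS = [
    Context("A", {"outside", "insideA"}, {"outside": "02:00:00:00:00:0a"}, ["10.1.1.1/32"]),
    Context("B", {"outside", "insideB"}, {"outside": "02:00:00:00:00:0b"}, ["10.1.2.0/24"]),
]

if __name__ == "__main__":
    print(classify(CONTEXTS, "outside", "02:00:00:00:00:0b", "10.1.1.1"))  # B via MAC
    print(classify(CONTEXTS, "outside", "ff:ff:ff:ff:ff:ff", "10.1.2.7"))  # B via NAT
    print(audit_overlaps(CONTEXTS, "outside"))                              # {}
```

Run the audit against a context list before committing a shared-interface change; a non-empty result means the destination-address fallback cannot distinguish those contexts.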