→ When packets arrive at a physical interface, the system must classify them
so they can be delivered to the correct virtual firewall (context).
→ An interface can be allocated to more than one context; it is then called a
shared interface.
→ If the interface is allocated to only one context, classification is very
easy: the packet has only one place to go (unique interface). This is common
for transparent mode deployments.
→ If the interface is allocated to more than one context, classification
becomes more complex, and the MAC address is used to classify the packet.
→ This requires each interface in each context to have a unique virtual MAC
address, which can be assigned manually or auto-generated.
→ If individual virtual MAC addresses are not used, the physical interface
MAC address is used for each context.
→ If virtual MAC addresses are not assigned, the NAT tables are inspected to
decide how to classify the packet.
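
The classification order described above, as an added Python sketch (not vendor code and not part of the original notes). Interface names, context names, MAC addresses and NAT ranges are constructed; matching the destination IP against each context's translated addresses, and returning None when nothing matches, are assumptions about how the NAT inspection behaves.

```python
import ipaddress

# Constructed topology: contexts allocated to each physical interface.
ALLOCATION = {
    "Gi0/0": ["ctxA", "ctxB"],  # shared interface
    "Gi0/1": ["ctxA"],          # unique interface
}
# Constructed virtual MACs per (interface, context).
VIRTUAL_MACS = {
    ("Gi0/0", "ctxA"): "a2:00:00:00:00:01",
    ("Gi0/0", "ctxB"): "a2:00:00:00:00:02",
}
# Assumption: each context's NAT table is reduced to its translated networks.
NAT_MAPPED = {
    "ctxA": [ipaddress.ip_network("203.0.113.0/28")],
    "ctxB": [ipaddress.ip_network("203.0.113.16/28")],
}

def classify(interface, dst_mac, dst_ip, virtual_macs=VIRTUAL_MACS):
    """Return the context that should receive the packet, or None."""
    contexts = ALLOCATION.get(interface, [])
    # 1. Unique interface: only one place to go.
    if len(contexts) == 1:
        return contexts[0]
    # 2. Shared interface: usable only if every context has a distinct MAC.
    macs = {}
    for ctx in contexts:
        mac = virtual_macs.get((interface, ctx))
        if mac:
            macs[mac] = ctx
    if contexts and len(macs) == len(contexts):
        return macs.get(dst_mac.lower())  # unknown MAC -> unclassified
    # 3. No unique MACs: fall back to inspecting the NAT tables.
    addr = ipaddress.ip_address(dst_ip)
    hits = [ctx for ctx in contexts
            if any(addr in net for net in NAT_MAPPED.get(ctx, []))]
    # Zero or overlapping matches are ambiguous; do not guess a context.
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    # The MAC decides even though the destination IP sits in ctxA's NAT range.
    print(classify("Gi0/0", "A2:00:00:00:00:02", "203.0.113.5"))
    # Without virtual MACs the NAT tables decide.
    print(classify("Gi0/0", "00:11:22:33:44:55", "203.0.113.20", {}))
```

A packet that returns None here is one the classifier cannot place in any context, which is why unique virtual MAC addresses on shared interfaces keep delivery between contexts unambiguous.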