Usage Guidelines

See the following guidelines:

• You should have at least 300 MB of disk space available at the backup location before you start a backup.

• If you make any configuration changes during or after a backup, those changes will not be included in the backup. If you change a configuration after making the backup, then perform a restore, this configuration change will be overwritten. As a result, the ASA might behave differently.

• You can start only one backup at a time.

• You can only restore a configuration to the same ASA version as when you performed the original backup. You cannot use the restore tool to migrate a configuration from one ASA version to another. If a configuration migration is required, the ASA automatically upgrades the resident startup configuration when it loads the new ASA OS.

• If you use clustering, you can only back up the startup-configuration, running-configuration, and identity certificates. You must create and restore a backup separately for each unit.

• If you use failover, you must create and restore a backup separately for the active and standby units.

• If you set a master passphrase for the ASA, then you need that master passphrase to restore the backup configuration that you create with this procedure. If you do not know the master passphrase for the ASA, see the CLI configuration guide to learn how to reset it before continuing with the backup.

• If you import PKCS12 data (with the crypto ca trustpoint command) and the trustpoint uses RSA keys, the imported key pair is assigned the same name as the trustpoint. Because of this limitation, if you specify a different name for the trustpoint and its key pair after you have restored an ASDM configuration, the startup configuration will be the same as the original configuration, but the running configuration will include a different key pair name. This means that if you use different names for the key pair and trustpoint, you cannot restore the original configuration. To work around this issue, make sure that you use the same name for the trustpoint and its key pair.

• If you do not specify the interface, the ASA checks the management-only routing table; if there are no matches, it then checks the data routing table. Note that if you have a default route through a management-only interface, all backup traffic will match that route and never check the data routing table. In this scenario, always specify the interface if you need to back up through a data interface.

• You cannot back up using the CLI and restore using ASDM, or vice versa.

• When backup location command is issued, ensure to use double slash ‘//’ for the directory path. For example,

ciscoasa# backup location disk0://sample-backup

• Each backup file includes the following content:

  • Running-configuration

  • Startup-configuration

  • All security images

Cisco Secure Desktop and Host Scan images

Cisco Secure Desktop and Host Scan settings

AnyConnect (SVC) client images and profiles

AnyConnect (SVC) customizations and transforms

• • Identity certificates (includes RSA key pairs tied to identity certificates; excludes standalone keys)

  • VPN pre-shared keys

  • SSL VPN configurations

  • Application Profile Custom Framework (APCF)

  • Bookmarks

  • Customizations

  • Dynamic Access Policy (DAP)

  • Plug-ins

  • Pre-fill scripts for connection profiles

  • Proxy Auto-config

  • Translation table

  • Web content

  • Version information

Usage Guidelines

This command can be entered in the interface configuration mode for a VLAN interface only. This command blocks all through traffic on the identified backup interface unless the default route through the primary interface goes down.

When you configure Easy VPN with the backup interface command, if the backup interface becomes the primary, then the ASA moves the VPN rules to the new primary interface. See the show interface command to view the state of the backup interface.

Be sure to configure default routes on both the primary and backup interfaces so that the backup interface can be used when the primary fails. For example, you can configure two default routes: one for the primary interface with a lower administrative distance, and one for the backup interface with a higher distance. See the dhcp client route distance command to override the administrative distance for default routes acquired from a DHCP server. To configure dual ISP support, see the sla monitor and track rtr commands for more information.

You cannot configure a backup interface when the management-only command is already configured on the interface.

Usage Guidelines

The backup and restore modes are independent and you can configure them separately.

Use the backup-package location command to specify the backup and restore configuration parameters for automatic backup and restore operations.

Usage Guidelines

The backup and restore operations are independent and can be configured separately.

Generally, configuring backup-package information is a one-time operation to let you subsequently manually back up and restore the device configuration without having to provide additional parameters.

Usage Guidelines

To remove the backup-servers attribute from the running configuration, use the no form of this command without arguments. This enables inheritance of a value for backup servers from another group policy.

IPsec backup servers let a VPN client connect to the central site when the primary ASA is unavailable. When you configure backup servers, the ASA pushes the server list to the client as the IPsec tunnel is established.

Configure backup servers either on the client or on the primary ASA. If you configure backup servers on the ASA, it pushes the backup server policy to the clients in the group, replacing the backup server list on the client if one is configured.

Note

If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind a hardware client obtain DNS and WINS information from the hardware client via DHCP, the connection to the primary server is lost, and the backup servers have different DNS and WINS information, clients cannot be updated until the DHCP lease expires. In addition, if you use hostnames and the DNS server is unavailable, significant delays can occur.

Usage Guidelines

The banner command configures a banner to display for the keyword specified. The text string consists of all characters following the first white space (space) until the end of the line (carriage return or line feed [LF]). Spaces in the text are preserved. However, you cannot enter tabs through the CLI.

Subsequent text entries are added to the end of an existing banner unless the banner is cleared first.

Note	The tokens $(domain) and $(hostname) are replaced with the hostname and domain name of the ASA. When you enter a $(system) token in a context configuration, the context uses the configured in the system configuration.

Multiple lines in a banner are handled by entering a new banner command for each line that you want to add. Each line is then appended to the end of the existing banner.

Note	The maximum length of the authorization prompt for banners is 235 characters or 31 words, whichever limitation is reached first.

When accessing the ASA through Telnet or SSH, the session closes if there is not enough system memory available to process the banner messages or if a TCP write error occurs. Only the exec and motd s support access to the ASA through SSH. The login banner does not support SSHv1 clients or SSH clients that do not pass the username as part of the initial connection.

To replace a banner, use the no banner command before adding the new lines.

Use the no banner { exec | login | motd } command to remove all the lines for the banner keyword specified.

The no banner command does not selectively delete text strings, so any text that you enter at the end of the no banner command is ignored.

Usage Guidelines

The banner is locally configured on the ASA, and the user must click either Accept or Disconnect to the post-login banner.

Note	The behavior on older architectures, such as IKEv1 and Secure Client version 3.0, is supported without error.

To prevent inheriting a banner, use the banner none command.

The IPsec VPN client supports full HTML for the banner. However, the clientless portal and the Secure Client support partial HTML. To ensure the banner displays correctly to remote users, follow these guidelines:

• For IPsec client users, use the /n tag.

• For Secure Client, use the <BR> tag.

• For clientless users, use the <BR> tag.

Usage Guidelines

• When base-url is configured, it is the base URL of AssertionConsumerService and SingleLogoutService, and is displayed in show saml metadata .

• When base-url is not configured, the base URL is created from the ASA’s hostname and domain-name. For example, https://ssl-vpn.cisco.com is the base URL in show saml metadata when hostname is “ssl-vpn” and domain-name is “cisco.com”.

• When neither base-url or hostname and domain-name are configured, show saml metadata displays an error.

Usage Guidelines

The customer edge (CE) device uses the basic mapping rule to determine its dedicated IPv4 addressing or shared address and port set assignment. The CE device first translates the system’s IPv4 address to an IPv4 address and port within the pool’s prefix and port range (using NAT44), then MAP translates the new IPv4 address to an IPv6 address within the pool defined by the rule’s IPv6 prefix. The packet is then ready to be transmitted over the service provider’s IPv6-only network to a border relay (BR) device.

When you enter the basic-mapping-rule command, you enter MAP domain basic mapping rule configuration mode, where you can configure the IPv4, IPv6, and port properties of the rule.

Usage Guidelines

This command can be configured in an IP Options inspection policy map.

You can configure IP Options inspection to control which IP packets with specific IP options are allowed through the ASA. You can allow a packet to pass without change or clear the specified IP options and then allow the packet to pass.

Usage Guidelines

Echo mode is enabled by default, but not supported in BFD IPv6 sessions. Entering the no bfd echo command without any keywords turns off the sending of echo packets and signifies that the ASA is unwilling to forward echo packets received from BFD neighbor routers.

When echo mode is enabled, the minimum echo transmit interval and required minimum transmit interval values are taken from the bfd interval milliseconds min_rx milliseconds parameters, respectively.

Before using BFD echo mode, you must disable the sending of Internet Control Message Protocol (ICMP) redirect messages by entering the no ip redirects command to avoid high CPU utilization.

Usage Guidelines

Use this command to create a BFD template and enter BFD configuration mode. You can also specify a set of BFD interval values in the template. BFD interval values specified as part of the BFD template are not specific to a single interface.

Usage Guidelines

Use this command to change the default interval at which BGP routes are aggregated.

In very large configurations, even if the aggregate-address summary-only command is configured, more specific routes are advertised and later withdrawn. To avoid this behavior, configure the bgp aggregate-timer to 0 (zero), and the system will immediately check for aggregate routes and suppress specific routes.

Usage Guidelines

The MED, as stated in RFC 1771, is an optional non-transitive attribute that is a four octet non-negative integer. The value of this attribute may be used by the BGP best path selection process to discriminate among multiple exit points to a neighboring autonomous system.

The MED is one of the parameters that is considered when selecting the best path among many alternative paths. The path with a lower MED is preferred over a path with a higher MED. During the best-path selection process, MED comparison is done only among paths from the same autonomous system. The bgp always-compare-med command is used to change this behavior by enforcing MED comparison between all paths, regardless of the autonomous system from which the paths are received.

The bgp deterministic-med command can be configured to enforce deterministic comparison of the MED value between all paths received from within the same autonomous system.

Usage Guidelines

Prior to January 2009, BGP autonomous system numbers that were allocated to companies were 2-octet numbers in the range from 1 to 65535 as described in RFC 4271, A Border Gateway Protocol 4 (BGP-4).

Due to increased demand for autonomous system numbers, the Internet Assigned Number Authority (IANA) will start in January 2009 to allocate four-octet autonomous system numbers in the range from 65536 to 4294967295. RFC 5396, Textual Representation of Autonomous System (AS) Numbers, documents three methods of representing autonomous system numbers. Cisco has implemented the following two methods:

• Asplain—Decimal value notation where both 2-byte and 4-byte autonomous system numbers are represented by their decimal value. For example, 65526 is a 2-byte autonomous system number and 234567 is a 4-byte autonomous system number.

• Asdot—Autonomous system dot notation where 2-byte autonomous system numbers are represented by their decimal value and 4-byte autonomous system numbers are represented by a dot notation. For example, 65526 is a 2-byte autonomous system number and 1.169031 is a 4-byte autonomous system number (this is dot notation for the 234567 decimal numbers).

Cisco implementation of 4-byte autonomous system numbers uses asplain as the default display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain and asdot format. In addition, the default format for matching 4-byte autonomous system numbers in regular expressions is asplain, so you must ensure that any regular expressions to match 4-byte autonomous system numbers are written in the asplain format. If you want to change the default show command output to display 4-byte autonomous system numbers in the asdot format, use the bgp asnotation dot command under router configuration mode. When the asdot format is enabled as the default, any regular expressions to match 4-byte autonomous system numbers must be written using the asdot format, or the regular expression match will fail. Tables below show that although you can configure 4-byte autonomous system numbers in either asplain or asdot format, only one format is used to display show command output and control 4-byte autonomous system number matching for regular expressions, and the default is asplain format.

To display 4-byte autonomous system numbers in show command output and to control matching for regular expressions in the asdot format, you must configure the bgp asnotation dot command. After enabling the bgp asnotation dot command, a hard reset must be initiated for all BGP sessions by entering the clearbgp * command.

Usage Guidelines

The bgp bestpath compare-routerid command is used to configure a BGP routing process to use the router ID as the tie breaker for best path selection when two identical routes are received from two different peers (all the attributes are the same except for the router ID). When this command is enabled, the lowest router ID will be selected as the best path when all other attributes are equal.

Usage Guidelines

The bgp-community new-format command is used to configure the local router to display BGP communities in the AA:NN format to conform with RFC-1997.

This command only affects the format in which BGP communities are displayed; it does not affect the community or community exchange. However, expanded IP community lists that match locally configured regular expressions may need to be updated to match on the AA:NN format instead of the 32-bit number.

RFC 1997, BGP Communities Attribute, specifies that a BGP community is made up of two parts that are each 2 bytes long. The first part is the autonomous system number and the second part is a 2-byte number defined by the network operator.

Usage Guidelines

The local preference attribute is a discretionary attribute that is used to apply the degree of preference to a route during the BGP best path selection process. This attribute is exchanged only between iBGP peers and is used to determine local policy. The route with the highest local preference is preferred.

Usage Guidelines

The bgp always-compare-med command is used to enable the comparison of the Multi Exit Discriminator (MED) for paths from neighbors in different autonomous systems. After the bgp always-compare-med command is configured, all paths for the same prefix that are received from different neighbors, which are in the same autonomous system, will be grouped together and sorted by the ascending MED value (received-only paths are ignored and not grouped or sorted).

The best path selection algorithm will then pick the best paths using the existing rules; the comparison is made on a per neighbor autonomous system basis and then global basis. The grouping and sorting of paths occurs immediately after this command is entered. For correct results, all routers in the local autonomous system must have this command enabled (or disabled).

Usage Guidelines

The bgp enforce-first-as command is used to deny incoming updates received from eBGP peers that do not list their autonomous system number as the first segment in the AS_PATH attribute. Enabling this command prevents a misconfigured or unauthorized peer from misdirecting traffic (spoofing the local router) by advertising a route as if it was sourced from another autonomous system.

Usage Guidelines

The bgp fast-external-fallover command is used to disable or enable fast external fallover for BGP peering sessions with directly connected external peers. The session is immediately reset if link goes down. Only directly connected peering sessions are supported. If BGP fast external fallover is disabled, the BGP routing process will wait until the default hold timer expires (3 keepalives) to reset the peering session. BGP fast external fallover can also be configured on a per-interface basis using the ip bgp fast-external-fallover interface configuration command.

Usage Guidelines

Use this command to enable graceful restart for non-stop forwarding. With graceful restart, the system can advertise the ability to maintain the forwarding state for an address group during restart. Use the neighbor ha-mode graceful-restart command to configure restart capability for each BGP neighbor router.

Usage Guidelines

The bgp inject-map command is used to configure conditional route injection. Conditional route injection allows you to originate a more specific prefix into a BGP routing table without a corresponding match. Two route maps (exist-map and inject-map) are configured in global configuration mode and then specified with the bgp inject-map command in address family configuration mode.

The exist-map argument specifies a route map that defines the prefix that the BGP speaker will track. This route map must contain a match ip address prefix-list command statement to specify the aggregate prefix and a match ip route-source prefix-list command statement to specify the route source.

The inject-map argument defines the prefixes that will be created and installed into the routing table. Injected prefixes are installed in the local BGP RIB. A valid parent route must exist; Only prefixes that are equal to or more specific than the aggregate route (existing prefix) can be injected.

The optional copy-attributes keyword is used to optionally configure the injected prefix to inherit the same attributes as the aggregate route. If this keyword is not entered, the injected prefix will use the default attributes for locally originated routes.

Usage Guidelines

The bgp log-neighbor-changes command enables logging of BGP neighbor status changes (up or down) and resets for troubleshooting network connectivity problems and measuring network stability. Unexpected neighbor resets might indicate high error rates or high packet loss in the network and should be investigated.

Using the bgp log-neighbor-changes command to enable status change message logging does not cause a substantial performance impact, unlike, for example, enabling per BGP update debugging.

The neighbor status change messages are not tracked if the bgp log-neighbor-changes command is not enabled, except for the reset reason, which is always available as output of the show bgp neighbors command.

The eigrp log-neighbor-changes command enables logging of Enhanced Interior Gateway Routing Protocol (EIGRP) neighbor adjacencies, but messages for BGP neighbors are logged only if they are specifically enabled with the bgp log-neighbor-changes command.

Use the show logging command to display the log for the BGP neighbor changes.

Usage Guidelines

The bgp maxas-limit command is used to limit the number of autonomous system numbers in the AS-path attribute that are permitted in inbound routes. If a route is received with an AS-path segment that exceeds the configured limit, the BGP routing process will discard the route.

Usage Guidelines

BGP next-hop address tracking is event driven. BGP prefixes are automatically tracked as peering sessions are established. Next-hop changes are rapidly reported to BGP as they are updated in the routing information base (RIB). This optimization improves overall BGP convergence by reducing the response time to next-hop changes for routes installed in the RIB. When a best-path calculation is run in between BGP scanner cycles, only the changes are processed and tracked.

Note	BGP next-hop address tracking improves BGP response time significantly. However, unstable Interior Gateway Protocol (IGP) peers can introduce instability to BGP. We recommend that you aggressively dampen unstable IGP peering sessions to mitigate the possible impact to BGP.

• BGP next-hop address tracking is not supported under the IPv6 address family.

Use the trigger keyword with the delay keyword and seconds argument to change the delay interval between routing table walks for BGP next-hop address tracking. You can increase the performance of BGP next-hop address tracking by tuning the delay interval between full routing table walks to match the tuning parameters for the IGP. The default delay interval is 5 seconds, which is an optimal value for a fast-tuned IGP. In the case of an IGP that converges more slowly, you can change the delay interval to 20 seconds or more, depending on the IGP convergence time.

Use the trigger keyword with the enable keyword to enable BGP next-hop address tracking. BGP next-hop address tracking is enabled by default.

Use the route-map keyword and map-name argument to allow a route map to be used. The route map is used during the BGP best-path calculation and is applied to the route in the routing table that covers the Next_Hop attribute for BGP prefixes. If the next-hop route fails the route-map evaluation, the next-hop route is marked as unreachable. This command is per address family, so different route maps can be applied for next-hop routes in different address families.

Note	Only the match ip address command is supported in the route map. No set commands or other match commands are supported.

Usage Guidelines

The bgp redistribute-internal command is used to configure iBGP redistribution into an IGP. The clear bgp command must be entered to reset BGP connections after this command is configured.

When redistributing BGP into any IGP, be sure to use IP prefix-list and route-map statements to limit the number of prefixes that are redistributed.

Caution

Exercise caution when redistributing iBGP into an IGP. Use IP prefix-list and route-map statements to limit the number of prefixes that are redistributed. Redistributing an unfiltered BGP routing table into an IGP can have a detrimental effect on normal IGP network operation.

Usage Guidelines

The bgp router-id command is used to configure a fixed router ID for the local BGP routing process. The router ID is entered in IP address format. Any valid IP address can be used, even an address that is not locally configured on the router.Peering sessions are automatically reset when the router ID is changed. Separate router ID per context is possible.

Usage Guidelines

Entering the no form of this command does not disable scanning, but removes it from the output of the show running-config command.

While bgp nexthop address tracking (NHT) is enabled for an address family, the bgp scan-time command will not be accepted in that address family and will remain at the default value of 60 seconds. NHT must be disabled before the bgp scan-time command will be accepted in either router mode or address family mode.

Usage Guidelines

The bgp suppress-inactive command is used to prevent routes that are not installed in the RIB (inactive routes) from being advertised to peers. If this feature is not enabled or if the no form of this command is used, Border Gateway Protocol (BGP) will advertise inactive routes.

Note

BGP marks routes that are not installed into the RIB with a RIB-failure flag. This flag will also appear in the output of the show bgp command; for example, Rib-Failure (17). This flag does not indicate an error or problem with the route or the RIB, and the route may still be advertised depending on the configuration of this command. Enter the show bgp rib-failure command to see more information about the inactive route.

Usage Guidelines

This command is enabled by default because it is used to allow BGP sessions to take advantage of larger MTU links, which can be very important for internal BGP (iBGP) sessions. Use the show bgp neighbors command to ensure that TCP path MTU discovery is enabled.

Usage Guidelines

To view the currently allocated memory, enter the show blocks queue history command.

If you reload the ASA, the memory allocation returns to the default.

The amount of memory allocated will be at most 150 KB, but never more than 50% of free memory. Optionally, you can specify the memory size manually.

Usage Guidelines

If you have more than one ASA or ASDM image, you should specify the image that you want to boot. If you do not set the image, the default boot image is used, and that image may not be the one intended. For the startup configuration, you can optionally specify a configuration file.

See the following model guidelines:

• Firepower 4100/9300 chassis—ASA upgrades are managed by FXOS; you cannot upgrade the ASA within the ASA operating system, so do not use this command for the ASA image. You can upgrade ASA and FXOS separately from each other, and they are listed separately in the FXOS directory listing. The ASA package always includes ASDM.

• Firepower 2100 in Platform mode—The ASA, ASDM, and FXOS images are bundled together into a single package. Package updates are managed by FXOS; you cannot upgrade the ASA within the ASA operating system, so do not use this command for the ASA image. You cannot upgrade ASA and FXOS separately from each other; they are always bundled together.

• Firepower 1000 and 2100 in Appliance mode—The ASA, ASDM, and FXOS images are bundled together into a single package. Package updates are managed by ASA using this command. Although these platforms use the ASA to identify the image to boot, the underlying mechanism is different from legacy ASAs.

• ASA Virtual—The initial deployment ASA virtual package puts the ASA image in the read-only boot:/ partition. When you upgrade the ASA virtual, you specify a different image in flash memory. Note that if you later clear your configuration (clear configure all ), then the ASA virtual will revert to loading the original deployment image. The initial deployment ASA virtual package also includes an ASDM image that it places in flash memory. You can upgrade the ASDM image separately.

When you save the boot config command to the startup configuration using the write memory command, you also save the settings to the CONFIG_FILE environment variable, which the ASA uses to determine the startup configuration to boot when it restarts.

If you want to use a startup configuration file at the new location that is different from the current running configuration, then be sure to copy the startup configuration file to the new location after you save the running configuration. Otherwise, the running configuration will overwrite the new startup configuration when you save it.

Tip	The ASDM image file is specified by the asdm image command.

boot system for the Firepower 1000 and 2100 in Appliance Mode

You can only enter a single boot system command. If you upgrade to a new image, then you must enter no boot system to remove the previous image you set.

Note that you may not have a boot system command present in your configuration; for example, if you installed the image from ROMMON, have a new device, or you removed the command manually.

The boot system command performs an action when you enter it: the system validates and unpacks the image and copies it to the boot location (an internal location on disk0 managed by FXOS). The new image will load when you reload the ASA. If you change your mind prior to reloading, you can enter the no boot system command to delete the new image from the boot location, so the current image continues to run. You can even delete the original image file from the ASA flash memory after you enter this command, and the ASA will boot correctly from the boot location.

Unlike other models, this command in the startup configuration does not affect the booting image, and is essentially cosmetic. The last-loaded boot image will always run upon reload. If you do not save the configuration after you enter this command, then when you reload, the old command will be present in your configuration, even though the new image was booted. Be sure to save the configuration so that the configuration remains in sync.

You can only load images with the original filename from the Cisco download site. If you change the filename, it will not load. You can also reimage to the Secure Firewall Threat Defense (formerly Firepower Threat Defense) by loading an threat defense image. In this case, you are prompted to reload immediately.

boot system for Other Models

You can enter up to four boot system command entries to specify different images to boot from in order; the ASA boots the first image it finds successfully. When you enter the boot system command, it adds an entry at the bottom of the list. To reorder the boot entries, you must remove all entries using the clear configure boot system command, and re-enter them in the order you desire. Only one boot system tftp command can be configured, and it must be the first one configured.

When you save the boot system command to the startup configuration using the write memory command, you also save the settings to the BOOT environment variable, which the ASA uses to determine the startup image to boot when it restarts.

Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

• You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

• RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma-separated entry indicates the level of intensity of each color to combine with the others.

• HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

Note	To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.

Usage Guidelines

Breakout ports can be used just like any other physical Ethernet port, including being added to EtherChannels.

If an interface is already in use in your configuration, you will have to manually remove any configuration related to interfaces that will no longer be present.

You must use a supported breakout cable. See the hardware installation guide for more information.

For clustering or failover, make sure the cluster/failover link is not using the parent interface (for breaking out) or the child interface (for rejoining); you cannot make changes to the interface if it is in use for the cluster/failover link.

For clustering or failover, enter this command on the control node/active unit; the module state is replicated to the other nodes.

For rejoining, you must rejoin all child ports for the interface.

Usage Guidelines

For 9.2 and earlier, You can configure up to 8 bridge groups in single mode or per context in multiple mode; for 9.3(1) and later, you can configure up to 250 bridge groups. Each bridge group can include up to 64 interfaces (4 interfaces for 9.6(1) and earlier). You cannot assign the same interface to more than one bridge group. Note that you must use at least 1 bridge group; data interfaces must belong to a bridge group.

Note	Although you can configure multiple bridge groups on the ASA 5505, the restriction of 2 data interfaces in transparent mode on the ASA 5505 means you can only effectively use 1 bridge group.

Assign a management IP address to the bridge group using the interface bvi command and then the ip address command.

Each bridge group connects to a separate network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back to another bridge group in the ASA.

You might want to use more than one bridge group if you do not want the overhead of security contexts, or want to maximize your use of security contexts. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.

Usage Guidelines

The style option is expressed as any valid Cascading Style Sheet (CSS) parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium (W3C) website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

• You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

• RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma separated entry indicates the level of intensity of each color to combine with the others.

• HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

Note	To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.