When the PIX Security Appliance is changed from single mode to
multiple mode, the PIX converts the running configuration into two files. These
files are a new startup configuration, stored in Flash, that comprises the
system configuration, and admin.cfg, stored in the disk partition, that
comprises the admin context. The original
running configuration is saved to disk as old_running.cfg. The original startup
configuration is not saved, so if it differs from the running configuration, it
should be backed up before proceeding.
The Admin Context
The system configuration does not include any
network interfaces or network settings for itself. When the system needs to
access the network, it uses one of the contexts that is designated as the admin
context. If the system is already in multiple context mode, or if it is
converted from single mode, the admin context is created automatically as a
file on the disk partition called admin.cfg.
The admin context has
the following characteristics:
- The system execution space has no traffic-passing interfaces, and uses the
policies and interfaces of the admin context to communicate with other
devices.
- It is used to fetch configurations for other contexts and to send system-level
syslogs.
- Users logged in to the admin context are able to change to the system
context and create new contexts.
- Since the admin context is special, it does not count against the licensed
context count.
- Aside from its significance to the system, it could be used as a regular
context.
Setting the Security Context Mode
Use the show
mode command in privileged EXEC mode to show the security context
mode for the running software image and for any image in Flash memory. The mode will
be either:
- Single – Multiple mode disabled.
- Multiple – Multiple mode enabled.
To set the security context mode to single or multiple, use the
mode command in global configuration mode. In single mode,
the PIX Security Appliance has a single configuration and behaves as a single
device. In multiple mode, multiple contexts, each with its own configuration,
can be created. The number of contexts allowed depends on the license.
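The single-to-multiple conversion described above, written out as a CLI sequence. This is an added example, not part of the original text; the hostname prompt, the TFTP server address 192.0.2.10 and the backup file name are assumptions, and command output is omitted.

```cisco
! Back up the startup configuration first: the conversion saves the
! running configuration as old_running.cfg but does not keep the
! original startup configuration.
! (192.0.2.10 and startup-backup.cfg are placeholder values.)
pixfirewall# copy startup-config tftp://192.0.2.10/startup-backup.cfg

! Confirm the current security context mode before changing it.
pixfirewall# show mode

! Convert to multiple mode. The appliance prompts for confirmation
! and reloads as part of the change.
pixfirewall# configure terminal
pixfirewall(config)# mode multiple

! After the reload, confirm the new mode and check that the files
! created by the conversion (admin.cfg and old_running.cfg) are on disk.
pixfirewall# show mode
pixfirewall# dir

! List the contexts; the automatically created admin context
! should be present.
pixfirewall# show context
```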
When converting from multiple mode to single mode, an administrator might
want to first copy a full startup configuration, if one is available, to the
PIX Security Appliance. The system configuration inherited from multiple mode
is not a complete functioning configuration for a single mode device.