ASA MultiContext Mode Packet Classification Tidbit

In order to understand how traffic flows through the segregated contexts it is important to understand how the ASA determines the context in which it will send the packets. This process is known as classification. The ASA uses the following criteria for classifying packets:

  • Unique interfaces: with this if only one context is associated with the ingress interface, then the ASA classifies the packet into the context.

  • Unique MAC addresses: Unique MACs are used when multiple contexts share an interface.

  • NAT Configuration: if unique MACs are not enabled, then the ASA will use mapped addresses in NAT config to classify packets.

Important note: If a destination MAC address is a multicast or broadcast MAC, then the packet is duplicated and delivered to each context.


Classification example: The same outside interface is shared so the classifier relies on unique mac address to properly pass the packet to the right context.

See the asa tag for additional ASA related posts, Cheers!

0 comments

Recent Posts

See All

ASA Security Contexts Tidbit

In this tidbit I want to explain what Cisco ASA Security Contexts are in this blog. A very plain & simple way to put it, security contexts are a way to logically divide the ASA into multiple logical

Fundamentals of PKI Tidbit

I want to touch on some of the fundamentals and standards involved with PKI to give us an overview of what things are/mean. To start let's cover what the standards are. So you have probably seen or

BGP Peer Groups Tidbit

I want to touch on BGP peer groups in this tidbit to explain what they are & why they are important. Peer groups in BGP can greatly simplify configuration when BGP neighbors share a lot of the same ou