Cisco ASA Series CLI Configuration Manual page 223

Software version 9.0 for the services module

Chapter 1
Configuring Multiple Context Mode
How the ASA Classifies Packets
Each packet that enters the ASA must be classified, so that the ASA can determine to which context to
send a packet. This section includes the following topics:
Valid Classifier Criteria, page 1-3
Classification Examples, page 1-4
Note
If the destination MAC address is a multicast or broadcast MAC address, the packet is duplicated and
delivered to each context.

Valid Classifier Criteria
This section describes the criteria used by the classifier and includes the following topics:
Unique Interfaces, page 1-3
Unique MAC Addresses, page 1-3
NAT Configuration, page 1-3
Note
For management traffic destined for an interface, the interface IP address is used for classification.
The routing table is not used for packet classification.

Unique Interfaces
If only one context is associated with the ingress interface, the ASA classifies the packet into that
context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used
to classify packets at all times.

Unique MAC Addresses
If multiple contexts share an interface, then the classifier uses unique MAC addresses assigned to the
interface in each context. An upstream router cannot route directly to a context without unique MAC
addresses. By default, auto-generation of MAC addresses is enabled. You can also set the MAC
addresses manually when you configure each interface.

NAT Configuration
If you disable use of unique MAC addresses, then the ASA uses the mapped addresses in your NAT
configuration to classify packets. We recommend using MAC addresses instead of NAT, so that traffic
classification can occur regardless of the completeness of the NAT configuration.
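
The classification order described above, modelled as an added example (not Cisco's code and not part of the guide). Context names, MACs and addresses are constructed; placing the interface-IP check for management traffic in the fallback branch, limiting duplication to contexts on the ingress interface, and returning an empty list when nothing matches are assumptions of this model.

```python
import ipaddress

def sample_contexts(unique_macs):
    """Constructed sample: ctxA and ctxB share 'outside'; ctxB has no NAT yet."""
    mac = (lambda m: m) if unique_macs else (lambda m: None)
    return {
        "ctxA": {"ifaces": {"outside": {"mac": mac("a2d2.0400.00a1"), "ip": "203.0.113.2"},
                            "insideA": {"mac": None, "ip": "10.1.1.1"}},
                 "mapped": ["203.0.113.16/28"]},
        "ctxB": {"ifaces": {"outside": {"mac": mac("a2d2.0400.00b1"), "ip": "203.0.113.3"},
                            "insideB": {"mac": None, "ip": "10.2.1.1"}},
                 "mapped": []},
    }

def is_group_mac(mac):
    """True for broadcast/multicast MACs (low bit of the first octet is set)."""
    return bool(int(mac.replace(".", "")[:2], 16) & 1)

def classify(contexts, ingress, dst_mac, dst_ip):
    """Return the names of the contexts that receive the packet ([] = no match)."""
    candidates = [n for n, c in contexts.items() if ingress in c["ifaces"]]
    if is_group_mac(dst_mac):
        return candidates              # duplicated to each context on the interface
    if len(candidates) == 1:
        return candidates              # unique interface
    macs = {n: contexts[n]["ifaces"][ingress]["mac"] for n in candidates}
    if any(macs.values()):             # shared interface, unique MACs in use
        return [n for n in candidates if macs[n] == dst_mac]
    # Unique MACs disabled: interface IP (management traffic) or NAT mapped address.
    addr = ipaddress.ip_address(dst_ip)
    return [n for n in candidates
            if dst_ip == contexts[n]["ifaces"][ingress]["ip"]
            or any(addr in ipaddress.ip_network(net) for net in contexts[n]["mapped"])]

if __name__ == "__main__":
    BIA = "0011.2233.4455"             # constructed shared burned-in MAC
    for unique in (True, False):
        ctxs = sample_contexts(unique)
        dst_mac = "a2d2.0400.00b1" if unique else BIA
        # Destination 203.0.113.40 belongs to ctxB but has no NAT mapping there.
        print(unique, classify(ctxs, "outside", dst_mac, "203.0.113.40"))
```

With unique MACs the packet reaches ctxB even though ctxB has no NAT configured; with unique MACs disabled the same packet matches no context, which is the gap the guide's recommendation avoids.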
Information About Security Contexts
Cisco ASA Series CLI Configuration Guide
1-3
