Hi D.M.Gore

With multiple contexts, you need a unique parameter to classify the packet
and send it to the appropriate context. For that we can use either IP addresses
or VLANs.
The ASA checks the "Source interface vlan" and the destination IP address.

Typically the actual use of multiple contexts comes into play when two or more
contexts share the same interface. Let's say G0/1 is the inside interface
connected to the LAN and G0/0 is the outside interface connected to the internet.
Two contexts use G0/1 and G0/0 with the same topology for different sets of users.
To differentiate the incoming packets and move them to the appropriate context,
the ASA looks for these parameters.


You can use the following two rules:

If the VLAN is shared across multiple contexts, the IP address subnet on
each of the VLANs should be unique.

If the IP address subnet is the same, then the VLANs should be unique for each
context.

For your question given below: you can either use three different inside
physical interfaces for the three contexts, or use one single physical
interface with three sub-interfaces with VLANs in different subnets. If
you want to use the same subnet as source for all the three subnets, then
destination routing should be different for the three contexts.



"Let's take an example: ASA has three contexts A, B and C. They are sharing
outside interface i.e. Giga0/0 with IP address. Internet router is attached
to ASA's outside interface. Now in this scenario how ASA will divert a
packet coming from internet to correct context from where connection is
originated?"


With regards
Kings

On Thu, Sep 10, 2009 at 12:59 PM, Dnyaneshwar Gore <[email protected]> wrote:

> Hi All,
>
> I read in one of the docs that we can share an IP address on a shared interface
> in different contexts. Is it correct? If yes, then how will the packet classifier
> classify the packet?
> Let's take an example: ASA has three contexts A, B and C. They are sharing
> outside interface i.e. Giga0/0 with IP address. Internet router is attached
> to ASA's outside interface. Now in this scenario how ASA will divert a
> packet coming from internet to correct context from where connection is
> originated?
>
> One way is a separate MAC address for the outside interface. But in this case,
> the returned packet will go to all contexts as they are having the same outside IP
> address.
>
> Another way is NAT destination IP address. But in this case, destination IP
> will be from outside ip address range only. So once again it will go to all
> contexts.
>
> Kindly help me in this case.
>
> Regards,
> D.M.Gore
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
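The two rules in the reply above (a shared VLAN needs unique subnets; a shared subnet needs unique VLANs) can be checked mechanically. The following is an added example, not part of the original thread and not the ASA's own classifier logic: it is a simplified model keyed on (VLAN, destination subnet), and the context names, VLAN IDs and subnets are constructed sample values.

```python
import ipaddress
from itertools import combinations

def parse(contexts):
    """Turn {context: [(vlan, "cidr"), ...]} into ip_network objects."""
    return {name: [(vlan, ipaddress.ip_network(cidr)) for vlan, cidr in ifaces]
            for name, ifaces in contexts.items()}

def find_conflicts(contexts):
    """Context pairs that break both rules at once: same VLAN AND overlapping subnet."""
    conflicts = []
    for (a, a_ifs), (b, b_ifs) in combinations(sorted(parse(contexts).items()), 2):
        for vlan_a, net_a in a_ifs:
            for vlan_b, net_b in b_ifs:
                if vlan_a == vlan_b and net_a.overlaps(net_b):
                    conflicts.append((a, b, vlan_a, str(net_a), str(net_b)))
    return conflicts

def classify(contexts, vlan, dst_ip):
    """Contexts matching a packet's (VLAN, destination IP); more than one is ambiguous."""
    dst = ipaddress.ip_address(dst_ip)
    return sorted(name for name, ifaces in parse(contexts).items()
                  if any(v == vlan and dst in net for v, net in ifaces))

# Constructed sample layouts (all values are illustrative assumptions).
SHARED_VLAN_UNIQUE_SUBNETS = {      # rule 1: VLAN shared, subnets unique
    "A": [(100, "10.1.1.0/24")],
    "B": [(100, "10.1.2.0/24")],
    "C": [(100, "10.1.3.0/24")],
}
SAME_SUBNET_UNIQUE_VLANS = {        # rule 2: subnet shared, VLANs unique
    "A": [(10, "10.1.1.0/24")],
    "B": [(20, "10.1.1.0/24")],
    "C": [(30, "10.1.1.0/24")],
}
SHARED_VLAN_SAME_SUBNET = {         # shared interface and same subnet, as in the question
    "A": [(100, "192.0.2.0/24")],
    "B": [(100, "192.0.2.0/24")],
    "C": [(100, "192.0.2.0/24")],
}

if __name__ == "__main__":
    for label, cfg in [("shared VLAN, unique subnets", SHARED_VLAN_UNIQUE_SUBNETS),
                       ("same subnet, unique VLANs", SAME_SUBNET_UNIQUE_VLANS),
                       ("shared VLAN, same subnet", SHARED_VLAN_SAME_SUBNET)]:
        print(label, "->", find_conflicts(cfg) or "no conflicts")
```

In the third layout every pair of contexts conflicts, so neither the VLAN nor the destination subnet alone can pick one context for a packet.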