Always Geeky

Why does packet-tracer sometimes work when used within a multi-context environment, but sometimes not work? It can seem rather random as to the success, but it is actually quite predictable, once you know why it does fail when it does.

Packet-tracer simulates a packet arriving on an interface, and the internal path taken to either drop the packet or send it out an interface, without actually sending the packet.

Multi-context firewalls allow you to run discrete virtual firewalls on a single hardware device – much like virtualization.

The problem with packet-tracer is a simulated packet arriving on a shared interface.  Input parameters for the packet-tracer command are limited to layer 3/4, being the source & destination IP address, and the source & destination port. If you have a shared interface on the device, real incoming packets will be sent to the correct context based on the destination MAC address. Packet-tracer does not allow you to specify a destination (nor a source) MAC address, therefore it does not know which context to send the packet to.