This article provides information about the ingress and egress IP classification and inter-VSYS communication in a multi VSYS environment.
Ingress Interface/Source IP traffic classification:
The security device checks if the ingress interface is a dedicated interface or a shared interface:
- If the ingress interface is dedicated to a VSYS (for example, v-i), the security device associates the traffic with the system to which the interface is dedicated.
- If the ingress interface is a shared interface, the security device uses IP classification to check if the source IP address is associated with a particular VSYS.
- If the source IP address is not associated with a particular VSYS, ingress IP classification fails.
- If the source IP address is associated with a particular VSYS, ingress IP classification succeeds.
Egress Interface/Destination IP traffic classification:
The security device checks if the egress interface is shared or dedicated:
- If the egress interface is dedicated to a VSYS (for example, v-e), the security device associates the traffic with the system to which the interface is dedicated.
- If the egress interface is a shared interface, the security device uses IP classification to check if the destination IP address is associated with a particular VSYS.
- If the destination IP address is not associated with a particular VSYS, egress IP classification fails.
- If the destination IP address is associated with a particular VSYS, egress IP classification succeeds.
Based on the outcome of the ingress interface/source IP (I/S) and egress interface/destination IP (E/D) traffic classifications, the security device determines the VSYS to which the traffic belongs:
- If I/S traffic classification is successful, but E/D traffic classification fails, the security device uses the set policy and route table for the VSYS that is associated with the ingress interface or source IP address (for example, the v-i VSYS).
- If E/D traffic classification is successful, but I/S traffic classification fails, the security device uses the set policy and route table for the VSYS that is associated with the egress interface or destination IP address (for example, the v-e VSYS).
- If both of the classification attempts are successful and the associated virtual systems are the same, the security device uses the set policy and route table for that VSYS.
- If both of the classification attempts are successful, the associated virtual systems are different, and the interfaces are bound to different shared security zones, the security device drops the packet.
- If both of the classification attempts are successful, the associated virtual systems are different, and the interfaces are bound to the same shared security zone, the security device first uses the set policy and route table for the I/S VSYS and then uses the set policy and route table for the E/D VSYS.
- If both of the classification attempts are successful, the associated virtual systems are different, and the ingress and egress interfaces are bound to zones that are dedicated to different virtual systems, the security device first uses the set policy and route table for the v-i VSYS.
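The decision procedure above can be worked through as code. The following is an added example, not part of the original article and not ScreenOS code: it models dedicated and shared interfaces, shared and dedicated zones, and an IP classification table, then returns the ordered list of virtual systems whose set policy and route table are consulted (an empty list means the packet is dropped). The topology, interface names, zone names and subnets are constructed for the example. Two points are assumptions rather than statements of the article: for the last case (zones dedicated to different virtual systems) the article only says the I/S VSYS tables are applied first, and the example assumes the E/D VSYS tables follow, as in the same-shared-zone case; and combinations the article does not describe (both classifications failing, or one shared zone and one dedicated zone) raise an error instead of guessing.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology for this example (not taken from any real configuration).


@dataclass(frozen=True)
class Zone:
    name: str
    vsys: Optional[str]  # None = shared zone; otherwise the VSYS the zone is dedicated to


@dataclass(frozen=True)
class Interface:
    name: str
    zone: Zone
    vsys: Optional[str]  # None = shared interface; otherwise dedicated to that VSYS


# IP classification table (consulted only for shared interfaces): subnet -> VSYS.
IP_CLASSIFICATION = {
    ip_network("10.1.0.0/16"): "v-i",
    ip_network("10.2.0.0/16"): "v-e",
}

SHARED_TRUST = Zone("Shared-Trust", None)
SHARED_DMZ = Zone("Shared-DMZ", None)
VI_TRUST = Zone("v-i-Trust", "v-i")
VE_TRUST = Zone("v-e-Trust", "v-e")

INTERFACES = {
    "eth1": Interface("eth1", SHARED_TRUST, None),  # shared interface, shared zone
    "eth2": Interface("eth2", SHARED_TRUST, None),  # shared interface, same shared zone
    "eth3": Interface("eth3", SHARED_DMZ, None),    # shared interface, other shared zone
    "eth4": Interface("eth4", VI_TRUST, "v-i"),     # dedicated to v-i
    "eth5": Interface("eth5", VE_TRUST, "v-e"),     # dedicated to v-e
}


def classify_by_ip(ip: str) -> Optional[str]:
    """Look the address up in the IP classification table; None if unclassified."""
    addr = ip_address(ip)
    for net, vsys in IP_CLASSIFICATION.items():
        if addr in net:
            return vsys
    return None


def classify(iface: Interface, ip: str) -> Optional[str]:
    """Ingress (interface, source IP) and egress (interface, destination IP)
    follow the same rule: a dedicated interface decides outright, a shared
    interface falls back to IP classification."""
    if iface.vsys is not None:
        return iface.vsys
    return classify_by_ip(ip)


def select_vsys(ingress: Interface, src_ip: str, egress: Interface, dst_ip: str) -> list:
    """Return the VSYS whose set policy and route table are used, in order.
    An empty list means the packet is dropped."""
    v_is = classify(ingress, src_ip)  # I/S classification
    v_ed = classify(egress, dst_ip)   # E/D classification

    if v_is is None and v_ed is None:
        # Not covered by the article's rules; refuse to guess.
        raise ValueError("both I/S and E/D classification failed: case not described")
    if v_ed is None:
        return [v_is]                 # only I/S succeeded
    if v_is is None:
        return [v_ed]                 # only E/D succeeded
    if v_is == v_ed:
        return [v_is]                 # both succeeded, same VSYS

    # Both succeeded with different VSYS: the zone bindings decide.
    zi, ze = ingress.zone, egress.zone
    if zi.vsys is None and ze.vsys is None:
        # Same shared zone: I/S tables first, then E/D. Different shared zones: drop.
        return [v_is, v_ed] if zi == ze else []
    if zi.vsys is not None and ze.vsys is not None and zi.vsys != ze.vsys:
        # Zones dedicated to different VSYS: I/S tables first (article);
        # that the E/D tables follow is an assumption of this example.
        return [v_is, v_ed]
    raise ValueError("zone combination not described by the article's rules")


if __name__ == "__main__":
    i = INTERFACES
    print(select_vsys(i["eth1"], "10.1.5.5", i["eth3"], "192.168.1.1"))  # ['v-i']
    print(select_vsys(i["eth1"], "10.1.5.5", i["eth2"], "10.2.3.3"))     # ['v-i', 'v-e']
    print(select_vsys(i["eth1"], "10.1.5.5", i["eth3"], "10.2.3.3"))     # [] (drop)
```

Running the three calls at the bottom shows the three outcomes that matter operationally: a flow whose destination cannot be classified is handled entirely by the source's VSYS, a flow between two classified addresses on the same shared zone traverses both policy sets, and the same flow across two different shared zones is dropped before any policy is consulted.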