
[ScreenOS] IP classification and inter-VSYS communication


Article ID: KB26331 KB Last Updated: 08 Jan 2013Version: 1.0
Summary:
This article provides information about the ingress and egress IP classification and inter-VSYS communication in a multi VSYS environment.
Symptoms:
Information about the ingress and egress IP classification and inter-VSYS communication in a multi-VSYS environment.
Cause:

Solution:
Ingress Interface/Source IP traffic classification:

The security device checks if the ingress interface is a dedicated interface or a shared interface:

  • If the ingress interface is dedicated to a VSYS (for example, v-i), the security device associates the traffic with the system to which the interface is dedicated.

  • If the ingress interface is a shared interface, the security device uses IP classification to check if the source IP address is associated with a particular VSYS.

  • If the source IP address is not associated with a particular VSYS, ingress IP classification fails.

  • If the source IP address is associated with a particular VSYS, ingress IP classification succeeds.

Egress Interface/Destination IP traffic classification:

The security device checks if the egress interface is shared or dedicated:

  • If the egress interface is dedicated to a VSYS (for example, v-e), the security device associates the traffic with the system to which the interface is dedicated.

  • If the egress interface is a shared interface, the security device uses IP classification to check if the destination IP address is associated with a particular VSYS.

  • If the destination IP address is not associated with a particular VSYS, egress IP classification fails.

  • If the destination IP address is associated with a particular VSYS, egress IP classification succeeds.

Based on the outcome of the ingress interface/source IP (I/S) and egress interface/destination IP (E/D) traffic classifications, the security device determines the VSYS to which the traffic belongs:

  • If I/S traffic classification is successful, but E/D traffic classification fails, the security device uses the set policy and route table for the VSYS that is associated with the ingress interface or source IP address (for example, the v-i VSYS).

  • If E/D traffic classification is successful, but I/S traffic classification fails, the security device uses the set policy and route table for the VSYS that is associated with the egress interface or destination IP address (for example, the v-e VSYS).

  • If both of the classification attempts are successful and the associated virtual systems are the same, the security device uses the set policy and route table for that VSYS.

  • If both of the classification attempts are successful, associated virtual systems are different, and the interfaces are bound to different shared security zones, then the security device drops the packet.

  • If both of the classification attempts are successful, associated virtual systems are different, and the interfaces are bound to the same shared security zone, the security device first uses the set policy and route table for the I/S VSYS and then uses the set policy and route table for the E/D VSYS.

  • If both of the classification attempts are successful, associated virtual systems are different, and the ingress and egress interfaces are bound to zones that are dedicated to different virtual systems, the security device first applies the set v-i policy and route table.
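The decision table above, worked through as an added Python model (this is not ScreenOS code and not part of the original article). The interface-to-VSYS, shared-zone and IP-classification tables are constructed for illustration; the two cases the article does not describe (both classifications failing, or one dedicated and one shared interface with different VSYS) are reported as "unclassified" rather than guessed.

```python
from ipaddress import ip_address, ip_network

# Constructed example tables, not a real ScreenOS configuration. Dedicated
# interfaces belong to one VSYS; shared interfaces sit in a shared zone and
# rely on the IP classification table to map addresses to a VSYS.
DEDICATED_IFACE = {"eth1": "v-i", "eth2": "v-e"}
SHARED_IFACE_ZONE = {"eth3": "Untrust", "eth4": "DMZ", "eth5": "Untrust"}
IP_CLASS = {"v-i": [ip_network("10.1.0.0/16")],
            "v-e": [ip_network("10.2.0.0/16")]}


def classify(iface, ip):
    """One side of the flow: the VSYS name, or None when classification fails."""
    if iface in DEDICATED_IFACE:
        return DEDICATED_IFACE[iface]          # dedicated interface wins outright
    addr = ip_address(ip)
    for vsys, prefixes in IP_CLASS.items():    # shared interface: IP classification
        if any(addr in p for p in prefixes):
            return vsys
    return None


def select_vsys(in_iface, src_ip, out_iface, dst_ip):
    """Return (action, vsys_order): which policy/route tables are consulted, in order."""
    is_vsys = classify(in_iface, src_ip)       # ingress interface / source IP (I/S)
    ed_vsys = classify(out_iface, dst_ip)      # egress interface / destination IP (E/D)
    if is_vsys and not ed_vsys:
        return "lookup", [is_vsys]
    if ed_vsys and not is_vsys:
        return "lookup", [ed_vsys]
    if not is_vsys and not ed_vsys:
        return "unclassified", []              # case not described by the article
    if is_vsys == ed_vsys:
        return "lookup", [is_vsys]
    # Both succeeded with different VSYS: the zones of the two interfaces decide.
    if in_iface in SHARED_IFACE_ZONE and out_iface in SHARED_IFACE_ZONE:
        if SHARED_IFACE_ZONE[in_iface] != SHARED_IFACE_ZONE[out_iface]:
            return "drop", []                  # different shared zones: packet dropped
        return "lookup", [is_vsys, ed_vsys]    # same shared zone: I/S first, then E/D
    if in_iface in DEDICATED_IFACE and out_iface in DEDICATED_IFACE:
        return "lookup", [is_vsys]             # zones dedicated to different VSYS: I/S applied first
    return "unclassified", []                  # mixed dedicated/shared: not described by the article
```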
