This article describes the limitations of using a secondary IP address on a Trust, DMZ, or Custom zone interface.
Problem or Goal:
The root (primary) and secondary IP addresses share the same physical Trust/DMZ/Custom zone Ethernet port. To reach both the root and the secondary subnets on that interface, a hub or switch is used to connect the multiple network devices to the single physical Trust/DMZ/Custom port.
The Secondary IP address feature was intended to increase the IP addressing range of the Trust, DMZ, and Custom zone interfaces when the root Trust/DMZ/Custom zone network addresses had been used up. A secondary IP address allows another network to reside on the same physical interface port (Trust/DMZ/Custom zone), with the NetScreen device routing that network's packets outbound.
Incoming traffic is supported for devices on the same subnet as the secondary IP, but traffic directed to the secondary IP address itself will not generate any replies.
For example, assume the NetScreen device has the secondary IP address 10.1.1.1 on its Trust interface. Hosts on the 10.1.1.0/24 subnet are reachable from the Untrust side. However, the secondary IP address itself (10.1.1.1) does not participate in any throughput traffic, so traffic addressed to it is not answered.
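As an added illustration, not part of the original article, the following ScreenOS CLI commands place a root address and a secondary address on one Trust zone interface and permit inbound traffic from Untrust to the secondary subnet. The interface name (ethernet1), the addresses, the address-book name "secondary-net", and the policy are assumptions chosen for this example.

```text
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.1.1/24
set interface ethernet1 ip 10.1.1.1/24 secondary
set address trust "secondary-net" 10.1.1.0 255.255.255.0
set policy from untrust to trust any "secondary-net" any permit
save
get interface ethernet1
```

The first three lines bind ethernet1 to the Trust zone, assign the root address 192.168.1.1/24, and add 10.1.1.1/24 as the secondary address on the same port; the address-book entry and policy allow Untrust sources to reach hosts in 10.1.1.0/24; `get interface ethernet1` confirms both addresses are present. To verify the limitation described above, ping from an Untrust-side host to a host connected to the ethernet1 segment, such as 10.1.1.10, and then to 10.1.1.1 itself: the host should answer (provided the upstream router has a route for 10.1.1.0/24 toward the NetScreen Untrust interface), while the secondary address will not reply.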
In ScreenOS 4.0.0 or later, a secondary IP address can be applied to any interface, including subinterfaces and redundant interfaces, as long as the interface is not bound to the Untrust zone.