Traffic does not pass from one shared zone to other shared zone in Root VSYS

[KB8339]


Summary:
Traffic does not pass from one shared zone to other shared zone in Root VSYS when using VLAN-based traffic classification
Symptoms:
With VLAN-based classification configured, the following rules apply when two shared zones in the root VSYS need to exchange traffic:

a) When IP classification is disabled on both the ingress and egress zones: traffic that passes through a shared zone whose vsys has IP classification disabled fails IP classification. Here both the ingress and egress zones are shared zones with IP classification disabled, so the packet is dropped because the device cannot determine which vsys to use for the policy lookup.

b) When IP classification is enabled on both zones but the traffic itself has not been classified, IP classification still fails and the packet is dropped for the same reason: the device cannot determine which vsys to use for the policy lookup.
Solution:
Below are the recommended commands to allow traffic to pass from one shared zone to another shared zone in the root VSYS:

set ip-classification default root
set zone "shared_zone_1" ip-classification
set zone "shared_zone_2" ip-classification

"set ip-classification default root" allows unclassified packets to be passed to the root vsys policy instead of being dropped; the two "set zone ... ip-classification" commands enable IP classification on each shared zone.


Before:

-------------------------------------------------------------------------------
SIG-NS-1-> get ip-classification

IP classification mode: default (use both source and destination classification)

IP classification default: drop unclassified packets
-------------------------------------------------------------------------------

SIG-NS-1-> set ip-classification default root
-------------------------------------------------------------------------------

After:

SIG-NS-1-> get ip-classification

IP classification mode: default (use both source and destination classification)

IP classification default: apply root policy for unclassified packets
-------------------------------------------------------------------------------
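Added check, not part of this KB article: a small Python parser for the "get ip-classification" output shown above, so the unclassified-packet default can be audited across devices together with the per-zone ip-classification setting. The BEFORE and AFTER samples are constructed from the transcript above; the per-zone flags are an assumed input gathered separately from the zone configuration.

```python
import re

# Constructed samples modelled on the "get ip-classification" output in this
# article, before and after "set ip-classification default root".
BEFORE = """IP classification mode: default (use both source and destination classification)
IP classification default: drop unclassified packets
"""
AFTER = """IP classification mode: default (use both source and destination classification)
IP classification default: apply root policy for unclassified packets
"""

MODE_RE = re.compile(r"^IP classification mode:\s*(\S+)", re.M)
DEFAULT_RE = re.compile(r"^IP classification default:\s*(.+?)\s*$", re.M)


def parse_ip_classification(output: str) -> dict:
    """Parse 'get ip-classification' text into mode, default action and a
    boolean saying whether unclassified packets are dropped."""
    mode = MODE_RE.search(output)
    default = DEFAULT_RE.search(output)
    if not mode or not default:
        raise ValueError("unrecognised get ip-classification output")
    action = default.group(1)
    return {
        "mode": mode.group(1),
        "default": action,
        "drops_unclassified": action.lower().startswith("drop"),
    }


def shared_zone_traffic_expected(output: str, zones_classified: dict) -> bool:
    """Return True when, per the article, traffic between two shared zones in
    the root vsys should be forwarded: unclassified packets must go to the
    root policy and every shared zone involved must have ip-classification
    enabled. zones_classified maps zone name -> bool (assumed input, taken
    from the 'set zone ... ip-classification' lines of the config)."""
    parsed = parse_ip_classification(output)
    if parsed["drops_unclassified"]:
        return False
    return bool(zones_classified) and all(zones_classified.values())
```

Flagging devices where the default is "apply root policy" is also useful from the audit side, since it widens the forwarding path for unclassified traffic to the root policy set.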