
Five FE Interfaces Share one MAC Address, Making the Interzone Packet Filtering Invalid

Publication Date: 2012-07-25
Issue Description
After five FE cards are inserted into the MIC slots of the firewall and the five FE interfaces are added to different security zones for interzone packet filtering, the packet filtering does not take effect and the ACL rules are never matched. Checking the configuration shows that data packets belonging to different security zones arrive at the USG2200 from the lower-layer device in the same security zone; they do not enter through the interfaces assigned to them.
Alarm Information
None.
Handling Process
1. Divide the lower-layer device into the same VLANs as those configured on the USG2200. This solves the problem.
2. Alternatively, change the network design so that the five interfaces on the five FE interface cards are not divided into different security zones.
Root Cause
The five FE interfaces on the USG2200 share one MAC address, and because VLANs cannot be divided on the lower-layer switch, the switch can learn only a single MAC entry for that address. When forwarding data packets, the lower-layer device therefore cannot tell the interfaces apart and in effect randomly selects one interface through which the packets enter the USG2200.
As soon as the five FE interfaces are divided into two or more security zones while VLANs cannot be divided on the lower-layer device, interzone packet filtering stops taking effect: data packets belonging to different security zones all enter the USG2200 in one zone.
See the figure.

The lower-layer switch learns the MAC address as the arrow in the figure shows. The data packets from PC 1 enter the USG2200 through interface Vlanif 30, so the interzone packet filtering does not take effect.
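As an added illustration (not part of the original case and not Huawei code), the following constructed Python model of the lower-layer switch's MAC table shows why a flat switch collapses the five firewall interfaces into one entry, so that hosts from four of the five VLANs reach the USG2200 in the wrong zone, while per-VLAN learning keeps every interface distinct. The shared MAC, port numbers, VLAN IDs, interface names and zone names are all assumptions.

```python
# Constructed value: the MAC address shared by all five FE interfaces.
FW_MAC = "00:e0:fc:11:22:33"

# Constructed layout: switch port -> (firewall interface, VLAN of the hosts
# behind that port, security zone the interface was placed in).
FW_PORTS = {
    1: ("FE-1", 10, "trust"),
    2: ("FE-2", 20, "dmz"),
    3: ("FE-3", 30, "untrust"),
    4: ("FE-4", 40, "guest"),
    5: ("FE-5", 50, "mgmt"),
}


class Switch:
    """Minimal L2 forwarding table; vlan_aware=True models per-VLAN learning."""

    def __init__(self, vlan_aware):
        self.vlan_aware = vlan_aware
        self.table = {}

    def _key(self, mac, vlan):
        return (vlan, mac) if self.vlan_aware else mac

    def learn(self, mac, vlan, port):
        # A flat switch keeps one entry per MAC, so the last learning event
        # wins (a real switch may flap between ports; the effect is the same).
        self.table[self._key(mac, vlan)] = port

    def lookup(self, mac, vlan):
        return self.table.get(self._key(mac, vlan))


def firewall_replies(switch):
    """The firewall answers ARP on every interface, so FW_MAC is seen on all ports."""
    for port, (_, vlan, _) in FW_PORTS.items():
        switch.learn(FW_MAC, vlan, port)


def ingress_zone(switch, pc_vlan):
    """Zone in which the firewall receives a frame sent by a host in pc_vlan."""
    return FW_PORTS[switch.lookup(FW_MAC, pc_vlan)][2]


def misdirected_vlans(switch):
    """VLANs whose traffic lands in a zone other than the planned one; these are
    exactly the flows for which interzone packet filtering no longer matches."""
    return [vlan for _, vlan, zone in FW_PORTS.values()
            if ingress_zone(switch, vlan) != zone]
```

Running `misdirected_vlans` on a `Switch(vlan_aware=False)` after `firewall_replies` lists VLANs 10 to 40 as misdirected (everything lands on the last-learned port), whereas a `Switch(vlan_aware=True)` lists none.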
Suggestions
Review the network plan carefully and be familiar with the product features. Do not divide the five interfaces on the five FE interface cards into multiple security zones.
