VLANs cannot be divided on the lower-layer switch, and the MAC addresses of the five FE interfaces on the USG2200 are the same. Therefore, when the lower-layer switch learns the MAC address, it can learn only one MAC entry. As a result, when forwarding data packets, the lower-layer device cannot distinguish the interfaces and randomly selects one through which the packets enter the USG2200.
If the five FE interfaces are divided into two or more security zones and VLANs cannot be divided on the lower-layer device, interzone packet filtering does not take effect. Data packets that belong to different security zones enter one zone.
See the figure.
The lower-layer switch learns the MAC address as shown by the arrow in the figure. The data packets of PC 1 enter the USG2200 through interface Vlanif 30. As a result, interzone packet filtering does not take effect.
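
The learning behaviour described above, as an added simulation that is not part of the original page or of any Huawei code. It models three of the five FE interfaces; the MAC address, switch port numbers, Vlanif 10 and 20, the zone names, and the assumption that PC 1 is meant to use Vlanif 10 are all constructed for illustration.

```python
# Added illustration: MAC, port numbers, Vlanif 10/20 and zone names are constructed.
FW_MAC = "00:e0:fc:00:00:01"   # single MAC shared by the firewall's FE interfaces
# switch port -> (Vlanif behind that port, security zone); zone names are assumptions
FW_PORTS = {1: ("Vlanif 10", "trust"), 2: ("Vlanif 20", "dmz"), 3: ("Vlanif 30", "untrust")}
PC1_PORT = 10                  # PC 1 is meant to reach Vlanif 10 (assumption)
SEGMENTED = {1: 10, 2: 20, 3: 30, PC1_PORT: 10}   # port -> VLAN on a VLAN-capable switch


class LearningSwitch:
    """Minimal MAC-learning switch: the FDB maps (vlan, mac) -> port."""

    def __init__(self, port_vlan=None):
        # port_vlan=None models a switch on which VLANs cannot be divided:
        # every port sits in the same default VLAN 1.
        self.port_vlan = port_vlan
        self.fdb = {}

    def vlan_of(self, port):
        return 1 if self.port_vlan is None else self.port_vlan[port]

    def learn(self, port, src_mac):
        # The most recent frame overwrites any earlier entry for this (vlan, mac).
        self.fdb[(self.vlan_of(port), src_mac)] = port

    def egress(self, in_port, dst_mac):
        # None means the address is unknown and the frame would be flooded.
        return self.fdb.get((self.vlan_of(in_port), dst_mac))


def pc1_ingress(switch, tx_order):
    """Return (Vlanif, zone, FDB size) for PC 1's traffic to the firewall MAC.

    tx_order is the order in which the firewall's ports were last seen sending.
    """
    for port in tx_order:
        switch.learn(port, FW_MAC)
    out = switch.egress(PC1_PORT, FW_MAC)
    vlanif, zone = FW_PORTS.get(out, ("flooded to all ports", None))
    return vlanif, zone, len(switch.fdb)


if __name__ == "__main__":
    for order in ([1, 2, 3], [3, 2, 1]):
        print("no VLANs  ", order, pc1_ingress(LearningSwitch(), order))
        print("with VLANs", order, pc1_ingress(LearningSwitch(SEGMENTED), order))
```

Without VLANs the switch holds one entry and PC 1's ingress interface depends only on which firewall port transmitted last; with per-port VLANs it holds one entry per VLAN and the ingress interface is fixed.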