VSX Traffic Flow

Context Determination

VSX (Virtual System Extension) is the Check Point virtual networking solution. It is hosted on a computer or cluster and provides virtual abstractions of Check Point Security Gateways and other network devices; these Virtual Devices provide the same functionality as their physical counterparts. VSX incorporates VRF (Virtual Routing and Forwarding) technology, which allows the creation of multiple, independent routing domains on a single VSX Gateway or VSX Cluster (two or more Security Gateways that work together in a redundant configuration, either High Availability or Load Sharing). Because these routing domains are independent, Virtual Devices can use overlapping IP addresses. Each routing domain is known as a context.

When traffic arrives at a VSX Gateway, a process known as Context Determination directs it to the appropriate Virtual System (VS), Virtual Router (VR) or Virtual Switch (VSW). A Virtual System is a Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway; a Virtual Router is a Virtual Device that functions as a physical router; a Virtual Switch is a Virtual Device that functions as a physical switch. The context determination process depends on the virtual network topology and on how the Virtual Devices are connected.

The basic Virtual System connection scenarios are:

  • Virtual System directly connected to a physical or VLAN interface

  • Virtual System connected through a Virtual Switch

  • Virtual System connected through a Virtual Router

Direct Connection to a Physical Interface

When traffic arrives at an interface (either physical or VLAN) that directly connects to a Virtual System, the connection itself determines the context and traffic passes directly to the appropriate Virtual System via that interface.

This diagram shows traffic from a physical VLAN switch that is sent to an interface on the VSX Gateway.

Item  Description
1     Internet
2     Router
3     VSX Gateway
4     Virtual Switch
5     Virtual System 1
6     eth1.100
7     eth1.200
8     Virtual System 2
9     VLAN Switch
10    VLAN 100
11    VLAN 200
      VLAN Interface
      VLAN Trunk
      Warp Link (WRP): logical interface that is created automatically in a VSX topology between a Virtual System and a Virtual Switch, or between a Virtual System and a Virtual Router.

VSX automatically directs traffic arriving via VLAN Interface eth1.200 to Virtual System 2 according to the context defined by the VLAN ID.

Connection through a Virtual Switch

Traffic arriving via a Virtual Switch passes to the appropriate Virtual System based on the destination MAC address, as defined in the Virtual Switch forwarding table.

Traffic arrives at the Virtual System via the Warp Link associated with the designated MAC address.

Item  Description
1     Internet
2     Router
3     VSX Gateway
4     Virtual Switch
5     MAC 00:12:C1:CE:00:01
6     Virtual System 1
7     Virtual System 2
8     MAC 00:12:C1:CE:00:03
9     VLAN Switch
10    VLAN 100
11    VLAN 200
      VLAN Interface
      VLAN Trunk
      Warp Link

If the destination MAC address does not exist in the Virtual Switch forwarding table, the frame is flooded to all Warp Links defined on that Virtual Switch, so every Virtual System connected to the switch receives it.

The Virtual Switch scenario is common for inbound traffic from external networks or the Internet.

Connection through a Virtual Router

Traffic arriving via a Virtual Router passes to the appropriate Virtual System based on entries in the Virtual Router routing table.

Routing may be destination-based, source-based or both. Traffic arrives at the designated Virtual System via its Warp Link.

Item  Description
1     Internet
2     Router
3     VSX Gateway
4     Virtual Router
5     172.23.10.11
6     Virtual System 1
7     Virtual System 2
8     172.69.22.30
9     VLAN Switch
10    VLAN 100
11    VLAN 200
      VLAN Interface
      VLAN Trunk
      Warp Link

Security Enforcement

Since each Virtual System functions as an independent Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources), it maintains its own, unique security policy (a collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection) to protect the network behind it. The designated Virtual System inspects all traffic and allows or blocks it based on the rules contained in its security policy; traffic that matches no rule is dropped by the implicit cleanup rule.
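The three connection scenarios above (direct VLAN interface, Virtual Switch, Virtual Router) and the per-Virtual-System enforcement that follows them, modelled in Python as an added example. This is not Check Point code and does not describe the product's internals; it only shows the decision each scenario makes. All interface names, MAC addresses, Warp Link names (wrp1 to wrp4), IP ranges and rules are constructed sample data, the policy is reduced to destination/port first-match with an implicit drop, and consulting source-based routes before destination routes is an assumption of this model.

```python
"""Constructed model of VSX context determination and per-context enforcement.
Added example, not Check Point code; see the lead-in for its assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ingress: str   # physical or VLAN interface the frame arrived on, e.g. "eth1.200"
    dst_mac: str
    src_ip: str
    dst_ip: str
    dport: int


class VirtualSwitch:
    """Layer 2 device: choose the Warp Link from the forwarding table by
    destination MAC; an unknown MAC is flooded to every Warp Link."""

    def __init__(self, fdb, warp_links):
        self.fdb = {mac.lower(): wrp for mac, wrp in fdb.items()}
        self.warp_links = list(warp_links)

    def select(self, pkt):
        wrp = self.fdb.get(pkt.dst_mac.lower())
        return [wrp] if wrp else list(self.warp_links)


class VirtualRouter:
    """Layer 3 device: source-based routes are consulted before destination
    routes (an assumption of this model), then longest-prefix destination match."""

    def __init__(self, dst_routes, src_routes=()):
        self.dst_routes = [(ip_network(n), wrp) for n, wrp in dst_routes]
        self.src_routes = [(ip_network(n), wrp) for n, wrp in src_routes]

    def select(self, pkt):
        src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
        for net, wrp in self.src_routes:
            if src in net:
                return [wrp]
        hits = [(net.prefixlen, wrp) for net, wrp in self.dst_routes if dst in net]
        return [max(hits)[1]] if hits else []


class VSXGateway:
    def __init__(self, direct, devices, warp_owner, policies):
        self.direct = direct          # interface -> Virtual System bound directly to it
        self.devices = devices        # interface -> Virtual Switch or Virtual Router
        self.warp_owner = warp_owner  # Warp Link -> Virtual System it terminates on
        self.policies = policies      # Virtual System -> ordered (action, dst_net, dport)

    def determine_context(self, pkt):
        """Virtual System(s) that receive the packet; more than one only when a
        Virtual Switch floods a frame with an unknown destination MAC."""
        if pkt.ingress in self.direct:            # scenario 1: direct VLAN/physical
            return [self.direct[pkt.ingress]]
        dev = self.devices.get(pkt.ingress)       # scenarios 2 and 3
        if dev is None:
            return []                             # interface belongs to no context
        return [self.warp_owner[wrp] for wrp in dev.select(pkt)]

    def enforce(self, vs, pkt):
        """First-match lookup in one Virtual System's own policy; no match is
        the implicit cleanup drop."""
        dst = ip_address(pkt.dst_ip)
        for action, net, dport in self.policies.get(vs, []):
            if dst in ip_network(net) and dport in (None, pkt.dport):
                return action
        return "drop"

    def process(self, pkt):
        return {vs: self.enforce(vs, pkt) for vs in self.determine_context(pkt)}


# Constructed topology. VS1 and VS2 both protect 10.1.0.0/16: the overlap is
# legal because each Virtual System is an independent routing context.
GATEWAY = VSXGateway(
    direct={"eth1.100": "vs1", "eth1.200": "vs2"},
    devices={
        "eth0": VirtualSwitch({"00:12:C1:CE:00:01": "wrp1",
                               "00:12:C1:CE:00:03": "wrp2"}, ["wrp1", "wrp2"]),
        "eth2": VirtualRouter(dst_routes=[("172.23.10.0/24", "wrp3"),
                                          ("172.69.22.0/24", "wrp4")],
                              src_routes=[("192.0.2.0/24", "wrp4")]),
    },
    warp_owner={"wrp1": "vs1", "wrp2": "vs2", "wrp3": "vs1", "wrp4": "vs2"},
    policies={
        "vs1": [("accept", "10.1.0.0/16", 443)],
        "vs2": [("accept", "10.1.0.0/16", 22), ("drop", "10.1.0.0/16", None)],
    },
)

if __name__ == "__main__":
    flow = dict(dst_mac="00:12:C1:CE:00:01", src_ip="198.51.100.7",
                dst_ip="10.1.0.5", dport=443)
    # Identical 5-tuple, different VLAN: VS1 accepts, VS2 drops it.
    print(GATEWAY.process(Packet(ingress="eth1.100", **flow)))  # {'vs1': 'accept'}
    print(GATEWAY.process(Packet(ingress="eth1.200", **flow)))  # {'vs2': 'drop'}
```

The point to take from the run is that the ingress context, not the IP header, decides which policy applies: the same packet to 10.1.0.5:443 is accepted when it arrives on eth1.100 (VS1) and dropped when it arrives on eth1.200 (VS2). The flood case is also visible: a frame with an unknown destination MAC on the Virtual Switch reaches both Virtual Systems, each of which then applies its own rules.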

Forwarding to Destination

Each Virtual System maintains its own unique configuration and rules for processing and forwarding traffic to its final destination. This configuration also includes definitions and rules for NAT, VPN, and other advanced features.