Interface Configurations for Root and Vsys Overview

Interfaces can be dedicated, shared, imported, and exported between root and vsys.

Note: When the root system is in L2V, you cannot import or export interfaces. For more information, see Layer 2 Vsys Configuration Overview.

At the root level, shared interfaces are bound to a shared zone. However, any physical, subinterface, redundant interface, or aggregate interface in the root system that is bound to a nonsharable zone is dedicated to the root system, and cannot be shared. To import an interface to a vsys, the interface must be in the null zone at the root level; to export an interface from a vsys, the interface must be in the null zone at the vsys level.

At the vsys level, you can configure interfaces as described in Table 63.

Table 63: Interface Configuration for Root and Vsys

| Interface Configuration | Description |
| --- | --- |
| Shared Interface | A shared interface is an interface that can be shared with the root system. To share a root interface, the interface must be shared at the root level and bound to a shared zone in a shared virtual router. By default, the untrust-vr and untrust zone are shared, enabling you to configure a vsys to share any root-level physical interface, subinterface, redundant interface, or aggregate interface that is bound to the untrust zone. |
| Dedicated Subinterface | A dedicated subinterface uses VLAN tagging, which enables the device to determine the vsys to which inbound or outbound traffic through that interface belongs. When you configure a subinterface in a vsys, the interface is dedicated to that vsys. |
| Imported Physical/Aggregate | A physical or aggregate interface in the null zone is imported from the root system, and then bound to a shared zone or the Trust-vsys_name zone. When you import a physical or aggregate interface from the root system, the vsys has exclusive use of that interface. You can also export interfaces in the null zone to the root system. When you export an interface to the root system, the root system has exclusive use of that interface. |

Using the VLAN Management Interface

To manage a vsys independent of the root system, you can create a management interface bound to the VLAN zone (automatically created when you create a vsys). Using the VLAN management interface, a vsys admin can manage the vsys using a unique IP address and VLAN ID.

You can bind more than one interface to the management zone.
