Communication Between Virtual Systems Directly

On the FW, virtual systems are isolated by default. Host in different virtual system cannot communicate. If the hosts in different virtual systems need to communicate, you must configure policies and routes for the communication.

As shown in Figure 1, after communication between virtual systems is configured, users in the network segment 10.3.0.0/24 in the virtual system vsysa can access the server at 10.3.1.3 in the virtual system vsysb.

Figure 1 Communication between virtual systems

The virtual system vsysa initiates an access request to the virtual system vsysb. The request packet enters vsysa. vsysa processes the packet based on the firewall forwarding process. Then, the request packet enters vsysb. vsysb processes the packet based on the firewall forwarding process. The detailed process is as follows:

1. The client initiates a connection to the server.

2. The first packet arrives at the FW and is sent to vsysa based on the interface. vsysa processes the packet based on the firewall forwarding process, including matching the blacklist, looking up the routing table, performing NAT, and matching a security policy. If the packet is denied at any step, vsysa discards the packet, and the process ends. If the packet passes all the steps, vsysa forwards the packet to vsysb. At the same time, vsysa creates the following session for the connection:

   <FW> display firewall session table verbose vsys vsysa destination global 10.3.1.3
    Current Total Sessions : 1
    icmp  VPN: vsysa --> vsysb  ID: a48f344692260c574570cc177
    Zone: trust --> untrust  TTL: 00:00:20  Left: 00:00:20
    Recv Interface: GigabitEthernet 0/0/2
    Interface: Virtual-if1  NextHop: 0.0.0.0 
    <--packets: 5 bytes: 60 --> packets: 5 bytes: 420
    10.3.0.2:43986 --> 10.3.1.3:2048 PolicyName: vsysa_to_vsysb

3. After receiving the packet on the virtual interface Virtual-if2, vsysb processes the packet based on the firewall forwarding process, including matching the blacklist, looking up the routing table, performing NAT, and matching a security policy. If the packet is denied at any step, vsysb discards the packet, and the process ends. If the packet passes all the steps, vsysb forwards the packet to the server. At the same time, vsysb creates the following session for the connection.

   <FW> display firewall session table verbose vsys vsysb destination global 10.3.1.3
    Current Total Sessions : 1
    icmp  VPN: vsysb --> vsysb  ID: a48f3446923486676570cc177
    Zone: untrust --> trust  TTL: 00:00:20  Left: 00:00:20
    Recv Interface: Virtual-if2
    Interface: GigabitEthernet 0/0/1  NextHop: 10.1.2.1  MAC: 00e0-fc00-0014
    <--packets: 5 bytes: 60 --> packets: 5 bytes: 420
    10.3.0.2:43986 --> 10.3.1.3:2048 PolicyName: to_server

4. The packet is forwarded through the router and arrives at the server.

As both virtual systems need to process the packet based on the firewall forwarding process, policies and routes must be configured for the virtual systems.

• The key of policy configuration is to determine the source and destination security zones.

  Item		Description
  vsysa	Source zone	Security zone to which the inbound interface of the packet belongs, that is, security zone to which GE0/0/2 belongs in Figure 1
  	Destination zone	Security zone to which the virtual interface of vsysa belongs, that is, security zone to which Virtual-if1 belongs in Figure 1
  vsysb	Source zone	Security zone to which the virtual interface of vsysb belongs, that is, security zone to which Virtual-if2 belongs in Figure 1
  	Destination zone	Security zone to which the outbound interface of the packet belongs, that is, security zone to which GE0/0/1 belongs in Figure 1

• The following table shows the route configuration for the virtual systems.

  Item		Description
  vsysa	Forward route	Route to the server. As the packet is forwarded to the server through vsysb, you must configure the route from vsysa to vsysb. The route between virtual systems can only be a static route. Different from common static routes, this static route does not need the next hop or outbound interface. Instead, you must specify the virtual system of the server as the destination virtual system for the route. For the network in Figure 1, you can configure the static route as follows: <sysname> system-view [sysname] ip route-static vpn-instance vsysa 10.3.1.3 255.255.255.255 vpn-instance vsysb After the configuration is complete, vsysa generates the following routing table: [sysname] display ip routing-table vpn-instance vsysa Route Flags: R - relay, D - download to fib ------------------------------------------------------------------------------ Routing Tables: vsysa Destinations : 1 Routes : 1 Destination/Mask Proto Pre Cost Flags NextHop Interface 10.3.1.3/32 Static 60 0 D 0.0.0.0 Virtual-if2 NOTE: IPv6 routing configuration does not support virtualization. When IPv6 virtual systems access each other, run the ipv6 route-static vpn-instance vsysa dest-ipv6-address prefix-length vpn-instance vsysb command in the system view of the public system to configure a route from vsysa to vsysb.
  	Return route	Route to the client. It can be a dynamic route (such as OSPF) or a static route. For the network in Figure 1, you can configure a static route to the client as follows (10.1.1.1 is the next hop from the FW to the client): <sysname> system-view [sysname] switch vsys vsysa <sysname-vsysa> system-view [sysname-vsysa] ip route-static 10.3.0.0 255.255.255.0 10.1.1.1 NOTE: IPv6 routing configuration does not support virtualization. When IPv6 virtual systems access each other, run the ipv6 route-static vpn-instance vsysa dest-ipv6-address prefix-length interface-type interface-number [ nexthop-ipv6-address ] command in the system view of the public system to configure a route from vsysa to the client.
  vsysb	Forward route	Route to the server. It can be a dynamic route (such as OSPF) or a static route. For the network in Figure 1, you can configure a static route to the server as follows (10.1.2.1 is the next hop from the FW to the server): <sysname> system-view [sysname] switch vsys vsysb <sysname-vsysb> system-view [sysname-vsysb] ip route-static 10.3.1.0 255.255.255.0 10.1.2.1 NOTE: IPv6 routing configuration does not support virtualization. When IPv6 virtual systems access each other, run the ipv6 route-static vpn-instance vsysb dest-ipv6-address prefix-length interface-type interface-number [ nexthop-ipv6-address ] command in the system view of the public system to configure a route from vsysb to the server.
  	Return route	In vsysb, you do not need to configure return routes for the packets replied by the server. The reply packets from the server will match the session table of vsysb and be directly forwarded to vsysa. This route configuration is different from that for forwarding within one virtual system.

The preceding configuration allows only the unidirectional communication from vsysa to vsysb.

If hosts in vsysb need to access hosts in vsysa, you must configure the route from vsysb to vsysa. As shown in Figure 1, run the ip route-static vpn-instance vsysb 10.3.0.3 255.255.255.255 vpn-instance vsysa command to allow hosts in vsysb to access the host at 10.3.0.3 in vsysa. In addition, you must configure a policy. The source and destination security zones in the policy is reverse as those for the access from vsysa to vsysb.