Technical data
VSX Architecture and Concepts
Check Point VSX Administration Guide NGX R67 | 25
VSX Traffic Flow
Overview
A VSX gateway processes traffic according to the following steps:
1. Context determination
2. Security enforcement
3. Forwarding to destination
Context Determination
VSX incorporates VRF (Virtual Routing and Forwarding) technology that allows creation of multiple,
independent routing domains on a single VSX gateway or cluster. The independence of these routing
domains makes possible the use of virtual devices with overlapping IP addresses. Each routing domain is
known as a context.
When traffic arrives at a VSX gateway, a process known as Context Determination directs traffic to the
appropriate Virtual System, Virtual Router or Virtual Switch. The context determination process depends on
the virtual network topology and the connectivity of the virtual devices.
The three basic Virtual System connection scenarios are:
- Virtual System directly connected to a physical or VLAN interface
- Virtual System connected via a Virtual Switch
- Virtual System connected via a Virtual Router
Direct Connection to a Physical Interface
When traffic arrives at an interface (either physical or VLAN) that directly connects to a Virtual System, the
connection itself determines the context and traffic passes directly to the appropriate Virtual System via that
interface. In the following example, VSX automatically directs traffic arriving via VLAN Interface eth1.200
to Virtual System 2 according to the context defined by the VLAN ID.
Figure 2-9 Directly connected interface example
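The following Python sketch is an added illustration, not Check Point code or anything from the guide. It models context determination for directly connected interfaces followed by forwarding inside the selected routing domain, and shows why overlapping addresses do not collide. Only the eth1.200 to Virtual System 2 binding comes from the example above; all other interface names, prefixes, the `VS1`/`VS2` labels and the function names are assumptions, and the security enforcement step is not modelled.

```python
import ipaddress

# Constructed sample topology: only eth1.200 -> Virtual System 2 comes from
# the guide's example; every other name and prefix here is made up.
INTERFACE_CONTEXT = {
    "eth1.100": "VS1",
    "eth1.200": "VS2",
}

# One independent routing table per context (the VRF idea). Both contexts
# deliberately use the same overlapping 10.0.0.0/24 address space.
ROUTES = {
    "VS1": [("10.0.0.0/24", "eth2.100"), ("0.0.0.0/0", "eth3.100")],
    "VS2": [("10.0.0.0/24", "eth2.200"), ("10.0.0.128/25", "eth4.200")],
}


def determine_context(ingress_interface):
    """Direct connection: the ingress interface alone selects the context."""
    try:
        return INTERFACE_CONTEXT[ingress_interface]
    except KeyError:
        # Modelling choice: an interface bound to no context is an error.
        raise LookupError(f"no context bound to {ingress_interface}")


def lookup_route(context, dst_ip):
    """Longest-prefix match inside one context's table only."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, egress in ROUTES[context]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def forward(ingress_interface, dst_ip):
    """Context determination first, then routing within that context."""
    context = determine_context(ingress_interface)
    return context, lookup_route(context, dst_ip)


if __name__ == "__main__":
    for iface, dst in [("eth1.100", "10.0.0.200"), ("eth1.200", "10.0.0.200"),
                       ("eth1.200", "192.0.2.1")]:
        print(iface, dst, "->", forward(iface, dst))
```

The same destination, 10.0.0.200, leaves through a different interface depending only on which VLAN interface the packet arrived on, and a destination with no route in one context is never looked up in another context's table.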