Routing tags as assigned by the firewall and interface tags as defined by the IP networks have a great deal in common, but also some important differences:
- The router interprets both tags in the same way. Packets with the interface tag '2' are valid for routes with the routing tag set to '2' in the routing table (and all routes with the default route tag '0'). The same routes apply for packets which the firewall has assigned with the routing tag '2'. Thus the interface tag is used in the same way as a routing tag.
- Interface tags have the additional ability to delimit the visibility (or accessibility) between different networks:
- In principle, only networks with the same interface tag are "visible" to one another and thus able to interconnect.
- Networks with the interface tag '0' have a special significance; they are in effect supervisor networks. These networks can see all of the other networks and can connect to them. Networks with an interface tag not equal to '0' cannot make connections to supervisor networks, however.
- Networks of the 'DMZ' type can be seen by all other networks independently of their interface tag, which makes sense, since the DMZ often contains servers which are open to the public, like web servers etc. The DMZ networks themselves only see networks with the same interface tag (and of course all other DMZ networks).
Networks of the 'DMZ' type with the interface tag '0' have a special significance: As "supervisor networks" they can see all other networks, and they are also visible to all other networks.
Routing table
IP address | Netmask | Interface tag | Router |
---|---|---|---|
255.255.255.255 | 0.0.0.0 | 1 | Provider A |
255.255.255.255 | 0.0.0.0 | 2 | Provider B |
Note: For cases which do not allow IP addresses to be uniquely assigned by interface tag, the Advanced Routing and Forwarding can be supported by firewall rules. In the above example, this would be the case if each of the networks were to support a public web or mail server, all of which use the same IP address.
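The two rules above, tag-based route selection and interface-tag visibility, modelled as an added example (not LANCOM code). The network names, the 10.0.0.0/8 LAN route with tag '0' and the tag-3 packet are constructed for illustration; the two default routes are the ones from the table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Network:
    name: str
    tag: int           # interface tag defined on the IP network
    dmz: bool = False  # network type 'DMZ'


def can_see(src: Network, dst: Network) -> bool:
    """True if src may open connections to dst under the interface-tag visibility rules."""
    if dst.dmz:           # DMZ networks are visible to every network, whatever its tag
        return True
    if src.tag == 0:      # interface tag 0: supervisor network, sees all other networks
        return True
    return src.tag == dst.tag  # otherwise only networks with the same tag see each other


@dataclass(frozen=True)
class Route:
    dest: str     # 255.255.255.255 with netmask 0.0.0.0 is the default route in this table style
    netmask: str
    tag: int      # routing tag; 0 means the route applies to packets with any tag
    router: str


def select_route(dst_ip: str, packet_tag: int, routes) -> Optional[Route]:
    """Longest-prefix match over routes whose routing tag is 0 or equals the packet's tag."""
    best = None
    for r in routes:
        if r.tag not in (0, packet_tag):   # route not valid for this tag: skip it
            continue
        net = ip_network(f"{r.dest}/{r.netmask}", strict=False)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


# Constructed sample: the two default routes from the table plus an assumed tag-0 LAN route.
ROUTES = [
    Route("255.255.255.255", "0.0.0.0", 1, "Provider A"),
    Route("255.255.255.255", "0.0.0.0", 2, "Provider B"),
    Route("10.0.0.0", "255.0.0.0", 0, "LAN"),
]
# Constructed networks: two tagged LANs, a supervisor network and a DMZ with tag 1.
INTRANET, PARTNER = Network("INTRANET", 1), Network("PARTNER", 2)
MGMT, DMZ = Network("MGMT", 0), Network("DMZ", 1, dmz=True)
```

A packet tagged '3' finds no default route here, which is exactly the isolation the tags are meant to enforce; a firewall rule assigning a routing tag is what would make such traffic routable.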