When you configure virtual segments, keep in mind the following points:
- The TPS does not provide a system-defined ANY-ANY virtual segment. However, you can create a "catch all" virtual segment to distribute your own inspection profile and protect network traffic that does not match any other inspection profile on the device. When you create a "catch all" virtual segment, be sure to assign all physical segments to it (traffic on an unassigned physical segment falls through to that segment's own profile) and to order it lowest in priority, so that more specific virtual segments are evaluated first and are not shadowed by the catch-all.
The priority order for virtual segments on the TPS is:
- User-defined virtual segments, matched on a specified VLAN ID (layer 2) and/or source/destination IP address (layer 3).
- Physical segments (any VLAN).
- A virtual segment is visible only to users who have access to the segment group that contains it.
- Virtual segments can be created that do not initially contain any physical segments.
- Virtual segments that were configured locally on an IPS device are merged into the global virtual segment listing when that device is added to the SMS.
- In a virtual segment definition, you must specify at least one VLAN ID, Source IP, or Destination IP traffic definition besides ANY.
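The precedence rules above are easy to get wrong in a large configuration, so here is a small model of them as an added example (this is not TPS or SMS code, and it does not reflect how the product stores segments). It evaluates user-defined virtual segments in priority order, falls back to the physical segment's profile when none matches, enforces the "at least one criterion besides ANY" rule, and shows both catch-all pitfalls: ordering the catch-all above a specific segment, and leaving a physical segment out of it. Segment names, profile names, the flows and the use of a 0.0.0.0/0 source prefix to express a catch-all are all assumptions constructed for the example.

```python
"""Precedence model for TPS virtual segments (added example, not product code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class VirtualSegment:
    name: str
    profile: str                         # inspection profile distributed to this segment
    priority: int                        # lower number is evaluated first; "lowest priority" = largest number
    physical_segments: frozenset         # physical segments the virtual segment is assigned to
    vlan_ids: frozenset = frozenset()    # empty = ANY VLAN
    src: tuple = ()                      # ip_network objects; empty = ANY source
    dst: tuple = ()                      # ip_network objects; empty = ANY destination

    def validate(self) -> None:
        # Rule from the notes: at least one VLAN ID, source IP or destination IP besides ANY.
        if not (self.vlan_ids or self.src or self.dst):
            raise ValueError(f"{self.name}: needs a VLAN ID, source IP or destination IP besides ANY")

    def matches(self, flow: "Flow") -> bool:
        if flow.physical_segment not in self.physical_segments:
            return False
        if self.vlan_ids and flow.vlan_id not in self.vlan_ids:
            return False
        if self.src and not any(ip_address(flow.src) in net for net in self.src):
            return False
        if self.dst and not any(ip_address(flow.dst) in net for net in self.dst):
            return False
        return True


@dataclass(frozen=True)
class Flow:
    physical_segment: str
    vlan_id: Optional[int]   # None = untagged
    src: str
    dst: str


def resolve_profile(flow, virtual_segments, physical_profiles):
    """Return (segment name, profile) in effect for `flow` under the TPS priority order."""
    for seg in sorted(virtual_segments, key=lambda s: s.priority):
        seg.validate()
        if seg.matches(flow):
            return seg.name, seg.profile
    # No user-defined virtual segment matched: the physical segment (any VLAN) applies.
    return flow.physical_segment, physical_profiles[flow.physical_segment]


# Constructed configuration: two physical segments with a default profile.
PHYSICAL = {"1A-1B": "default-profile", "2A-2B": "default-profile"}

finance = VirtualSegment(
    name="finance-vlan100", profile="finance-profile", priority=10,
    physical_segments=frozenset({"1A-1B"}),
    vlan_ids=frozenset({100}),
    dst=(ip_network("10.20.0.0/16"),),
)


def catch_all(priority, physical_segments):
    # A catch-all cannot be all-ANY (see validate), so it is modelled with a
    # 0.0.0.0/0 source prefix. Assumption: the page does not state how the
    # product itself expresses a catch-all.
    return VirtualSegment(
        name="catch-all", profile="baseline-profile", priority=priority,
        physical_segments=frozenset(physical_segments),
        src=(ip_network("0.0.0.0/0"),),
    )


# Constructed sample flows.
FINANCE_FLOW = Flow("1A-1B", 100, "192.0.2.10", "10.20.5.5")
GUEST_FLOW = Flow("2A-2B", 200, "192.0.2.11", "203.0.113.7")


def correct_config():
    """Catch-all assigned to every physical segment and ordered lowest."""
    segs = [finance, catch_all(priority=1000, physical_segments=PHYSICAL)]
    return (resolve_profile(FINANCE_FLOW, segs, PHYSICAL)[1],
            resolve_profile(GUEST_FLOW, segs, PHYSICAL)[1])


def catch_all_too_high():
    """Pitfall: catch-all ordered above the specific segment shadows it."""
    segs = [finance, catch_all(priority=1, physical_segments=PHYSICAL)]
    return resolve_profile(FINANCE_FLOW, segs, PHYSICAL)[1]


def catch_all_missing_segment():
    """Pitfall: catch-all not assigned to 2A-2B, so 2A-2B traffic falls through."""
    segs = [finance, catch_all(priority=1000, physical_segments={"1A-1B"})]
    return resolve_profile(GUEST_FLOW, segs, PHYSICAL)[1]


if __name__ == "__main__":
    print("correct:", correct_config())
    print("catch-all too high:", catch_all_too_high())
    print("catch-all missing segment:", catch_all_missing_segment())
```

Running the three scenarios makes the guidance concrete: with the catch-all ordered lowest and assigned everywhere, finance traffic gets its own profile and everything else gets the baseline; moved to the top, the catch-all swallows the finance traffic; left off a physical segment, that segment's traffic never reaches the catch-all profile at all.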