Layer 3 forwarding configuration, Layer 3 forwarding overview, Layer 3 subinterface forwarding – H3C Technologies H3C SecPath F1000-E User Manual
Layer 3 forwarding configuration
For the configurations on a switch, see "Configuring Layer 3 subinterface forwarding."
Layer 3 forwarding overview
Layer 3 forwarding involves Layer 3 subinterface forwarding and inter-VLAN Layer 3 forwarding.
Layer 3 subinterface forwarding
If the VLAN tag of an incoming packet matches the PVID of a subinterface of the receiving interface on
the firewall, the firewall removes the Layer 2 header and sends the packet to the subinterface.
Figure 168 Layer 3 subinterface forwarding
The following prerequisites are necessary for Layer 3 subinterface forwarding:
• The ingress interface and egress interface on the switch belong to different VLANs.
• The switch's ten-GigabitEthernet interface that connects to the firewall card is configured as trunk.
• The operating mode of the firewall card's ten-GigabitEthernet port that connects to the switch is configured as Layer 3.
• Subinterfaces are configured for the firewall card's ten-GigabitEthernet port. Associate them with VLANs created on the switch and set the encapsulation type to dot1q.
• Add the subinterfaces of the firewall card that connects to the switch to security zones.
Layer 3 subinterface forwarding operates as follows:
1. After receiving a packet, the switch adds the VLAN tag of the receiving interface to the packet and, if the packet is not destined for that VLAN, sends it to the firewall card through the trunk port between them.
2. If the VLAN tag of the packet matches the PVID of a subinterface, the firewall card removes the Layer 2 header and sends the packet to the Layer 3 forwarding engine.
3. The Layer 3 forwarding engine looks up a route entry for the packet and sends it out of the outgoing Layer 3 subinterface.
4. The incoming security zone for the packet is the security zone of the receiving Layer 3 subinterface, and the outgoing security zone for the packet is that of the outgoing Layer 3 subinterface. The outgoing and incoming subinterfaces may be in the same or different security zones. The firewall card permits or denies the packet based on the inter-zone policy.
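Steps 2 through 4 above, modeled as a small Python sketch (an added example, not H3C code or CLI). The subinterface names, VLAN IDs, prefixes, zone names and policy table are constructed, and treating a zone pair with no policy entry as denied is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SubIf:
    name: str     # hypothetical subinterface name
    vlan: int     # VLAN ID matched against the incoming dot1q tag
    zone: str     # security zone the subinterface was added to
    network: str  # directly connected prefix, used as the route entry

# Constructed sample data, not taken from the manual.
SUBIFS = [
    SubIf("XGE0/0.10", 10, "Trust", "192.168.10.0/24"),
    SubIf("XGE0/0.20", 20, "DMZ", "192.168.20.0/24"),
    SubIf("XGE0/0.30", 30, "Trust", "192.168.30.0/24"),
]
# Constructed inter-zone policy keyed by (incoming zone, outgoing zone).
POLICY = {
    ("Trust", "DMZ"): "permit",
    ("DMZ", "Trust"): "deny",
    ("Trust", "Trust"): "permit",
}

def forward(vlan_tag, dst_ip, subifs=SUBIFS, policy=POLICY):
    """Return (verdict, incoming zone, outgoing zone, outgoing subinterface)."""
    # Step 2: the tag must match a subinterface or the packet goes nowhere.
    ingress = next((s for s in subifs if s.vlan == vlan_tag), None)
    if ingress is None:
        return ("drop: no subinterface for tag", None, None, None)
    # Step 3: longest-prefix route lookup selects the outgoing subinterface.
    dst = ipaddress.ip_address(dst_ip)
    routes = [s for s in subifs if dst in ipaddress.ip_network(s.network)]
    if not routes:
        return ("drop: no route", ingress.zone, None, None)
    egress = max(routes, key=lambda s: ipaddress.ip_network(s.network).prefixlen)
    # Step 4: the zone pair, not the VLAN pair, decides permit or deny.
    # Assumption: a zone pair with no entry is denied.
    verdict = policy.get((ingress.zone, egress.zone), "deny")
    return (verdict, ingress.zone, egress.zone, egress.name)

if __name__ == "__main__":
    for tag, dst in [(10, "192.168.20.5"), (20, "192.168.10.5"),
                     (10, "192.168.30.9"), (99, "192.168.10.5")]:
        print(tag, dst, forward(tag, dst))
```

VLANs 10 and 30 sit in the same zone here, so traffic between them is still evaluated against a policy entry for that zone pair, which is the case to review when auditing which VLANs share a zone.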