beautypg.com

Inter-vlan layer 3 forwarding, Configuring layer 3 subinterface forwarding – H3C Technologies H3C SecPath F1000-E User Manual

Page 289

background image

264

Inter-VLAN Layer 3 forwarding

If the destination MAC address of an incoming packet matches the MAC address of a VLAN interface,

the firewall card removes the Layer 2 header and delivers the packet to the Layer 3 forwarding engine.
The following prerequisites are necessary for inter-VLAN Layer 3 forwarding:

The ingress interface and egress interface on the switch belong to different VLANs.

The two ten-GigabitEthernet interfaces at both ends of the link between the switch and the firewall
card are configured as trunk.

The operating mode of the firewall card's ten-GigabitEthernet port that connects to the switch is

configured as Layer 2.

Configure VLAN interfaces with the same numbers as VLANs created on the switch for the firewall
card.

Add the firewall card's ten-GigabitEthernet interface and VLAN interfaces to security zones.

Inter-VLAN Layer 3 forwarding operates as follows:

1.

After receiving a packet, the switch adds the VLAN tag of the receiving interface to the packet and
if the packet is destined to another VLAN, sends the packet to the firewall card through the trunk

port in between.

2.

If the destination MAC address of the packet matches the MAC address of a VLAN interface, the
firewall card removes the Layer 2 header and delivers the packet to the Layer 3 forwarding
engine.

3.

The Layer 3 forwarding engine looks up a route entry for the packet and sends it out of the
outgoing VLAN interface.

4.

The incoming security zone for the packet is that of the ten-GigabitEthernet interface in the
incoming VLAN, and the outgoing security zone for the packet is that of the ten-GigabitEthernet

interface in the outgoing VLAN. The firewall card permits or denies the packet based on the

inter-zone policy. The security zone for a broadcast or multicast packet sent by the firewall card is
that for the corresponding VLAN interface.

Configuring Layer 3 subinterface forwarding

For the Layer 3 subinteface forwarding configuration commands, see the Interface management

commands.

Configuring Layer 3 subinterface forwarding

Perform the following configurations to achieve Layer 3 subinterface forwarding.

1.

Configure the ports of the switch

Create two VLANs. Assign the ingress port to one VLAN and egress port to the other.

Configure the switch’s ten-GigabitEthernet port that connects to the firewall card as a trunk port and
configure the trunk port to join these two VLANs.

2.

Configure the firewall card

Configure the operating mode of the firewall card's ten-GigabitEthernet port that connects to the
switch as routing.