
Layer 3 forwarding configuration, Layer 3 forwarding overview, Layer 3 subinterface forwarding – H3C Technologies H3C SecBlade FW Cards User Manual


Layer 3 forwarding configuration

Layer 3 forwarding overview

Layer 3 forwarding involves Layer 3 subinterface forwarding and inter-VLAN Layer 3 forwarding.

Layer 3 subinterface forwarding

If the VLAN tag of an incoming packet matches the PVID of a subinterface of the receiving interface on the firewall, the firewall removes the Layer 2 header and sends the packet to the subinterface.

Figure 1 Layer 3 subinterface forwarding

The following prerequisites are necessary for Layer 3 subinterface forwarding:

The ingress interface and egress interface on the switch belong to different VLANs.

The switch's ten-GigabitEthernet interface that connects to the firewall card is configured as a trunk.

The operating mode of the firewall card's ten-GigabitEthernet port that connects to the switch is configured as Layer 3.

Subinterfaces are configured for the firewall card's ten-GigabitEthernet port. Associate them with VLANs created on the switch and set the encapsulation type to dot1q.

Add the subinterfaces of the firewall card that connect to the switch to security zones.

Layer 3 subinterface forwarding operates as follows:

1. After receiving a packet, the switch adds the VLAN tag of the receiving interface to the packet. If the packet is not destined to the VLAN the switch tagged, the switch sends the packet to the firewall card through the trunk port between them.

2. If the VLAN tag of the packet matches the PVID of a subinterface, the firewall card removes the Layer 2 header and sends the packet to the Layer 3 forwarding engine.

3. The Layer 3 forwarding engine looks up a route entry for the packet and sends it out of the outgoing Layer 3 subinterface.

4. The incoming security zone for the packet is the security zone of the receiving Layer 3 subinterface, and the outgoing security zone for the packet is that of the outgoing Layer 3 subinterface. The outgoing and incoming subinterfaces may be in the same or different security zones. The firewall card permits or denies the packet based on the inter-zone policy.
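As an added illustration (not code from the manual or from H3C), the following Python model walks a tagged frame through steps 2 to 4: match the 802.1Q VLAN ID against a subinterface PVID, strip the Layer 2 header, pick the outgoing subinterface by longest-prefix route lookup, and apply an inter-zone policy keyed by the two subinterfaces' zones. The subinterface names, addresses, zone names and the default-deny behaviour are assumptions for the example.

```python
import ipaddress

# Constructed sample tables (hypothetical names, not from the manual).
# Subinterface name -> (PVID, security zone)
SUBIFS = {
    "XGE0/0.10": (10, "Trust"),
    "XGE0/0.20": (20, "Untrust"),
}
# Destination prefix -> outgoing Layer 3 subinterface
ROUTES = {
    ipaddress.ip_network("10.1.1.0/24"): "XGE0/0.10",
    ipaddress.ip_network("192.168.2.0/24"): "XGE0/0.20",
}
# Inter-zone policy: (incoming zone, outgoing zone) -> permit.
# Any pair without a rule is denied (default-deny is an assumption here).
POLICY = {("Trust", "Untrust"): True}


def build_frame(vid: int, dst_ip: str) -> bytes:
    """Constructed 802.1Q-tagged IPv4 frame with a minimal 20-byte IPv4 header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tag = b"\x81\x00" + vid.to_bytes(2, "big") + b"\x08\x00"  # TPID, TCI, EtherType=IPv4
    ip = b"\x45\x00\x00\x14" + b"\x00" * 8 + b"\x0a\x01\x01\x01"  # src 10.1.1.1
    return eth + tag + ip + ipaddress.ip_address(dst_ip).packed


def forward(frame: bytes) -> str:
    """Model of the firewall card's decision for one tagged frame from the trunk."""
    if len(frame) < 38 or frame[12:14] != b"\x81\x00":
        return "drop: untagged or truncated frame"
    vid = int.from_bytes(frame[14:16], "big") & 0x0FFF  # 12-bit VLAN ID
    ip_pkt = frame[18:]  # step 2: remove the Layer 2 header (14 bytes + 4-byte tag)
    in_sub = next((n for n, (pvid, _) in SUBIFS.items() if pvid == vid), None)
    if in_sub is None:
        return f"drop: no subinterface with PVID {vid}"
    dst = ipaddress.ip_address(ip_pkt[16:20])  # IPv4 destination address
    matches = [(net, out) for net, out in ROUTES.items() if dst in net]
    if not matches:
        return "drop: no route"
    out_sub = max(matches, key=lambda m: m[0].prefixlen)[1]  # step 3: longest prefix
    in_zone, out_zone = SUBIFS[in_sub][1], SUBIFS[out_sub][1]  # step 4: zones
    if POLICY.get((in_zone, out_zone), False):
        return f"permit: {in_sub}({in_zone}) -> {out_sub}({out_zone})"
    return f"deny: {in_zone} -> {out_zone} blocked by inter-zone policy"
```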

Inter-VLAN Layer 3 forwarding

If the destination MAC address of an incoming packet matches the MAC address of a VLAN interface, the firewall card removes the Layer 2 header and delivers the packet to the Layer 3 forwarding engine.

The following prerequisites are necessary for inter-VLAN Layer 3 forwarding:

The ingress interface and egress interface on the switch belong to different VLANs.