beautypg.com

Configuring layer 3 subinterface forwarding – H3C Technologies H3C SecBlade FW Cards User Manual

Page 3

background image

2

The two ten-GigabitEthernet interfaces at both ends of the link between the switch and the firewall

card are configured as trunk.

The operating mode of the firewall card's ten-GigabitEthernet port that connects to the switch is
configured as Layer 2.

Configure VLAN interfaces with the same numbers as VLANs created on the switch for the firewall
card.

Add the firewall card's ten-GigabitEthernet interface and VLAN interfaces to security zones.

Inter-VLAN Layer 3 forwarding operates as follows:

1.

After receiving a packet, the switch adds the VLAN tag of the receiving interface to the packet and
if the packet is destined to another VLAN, sends the packet to the firewall card through the trunk

port in between.

2.

If the destination MAC address of the packet matches the MAC address of a VLAN interface, the
firewall card removes the Layer 2 header and delivers the packet to the Layer 3 forwarding
engine.

3.

The Layer 3 forwarding engine looks up a route entry for the packet and sends it out of the
outgoing VLAN interface.

4.

The incoming security zone for the packet is that of the ten-GigabitEthernet interface in the
incoming VLAN, and the outgoing security zone for the packet is that of the ten-GigabitEthernet

interface in the outgoing VLAN. The firewall card permits or denies the packet based on the

inter-zone policy. The security zone for a broadcast or multicast packet sent by the firewall card is
that for the corresponding VLAN interface.

Configuring Layer 3 subinterface forwarding

NOTE:

For the Layer 3 subinterface forwarding commands, see the command reference.

Perform the following configurations to achieve Layer 3 subinterface forwarding.

1.

Configure the ports of the switch

Create two VLANs. Assign the ingress port to one VLAN and egress port to the other.

Configure the switch’s ten-GigabitEthernet port that connects to the firewall card as a trunk port and

configure the trunk port to join these two VLANs.

2.

Configure the firewall card

Configure the operating mode of the firewall card's ten-GigabitEthernet port that connects to the

switch as routing.

Create two subinterfaces for the firewall card's ten-GigabitEthernet port. Associate them with the
VLANs created on the switch and set the encapsulation type as dot1q.

Assign IP addresses for the two subinterfaces.

Add these two subinterfaces to security zones.

NOTE:

To achieve Layer 3 forwarding between VLANs, you can create these VLANs on the switch and configure
the same number of subinterfaces for the ten-GigabitEthernet interface on the firewall card. Then add the
subinterfaces to security zones.

See also other documents in the category H3C Technologies Safety: