Lsb1ips1a0 card configuration, Configuration overview, From internal network to external network – H3C Technologies H3C SecBlade IPS Cards User Manual
Figure 18 Configure the segment
LSB1IPS1A0 Card Configuration
NOTE:
The LSB1IPS1A0 card is only for the Comware V3 S9500 switches.
Configuration Overview
The switch and the SecBlade IPS card are connected through internal 10GE interfaces. The switch uses
VLAN interfaces to perform Layer 3 forwarding. Configure redirection on the internal and external
network interfaces of the switch so that incoming IP packets matching the VLAN interface are redirected
to the internal 10GE interface connected to the SecBlade IPS card. After processing the IP packets, the
card forwards them back to the switch through its internal 10GE interface, and the switch performs
Layer 3 forwarding for the packets. The detailed data forwarding process is as follows.
From internal network to external network
1. Packets from the internal network enter the switch.
2. Packets whose destination MAC address is the MAC address of the VLAN interface are
redirected to the SecBlade IPS card.
3. After processing the packets, the SecBlade IPS card forwards them back to the switch.
4. The switch forwards the packets out its external network interface.
From external network to internal network
1. Packets from the external network enter the switch.
2. Packets whose destination MAC address is the MAC address of the VLAN interface are
redirected to the SecBlade IPS card.
3. After processing the packets, the SecBlade IPS card forwards them back to the switch.
4. The switch forwards the packets out its internal network interface.
If the switch has multiple SecBlade IPS cards installed, you can implement load balancing by configuring
redirection policies on the internal and external network interfaces. Request packets received from
different internal network interfaces are redirected to different SecBlade IPS cards, and a response
packet from the external network is processed by the SecBlade IPS card that processed the
corresponding request packet from the internal network.
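The load-balancing requirement above, that a response reaches the same card as its request, can be checked offline against a planned redirection policy. The following Python sketch is an added example, not part of the H3C manual or the switch's own tooling. It assumes that each internal interface serves one subnet and that the external-side policy picks a card by destination subnet with first-match semantics; all interface names, subnets and card names are constructed.

```python
import ipaddress

# Constructed sample policy. Interface names, subnets and card names are
# assumptions for illustration; they do not come from the manual.
INTERNAL_POLICY = {  # internal interface -> (subnet behind it, card for requests)
    "int-1": ("10.1.0.0/24", "ips-card-1"),
    "int-2": ("10.2.0.0/24", "ips-card-2"),
    "int-3": ("10.3.0.0/24", "ips-card-1"),
}
EXTERNAL_POLICY = [  # external interface rules: (destination subnet, card)
    ("10.1.0.0/24", "ips-card-1"),
    ("10.2.0.0/25", "ips-card-2"),
    ("10.2.0.128/25", "ips-card-1"),  # wrong card for half of int-2's hosts
    # no rule for 10.3.0.0/24: responses to int-3 hosts are not redirected
]

def response_card(dst, external_rules):
    """Card that receives a response to dst (assumed first-match), or None."""
    for subnet, card in external_rules:
        if dst in ipaddress.ip_network(subnet):
            return card
    return None

def audit(internal, external_rules):
    """Return (interface, range, request_card, response_card) for each
    address range whose responses miss the card that saw the request."""
    findings = []
    for ifname, (subnet, req_card) in internal.items():
        bad = {}  # response card (or None) -> host networks affected
        for addr in ipaddress.ip_network(subnet):
            resp_card = response_card(addr, external_rules)
            if resp_card != req_card:
                bad.setdefault(resp_card, []).append(ipaddress.ip_network(str(addr)))
        for resp_card, hosts in bad.items():
            for net in ipaddress.collapse_addresses(hosts):
                findings.append((ifname, str(net), req_card, resp_card))
    return findings

if __name__ == "__main__":
    for ifname, net, req, resp in audit(INTERNAL_POLICY, EXTERNAL_POLICY):
        print(f"{ifname} {net}: request via {req}, response via {resp or 'no card'}")
```

An empty result means every internal address sees its requests and responses on the same card; any finding marks a range where the card inspecting the response has no record of the request, or where the response is not redirected at all.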