
Configuration procedure, Configuring the switch – H3C Technologies H3C SecBlade IPS Cards User Manual

NOTE:

In this solution, packets need to re-enter the switch through the back board, so the same MAC address is learned on different ports and the MAC address table keeps flapping between them. Therefore, you need to disable MAC address learning on the 10GE ports of the back board.

A packet with a broadcast or unknown destination MAC address is broadcast in the VLAN. It is therefore forwarded to the SecBlade IPS card through the 10GE interface, and the card sends it back to the switch after processing. The switch then resends it through all ports in the VLAN, including the receiving interface. To avoid this loop, you need to configure a filtering rule on the 10GE interfaces that allows only packets whose destination MAC address is the MAC address of the VLAN interface to pass.

Configuration Procedure

Configuring the switch

Perform the following configurations on the switch:

1. Create two VLANs and the corresponding VLAN interfaces, configure IP addresses for the VLAN interfaces, and add the internal and external network interfaces to different VLANs.

2. Configure the switch's 10GE interface connected to the SecBlade IPS card as a trunk interface that allows the packets of the above two VLANs to pass, and disable MAC address learning on the 10GE interface.

3. Create an advanced ACL, to be used by the internal network redirection policy, that matches all Layer 3 IP packets.

4. Create an advanced ACL, to be used by the external network redirection policy, that matches Layer 3 IP packets destined for the internal network.

5. Create a Layer 2 ACL to deny forwarding of ARP and other Layer 2 packets.

6. Configure a redirection policy on the internal network interface to redirect packets matching the internal network ACL to the internal interface connected to the SecBlade IPS card.

7. Configure a redirection policy on the external network interface to redirect packets matching the external network ACL to the internal interface connected to the SecBlade IPS card.

8. Configure a filtering policy on the 10GE interface connected to the SecBlade IPS card that references the Layer 2 ACL to deny forwarding of ARP and other Layer 2 packets.

NOTE:

If the switch has multiple internal network interfaces, you need to create multiple VLANs and VLAN interfaces and add these internal network interfaces to the corresponding VLANs. The other configurations are similar.
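The procedure above carried through as a complete switch configuration. This is an added example, not configuration taken from the manual, written in configuration-file form (as shown by display current-configuration, so without quit commands). The VLAN IDs, interface names, IP addresses and ACL numbers are constructed, and the QoS-policy redirection syntax follows Comware V5 conventions, which is an assumption: the commands available on your switch model may differ.

```text
# Added example in configuration-file form (no "quit" lines); names and
# addresses are constructed and the exact syntax depends on the switch model
# One VLAN and one VLAN interface per side (internal: 10, external: 20)
vlan 10
 port GigabitEthernet 1/0/1
vlan 20
 port GigabitEthernet 1/0/2
interface Vlan-interface 10
 ip address 192.168.10.1 255.255.255.0
interface Vlan-interface 20
 ip address 10.1.1.1 255.255.255.0
# 10GE link to the IPS card: trunk both VLANs, no MAC address learning
interface Ten-GigabitEthernet 2/0/1
 port link-type trunk
 port trunk permit vlan 10 20
 mac-address mac-learning disable
# Internal side: all IP traffic is sent to the IPS card
acl number 3000
 rule permit ip
# External side: only IP traffic destined for the internal network
acl number 3001
 rule permit ip destination 192.168.10.0 0.0.0.255
# Layer 2 ACL matching ARP (Ethertype 0x0806), used by the 10GE filter
acl number 4000
 rule permit type 0806 ffff
# Classifiers bind the ACLs; behaviors redirect to the card or drop
traffic classifier c-int
 if-match acl 3000
traffic classifier c-ext
 if-match acl 3001
traffic classifier c-arp
 if-match acl 4000
traffic behavior b-to-ips
 redirect interface Ten-GigabitEthernet 2/0/1
traffic behavior b-drop
 filter deny
qos policy p-int
 classifier c-int behavior b-to-ips
qos policy p-ext
 classifier c-ext behavior b-to-ips
qos policy p-filter
 classifier c-arp behavior b-drop
interface GigabitEthernet 1/0/1
 qos apply policy p-int inbound
interface GigabitEthernet 1/0/2
 qos apply policy p-ext inbound
interface Ten-GigabitEthernet 2/0/1
 qos apply policy p-filter inbound
```

After applying it, display mac-address on the 10GE interface should show no learned entries, and a packet capture on the internal port should no longer show duplicated broadcasts.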

Follow these steps to configure the switch:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Create the internal network VLAN | vlan vlan-id | Required |
| Add the internal network port to the internal network VLAN | port interface-list | Required. By default, all ports belong to VLAN 1. |
| Create the external network VLAN | vlan vlan-id | Required |