HP VPN Firewall Appliances Network Management Configuration Guide

[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] port inline-interfaces 1
Configuration guidelines
When you configure inline forwarding, follow these guidelines:
• Inline forwarding is applicable to Layer 2 Ethernet interfaces and subinterfaces.
• An interface can be assigned to only one inline forwarding policy. If you assign an interface to multiple policies, the last configuration takes effect.
• If you assign a subinterface to an inline forwarding entry, the main interface must be assigned to the VLAN whose ID is used as the subinterface number. For example, if the subinterface GigabitEthernet 0/1.2 is assigned to an inline forwarding entry, the interface GigabitEthernet 0/1 must be assigned to VLAN 2 so inline forwarding can be implemented.
• If an interface and its subinterface are assigned to different forward-type inline forwarding entries, the forwarding entry with the main interface takes precedence. For example, if the interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2 are assigned to one forward-type inline forwarding entry, and the subinterfaces GigabitEthernet 0/1.2 and GigabitEthernet 0/2.3 are assigned to another forward-type inline forwarding entry, the data received from GigabitEthernet 0/1 is forwarded through the interface GigabitEthernet 0/2, and vice versa; the entry containing the subinterfaces does not take effect for that traffic.
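The guidelines above are easy to violate in a large configuration, so a pre-deployment check that applies them to a list of bindings is useful. The following checker is an added example written for this guide, not HP code: it models each "port inline-interfaces N" binding as a Binding record in configuration order, takes each main interface's VLAN membership as a dictionary, and reports the "last binding wins" case, the missing-VLAN case, and the main-interface precedence case. The Binding, check_inline_config and split_interface names, the "forward" entry type label and the interface-name regex are this example's own assumptions; interface names are written without the space used in the prose (GigabitEthernet0/1.2).

```python
"""Checker for the inline forwarding guidelines (added example, not HP code)."""
import re
from dataclasses import dataclass

# Matches "GigabitEthernet0/1" and "GigabitEthernet0/1.2" (assumed naming form).
SUBIF_RE = re.compile(r"^(?P<main>[A-Za-z]+\d+/\d+)(?:\.(?P<sub>\d+))?$")


@dataclass
class Binding:
    entry: int                    # entry number, e.g. 1 in "port inline-interfaces 1"
    interface: str                # "GigabitEthernet0/1" or "GigabitEthernet0/1.2"
    entry_type: str = "forward"   # only forward-type entries carry the precedence rule


def split_interface(name):
    """Return (main_interface, subinterface_number_or_None)."""
    m = SUBIF_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised interface name: {name}")
    sub = m.group("sub")
    return m.group("main"), (int(sub) if sub is not None else None)


def check_inline_config(bindings, vlan_membership):
    """bindings: Binding records in the order they were configured.
    vlan_membership: {main_interface: set of VLAN IDs the interface belongs to}.
    Returns a list of (severity, message) findings."""
    findings = []
    effective = {}  # interface -> the binding that takes effect (last one wins)
    for b in bindings:
        if b.interface in effective:
            findings.append(("warning",
                f"{b.interface} was already bound to entry {effective[b.interface].entry}; "
                f"entry {b.entry} takes effect"))
        effective[b.interface] = b

    for name, b in effective.items():
        main, sub = split_interface(name)
        if sub is None:
            continue
        # Subinterface X.N requires main interface X to be a member of VLAN N.
        if sub not in vlan_membership.get(main, set()):
            findings.append(("error",
                f"{name} is bound to entry {b.entry} but {main} is not in VLAN {sub}"))
        # A main interface in a different forward-type entry overrides the subinterface.
        parent = effective.get(main)
        if (parent is not None and parent.entry != b.entry
                and parent.entry_type == "forward" and b.entry_type == "forward"):
            findings.append(("info",
                f"{main} (entry {parent.entry}) takes precedence over {name} (entry {b.entry})"))
    return findings


if __name__ == "__main__":
    # Constructed configuration mirroring the example in the guidelines.
    cfg = [Binding(1, "GigabitEthernet0/1"), Binding(1, "GigabitEthernet0/2"),
           Binding(2, "GigabitEthernet0/1.2"), Binding(2, "GigabitEthernet0/2.3")]
    vlans = {"GigabitEthernet0/1": {2}, "GigabitEthernet0/2": {3}}
    for severity, msg in check_inline_config(cfg, vlans):
        print(f"[{severity}] {msg}")
```

Running it on the guide's own example yields two "info" findings showing that entry 1 (the main interfaces) shadows entry 2 (the subinterfaces); removing VLAN 3 from GigabitEthernet0/2 turns the second finding into an error, which is the misconfiguration that silently breaks inline forwarding on that subinterface.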
Configuring inter-VLAN Layer 2 forwarding
How inter-VLAN Layer 2 forwarding works
Inter-VLAN Layer 2 forwarding accomplishes communication between VLANs at the data link layer, and is typically used on firewall cards. For more information about inter-VLAN Layer 2 forwarding configuration commands, see Network Management Command Reference.
Firewall cards are new products launched by HP for various network applications. As shown in Figure 77, a firewall card collaborates with a switch to filter Layer 2 traffic arriving at the switch before forwarding the traffic.
Figure 77 Inter-VLAN Layer 2 forwarding
Inter-VLAN Layer 2 forwarding operates as follows:
1. After receiving a packet, the switch adds the VLAN tag of the receiving interface to the packet. If the packet is not destined to the VLAN that the switch tagged, the switch sends the packet to the firewall card through the trunk port between them.
2. The firewall card replaces the VLAN tag of the packet with its own VLAN tag and then handles the packet according to its security settings.
3. The firewall card replaces its own VLAN tag in the packet with the VLAN ID encoded in the number of the egress subinterface, and sends the packet to the switch (the egress subinterface is found through a MAC address table lookup).
4. The switch forwards the packet toward the destination.
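The four steps above are a sequence of VLAN tag rewrites with one policy decision in the middle. The following model is an added example for this guide, not HP code: a Switch object performs steps 1 and 4, a FirewallCard object performs steps 2 and 3, VLAN tags are plain integers, and the card's security settings are reduced to a permit/deny callable. The switch decides "destined to the tagged VLAN" by looking the destination MAC up in its own MAC table, and the card derives the egress VLAN from the subinterface number exactly as step 3 describes. All class, port and MAC names are constructed for the example.

```python
"""Model of inter-VLAN Layer 2 forwarding through a firewall card (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: Optional[int] = None   # 802.1Q tag; None while untagged


class FirewallCard:
    def __init__(self, own_vlan, mac_table, policy):
        self.own_vlan = own_vlan     # the card's own VLAN tag (step 2)
        self.mac_table = mac_table   # dst MAC -> egress subinterface, e.g. "GE0/1.20"
        self.policy = policy         # callable(frame) -> True to permit
        self.log = []

    def handle(self, frame):
        """Steps 2 and 3: retag to own VLAN, apply policy, retag to the egress VLAN."""
        ingress_vlan = frame.vlan
        frame.vlan = self.own_vlan
        if not self.policy(frame):
            self.log.append(f"drop {frame.src_mac}->{frame.dst_mac} from VLAN {ingress_vlan}")
            return None
        egress = self.mac_table.get(frame.dst_mac)
        if egress is None:
            self.log.append(f"no egress subinterface for {frame.dst_mac}")
            return None
        # The subinterface number carries the VLAN ID the switch expects back.
        frame.vlan = int(egress.rsplit(".", 1)[1])
        return frame


class Switch:
    def __init__(self, port_vlan, mac_table, card):
        self.port_vlan = port_vlan   # access port -> VLAN of that port
        self.mac_table = mac_table   # dst MAC -> (port, vlan)
        self.card = card             # reached over the trunk port
        self.delivered = []

    def receive(self, port, frame):
        """Step 1: tag with the ingress port's VLAN. Same-VLAN traffic is switched
        locally; anything else goes to the firewall card and comes back for step 4."""
        frame.vlan = self.port_vlan[port]
        dest = self.mac_table.get(frame.dst_mac)
        if dest is not None and dest[1] == frame.vlan:
            return self._deliver(frame)
        result = self.card.handle(frame)
        return None if result is None else self._deliver(result)

    def _deliver(self, frame):
        """Step 4: forward toward the destination port in the frame's current VLAN."""
        dest = self.mac_table.get(frame.dst_mac)
        if dest is None or dest[1] != frame.vlan:
            return None
        self.delivered.append((dest[0], frame.vlan, frame.dst_mac))
        return dest[0]


def build_demo():
    """Constructed two-VLAN topology: host 01 in VLAN 10, hosts 02 and 03 in VLAN 20.
    The card permits traffic only toward host 02."""
    card = FirewallCard(
        own_vlan=100,
        mac_table={"aa:00:00:00:00:02": "GE0/1.20", "aa:00:00:00:00:03": "GE0/1.20"},
        policy=lambda f: f.dst_mac == "aa:00:00:00:00:02")
    switch = Switch(
        port_vlan={"GE1/0/1": 10, "GE1/0/2": 20, "GE1/0/3": 20},
        mac_table={"aa:00:00:00:00:01": ("GE1/0/1", 10),
                   "aa:00:00:00:00:02": ("GE1/0/2", 20),
                   "aa:00:00:00:00:03": ("GE1/0/3", 20)},
        card=card)
    return switch, card


if __name__ == "__main__":
    sw, card = build_demo()
    print(sw.receive("GE1/0/1", Frame("aa:00:00:00:00:01", "aa:00:00:00:00:02")))
    print(sw.receive("GE1/0/1", Frame("aa:00:00:00:00:01", "aa:00:00:00:00:03")))
    print(card.log)
```

The point the model makes visible is that only traffic crossing VLANs passes the card's policy; a frame from VLAN 20 to another VLAN 20 host never leaves the switch, so a security rule written on the card does not apply to intra-VLAN traffic.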