HP VPN Firewall Appliances Network Management Configuration Guide

Layer 3 forwarding configuration
NOTE:
For the configurations on a switch in a network that contains firewall cards and switches, see "Configuring Layer 3 subinterface forwarding."
Layer 3 forwarding involves Layer 3 subinterface forwarding and inter-VLAN Layer 3 forwarding.
Layer 3 subinterface forwarding
If the VLAN tag of an incoming packet matches the PVID of a subinterface of the receiving interface on the firewall, the firewall removes the Layer 2 header and sends the packet to the subinterface.
Figure 175 Layer 3 subinterface forwarding
The following prerequisites are necessary for Layer 3 subinterface forwarding:
The ingress interface and egress interface on the switch belong to different VLANs.
The switch's ten-GigabitEthernet interface that connects to the firewall card is configured as a trunk.
The operating mode of the firewall card's ten-GigabitEthernet port that connects to the switch is configured as Layer 3.
Subinterfaces are configured for the firewall card's ten-GigabitEthernet port. Associate them with VLANs created on the switch and set the encapsulation type to dot1q.
Add the subinterfaces of the firewall card that connects to the switch to security zones.
Layer 3 subinterface forwarding operates as follows:
1. After receiving a packet, the switch adds the VLAN tag of the receiving interface to the packet. If the packet is not destined for that VLAN, the switch sends it to the firewall card through the trunk port between them.
2. If the VLAN tag of the packet matches the PVID of a subinterface, the firewall card removes the Layer 2 header and sends the packet to the Layer 3 forwarding engine.
3. The Layer 3 forwarding engine looks up a route entry for the packet and sends it out of the outgoing Layer 3 subinterface.
4. The incoming security zone for the packet is the security zone of the receiving Layer 3 subinterface, and the outgoing security zone for the packet is that of the outgoing Layer 3 subinterface. The outgoing and incoming subinterfaces might be in the same or different security zones. The firewall card permits or denies the packet based on the inter-zone policy.
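The following configuration fragment is an added example of how the prerequisites above fit together; it is not taken from this guide. The interface names, VLAN IDs, IP addresses and zone names are assumed, and the command syntax is assumed Comware syntax that should be checked against the command reference for the specific switch and firewall card.

```text
# Switch side. Assumed: VLAN 10 and VLAN 20 hold the ingress and egress
# interfaces; Ten-GigabitEthernet1/0/1 is the port that faces the firewall card.
vlan 10
 quit
vlan 20
 quit
interface Ten-GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 10 20
 quit

# Firewall card side. Assumed: Ten-GigabitEthernet0/0 faces the switch.
# The port operates at Layer 3; one dot1q subinterface per switch VLAN.
interface Ten-GigabitEthernet0/0
 port link-mode route
 quit
interface Ten-GigabitEthernet0/0.10
 vlan-type dot1q vid 10
 ip address 192.168.10.1 255.255.255.0
 quit
interface Ten-GigabitEthernet0/0.20
 vlan-type dot1q vid 20
 ip address 192.168.20.1 255.255.255.0
 quit

# Each subinterface is placed in a security zone (zone names and IDs assumed);
# the inter-zone policy of step 4 is applied between these two zones.
zone name Trust id 2
 import interface Ten-GigabitEthernet0/0.10
 quit
zone name Untrust id 4
 import interface Ten-GigabitEthernet0/0.20
 quit
```

With this layout, a frame tagged VLAN 10 arriving on the trunk is matched to subinterface 0/0.10, routed, and then checked by the Trust-to-Untrust inter-zone policy before leaving via subinterface 0/0.20.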
Inter-VLAN Layer 3 forwarding
If the destination MAC address of an incoming packet matches the MAC address of a VLAN interface, the firewall card removes the Layer 2 header and delivers the packet to the Layer 3 forwarding engine.