HP VPN Firewall Appliances Network Management Configuration Guide
263
The following prerequisites are necessary for inter-VLAN Layer 3 forwarding:
• The ingress interface and egress interface on the switch belong to different VLANs.
• The two ten-GigabitEthernet interfaces at both ends of the link between the switch and the firewall
card are configured as trunk.
• The operating mode of the firewall card's ten-GigabitEthernet port that connects to the switch is
configured as Layer 2.
• Configure VLAN interfaces with the same numbers as VLANs created on the switch for the firewall
card.
• Add the firewall card's ten-GigabitEthernet interface and VLAN interfaces to security zones.
Inter-VLAN Layer 3 forwarding operates as follows:
1. After receiving a packet, the switch adds the VLAN tag of the receiving interface to the packet and
if the packet is destined to another VLAN, sends the packet to the firewall card through the trunk
port in between.
2. If the destination MAC address of the packet matches the MAC address of a VLAN interface, the
firewall card removes the Layer 2 header and delivers the packet to the Layer 3 forwarding
engine.
3. The Layer 3 forwarding engine looks up a route entry for the packet and sends it out of the
outgoing VLAN interface.
4. The incoming security zone for the packet is that of the ten-GigabitEthernet interface in the
incoming VLAN, and the outgoing security zone for the packet is that of the ten-GigabitEthernet
interface in the outgoing VLAN. The firewall card permits or denies the packet based on the
inter-zone policy. The security zone for a broadcast or multicast packet sent by the firewall card is
that for the corresponding VLAN interface.
Configuring Layer 3 subinterface forwarding
NOTE:
For the Layer 3 subinterface forwarding configuration commands, see
Network Mana
g
ement Comman
d
Reference
.
Configuring Layer 3 subinterface forwarding
Perform the following configurations to achieve Layer 3 subinterface forwarding.
1. Configure the ports of the switch
• Create two VLANs. Assign the ingress port to one VLAN and egress port to the other.
• Configure the switch's ten-GigabitEthernet port that connects to the firewall card as a trunk port and
configure the trunk port to join these two VLANs.
2. Configure the firewall card
• Configure the operating mode of the firewall card's ten-GigabitEthernet port that connects to the
switch as routing.
• Create two subinterfaces for the firewall card's ten-GigabitEthernet port. Associate them with the
VLANs created on the switch and set the encapsulation type as dot1q.
• Assign IP addresses for the two subinterfaces.