F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Network Management Configuration Guide-6PW100

Layer 3 forwarding configuration
NOTE:
For the configurations on a switch in a network that contains firewall modules and switches, see "Configuring Layer 3 subinterface forwarding."
Layer 3 forwarding involves Layer 3 subinterface forwarding and inter-VLAN Layer 3 forwarding.
Layer 3 subinterface forwarding
If the VLAN tag of an incoming packet matches the PVID of a subinterface of the receiving interface on
the firewall, the firewall removes the Layer 2 header and sends the packet to the subinterface.
Figure 174 Layer 3 subinterface forwarding
The following prerequisites are necessary for Layer 3 subinterface forwarding:
• The ingress interface and egress interface on the switch belong to different VLANs.
• The switch's Ten-GigabitEthernet interface that connects to the firewall module is configured as trunk.
• The operating mode of the firewall module's Ten-GigabitEthernet port that connects to the switch is configured as Layer 3.
• Subinterfaces are configured for the firewall module's Ten-GigabitEthernet port. Associate them with VLANs created on the switch and set the encapsulation type to dot1q.
• Add the subinterfaces of the firewall module that connects to the switch to security zones.
Layer 3 subinterface forwarding operates as follows:
1. After receiving a packet, the switch tags it with the VLAN of the receiving interface. If the packet is not destined for that VLAN, the switch sends it to the firewall module through the trunk port between them.
2. If the VLAN tag of the packet matches the PVID of a subinterface, the firewall module removes the Layer 2 header and sends the packet to the Layer 3 forwarding engine.
3. The Layer 3 forwarding engine looks up a route entry for the packet and sends it out of the outgoing Layer 3 subinterface.
4. The incoming security zone for the packet is the security zone of the receiving Layer 3 subinterface, and the outgoing security zone is that of the outgoing Layer 3 subinterface. The incoming and outgoing subinterfaces may be in the same security zone or in different security zones. The firewall module permits or denies the packet based on the inter-zone policy.
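The four steps above, together with the subinterface-to-VLAN and subinterface-to-zone associations from the prerequisites, modelled as a small forwarding simulation. This is an added example, not H3C/HP code and not the module's actual implementation: the interface names (GE1/0/x, XGE0/0/1.10), the subnets, the zone names and the rule that the switch treats a destination inside the receiving VLAN's subnet as "destined for that VLAN" are all constructed for the illustration, and unlisted zone pairs are assumed to be denied.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Subinterface:
    """A Layer 3 subinterface on the firewall module's Ten-GigabitEthernet port."""
    name: str      # constructed name, e.g. "XGE0/0/1.10"
    pvid: int      # VLAN ID matched against the incoming dot1q tag (step 2)
    zone: str      # security zone the subinterface was added to (step 4)


@dataclass(frozen=True)
class Route:
    prefix: str        # destination prefix
    out_subif: str     # name of the outgoing Layer 3 subinterface


@dataclass(frozen=True)
class Frame:
    vlan_tag: Optional[int]   # dot1q tag added by the switch (None = untagged)
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Verdict:
    action: str                       # "permit" or "drop"
    reason: str
    in_zone: Optional[str] = None
    out_zone: Optional[str] = None
    out_subif: Optional[str] = None


class Switch:
    """Step 1: tag with the access port's VLAN; hand off-VLAN traffic to the firewall over the trunk."""

    def __init__(self, port_vlan: dict, vlan_subnet: dict):
        self.port_vlan = port_vlan                                        # access port -> VLAN ID
        self.vlan_subnet = {v: ip_network(s) for v, s in vlan_subnet.items()}  # assumed VLAN -> subnet

    def receive(self, port: str, src_ip: str, dst_ip: str):
        vlan = self.port_vlan[port]
        frame = Frame(vlan_tag=vlan, src_ip=src_ip, dst_ip=dst_ip)
        if ip_address(dst_ip) in self.vlan_subnet[vlan]:
            return "local", frame      # destined for the tagged VLAN: Layer 2 switching, firewall not involved
        return "trunk", frame          # everything else crosses the trunk to the firewall module


class FirewallModule:
    def __init__(self, subifs, routes, interzone_policy):
        self.by_pvid = {s.pvid: s for s in subifs}
        self.by_name = {s.name: s for s in subifs}
        # longest-prefix-match order for the route lookup in step 3
        self.routes = sorted(((ip_network(r.prefix), r.out_subif) for r in routes),
                             key=lambda t: t[0].prefixlen, reverse=True)
        self.policy = interzone_policy  # (in_zone, out_zone) -> "permit"|"deny"; unlisted pairs assumed denied

    def forward(self, frame: Frame) -> Verdict:
        # Step 2: the tag must match a subinterface PVID, otherwise there is no Layer 3 interface for it.
        in_sub = self.by_pvid.get(frame.vlan_tag)
        if in_sub is None:
            return Verdict("drop", f"no subinterface with PVID {frame.vlan_tag}")
        dst = ip_address(frame.dst_ip)   # Layer 2 header removed; only the IP header matters from here on
        # Step 3: the route lookup selects the outgoing Layer 3 subinterface.
        out_sub = next((self.by_name[n] for prefix, n in self.routes if dst in prefix), None)
        if out_sub is None:
            return Verdict("drop", f"no route to {frame.dst_ip}", in_zone=in_sub.zone)
        # Step 4: zones come from the two subinterfaces; the inter-zone policy decides.
        action = self.policy.get((in_sub.zone, out_sub.zone), "deny")
        return Verdict("permit" if action == "permit" else "drop",
                       f"policy {in_sub.zone}->{out_sub.zone}: {action}",
                       in_sub.zone, out_sub.zone, out_sub.name)


def build_demo():
    """Constructed topology: VLAN 10 (Trust) and VLAN 20 (Untrust) behind one firewall module port."""
    switch = Switch(port_vlan={"GE1/0/1": 10, "GE1/0/2": 20},
                    vlan_subnet={10: "10.1.10.0/24", 20: "10.1.20.0/24"})
    fw = FirewallModule(
        subifs=[Subinterface("XGE0/0/1.10", 10, "Trust"),
                Subinterface("XGE0/0/1.20", 20, "Untrust")],
        routes=[Route("10.1.10.0/24", "XGE0/0/1.10"),
                Route("10.1.20.0/24", "XGE0/0/1.20")],
        interzone_policy={("Trust", "Untrust"): "permit"},   # Untrust->Trust is not listed, so it is denied
    )
    return switch, fw


def run(switch: Switch, fw: FirewallModule, port: str, src: str, dst: str) -> Verdict:
    where, frame = switch.receive(port, src, dst)
    if where == "local":
        return Verdict("permit", f"switched within VLAN {frame.vlan_tag}")
    return fw.forward(frame)


if __name__ == "__main__":
    sw, fw = build_demo()
    for port, src, dst in [("GE1/0/1", "10.1.10.5", "10.1.20.7"),   # Trust -> Untrust: permitted by policy
                           ("GE1/0/2", "10.1.20.7", "10.1.10.5"),   # Untrust -> Trust: no rule, dropped
                           ("GE1/0/1", "10.1.10.5", "10.1.10.9"),   # same VLAN: never reaches the firewall
                           ("GE1/0/1", "10.1.10.5", "192.0.2.1")]:  # no route: dropped after zone lookup
        print(port, src, "->", dst, run(sw, fw, port, src, dst))
```

The point the model makes explicit is that a packet only gets a security zone if its VLAN tag lands on a subinterface: a VLAN that is permitted on the trunk but has no matching subinterface never reaches the inter-zone policy at all, so checking the trunk's permitted VLAN list against the configured subinterfaces is a worthwhile review step.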