F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Network Management Configuration Guide-6PW100
Inter-VLAN Layer 3 forwarding
If the destination MAC address of an incoming packet matches the MAC address of a VLAN interface,
the firewall module removes the Layer 2 header and delivers the packet to the Layer 3 forwarding engine.
The following prerequisites are necessary for inter-VLAN Layer 3 forwarding:
• The ingress interface and egress interface on the switch belong to different VLANs.
• The two Ten-GigabitEthernet interfaces at both ends of the link between the switch and the firewall
module are configured as trunk.
• The operating mode of the firewall module's Ten-GigabitEthernet port that connects to the switch is
configured as Layer 2.
• On the firewall module, create VLAN interfaces with the same VLAN IDs as the VLANs created on the
switch.
• Add the firewall module's Ten-GigabitEthernet interface and VLAN interfaces to security zones.
Inter-VLAN Layer 3 forwarding operates as follows:
1. After receiving a packet, the switch tags it with the VLAN of the receiving interface and, if the
packet is destined for another VLAN, sends it to the firewall module through the trunk port between
the two devices.
2. If the destination MAC address of the packet matches the MAC address of a VLAN interface, the
firewall module removes the Layer 2 header and delivers the packet to the Layer 3 forwarding
engine.
3. The Layer 3 forwarding engine looks up a route entry for the packet and sends it out of the
outgoing VLAN interface.
4. The incoming security zone for the packet is that of the Ten-GigabitEthernet interface in the
incoming VLAN, and the outgoing security zone for the packet is that of the Ten-GigabitEthernet
interface in the outgoing VLAN. The firewall module permits or denies the packet based on the
inter-zone policy. The security zone for a broadcast or multicast packet sent by the firewall module
is that for the corresponding VLAN interface.
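The prerequisites above, written out as a worked Comware-style CLI configuration. This is an added example, not configuration text from the original guide: the interface numbers, VLAN IDs, IP addresses and zone names are assumptions, and the command syntax is the generic Comware syntax for these products and should be checked against the Network Management Command Reference for the module in use.

```text
# ---- Switch side (assumed port numbers) ----
# Ingress and egress ports belong to different VLANs (prerequisite 1).
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] port GigabitEthernet1/0/1
[Switch-vlan10] quit
[Switch] vlan 20
[Switch-vlan20] port GigabitEthernet1/0/2
[Switch-vlan20] quit
# The link to the firewall module is a trunk carrying both VLANs (prerequisite 2).
[Switch] interface Ten-GigabitEthernet1/0/25
[Switch-Ten-GigabitEthernet1/0/25] port link-type trunk
[Switch-Ten-GigabitEthernet1/0/25] port trunk permit vlan 10 20
[Switch-Ten-GigabitEthernet1/0/25] quit

# ---- Firewall module side (assumed port number) ----
<Firewall> system-view
[Firewall] vlan 10
[Firewall-vlan10] quit
[Firewall] vlan 20
[Firewall-vlan20] quit
# Port facing the switch operates at Layer 2 and is a trunk (prerequisites 2 and 3).
[Firewall] interface Ten-GigabitEthernet0/0/1
[Firewall-Ten-GigabitEthernet0/0/1] port link-mode bridge
[Firewall-Ten-GigabitEthernet0/0/1] port link-type trunk
[Firewall-Ten-GigabitEthernet0/0/1] port trunk permit vlan 10 20
[Firewall-Ten-GigabitEthernet0/0/1] quit
# VLAN interfaces with the same IDs as the switch VLANs (prerequisite 4).
# Their MAC addresses are what hosts use as the default gateway, so a frame
# addressed to one of them is handed to the Layer 3 forwarding engine (step 2).
[Firewall] interface Vlan-interface 10
[Firewall-Vlan-interface10] ip address 10.1.10.1 255.255.255.0
[Firewall-Vlan-interface10] quit
[Firewall] interface Vlan-interface 20
[Firewall-Vlan-interface20] ip address 10.1.20.1 255.255.255.0
[Firewall-Vlan-interface20] quit
# Security zone membership (prerequisite 5). The trunk port is imported per VLAN,
# which is what selects the incoming and outgoing zones in step 4; the VLAN
# interface is imported so that broadcast/multicast the module itself sends has a zone.
# Zone names and ids are assumed; Trust and Untrust are common defaults.
[Firewall] zone name Trust id 2
[Firewall-zone-Trust] import interface Ten-GigabitEthernet0/0/1 vlan 10
[Firewall-zone-Trust] import interface Vlan-interface10
[Firewall-zone-Trust] quit
[Firewall] zone name Untrust id 4
[Firewall-zone-Untrust] import interface Ten-GigabitEthernet0/0/1 vlan 20
[Firewall-zone-Untrust] import interface Vlan-interface20
[Firewall-zone-Untrust] quit
# Inter-zone policy consulted in step 4 (assumed rule syntax).
[Firewall] interzone source Trust destination Untrust
[Firewall-interzone-Trust-Untrust] rule 0 permit
[Firewall-interzone-Trust-Untrust] quit
```

Two points worth checking after applying this: the hosts in VLAN 10 and VLAN 20 must use the firewall module's VLAN interface addresses as their default gateway, otherwise their frames never carry a VLAN interface MAC and are never handed to the Layer 3 engine; and the two VLANs must be imported into different zones, because traffic that enters and leaves the same zone is not subject to the inter-zone policy, which would silently bypass inspection of inter-VLAN traffic.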
Configuring Layer 3 subinterface forwarding
NOTE:
For the Layer 3 subinterface forwarding configuration commands, see Network Management Command
Reference.
Configuring Layer 3 subinterface forwarding
Perform the following configurations to achieve Layer 3 subinterface forwarding.
1. Configure the ports of the switch.
• Create two VLANs. Assign the ingress port to one VLAN and egress port to the other.
• Configure the switch’s Ten-GigabitEthernet port that connects to the firewall module as a trunk port
and configure the trunk port to join these two VLANs.
2. Configure the firewall module.
• Configure the operating mode of the firewall module's Ten-GigabitEthernet port that connects to the
switch as routing.