R3166-R3206-HP High-End Firewalls Network Management Configuration Guide-6PW101
Layer 2 forwarding configuration
Layer 2 forwarding overview
Layer 2 forwarding involves general, inline, and inter-VLAN Layer 2 forwarding. The former two are
supported on physical ports on the front panel of the firewall. Do not use these physical ports as service
ports.
General Layer 2 forwarding
If the destination MAC address of an incoming packet matches the MAC address of the receiving Layer
3 interface, the firewall forwards the packet through that interface. If not, the firewall performs general
Layer 2 forwarding through a Layer 2 interface. The firewall looks up the MAC address table according
to the destination MAC address of the incoming packet, obtains the outgoing interface, and then
forwards the packet through the interface.
Inline Layer 2 forwarding
Inline Layer 2 forwarding comprises three types: forward, reflect, and blackhole.
• The forward type allows the firewall to forward packets received on an interface through another
interface, without looking up the MAC address table.
• The reflect type allows the firewall to forward a packet through the interface that received the
packet.
• The blackhole type allows the firewall to discard the received packets after processing.
The inline Layer 2 forwarding feature is supported on the interfaces and subinterfaces of the high-end
firewall series.
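The forwarding decision described above (Layer 3 interface MAC check first, then the inline forward, reflect and blackhole types, and otherwise a MAC address table lookup), as an added Python model for illustration; it is not code from the guide. Interface names and MAC addresses are constructed, and the "unknown" result for a destination that is not in the MAC address table is an assumption, since the page does not say how that case is handled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class Frame:
    dst_mac: str
    src_mac: str

@dataclass
class Firewall:
    # MAC address of each Layer 3 interface (constructed values).
    l3_if_macs: Dict[str, str] = field(default_factory=dict)
    # MAC address table: destination MAC -> outgoing Layer 2 interface.
    mac_table: Dict[str, str] = field(default_factory=dict)
    # Inline policy per ingress interface:
    #   ("forward", <egress>), ("reflect", None) or ("blackhole", None).
    inline: Dict[str, Tuple[str, Optional[str]]] = field(default_factory=dict)

    def decide(self, ingress: str, frame: Frame) -> Tuple[str, Optional[str]]:
        dst = frame.dst_mac.lower()
        # 1. Destination MAC matches the receiving Layer 3 interface:
        #    the packet is handled on that interface, not Layer 2 switched.
        if self.l3_if_macs.get(ingress) == dst:
            return ("layer3", ingress)
        # 2. Inline Layer 2 forwarding bypasses the MAC address table.
        policy = self.inline.get(ingress)
        if policy is not None:
            kind, peer = policy
            if kind == "forward":
                return ("forward", peer)          # fixed partner interface
            if kind == "reflect":
                return ("forward", ingress)       # back out the receiving interface
            return ("drop", None)                 # blackhole: discard
        # 3. General Layer 2 forwarding: MAC address table lookup.
        egress = self.mac_table.get(dst)
        if egress is None:
            return ("unknown", None)  # assumption: page does not cover this case
        return ("forward", egress)

def build_example() -> Firewall:
    """Constructed sample firewall used to exercise the decision logic."""
    return Firewall(
        l3_if_macs={"GE0/1": "00:00:5e:00:53:01"},
        mac_table={"00:00:5e:00:53:aa": "GE0/3"},
        inline={"GE0/4": ("forward", "GE0/5"),
                "GE0/6": ("reflect", None),
                "GE0/7": ("blackhole", None)},
    )
```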
Inter-VLAN Layer 2 forwarding
Inter-VLAN Layer 2 forwarding accomplishes communications between VLANs at the data link layer, and
is typically used on firewall cards.
Firewall cards are new products launched by HP for various network applications. As shown in Figure 41,
a firewall card works with a switch to filter Layer 2 traffic arriving at the switch before performing
inter-VLAN Layer 2 forwarding.
Figure 41 Inter-VLAN Layer 2 forwarding
The following prerequisites are necessary for inter-VLAN Layer 2 forwarding:
• The ingress interface and egress interface on the switch belong to different VLANs.
• The Ethernet ports at both ends of the link between the switch and the firewall card are configured
as trunk ports.