
1 Layer 3 Forwarding Configuration
- Layer 3 subinterface forwarding configuration of a SecBlade LB card is used in the configuration examples of all the modules in other volumes.
- For the configurations on the switches involved in the configuration examples of the modules in other volumes, refer to the configuration on the switch in the Layer 3 subinterface forwarding configuration example.
When configuring Layer 3 forwarding, go to these sections for information you are interested in.
- Configuring Layer 3 Subinterface Forwarding
- Configuring Inter-VLAN Layer 3 Forwarding
- Layer 3 Subinterface Forwarding Configuration Example
- Inter-VLAN Layer 3 Forwarding Configuration Example
Layer 3 forwarding involves Layer 3 subinterface forwarding and inter-VLAN Layer 3 forwarding.
In Layer 3 subinterface forwarding, if the VLAN tag of an incoming packet matches the PVID of a subinterface of the receiving interface on the SecBlade LB card, the SecBlade LB card removes the Layer 2 header and sends the packet to the subinterface.
Figure 1-1 Layer 3 subinterface forwarding

The following prerequisites are necessary for Layer 3 subinterface forwarding:
- The ingress interface and egress interface on the switch belong to different VLANs.
- The switch's ten-GigabitEthernet interface that connects to the SecBlade LB card is configured as trunk.
- The operating mode of the SecBlade LB card's ten-GigabitEthernet port that connects to the switch is configured as Layer 3.
- Subinterfaces are configured for the SecBlade LB card's ten-GigabitEthernet port. Associate them with VLANs created on the switch and set the encapsulation type to dot1q.
Layer 3 subinterface forwarding operates as follows:
1) After receiving a packet, the switch tags it with the VLAN of the receiving interface. If the packet is not destined for that VLAN, the switch sends it to the SecBlade LB card through the trunk port that connects the two devices.
2) If the VLAN tag of the packet matches the PVID of a subinterface, the SecBlade LB card removes the Layer 2 header and sends the packet to the Layer 3 forwarding engine.
3) The Layer 3 forwarding engine looks up a route entry for the packet and sends it out of the outgoing Layer 3 subinterface.
In inter-VLAN Layer 3 forwarding, if the destination MAC address of an incoming packet matches the MAC address of a VLAN interface, the SecBlade LB card removes the Layer 2 header and delivers the packet to the Layer 3 forwarding engine.
The following prerequisites are necessary for inter-VLAN Layer 3 forwarding:
- The ingress interface and egress interface on the switch belong to different VLANs.
- The two ten-GigabitEthernet interfaces at both ends of the link between the switch and the SecBlade LB card are configured as trunk.
- The operating mode of the SecBlade LB card's ten-GigabitEthernet port that connects to the switch is configured as Layer 2.
- VLAN interfaces with the same numbers as the VLANs created on the switch are configured on the SecBlade LB card.
Inter-VLAN Layer 3 forwarding operates as follows:
1) After receiving a packet, the switch tags it with the VLAN of the receiving interface. If the packet is destined for another VLAN, the switch sends it to the SecBlade LB card through the trunk port that connects the two devices.
2) If the destination MAC address of the packet matches the MAC address of a VLAN interface, the SecBlade LB card removes the Layer 2 header and delivers the packet to the Layer 3 forwarding engine.
3) The Layer 3 forwarding engine looks up a route entry for the packet and sends it out of the outgoing VLAN interface.
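
The two sequences above differ in what the card matches before a packet reaches the Layer 3 forwarding engine: the VLAN tag in subinterface mode, the destination MAC address in inter-VLAN mode. The following simplified Python model of those steps is an added example, not H3C code; the VIDs and networks follow this page's configuration examples, and the MAC addresses are constructed.

```python
import ipaddress

# VIDs and IP networks follow the configuration examples on this page.
# The MAC addresses are constructed for illustration.
SUBIF_BY_VID = {102: "Ten-GigabitEthernet0/0.1", 103: "Ten-GigabitEthernet0/0.2"}
VLANIF_BY_MAC = {"00:00:5e:00:53:66": "Vlan-interface102",
                 "00:00:5e:00:53:67": "Vlan-interface103"}
ROUTES = {
    "subinterface": {"102.0.0.0/24": "Ten-GigabitEthernet0/0.1",
                     "103.0.0.0/24": "Ten-GigabitEthernet0/0.2"},
    "inter-vlan": {"102.0.0.0/24": "Vlan-interface102",
                   "103.0.0.0/24": "Vlan-interface103"},
}

def route_lookup(routes, dst_ip):
    """Longest-prefix match; returns the outgoing interface or None."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(p), i) for p, i in routes.items()
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def forward(mode, vlan_tag, dst_mac, dst_ip):
    """Return (ingress, egress) Layer 3 interfaces, or None when the frame is
    never handed to the Layer 3 forwarding engine or no route exists."""
    if mode == "subinterface":
        ingress = SUBIF_BY_VID.get(vlan_tag)          # step 2: match on VLAN tag
    else:
        ingress = VLANIF_BY_MAC.get(dst_mac.lower())  # step 2: match on dest MAC
    if ingress is None:
        return None
    egress = route_lookup(ROUTES[mode], dst_ip)       # step 3: route lookup
    return (ingress, egress) if egress else None
```

A frame whose tag has no subinterface, or whose destination MAC is not a VLAN interface, returns `None` in this model, so it never reaches the route lookup.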
For information about Layer 3 subinterface forwarding configuration commands, refer to Ethernet Interface Commands in the Access Volume.
Perform the following configurations to achieve Layer 3 subinterface forwarding.
1) Configure the ports of the switch
   - Create two VLANs. Assign the ingress port to one VLAN and egress port to the other.
   - Configure the switch’s ten-GigabitEthernet port that connects to the SecBlade LB card as a trunk port and configure the trunk port to join these two VLANs.
2) Configure the SecBlade LB card
   - Configure the operating mode of the SecBlade LB card's ten-GigabitEthernet port that connects to the switch as routing.
   - Create two subinterfaces for the SecBlade LB card's ten-GigabitEthernet port. Associate them with the VLANs created on the switch and set the encapsulation type as dot1q.
   - Assign IP addresses for the two subinterfaces.
To achieve Layer 3 forwarding between VLANs, you can create these VLANs on the switch and configure the same number of subinterfaces for the ten-GigabitEthernet interface on the SecBlade LB card.
Follow these steps to configure the ports of the switch:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Create a VLAN and enter VLAN view | vlan vlan-id | Required |
| Assign the access port(s) to the VLAN | port interface-list | Required. By default, all ports belong to VLAN 1. |
| Create another VLAN and enter VLAN view | vlan vlan-id | Required |
| Assign the access port(s) to the VLAN | port interface-list | Required. By default, all ports belong to VLAN 1. |
| Enter the view of the ten-GigabitEthernet interface that connects to the SecBlade LB card | interface Ten-GigabitEthernet interface-number | Required |
| Configure the link type of the interface as trunk | port link-type trunk | Required |
| Assign the trunk port to the two VLANs | port trunk permit vlan { vlan-id-list \| all } | Required |
| Configure the default VLAN for the trunk port | port trunk pvid vlan vlan-id | Optional. The default VLAN cannot be one of the previously configured two VLANs. |

Follow these steps to configure the SecBlade LB card:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter the view of the ten-GigabitEthernet interface that connects to the switch | interface ten-gigabitEthernet interface-number | Required |
| Configure the operating mode of the interface as Layer 3 | port link-mode route | Optional. The default operating mode is Layer 3. |
| Create a subinterface of the ten-GigabitEthernet interface and enter subinterface view | interface ten-gigabitEthernet interface-number.subnumber | Required |
| Set the encapsulation type and associate the subinterface with a VLAN | vlan-type dot1q vid vid | Required. The subinterface receives packets with the vid. |
| Assign an IP address to the subinterface | ip address ip-address { mask \| mask-length } [ sub ] | Required. By default, no IP address is configured for the subinterface. |
| Create another subinterface and enter subinterface view | interface ten-gigabitEthernet interface-number.subnumber | Required |
| Set the encapsulation type and associate the subinterface with a VLAN | vlan-type dot1q vid vid | Optional. The subinterface receives packets with the vid. |
| Assign an IP address to the subinterface | ip address ip-address { mask \| mask-length } [ sub ] | Required. By default, no IP address is configured for the subinterface. |


| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Display brief interface information | display brief interface [ interface-type [ interface-number \| interface-number.subnumber ] ] [ \| { begin \| include \| exclude } text ] | Available in any view |
| Display interface/subinterface state and related information | display interface [ interface-type [ interface-number \| interface-number.subnumber ] ] | Available in any view |
| Clear interface/subinterface statistics | reset counters interface [ interface-type [ interface-number \| interface-number.subnumber ] ] | Available in user view |

For information about inter-VLAN forwarding configuration commands, refer to Ethernet Interface Commands.
Perform the following configurations to achieve inter-VLAN Layer 3 forwarding.
1) Configure the ports of the switch
   - Create two VLANs. Assign the ingress port to one VLAN and the egress port to the other.
   - Configure the switch’s ten-GigabitEthernet port that connects to the SecBlade LB card as a trunk port and configure the trunk port to join these two VLANs.
2) Configure the SecBlade LB card
   - Create two VLANs, in which packets from the switch are forwarded.
   - Configure the operating mode of the ten-GigabitEthernet interface that connects to the switch as Layer 2 mode, and configure the link type as trunk. Assign the interface to the two VLANs created on the switch.
   - Create two VLAN interfaces with the same numbers as VLANs created on the switch for the ten-GigabitEthernet interface.
   - Assign IP addresses for the two VLAN interfaces.
To achieve Layer 3 forwarding between VLANs, you can create these VLANs on the switch and configure the same number of VLAN interfaces for the ten-GigabitEthernet interface on the SecBlade LB card.
Follow these steps to configure the ports of the switch:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Create a VLAN and enter VLAN view | vlan vlan-id | Required |
| Assign the access port(s) to the VLAN | port interface-list | Required. By default, all ports belong to VLAN 1. |
| Create another VLAN and enter VLAN view | vlan vlan-id | Required |
| Assign the access port(s) to the VLAN | port interface-list | Required. By default, all ports belong to VLAN 1. |
| Enter the view of the ten-GigabitEthernet interface that connects to the SecBlade LB card | interface ten-gigabitethernet interface-number | Required |
| Configure the link type of the interface as trunk | port link-type trunk | Required |
| Assign the trunk port to the two VLANs | port trunk permit vlan { vlan-id-list \| all } | Required |
| Configure the default VLAN for the trunk port | port trunk pvid vlan vlan-id | Optional. The default VLAN cannot be one of the previously configured two VLANs. |

Follow these steps to configure the SecBlade LB card:

| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Create two VLANs and enter VLAN view. | vlan vlan-id | Required |
| Exit to system view | quit | — |
| Enter the view of the ten-GigabitEthernet interface that connects to the switch | interface ten-gigabitethernet interface-number | Required |
| Configure the operating mode of the interface as Layer 2 | port link-mode bridge | Required. The default operating mode is Layer 3. |
| Configure the link type of the ten-GigabitEthernet interface as trunk | port link-type trunk | Required |
| Assign the trunk port to the specified VLANs | port trunk permit vlan { vlan-id-list \| all } | Required. The VLANs of the SecBlade LB card and the VLANs on the switch must be included. |
| Create a VLAN interface and enter its view | interface vlan-interface vlan-interface-id | Required. The vlan-interface-id must be one of the VLAN IDs created on the switch. |
| Assign an IP address to the VLAN interface | ip address ip-address { mask \| mask-length } [ sub ] | Required. By default, the VLAN interface has no IP address. |
| Create another VLAN interface and enter its view | interface vlan-interface vlan-interface-id | Required. The vlan-interface-id must be the ID of the other VLAN created on the switch. |
| Assign an IP address to the VLAN interface | ip address ip-address { mask \| mask-length } [ sub ] | Required. By default, the VLAN interface has no IP address. |


| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Display brief interface information | display brief interface [ interface-type [ interface-number \| interface-number.subnumber ] ] [ \| { begin \| include \| exclude } text ] | Available in any view |
| Display interface/subinterface state and related information | display interface [ interface-type [ interface-number \| interface-number.subnumber ] ] | Available in any view |
| Clear interface/subinterface statistics | reset counters interface [ interface-type [ interface-number \| interface-number.subnumber ] ] | Available in user view |
| Display VLAN information | display vlan [ vlan-id1 [ to vlan-id2 ] \| all \| dynamic \| interface interface-type interface-number.subnumber \| reserved \| static ] | Available in any view |

As shown in the following figure, traffic between GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 is filtered by a SecBlade LB card, and Layer 3 subinterface forwarding needs to be configured.
- Configure the operating mode of GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 of the switch as access. Assign them to VLAN 102 and VLAN 103 respectively.
- Ten-GigabitEthernet 2/0/1 of the switch connects to ten-GigabitEthernet 0/0 of the SecBlade LB card. Configure ten-GigabitEthernet 2/0/1 as a trunk port.
- Configure the operating mode of the SecBlade LB card's ten-GigabitEthernet interface as Layer 3. Configure two subinterfaces, ten-GigabitEthernet 0/0.1 and ten-GigabitEthernet 0/0.2, and set their encapsulation type to dot1q. Associate ten-GigabitEthernet 0/0.1 with VLAN 102 and ten-GigabitEthernet 0/0.2 with VLAN 103.
- Assign IP address 102.0.0.3/24 to ten-GigabitEthernet 0/0.1 and 103.0.0.3/24 to ten-GigabitEthernet 0/0.2.
Figure 1-2 Network diagram for Layer 3 subinterface forwarding

1) Configure the ports on the switch.
```
# Create VLAN 102 and VLAN 103. Assign GigabitEthernet 3/0/1 to VLAN 102 and GigabitEthernet 3/0/2 to VLAN 103.
<Sysname> system-view
[Sysname] vlan 102
[Sysname-vlan102] port GigabitEthernet 3/0/1
[Sysname-vlan102] vlan 103
[Sysname-vlan103] port GigabitEthernet 3/0/2
[Sysname-vlan103] quit

# Configure the link type of ten-GigabitEthernet 2/0/1 as trunk and assign the trunk port to VLAN 102 and VLAN 103.
[Sysname] interface Ten-GigabitEthernet 2/0/1
[Sysname-Ten-GigabitEthernet2/0/1] port link-type trunk
[Sysname-Ten-GigabitEthernet2/0/1] port trunk permit vlan 102 103
```
2) Configure the SecBlade LB card.
```
# Configure the operating mode of ten-GigabitEthernet 0/0 as Layer 3.
[Sysname] interface Ten-GigabitEthernet 0/0
[Sysname-Ten-GigabitEthernet0/0] port link-mode route

# Configure two subinterfaces for ten-GigabitEthernet 0/0. Set their encapsulation type to dot1q and associate them with the VLANs created on the switch. Assign IP addresses to the subinterfaces.
[Sysname-Ten-GigabitEthernet0/0] interface Ten-GigabitEthernet0/0.1
[Sysname-Ten-GigabitEthernet0/0.1] vlan-type dot1q vid 102
[Sysname-Ten-GigabitEthernet0/0.1] ip address 102.0.0.3 24
[Sysname-Ten-GigabitEthernet0/0.1] interface Ten-GigabitEthernet0/0.2
[Sysname-Ten-GigabitEthernet0/0.2] vlan-type dot1q vid 103
[Sysname-Ten-GigabitEthernet0/0.2] ip address 103.0.0.3 24
```
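
The subinterface example only forwards if the two devices agree on VLAN numbers, so the following added Python check (not H3C tooling) compares a switch session and a card session against the prerequisites and table remarks above. The sessions are abridged from this example; the function names are hypothetical, the script assumes one trunk port per switch session, and the warning about `permit vlan all` is an added least-privilege check rather than a rule from this page.

```python
import re

# Sessions abridged from the Layer 3 subinterface example on this page.
SWITCH = """[Sysname] vlan 102
[Sysname-vlan102] port GigabitEthernet 3/0/1
[Sysname-vlan102] vlan 103
[Sysname-vlan103] port GigabitEthernet 3/0/2
[Sysname] interface Ten-GigabitEthernet 2/0/1
[Sysname-Ten-GigabitEthernet2/0/1] port link-type trunk
[Sysname-Ten-GigabitEthernet2/0/1] port trunk permit vlan 102 103"""
CARD = """[Sysname] interface Ten-GigabitEthernet 0/0
[Sysname-Ten-GigabitEthernet0/0] port link-mode route
[Sysname-Ten-GigabitEthernet0/0] interface Ten-GigabitEthernet0/0.1
[Sysname-Ten-GigabitEthernet0/0.1] vlan-type dot1q vid 102
[Sysname-Ten-GigabitEthernet0/0.1] interface Ten-GigabitEthernet0/0.2
[Sysname-Ten-GigabitEthernet0/0.2] vlan-type dot1q vid 103"""

def commands(session):
    """Strip Comware prompts such as <Sysname> or [Sysname-vlan102]."""
    return [re.sub(r"^\s*(<[^>]+>|\[[^\]]+\])\s*", "", l).strip()
            for l in session.splitlines() if l.strip()]

def vlan_list(text):
    """Expand '102 103' or '102 to 103' into a set of VLAN IDs."""
    out = set()
    for a, b in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", text):
        out.update(range(int(a), int(b or a) + 1))
    return out

def audit(switch_session, card_session):
    """Return mismatches against the prerequisites, plus an over-broad trunk."""
    sw, card = commands(switch_session), commands(card_session)
    vlans = {int(c.split()[1]) for c in sw if re.fullmatch(r"vlan \d+", c)}
    vids = {int(c.split()[-1]) for c in card if c.startswith("vlan-type dot1q vid ")}
    key = "port trunk permit vlan "
    permit = next((c[len(key):] for c in sw if c.startswith(key)), "")
    pvid = next((int(c.split()[-1]) for c in sw
                 if c.startswith("port trunk pvid vlan ")), None)
    out = []
    if "port link-type trunk" not in sw:
        out.append("switch port facing the card is not a trunk")
    if permit.strip() == "all":
        out.append("trunk permits all VLANs, more than the card terminates")
    out += [f"VLAN {v}: subinterface vid not permitted on trunk"
            for v in sorted(vids - vlan_list(permit)) if permit.strip() != "all"]
    out += [f"VLAN {v}: no subinterface on the card" for v in sorted(vlans - vids)]
    if pvid in vlans:
        out.append(f"trunk PVID {pvid} is one of the forwarded VLANs")
    return out
```

`audit(SWITCH, CARD)` returns an empty list for the configuration shown on this page.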
As shown in the following figure, traffic between GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 is filtered by a SecBlade LB card, and inter-VLAN Layer 3 forwarding needs to be configured.
- Configure the operating mode of GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 of the switch as access. Assign them to VLAN 102 and VLAN 103 respectively.
- Ten-GigabitEthernet 2/0/1 of the switch connects to ten-GigabitEthernet 0/0 of the SecBlade LB card. Configure the link type of the two interfaces as trunk.
- Configure the operating mode of ten-GigabitEthernet 0/0 as Layer 2. Create two VLAN interfaces VLAN-interface 102 and VLAN-interface 103.
- Assign IP address 102.0.0.3/24 to VLAN-interface 102 and 103.0.0.3/24 to VLAN-interface 103.
Figure 1-3 Network diagram for inter-VLAN Layer 3 forwarding

1) Configure the ports on the switch.
```
# Create VLAN 102 and VLAN 103. Assign GigabitEthernet 3/0/1 to VLAN 102 and GigabitEthernet 3/0/2 to VLAN 103.
<Sysname> system-view
[Sysname] vlan 102
[Sysname-vlan102] port GigabitEthernet 3/0/1
[Sysname-vlan102] vlan 103
[Sysname-vlan103] port GigabitEthernet 3/0/2
[Sysname-vlan103] quit

# Configure the link type of ten-GigabitEthernet 2/0/1 as trunk. Assign the port to VLAN 102 and VLAN 103.
[Sysname] interface Ten-GigabitEthernet 2/0/1
[Sysname-Ten-GigabitEthernet2/0/1] port link-type trunk
[Sysname-Ten-GigabitEthernet2/0/1] port trunk permit vlan 102 103
```
2) Configure the SecBlade LB card.
```
# Create VLAN 102 and VLAN 103.
<Sysname> system-view
[Sysname] vlan 102 to 103

# Configure the operating mode of ten-GigabitEthernet 0/0 as Layer 2.
[Sysname] interface Ten-GigabitEthernet 0/0
[Sysname-Ten-GigabitEthernet0/0] port link-mode bridge
[Sysname-Ten-GigabitEthernet0/0] port link-type trunk
[Sysname-Ten-GigabitEthernet0/0] port trunk permit vlan 102 to 103

# Create two VLAN interfaces for ten-GigabitEthernet 0/0, VLAN-interface 102 and VLAN-interface 103.
[Sysname-Ten-GigabitEthernet0/0] interface vlan-interface 102
[Sysname-Vlan-interface102] ip address 102.0.0.3 24
[Sysname-Vlan-interface102] interface vlan-interface 103
[Sysname-Vlan-interface103] ip address 103.0.0.3 24
```