Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 07-Layer 2 forwarding configuration | 168.41 KB |
Configuring normal Layer 2 forwarding
About normal Layer 2 forwarding
Display and maintenance commands for Layer 2 forwarding
Configuring fast Layer 2 forwarding
Disabling VLAN ID check for fast Layer 2 forwarding
Display and maintenance commands for fast Layer 2 forwarding
Configuring cut-through Layer 2 forwarding
About cut-through Layer 2 forwarding
Restrictions: Hardware compatibility with cut-through Layer 2 forwarding
Restrictions and guidelines for cut-through Layer 2 forwarding configuration
Configuring bridging forwarding
Configuring inter-VLAN bridge forwarding
Configuring security service bypass
Display and maintenance commands for bridge forwarding
Bridge forwarding configuration examples
Example: Configuring inter-VLAN bridge forwarding
Example: Configuring inline forwarding
Configuring fast bridge forwarding
Disabling VLAN ID check for fast bridge forwarding
Display and maintenance commands for fast bridge forwarding
Configuring normal Layer 2 forwarding
About normal Layer 2 forwarding
When an incoming frame's destination MAC address does not match any Layer 3 interface's MAC address, normal Layer 2 forwarding forwards the frame through a Layer 2 interface.
The device uses the destination MAC address of the frame to look for a match in the MAC address table.
· The device forwards the frame out of the outgoing interface in the matching entry if a match is found.
· The device floods the frame to all interfaces in the VLAN of the frame if no match is found.
Normal Layer 2 forwarding is enabled by default.
Display and maintenance commands for Layer 2 forwarding
Execute display commands in any view and reset commands in user view.
?
|
Task |
Command |
|
Display Layer 2 forwarding statistics. |
display mac-forwarding statistics [ interface interface-type interface-number ] |
|
Clear Layer 2 forwarding statistics. |
reset mac-forwarding statistics |
?
Configuring fast Layer 2 forwarding
About fast Layer 2 forwarding
Fast Layer 2 forwarding improves packet forwarding efficiency by using a high-speed cache and flow-based technology. It identifies a flow by using the following items:
· Source IP address.
· Source port number.
· Destination IP address.
· Destination port number.
· Protocol number.
· Input interface.
· Output interface.
· VLAN ID.
Fast Layer 2 forwarding creates an entry in a high-speed cache by obtaining the forwarding information of a flow's first packet. Subsequent packets of the flow are forwarded based on the entry.
Fast Layer 2 forwarding is enabled by default.
Disabling VLAN ID check for fast Layer 2 forwarding
About this task
The VLAN ID of a packet helps the device to determine the TCP session to which the packet belongs. On a hot backup system formed by two firewalls, you must disable VLAN ID check if the traffic incoming interfaces on the primary and secondary devices belong to different VLANs. If you enable VLAN ID check, traffic cannot match session entries correctly when asymmetric-path traffic exists.
Procedure
1. Enter system view.
system-view
2. Disable VLAN ID check for fast Layer 2 forwarding.
undo mac fast-forwarding check-vlan-id
By default, VLAN ID check is enabled for fast Layer 2 forwarding.
Display and maintenance commands for fast Layer 2 forwarding
Execute display commands in any view.
?
|
Task |
Command |
|
Display IPv4 fast forwarding entries. |
display mac-forwarding cache ip [ ip-address ] [ slot slot-number ] |
|
Display IPv4 fast forwarding entries for fragments. |
display mac-forwarding cache ip fragment [ ip-address ] [ slot slot-number ] |
|
Display IPv6 fast forwarding entries. |
display mac-forwarding cache ipv6 [ ipv6-address ] [ slot slot-number ] |
?
Configuring cut-through Layer 2 forwarding
About cut-through Layer 2 forwarding
A cut-through forwarding-enabled device forwards a frame after it receives the first 64 bytes of the frame. This feature reduces the transmission time of a frame and enhances forwarding performance.
Restrictions: Hardware compatibility with cut-through Layer 2 forwarding
|
Hardware |
Cut-through Layer 2 forwarding compatibility |
|
F1000-A-G3, F1000-C-G3, F1000-E-G3, F1000-S-G3 |
Yes |
|
F100-A-G3, F100-E-G3 |
No |
|
F100-C-G3, F100-M-G3, F100-S-G3 |
Yes |
|
F1000-E-VG |
No |
|
F1000-S-VG |
Yes |
|
F1000-A-G2, F1000-C-G2, F1000-E-G2, F1000-S-G2 |
No |
|
F100-A-G2, F100-E-G2 |
No |
|
F100-C-G2, F100-M-G2, F100-S-G2 |
Yes |
|
F1000-C-EI, F100-A-EI, F100-A-SI, F100-E-EI |
No |
|
F100-C-EI |
Yes |
|
F100-A80-WiNet |
No |
|
F100-C80-WiNet, F100-C60-WiNet, F100-C50-WiNet, F100-S80-WiNet |
Yes |
|
F1000-C8180, F1000-C8170, F1000-C8160 |
No |
|
F1000-C8150, F1000-C8130, F1000-C8120, F1000-C8110 |
Yes |
|
F100-C-A6, F100-C-A5, F100-C-A3 |
Yes |
|
F100-C-A6-WL, F100-C-A5-W, F100-C-A3-W |
Yes |
|
F1000-C-HI, F100-A-HI |
No |
|
F100-C-HI, F100-S-HI |
Yes |
|
F1000-990-AI, F1000-980-AI, F1000-970-AI, F1000-960-AI, F1000-950-AI, F1000-930-AI, F1000-920-AI |
No |
|
LSPM6FWD8, LSQM2FWDSC8 |
No |
?
Restrictions and guidelines for cut-through Layer 2 forwarding configuration
With cut-through forwarding, the device forwards CRC-error frames because it starts forwarding frames before their CRC field is received.
Procedure
1. Enter system view.
system-view
2. Enable cut-through forwarding.
cut-through enable
By default, cut-through forwarding is disabled.
Configuring bridge forwarding
About bridge forwarding
Bridge forwarding allows users to customize bridge instances to implement VLAN or port based secure packet forwarding.
Bridge forwarding types
Bridge forwarding has the following types:
· Inter-VLAN bridge forwarding—Forwards a packet between different VLANs.
· Inline forwarding—Inline forwarding has the following types:
? Reflect-type bridge forwarding—Forwards a packet through the receiving port of the packet.
? Forward-type bridge forwarding—Forwards a packet through a port that is different from the receiving port of the packet.
? Blackhole-type bridge forwarding—Drops the received packets.
Inter-VLAN bridge forwarding
Inter-VLAN bridge forwarding enables communication between different VLANs at the data link layer. It is typically used on firewall products. A firewall connected to a switch filters Layer 2 traffic before passing the traffic to the switch for further forwarding.
As shown in Figure 1, bridge forwarding enables communication between VLANs 10 and 20. VLANs 10 and 20 are in bridge instance 1 on the firewall. The interface that connects the switch to the firewall is Port C.
?
The following process uses ARP to describe the MAC address learning and packet forwarding in bridge forwarding. Host A requires the MAC address of Host B and sends out an ARP request. When receiving the request from Host A, bridge forwarding processes the request as follows:
1. The switch performs the following operations:
a. Learns a new entry to the MAC address table of the switch. The entry contains the MAC address of Host A (0033-0033-0033), the output interface Port A, and VLAN 10.
b. Broadcasts the request in VLAN 10. Because VLAN 10 is in bridge instance 1, the request enters the firewall through Port C.
2. The firewall performs the following operations:
a. Learns a new entry to the MAC address table of bridge instance 1. The entry contains the MAC address of Host A (0033-0033-0033), the output interface Port D, and VLAN 10.
b. Replaces the VLAN tag of the request with VLAN 20 and broadcasts the request in VLAN 20. No matching MAC address entry exists in VLAN 20.
c. Sends the request to the switch through Port D.
3. The switch performs the following operations:
a. Learns a new entry to the MAC address table of the switch. The entry contains the MAC address of Host A (0033-0033-0033), interface Port C, and VLAN 20.
b. Broadcasts the request in VLAN 20.
Host B in VLAN 20 receives the request, places its MAC address in the reply, and sends the reply to Host A. Bridge forwarding processes the reply as follows:
1. The switch performs the following operations:
a. Learns a new entry to the MAC address table of the switch. The entry contains the MAC address of Host B (0000-0000-0002), the output interface Port B, and VLAN 20.
b. Uses the destination MAC address 0033-0033-0033 and VLAN ID 20 to search the MAC address table for a match. An entry with interface Port C is found.
c. Sends the reply to the firewall through Port C.
2. The firewall performs the following operations:
a. Learns a new entry to the MAC address table of bridge instance 1. The entry contains the MAC address of Host B (0000-0000-0002), the output interface Port D, and VLAN 20.
b. Uses the destination MAC address 0033-0033-0033 to search the MAC address table of bridge instance 1 for a match. An entry with the output interface Port D and VLAN 10 is found.
c. Replaces the VLAN ID of the reply (VLAN 20) with the VLAN ID in the entry (VLAN 10).
d. Sends the reply to the switch through Port D.
3. The switch performs the following operations:
a. Uses the destination MAC address 0033-0033-0033 and VLAN ID 10 to search the MAC address table for a match. An entry with the output interface Port A exists.
b. Forwards the reply through Port A.
Inline forwarding
Inline forwarding monitors traffic at the data link layer. It is typically used on security devices. When inline forwarding is configured on the device, Layer 2 traffic arriving at the device is forwarded toward the destination after security service processing.
Inline forwarding can be further classified into the following forwarding types:
· Reflect-type bridge forwarding.
· Blackhole-type bridge forwarding.
· Forward-type bridge forwarding.
Reflect-type/blackhole-type bridge forwarding
Reflect-type bridge forwarding and blackhole-type bridge forwarding are applicable to the scenario where a device directly accesses the network and is directly connected to a security device.
As shown in Figure 2, Device A is connected to the security device (Device B) through a physical port.
· In reflect-type bridge forwarding mode, packets arriving at Device A are forwarded to Device B for security service processing and then sent back to Device A for forwarding.
· In blackhole-type bridge forwarding mode, packets arriving at Device A are forwarded to Device B. Device B processes the packets and then drops the packets.
Figure 2 Reflect-type/blackhole-type bridge forwarding network
?
Forward-type bridge forwarding
Forward-type bridge forwarding is applicable to the scenario where a device accesses the network through a security device.
As shown in Figure 3, Device A is connected to Device B through two physical ports. Device B uses one port to receive packets from Device A, and it uses the other port to send packets back to Device A.
Figure 3 Forward-type bridge forwarding network
?
Packet processing example in inline forwarding
As shown in Figure 2 and Figure 3, when VMs 1 and 2 communicate through Device A, inline forwarding processes packets between them as follows:
· Device A forwards the received packets to Device B.
· Device B passes the IP packets to the security modules for processing and sends other types of packets back to Device A.
· Device B creates forwarding entries for IP packets that meet the security requirements and forwards them to Device A. IP packets that do not meet the security requirements are dropped.
Configuring bridging forwarding
Configuring inter-VLAN bridge forwarding
1. Enter system view.
system-view
2. ?(Optional.) Set the aging timer for dynamic MAC address entries.
bridge mac-address timer aging seconds
The default setting is 300 seconds.
3. Create an inter-VLAN bridge instance, and enter bridge view.
bridge bridge-index inter-vlan
4. Add a list of VLANs to the bridge instance.
add vlan vlan-id-list
5. (Optional.) Set the MAC learning limit on the bridge instance.
mac-address max-mac-count count
By default, a maximum of 4096 MAC addresses can be learned on a bridge instance.
Configuring inline forwarding
Restrictions and guidelines
You can manually create reflect-type, forward-type, and blackhole-type bridge instances for inline forwarding and add interfaces to the instances.
The device will automatically create a forward-type bridge instance upon insertion of a hardware bypass subcard. For a forward-type bridge instance to be automatically created, make sure the device does not have an inter-VLAN bridge instance before you insert a hardware bypass subcard.
If you configure inline forwarding on a security device connected to a switch, disable MAC address learning on the switch's interface that is connected to the security device to avoid frequent MAC moves.
Only one interface can be added to a reflect-type or blackhole-type bridge instance.
Only two interfaces can be added to a manually created forward-type bridge instance. The two interfaces must be the same type.
An automatically created forward-type bridge instance uses the pair of interfaces on the bypass subcard by default and you cannot edit the interfaces in the instance.
Procedure
1. Enter system view.
system-view
2. (Optional.) Configure the device to ignore the tunnel encapsulation when forwarding tunneled packets in inline mode.
bridge tunnel-encapsulation skip
In inline forwarding mode, tunneled packets are forwarded based on information in the tunnel encapsulation by default.
3. Create a bridge instance and enter its view.
? Create a reflect-type bridge instance.
bridge bridge-index reflect
? Create a forward-type bridge instance.
bridge bridge-index forward
? Create a blackhole-type bridge instance.
bridge bridge-index blackhole
4. Add an interface to the bridge instance.
add interface interface-type interface-number
By default, no interfaces exist in a manually created bridge instance.
Configuring security service bypass
About this task
By default, packets are processed by the security service first before being forwarded according to the configured bridge forwarding mode.
The security service bypass feature enables user traffic to bypass security service processing of a security device and be forwarded directly according to the configured bridge forwarding mode.
The device supports only the internal bypass mode. In internal bypass mode, user traffic is sent to the security device but is not processed by it. The security device directly forwards or drops the traffic according to the configured bridge forwarding mode.
Restrictions and guidelines for security service bypass
If you configure the bypass enable command for the same bridge instance multiple times, the most recent configuration takes effect.
Enabling internal security service bypass
1. Enter system view.
system-view
2. Enter bridge instance view.
? Enter the view of a reflect-type bridge instance.
bridge bridge-index reflect
? Enter the view of an automatically created forward-type bridge instance.
bridge bridge-index forward
? Enter the view of a manually created forward-type bridge instance.
bridge bridge-index forward
? Enter the view of a blackhole-type bridge instance.
bridge bridge-index blackhole
3. Enable internal security service bypass.
bypass enable
Security service bypass is disabled by default.
Display and maintenance commands for bridge forwarding
Execute display commands in any view.
|
Task |
Command |
|
Display MAC address entries in bridge instances. |
display bridge mac-address [ bridge-index [ vlan vlan-id ] ] [ count ] [ slot slot-number ] |
Bridge forwarding configuration examples
Example: Configuring inter-VLAN bridge forwarding
Network configuration
As shown in Figure 4, configure inter-VLAN bridge forwarding to enable the firewall to filter traffic between GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
?
Procedure
1. Configure the firewall:
# Create inter-VLAN bridge instance 2.
<Sysname> system-view
[Sysname] bridge 2 inter-vlan
# Add VLANs 10 and 20 to the bridge instance.
[Sysname-bridge2-inter-vlan] add vlan 10 20
[Sysname-bridge2-inter-vlan] quit
2. Configure the switch:
# Assign GigabitEthernet 1/0/1 to VLAN 10.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port access vlan 10
# Assign GigabitEthernet 1/0/2 to VLAN 20.
[Sysname] interface gigabitethernet 1/0/2
[Sysname-GigabitEthernet1/0/2] port access vlan 20
[Sysname-GigabitEthernet1/0/2] quit
Verifying the configuration
# On the firewall, display MAC address entries in bridge instance 2.
[Sysname] display bridge mac-address 2
MAC Address????? BRIDGE ID? State??????? VLAN ID? Port??????????? Aging
0033-0033-0033?? 2??????? ??Learned????? 10?????? GE1/0/1???????? Y
0000-0000-0002?? 2?????? ???Learned????? 20 ??????GE1/0/2???????? Y
Example: Configuring inline forwarding
Network configuration
As shown in Figure 5, configure reflect-type bridge forwarding on Device B to filter traffic between VM 1 and VM 2 of Device A.
?
Procedure
1. Configure QoS policies on Device A to redirect traffic between VM 1 and VM 2 to Device B, and disable MAC address learning on the interface connected to Device B:
# Create advanced ACL 3001, and configure a rule to match packets with source IP address 1.1.1.2 and destination IP address 1.1.1.3.
[DeviceA] acl advanced 3001
[DeviceA-acl-ipv4-adv-3001] rule permit ip source 1.1.1.2 0 destination 1.1.1.3 0
[DeviceA-acl-ipv4-adv-3001] quit
# Create a traffic class named classifier1, and use ACL 3001 as the match criterion in the traffic class.
[DeviceA] traffic classifier classifier1
[DeviceA-classifier-classifier1] if-match acl 3001
[DeviceA-classifier-classifier1] quit
# Create advanced ACL 3002, and configure a rule to match packets with source IP address 1.1.1.3 and destination IP address 1.1.1.2.
[DeviceA] acl advanced 3002
[DeviceA-acl-ipv4-adv-3002] rule permit ip source 1.1.1.3 0 destination 1.1.1.2 0
[DeviceA-acl-ipv4-adv-3002] quit
# Create a traffic class named classifier2, and use ACL 3002 as the match criterion in the traffic class.
[DeviceA] traffic classifier classifier2
[DeviceA-classifier-classifier2] if-match acl 3002
[DeviceA-classifier-classifier2] quit
# Create a traffic behavior named behavior1, and configure the action as redirecting traffic to Device B.
[DeviceA] traffic behavior behavior1
[DeviceA-behavior-behavior1] redirect interface gigabitethernet 1/0/3
[DeviceD-behavior-behavior1] quit
# Create a QoS policy named policy1, and associate traffic class classifier1 with traffic behavior behavior1 in the QoS policy.
[DeviceA] qos policy policy1
[DeviceA-qospolicy-policy1] classifier classifier1 behavior behavior1
[DeviceA-qospolicy-policy1] quit
# Create a QoS policy named policy2, and associate traffic class classifier2 with traffic behavior behavior1 in the QoS policy.
[DeviceA] qos policy policy2
[DeviceA-qospolicy-policy2] classifier classifier2 behavior behavior1
[DeviceA-qospolicy-policy2] quit
# Apply QoS policy policy1 to the incoming traffic of GigabitEthernet 1/0/1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] qos apply policy policy1 inbound
[DeviceA-GigabitEthernet1/0/1] quit
# Apply QoS policy policy2 to the incoming traffic of GigabitEthernet 1/0/2.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] qos apply policy policy2 inbound
[DeviceA-GigabitEthernet1/0/2] quit
# Disable MAC address learning on GigabitEthernet 1/0/3 of Device A.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] undo mac-address mac-learning enable
2. Configure reflect-type bridge forwarding on Device B:
# Create reflect-type bridge instance 2 on Device B.
<DeviceB> system-view
[DeviceB] bridge 2 reflect
# Add GigabitEthernet 1/0/1 to reflect-type bridge instance 2.
[DeviceB-bridge2-reflect] add interface gigabitethernet 1/0/1
[DeviceB-bridge2-reflect] quit
Verifying the configuration
# Display the IP fast bridge forwarding entries on Device B.
[DeviceB] display bridge cache ip inline
Total number of bridge-forwarding entries: 1
SIP???????????? SPort DIP???????????? DPort Pro Output_If
1.1.1.3???????? 470?? 1.1.1.2???????? 0???? 1?? GE1/0/1
1.1.1.2???????? 470?? 1.1.1.3???????? 2048? 1?? GE1/0/1
Configuring fast bridge forwarding
About fast bridge forwarding
Fast bridge forwarding improves packet forwarding efficiency by using a high-speed cache and flow-based technology. It identifies a flow by using the following items:
· Source IP address.
· Source port number.
· Destination IP address.
· Destination port number.
· Protocol number.
· Input interface.
· Output interface.
· VLAN ID.
Fast bridge forwarding creates an entry in a high-speed cache by obtaining the forwarding information of a flow's first packet. Subsequent packets of the flow are forwarded based on the entry.
Fast bridge forwarding is enabled by default.
Disabling VLAN ID check for fast bridge forwarding
About this task
The VLAN ID of a packet helps the device to determine the TCP session to which the packet belongs. On a hot backup system formed by two firewalls, you must disable VLAN ID check if the traffic incoming interfaces on the primary and secondary devices belong to different VLANs. If you enable VLAN ID check, traffic cannot match session entries correctly when asymmetric-path traffic exists.
Procedure
1. Enter system view.
system-view
2. Disable VLAN ID check for fast bridge forwarding.
undo bridge fast-forwarding check-vlan-id
By default, VLAN ID check is enabled for fast bridge forwarding.
Display and maintenance commands for fast bridge forwarding
Execute display commands in any view.
|
Task |
Command |
|
Display IPv4 fast bridge forwarding entries. |
display bridge cache ip { inline | inter-vlan } [ ip-address ] [ slot slot-number ] |
|
Display IPv4 fast bridge forwarding entries for fragments. |
display bridge cache ip fragment { inline | inter-vlan } [ ip-address ] [ slot slot-number ] |
|
Display IPv6 fast bridge forwarding entries. |
display bridge cache ipv6 { inline | inter-vlan } [ ipv6-address ] [ slot slot-number ] |
