Configuring an interface to serve as the gateways of two network segments on the firewall


The USG supports configuring a subinterface to enable an interface to serve as the gateways of two network segments:
#
interface GigabitEthernet1/0/3.1
vlan-type dot1q 10
alias GigabitEthernet1/0/3.1
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3.2
vlan-type dot1q 20
alias GigabitEthernet1/0/3.2
ip address 10.3.2.1 255.255.255.0
#

Other related questions:
Whether two identical network segments can be configured on the USG6000
Yes. This configuration can be achieved by means of NAT. However, this configuration is not recommended.

Method used to configure two network segments on the USG firewall among which one network segment contains IP addresses dynamically allocated by the DHCP server and another network segment contains static IP addresses
Two methods are available for configuring two network segments on the USG firewall, one with IP addresses dynamically allocated by the DHCP server and the other with static IP addresses:

1. If the switch interconnected to the firewall has only one interface, configure two IP addresses for the interface, set the primary IP address as the dynamic IP address and the secondary IP address (sub address) as the static IP address. The key configuration is as follows:
[USG] interface GigabitEthernet0/0/1
[USG-GigabitEthernet0/0/1] ip address 192.168.2.1 255.255.255.0
[USG-GigabitEthernet0/0/1] ip address 192.168.1.1 255.255.255.0 sub
[USG-GigabitEthernet0/0/1] quit
[USG] dhcp server ip-pool 0
[USG-dhcp-0] network 192.168.2.0 mask 255.255.255.0
[USG-dhcp-0] dns-list 192.168.2.3
[USG-dhcp-0] quit
IP addresses in network segment 192.168.2.0 can be dynamically allocated. IP addresses in network segment 192.168.1.0 are static IP addresses set on the PC.

2. If the switch is interconnected with the firewall over interfaces in different network segments, the addresses can be configured flexibly.

a. Configure the DHCP address pool by configuring the L3 interface.
[USG] interface GigabitEthernet0/0/1
[USG-GigabitEthernet0/0/1] ip address 192.168.2.1 255.255.255.0
[USG-GigabitEthernet0/0/1] quit
[USG] interface GigabitEthernet0/0/2
[USG-GigabitEthernet0/0/2] ip address 192.168.1.1 255.255.255.0
[USG-GigabitEthernet0/0/2] quit
[USG] dhcp server ip-pool 0
//Configure an address pool for network segment 192.168.2.0 instead of network segment 192.168.1.0, and configure static IP addresses on the PC.
[USG-dhcp-0] network 192.168.2.0 mask 255.255.255.0
[USG-dhcp-0] dns-list 192.168.2.2
[USG-dhcp-0] quit

b. Configure the DHCP address pool based on interfaces.
[USG] interface GigabitEthernet1/0/1
[USG-GigabitEthernet1/0/1] ip address 192.168.0.1 255.255.255.0 //Configure the interface IP address.
[USG-GigabitEthernet1/0/1] dhcp select interface //Configure the interface-based DHCP.
[USG-GigabitEthernet1/0/1] dhcp server ip-range 192.168.0.1 192.168.0.254 //Configure the range of IP addresses that can be allocated.
[USG-GigabitEthernet1/0/1] dhcp server gateway-list 192.168.0.1
[USG-GigabitEthernet1/0/1] dhcp server dns-list 192.168.0.253
[USG-GigabitEthernet1/0/1] quit
[USG] interface GigabitEthernet0/0/2
[USG-GigabitEthernet0/0/2] ip address 192.168.1.1 255.255.255.0 //Configure the interface IP address and configure static IP addresses in this network segment instead of DHCP.

Can two network segments that cannot communicate with each other be configured for two network ports of the VCN3000?
No. There can be only one VCN3000 service IP address. The two service network ports can be configured to work in active/standby or load balancing mode and show the same service IP address.

Can low-end S series switches serve as gateways
You are not advised to use switches including the S2700 series, S5700LI, and S5700S-LI as gateways. The S2700 series, S5700LI, and S5700S-LI switches are Layer 2 switches. If they are used as gateways, they send all packets that need to be forwarded at Layer 3 to the CPU for software forwarding. This causes a high CPU usage. Because CAR parameters are configured to protect the CPU, a large number of packets are dropped, affecting forwarding of service packets. Therefore, it is recommended that you use high-end Layer 3 switches as gateways.

Whether USG firewalls support IP addresses in the same network segment configured for different interfaces
The USG2000, USG5000, and USG6000 do not support IP addresses in the same network segment configured for different interfaces. However, primary and secondary IP addresses of the same interface can be in the same network segment.
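
The rule above can be checked before a configuration is committed. The following is an added example, not Huawei tooling or code from the original page: it parses an interface configuration in the style shown on this page and reports network segments that overlap across different interfaces, while allowing primary and sub addresses on the same interface. The sample configuration is constructed, and GigabitEthernet1/0/4 with its address is an invented interface that deliberately overlaps 10.3.1.0/24.

```python
import ipaddress
import re

# Constructed sample in the page's config style; GigabitEthernet1/0/4 is an
# invented interface that deliberately overlaps 10.3.1.0/24.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/3.1
 vlan-type dot1q 10
 ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3.2
 vlan-type dot1q 20
 ip address 10.3.2.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 192.168.2.1 255.255.255.0
 ip address 192.168.2.9 255.255.255.0 sub
#
interface GigabitEthernet1/0/4
 ip address 10.3.1.129 255.255.255.128
#
"""
ADDR_RE = re.compile(r"^ip address (\S+) (\S+)(?: sub)?$")

def parse_interfaces(config):
    """Return {interface name: [IPv4Network, ...]} from a config dump."""
    nets, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "#":
            current = None  # '#' closes the current interface view
        elif current and (m := ADDR_RE.match(line)):
            nets.setdefault(current, []).append(
                ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return nets

def cross_interface_overlaps(config):
    """List (ifA, netA, ifB, netB) where different interfaces share address space."""
    items = [(i, n) for i, ns in parse_interfaces(config).items() for n in ns]
    return [(a, str(x), b, str(y))
            for k, (a, x) in enumerate(items)
            for b, y in items[k + 1:]
            if a != b and x.overlaps(y)]

if __name__ == "__main__":
    for a, x, b, y in cross_interface_overlaps(SAMPLE_CONFIG):
        print(f"{a} {x} overlaps {b} {y}")
```

Using `overlaps` rather than equality also catches a narrower mask nested inside a wider segment, as in the constructed /25 inside the /24.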
