VLAN tag forwarding by USG firewalls

The processing of VLAN tags by different ports on USG firewalls is as follows:
The USG firewalls provide three types of ports: Access, Trunk, and Hybrid.
Access interface:
When receiving a packet without a tag, the Access interface accepts the packet and adds the default VLAN ID to the packet.
When receiving a packet with a tag, the Access interface accepts the packet if the VLAN ID is the same as the default ID; the Access interface discards the packet if the VLAN ID is different from the default ID.
When sending a packet, the Access interface removes the tag from the packet.
Usage: The Access interface belongs to only one VLAN and is used to connect the switch to a PC directly.
Trunk interface:
When receiving a packet without a tag, the Trunk interface adds the default VLAN ID (PVID) to the packet. If the default VLAN ID is on the permitted VLAN ID list, the Trunk interface forwards the packet; otherwise, the Trunk interface discards the packet.
When receiving a packet with a tag, the Trunk interface checks whether the VLAN ID carried by the packet is on the permitted VLAN ID list. If yes, the Trunk interface accepts the packet; if not, the Trunk interface discards the packet.
When sending a packet, the Trunk interface first checks whether the VLAN ID carried in the packet is on the permitted VLAN ID list; if not, the packet is not sent. If the VLAN ID is permitted and is the same as the default VLAN ID, the Trunk interface removes the tag and sends the packet; if the VLAN ID is permitted but differs from the default VLAN ID, the Trunk interface retains the original tag and sends the packet.
Usage: The Trunk interface can belong to multiple VLANs and connect switches.
Hybrid interface:
When receiving a packet without a tag, the Hybrid interface adds the default VLAN ID (PVID) to the packet. If the default VLAN ID is on the permitted VLAN ID list, the Hybrid interface forwards the packet; otherwise, the Hybrid interface discards the packet.
When receiving a packet with a tag, the Hybrid interface checks whether the VLAN ID carried by the packet is on the permitted VLAN ID list. If yes, the Hybrid interface accepts the packet; if not, the Hybrid interface discards the packet.
When sending a packet, the Hybrid interface checks whether the VLAN ID carried by the packet is on the permitted VLAN ID list. If yes, the Hybrid interface sends the packet. You can configure whether a packet carries a tag using the corresponding command.
Usage: The Hybrid interface can belong to multiple VLANs. It can connect switches or user devices.
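The three rule sets above are a small decision procedure, so the following added example (not code from the Huawei page or from the USG product) implements them as a simulator. A frame on the wire is modelled as its 802.1Q tag stack, outermost first, with an untagged frame as an empty list; the Port class, the frame model and all VLAN numbers are this example's own assumptions. It also runs the case a practitioner cares about: a frame carrying two tags that enters an Access interface and leaves a Trunk interface whose PVID equals the outer tag, which is the well-known double-tagging VLAN hop, because the Trunk strips only the outer (PVID) tag and the inner tag then decides the VLAN at the next hop.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# A frame inside the device: the VLAN it was classified into at ingress, plus
# any further 802.1Q tags that sat behind the outer tag. Inner tags are only
# payload to the port rules; the rules examine the outer tag alone.
Frame = Tuple[int, List[int]]


@dataclass
class Port:
    """Hypothetical port model for this example, not a USG CLI object."""
    link_type: str                                    # "access", "trunk" or "hybrid"
    pvid: int = 1                                     # default VLAN ID (PVID)
    permitted: Set[int] = field(default_factory=set)  # trunk/hybrid permit list
    untagged: Set[int] = field(default_factory=set)   # hybrid: VLANs sent untagged

    def __post_init__(self) -> None:
        if self.link_type == "access":
            self.permitted, self.untagged = {self.pvid}, {self.pvid}
        elif self.link_type == "trunk":
            self.untagged = {self.pvid}               # a trunk strips only its PVID
        elif self.link_type == "hybrid":
            # VLANs configured as untagged are also members of the permit list.
            self.permitted = set(self.permitted) | set(self.untagged)
        else:
            raise ValueError(f"unknown link type {self.link_type!r}")


def ingress(port: Port, tags: List[int]) -> Optional[Frame]:
    """Receive-side rule. Returns the classified frame, or None if discarded."""
    if not tags:                       # untagged: classify into the PVID
        vid, inner = port.pvid, []
    else:                              # tagged: only the outer tag is examined
        vid, inner = tags[0], tags[1:]
    if port.link_type == "access":
        accepted = vid == port.pvid
    else:                              # trunk and hybrid share the permit-list check
        accepted = vid in port.permitted
    return (vid, inner) if accepted else None


def egress(port: Port, frame: Frame) -> Optional[List[int]]:
    """Send-side rule. Returns the tag stack on the wire, or None if not sent."""
    vid, inner = frame
    if port.link_type == "access":
        return inner if vid == port.pvid else None   # tag removed on the way out
    if vid not in port.permitted:
        return None
    # Trunk: untagged only for the PVID. Hybrid: untagged for configured VLANs.
    return inner if vid in port.untagged else [vid] + inner


def forward(in_port: Port, tags: List[int], out_port: Port) -> Optional[List[int]]:
    """Run a frame through one ingress port and one egress port."""
    frame = ingress(in_port, tags)
    return None if frame is None else egress(out_port, frame)


# Constructed sample ports (assumed values, not from the page).
ACCESS10 = Port("access", pvid=10)
TRUNK = Port("trunk", pvid=10, permitted={10, 20, 30})
TRUNK_BAD_PVID = Port("trunk", pvid=99, permitted={10, 20})
HYBRID = Port("hybrid", pvid=2, permitted={3}, untagged={2})


def demo() -> dict:
    """Exercise each rule; keys name the scenario, values are wire tag stacks."""
    hop = forward(ACCESS10, [10, 20], TRUNK)     # outer tag 10 stripped at egress
    return {
        "access_untagged_to_trunk": forward(ACCESS10, [], TRUNK),        # []
        "access_tagged_mismatch_dropped": forward(ACCESS10, [20], TRUNK),  # None
        "trunk_tagged20_to_trunk": forward(TRUNK, [20], TRUNK),          # [20]
        "trunk_tagged40_dropped": forward(TRUNK, [40], TRUNK),           # None
        "trunk_pvid_not_permitted": forward(TRUNK_BAD_PVID, [], TRUNK),  # None
        "hybrid_vlan2_untagged": forward(HYBRID, [], HYBRID),            # []
        "hybrid_vlan3_tagged": forward(HYBRID, [3], HYBRID),             # [3]
        "double_tag_hop": hop,                                           # [20]
        "double_tag_next_hop": ingress(TRUNK, hop),                      # (20, [])
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last two entries show why the PVID of a Trunk interface deserves attention: the double-tagged frame is accepted by the Access interface because its outer tag equals the PVID, the Trunk removes that outer tag on egress, and the neighbouring Trunk then classifies the frame into VLAN 20 from the inner tag. The usual countermeasure is to give trunks a PVID that is not used for any user VLAN and is not on the permit list of the downstream ports, so that an untagged frame arriving on the trunk has nowhere to go.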

Other related questions:
The USG firewall configures the SSL VPN port for forwarding
The port forwarding service is a secure-access feature for TCP-based, non-Web applications. It controls user access at the application level, so the availability of each application's service can be controlled per user. Before configuration, ensure that the license file has been loaded and that the USG can reach the internal network resources.
Configuration steps:
1. On the USG, create a virtual gateway; external users reach the enterprise network resources through this virtual gateway.
2. Configure the DNS server address and the domain name of the internal network so that users can access the virtual gateway's service by domain name.
3. Configure the port forwarding function.
4. Configure the server and add the users who need access to the relevant groups.
5. Configure the authentication and authorization function on the firewall.
6. Configure a group policy that allows the group's users to access the associated server.
7. Configure a user destination IP policy to prevent users from accessing other intranet resources.

Method used to enable the fast forwarding function of L2 interfaces on USG firewalls
The method used to enable the fast forwarding function of L2 interfaces on USG firewalls is as follows: in the system view, run the l2fwdfast enable command to enable the fast forwarding function of an L2 interface.
  <USG> system-view
  [USG] l2fwdfast enable

How do I configure hybrid interface of S series switch
Example for configuring a VLAN for a hybrid interface on S series switches (except S1700 switches). A hybrid interface can connect to either a user host or a switch.
  [HUAWEI] vlan 2                                          //Create a VLAN.
  [HUAWEI] interface gigabitethernet0/0/2
  [HUAWEI-GigabitEthernet0/0/2] port link-type hybrid      //Set the link type of the interface to hybrid.
  [HUAWEI-GigabitEthernet0/0/2] port hybrid untagged vlan 2  //Configure VLAN 2 to send data in untagged mode.
  [HUAWEI-GigabitEthernet0/0/2] port hybrid pvid vlan 2    //(Optional) Specify VLAN 2 as the default VLAN (default value: VLAN 1).
  [HUAWEI-GigabitEthernet0/0/2] port hybrid tagged vlan 3  //Configure VLAN 3 to send data in tagged mode.

Why inner tags are removed when the VLAN-Mapping transparently transmits double-tagged packets after the VLAN-Stacking is configured
In S2752, S3752, and S5752EI V100R003 and later versions, after VLAN-Stacking and VLAN-Mapping are configured on outbound ports, inner tags are removed when double-tagged packets are transparently transmitted across chips, which interrupts services. When configuring this, place the two forwarding ports on the same chip.

Whether USG firewalls support VLAN communications through L3 subinterfaces
The USG firewalls support VLAN communications through L3 subinterfaces.
