Method used to configure VLAN communications through L3 subinterfaces on USG firewalls

To enable different VLANs to communicate with each other, you can connect each VLAN to a different interface of an L3 device, so that a router can exchange data between the VLANs. However, this method wastes the limited physical interface resources of the device. Ethernet subinterfaces address this issue. Currently, Ethernet subinterfaces can be configured on Ethernet interfaces and Eth-Trunk interfaces.
By configuring multiple subinterfaces on one physical interface, each corresponding to a different VLAN, a single physical interface can enable different VLANs to communicate with each other.
The method for enabling VLANs to communicate with each other through L3 subinterfaces is only applicable to the scenario in which hosts in each VLAN are in different network segments. If hosts in a VLAN are in the same network segment, you can configure L2 subinterfaces to enable VLANs to communicate with each other.
To configure VLAN communications through L3 subinterfaces, perform the following steps:
1. Run the system-view command to enter the system view.
2. Run the interface interface-type interface-number.subinterface-number command to create a subinterface and enter the subinterface view.
3. Run the vlan-type dot1q vlan-id command to configure the encapsulation type and associated VLAN ID for the subinterface.
4. Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP address for the subinterface.
The IP addresses of the subinterface and the main interface can be in the same network segment, but the subnet masks of the subinterface and the main interface must be different.
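
The check below is an added example, not Huawei's code or part of the original article. It audits a subinterface configuration for two conditions this method relies on: each L3 subinterface sits in its own network segment, and each VLAN ID is terminated by only one subinterface of a physical port. The sample configuration is constructed, and the parser assumes the prompt-prefixed command style used on this page.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the page's CLI style (not captured from a real device).
SAMPLE = """\
[USG] interface GigabitEthernet1/0/3.1
[USG-GigabitEthernet1/0/3.1] vlan-type dot1q 10
[USG-GigabitEthernet1/0/3.1] ip address 10.3.1.1 255.255.255.0
[USG] interface GigabitEthernet1/0/3.2
[USG-GigabitEthernet1/0/3.2] vlan-type dot1q 20
[USG-GigabitEthernet1/0/3.2] ip address 10.3.1.1 255.255.255.0
[USG] interface GigabitEthernet1/0/3.3
[USG-GigabitEthernet1/0/3.3] vlan-type dot1q 20
[USG-GigabitEthernet1/0/3.3] ip address 10.3.3.1 24
"""

def parse_subinterfaces(text):
    """Map each subinterface to its dot1q VLAN ID and IP network (None if unset)."""
    subs, cur = {}, None
    for raw in text.splitlines():
        # Drop the "[USG-...]" prompt and any trailing "//" comment.
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw).split("//")[0].strip()
        if m := re.fullmatch(r"interface (\S+\.\d+)", line):
            cur = subs.setdefault(m.group(1), {"vlan": None, "net": None})
        elif line.startswith("interface ") or line == "quit":
            cur = None  # left the subinterface view
        elif cur is not None and (m := re.fullmatch(r"vlan-type dot1q (\d+)", line)):
            cur["vlan"] = int(m.group(1))
        elif cur is not None and (m := re.match(r"ip address (\S+) (\S+)", line)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return subs

def audit(text):
    """Return findings for VLAN IDs reused on one port and shared network segments."""
    findings, by_vlan, by_net = [], defaultdict(list), defaultdict(list)
    for name, cfg in parse_subinterfaces(text).items():
        if cfg["vlan"] is None:
            findings.append(f"{name}: no vlan-type dot1q configured")
        else:
            by_vlan[(name.rsplit(".", 1)[0], cfg["vlan"])].append(name)
        if cfg["net"] is not None:
            by_net[cfg["net"]].append(name)
    for (_, vlan), names in by_vlan.items():
        if len(names) > 1:
            findings.append(f"VLAN {vlan} reused on {', '.join(names)}")
    for net, names in by_net.items():
        if len(names) > 1:
            findings.append(f"{net} shared by {', '.join(names)}")
    return findings
```

Calling audit(SAMPLE) reports the VLAN 20 reuse and the 10.3.1.0/24 segment shared by subinterfaces 1 and 2.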

Other related questions:
Whether USG firewalls support VLAN communications through L3 subinterfaces
The USG firewalls support VLAN communications through L3 subinterfaces.

Method used to configure VLAN communications through L2 subinterfaces on USG firewalls
You can configure subinterfaces for L2 Ethernet interfaces and L2 Eth-Trunk interfaces. The system can forward traffic between different VLANs by terminating the VLAN at the subinterface. You can configure VLAN communications through L2 subinterfaces as follows:
1. Run the system-view command to enter the system view.
2. Switch the L3 Ethernet interface mode to the L2 Ethernet interface mode.
   a. Run the interface interface-type interface-number command to enter the interface view.
   b. Run the portswitch command to switch the L3 Ethernet interface mode to the L2 Ethernet interface mode.
   c. Run the quit command to return to the system view.
3. Create an L2 subinterface.
   a. Run the interface interface-type interface-number.subinterface-number command to create a subinterface and enter the subinterface view.
   b. Run the vlan-type dot1q vlan-id command to configure the encapsulation type and the homed VLAN ID for the subinterface. Traffic of subinterfaces of a physical port is distinguished based on VLANs. Each subinterface receives or forwards packets of only the homed VLAN.
   c. Run the portswitch command to set the subinterface to an L2 subinterface.
   d. Run the quit command to return to the system view.
   e. Repeat the preceding steps to create multiple L2 subinterfaces.
4. Add all L2 subinterfaces created in step 3 to the same VLAN, so that VLANs connected to these subinterfaces can communicate with each other.
   a. Run the vlan vlan-id command to create a VLAN and enter the VLAN view.
   b. Run the port interface-type interface-number.subinterface-number command to add the L2 subinterfaces created in step 3 to the same VLAN. Once these subinterfaces, which belong to different VLANs, are added to the same VLAN, they can communicate with each other.

Whether USG firewalls support VLAN communications through L2 subinterfaces
The USG firewalls support VLAN communications through L2 subinterfaces.

Method used to configure the router-on-a-stick on USG firewalls

The router-on-a-stick can address the issue of limited physical interface resources. By configuring multiple subinterfaces on one physical interface, each corresponding to a different VLAN, a single physical interface can enable different VLANs to communicate with each other. For example, you can configure the router-on-a-stick on the USG2000, USG5000, and USG6000 as follows:
[USG] interface GigabitEthernet1/0/3.1 //Configure subinterface 1.
[USG-GigabitEthernet1/0/3.1] vlan-type dot1q 10 //Terminate VLAN 10.
[USG-GigabitEthernet1/0/3.1] ip address 10.3.1.1 255.255.255.0 //Configure the IP address for the subinterface.
[USG-GigabitEthernet1/0/3.1] quit
[USG] interface GigabitEthernet1/0/3.2 //Configure subinterface 2.
[USG-GigabitEthernet1/0/3.2] vlan-type dot1q 20 //Terminate VLAN 20.
[USG-GigabitEthernet1/0/3.2] ip address 10.3.2.1 255.255.255.0 //Configure the IP address for the subinterface (example value, in a different network segment from subinterface 1).


Method used to configure the L2TP-based access to the L3 VPN on the USG2000 and USG5000
The method used to configure the L2TP-based access to the L3 VPN on the USG2000 and USG5000 is as follows:
Most carriers adopt the MPLS VPN networking. However, the MPLS VPN cannot satisfy special requirements. For example:
a. A user is served by a VPN and needs to access resources in another VPN.
b. The carrier provides a shared LNS to enterprise users who use the MPLS VPN. Mobile users of the enterprise access the enterprise intranet over the LNS. The LNS is shared by multiple enterprise users. Therefore, the LNS needs to connect different users to their corresponding VPNs.
Procedure
1. Configure the LAC.
   a. Set the user name and password.
   b. Create two zones.
   c. Configure the domain name suffix separator.
      [LAC] l2tp domain suffix-separator @
   d. Create the virtual interface template and bind it with the interface.
   e. Set two L2TP groups and configure the related attributes.
2. Configure the LNS.
   a. Create two VPN instances vpna and vpnb.
   b. Configure an interface connected to enterprise network A, and bind the interface with vpna.
   c. Configure an interface connected to enterprise network B, and bind the interface with vpnb.
   d. Create the authentication scheme.
   e. Configure the RADIUS template.
   f. Configure the domain name suffix separator.
      [LNS] l2tp domain suffix-separator @
   g. Create two Virtual-Template templates bound with vpna and vpnb.
   h. Create two zones and bind the zones to the corresponding virtual templates and address pools.
   i. Create two L2TP groups.
