Can untagged packets be forwarded in L2VPN


When the switch connects to L2VPN through a main interface, packets can be forwarded through this interface. If the switch connects to L2VPN through a sub-interface or VLANIF interface, packets can be forwarded only when they carry the correct VLAN ID. If packets are untagged or carry incorrect VLAN IDs, they are dropped at the AC-side interface.

Other related questions:
Can the switch add double VLAN tags to untagged packets
The switch running V200R003 and a later version can add double VLAN tags to untagged packets, but the S5700EI and S5700SI do not support this function.

IPSec packet forwarding flow on the USG5000
In the NGFW processing flow, the IPSec processing is after the NAT, route, and security policy processing, so that the firewall does not process, based on NAT policies, packets protected by the IPSec policies, and these packets can be delivered, by matching routes and security policies, to the interface that adopts the IPSec security policy. The specific requirements are as follows:
1. Packets arriving at the NGFW cannot match the server map table or reversed server map table established by the NAT server. Otherwise, destination addresses in the packets are translated.
2. Packets arriving at the NGFW cannot match the destination NAT policies. Otherwise, destination addresses in the packets are translated.
3. A route (generally the default route) destined for the IKE peer private network must exist in the routing table. The outbound interface of the route must apply the IPSec policies. If no route is matched, the packets are discarded; if the outbound interface matching the route does not apply the IPSec policies, the packets cannot be delivered to the IPSec processing module but are sent in plain text.
4. Generally, the IPSec VPN data flow is transmitted between zones. Therefore, the inter-zone packet filter function between the source zone (where the intranet interface resides) and the destination zone (where the external network interface that applies the IPSec policies resides) must be enabled. Otherwise, the packets are discarded.
5. The source NAT for the packets that pass the inter-zone packet filter policy check is optional. When the packets match the inter-zone NAT policies of the source NAT, the source addresses in the packets are translated. The source IP addresses after the translation are used to match the security ACL rules. The packets that do not match the inter-zone NAT policies are directly delivered to the IPSec processing module.
6. The packets arriving at the IPSec processing module can only be protected when they match the security ACL rules. Otherwise, the packets are discarded.
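
The six requirements above can be read as a decision pipeline. The following Python model is an added example, not Huawei code or device output: it checks the requirements in the listed order as a simplification, and every name in it (`classify`, `CFG`, the interface names, zones and addresses) is an assumption constructed for illustration.

```python
import ipaddress

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def classify(cfg, src, dst, src_zone):
    """Walk one outbound packet through requirements 1-6 and return its fate."""
    # 1 and 2: a NAT server map or destination NAT match rewrites the destination.
    if dst in cfg["server_map"] or any(in_net(dst, n) for n in cfg["dnat"]):
        return "destination translated"
    # 3: longest-prefix route lookup; the outbound interface must apply IPSec.
    hits = [p for p in cfg["routes"] if in_net(dst, p)]
    if not hits:
        return "discarded: no route"
    best = max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)
    out_if = cfg["routes"][best]
    if out_if not in cfg["ipsec_ifaces"]:
        return "sent in plain text"
    # 4: inter-zone packet filter between the source zone and the interface's zone.
    if (src_zone, cfg["iface_zone"][out_if]) not in cfg["permit"]:
        return "discarded: packet filter"
    # 5: optional source NAT; the translated source is what the security ACL sees.
    for net, new_src in cfg["snat"].items():
        if in_net(src, net):
            src = new_src
            break
    # 6: only flows matching the security ACL are protected.
    if any(in_net(src, s) and in_net(dst, d) for s, d in cfg["acl"]):
        return "protected by IPSec"
    return "discarded: no security ACL match"

# Constructed sample configuration (addresses, zones and interface names are made up).
CFG = {
    "server_map": {"203.0.113.10"},
    "dnat": ["198.51.100.0/24"],
    "routes": {"0.0.0.0/0": "wan0", "10.2.0.0/16": "wan1"},
    "ipsec_ifaces": {"wan0"},
    "iface_zone": {"wan0": "untrust", "wan1": "untrust"},
    "permit": {("trust", "untrust")},
    "snat": {"10.1.9.0/24": "192.0.2.1"},
    "acl": [("10.1.0.0/16", "10.3.0.0/16")],
}

if __name__ == "__main__":
    for src, dst, zone in [("10.1.1.5", "10.3.0.7", "trust"),
                           ("10.1.1.5", "10.2.0.7", "trust"),
                           ("10.1.9.5", "10.3.0.7", "trust"),
                           ("10.1.1.5", "10.3.0.7", "dmz")]:
        print(src, "->", dst, f"({zone}):", classify(CFG, src, dst, zone))
```

The second and third sample flows show the two outcomes that are easiest to miss in a review: a more specific route through an interface without an IPSec policy sends the traffic in plain text, and a source NAT match changes the address so the security ACL no longer matches.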

Which status do MSTP interfaces of an AR router have and how do they process packets
MSTP interface status:
- Forwarding: In this state, an interface forwards user traffic. Only the root interface or a specified interface can be in this state.
- Learning: This is a transitional state. In this state, a switch will build a MAC address table according to the user traffic it receives (but not forward the user traffic). That is why this state is referred to as a learning state.
- Discarding: In this state, an interface blocks packets and does not learn MAC addresses.
