Configuring a Layer-3 Ethernet Interface

Procedure

1. Choose Network > Interface.
2. Click in the same line as the interface to be configured.

   

3. Set the following Ethernet interface parameters.

   Parameter	Description
   Interface Name	Interface type and number. The parameter cannot be modified.
   Alias	Another interface name specified by an administrator. An alias name appears in parentheses next to an interface name but does not appear in logs.
   Virtual System	Name of a virtual system for an interface. The virtual system must exist on the device. This parameter can only be set when Mode is set to Route.
   Zone	Security zone to which an interface is to be assigned. You can directly add an interface to an existing security zone. If the desired security zone does not exist, create one and add the interface to the created security zone.
   Mode	Working mode of the subinterface which works at Layer-3: Route.
   IPv4
   Connection Type	Method used by the interface to obtain an IPv4 address in routing mode. This parameter can only be set when Mode is set to Route. Perform one of the following steps to set a connection type: Static IP: specifies an IPv4 address for the interface. For information about static IP address parameters, see Table 1. DHCP: allows the interface to run DHCP to automatically obtain an IPv4 address. PPPoE: allows the interface to obtain an IPv4 address through PPP negotiation. For PPPoE parameters, see Table 2. NOTE: When the device functions as a PPPoE client (dual-stack access), the configuration of the PPPoE user will be modified accordingly because dual-stack configuration delivery requires the same user.
   Multi-Egress Options	After you select Multi-Egress Options, the interface will function as an intelligent uplink selection member interface. For details on intelligent uplink selection, see Intelligent Uplink Selection.
   Carrier	Select the name of the ISP directly connected to the interface. Selecting the ISP of the interface equals to binding an interface to an ISP interface group.
   Default Route	After you select this option, the FW will generate a default route in its routing table.A default route is a special static route. When the destination address of a data packet does not match any routing table of the FW, the FW will use the default route to forward the data packet. Both the destination network address and the subnet mask of the default route are 0.0.0.0.If the interface serves as an intranet interface and has the sticky load balancing function enabled, the default route must be canceled. Otherwise, the interface cannot access extranets. By default, this function is enabled.
   Carrier Route	After you enable the ISP route function, the FW will generate static routes in a batch to the ISP network. In the generated static routes, the destination is an IP address in the ISP address file, and the next hop is the gateway address specified on the outbound interface. These static routes are called ISP routes. They have the same priority as common static routes, and the default priority is 60. Choose Network > Router > Routing Table. You can view the generated ISP route entries.
   Sticky load balancing	In the multi-ISP load balancing NAT server scenario, the FW looks up the routing table for an outgoing interface to send the return traffic from a server. As a result, the return traffic from the server may take a path on ISP2, although the request to the server takes a link on ISP1. The inconsistent forward and return paths may slow down or even interrupt services. To resolve this issue, configure the sticky load balancing function on the incoming interface of ISP1.The FW uses the incoming interface of the forward packets as the outgoing interface of return packets instead of looking up the routing table. NOTE: When enabling sticky load balancing on an Ethernet interface and its sub-interfaces, an Eth-Trunk interface and its sub-interfaces, a VLANIF interface, or a VXLAN interface, you must also specify the next hop. You do not need to specify the next hop on the dialer interface and tunnel interface. The priority of direct routes is higher than that of the sticky load balancing function. The device preferentially forwards response packets based on direct routes even if the sticky load balancing function is configured. If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by default. In case of non-equal-cost routes, the sticky load balancing function is disabled by default, and you need to enable the function.
   Health Check	Apply the health check to the interface.
   IPv6
   IPv6	Enable the IPv6 capability on the specified interface. Enabling IPv6 is a prerequisite for using IPv6 functions. Choose Dashboard > Device Information and enable IPv6 globally to allow the FW to forward IPv6 packets.
   Connection Type	Method used by the interface to obtain an IPv6 address in routing mode. Static IP: manually specifies an IPv6 address for the VLAN interface. For static IP address parameter descriptions, see Table 3. PPPoE: uses PPP negotiation to obtain an IPv6 address. For PPPoE parameter descriptions, see Table 4. NOTE: When the device functions as a PPPoE client (dual-stack access), the configuration of the PPPoE user will be modified accordingly because dual-stack configuration delivery requires the same user. ND-RA: uses ND-RA to obtain an IPv6 address.
   Static Neighbor	Static neighbor address for a VLAN interface. This setting allows a neighbor relationship to be established and enables a device to resolve the neighbor IPv6 address into a data link layer address.
   Multi-Egress Options	After selecting Multi-Egress Options, you can enable Sticky load balancing.
   Sticky Load Balancing	In the multi-ISP load balancing scenario, the FW looks up the routing table for an outgoing interface to send the return traffic from a server. As a result, the return traffic from the server may take a path on ISP2, although the request to the server takes a link on ISP1. The inconsistent forward and return paths may slow down or even interrupt services. To resolve this issue, configure the sticky load balancing function on the incoming interface of ISP1. The FW uses the incoming interface of the forward packets as the outgoing interface of return packets instead of looking up the routing table. NOTE: When enabling sticky load balancing on an Ethernet interface and its sub-interfaces, an Eth-Trunk interface and its sub-interfaces, a VLANIF interface, or a VXLAN interface, you must also specify the next hop. You do not need to specify the next hop on the dialer interface and tunnel interface. The priority of direct routes is higher than that of the sticky load balancing function. The device preferentially forwards response packets based on direct routes even if the sticky load balancing function is configured. If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by default. In case of non-equal-cost routes, the sticky load balancing function is disabled by default, and you need to enable the function.
   Interface Bandwidth
   Ingress Bandwidth	Maximum bandwidth for inbound traffic on the interface.
   Egress Bandwidth	Maximum bandwidth for outbound traffic on the interface.
   Overload Protection Threshold	Bandwidth usage of the link. After you select Multi-Egress Options, you can set overload protection thresholds for the inbound and Egress Bandwidths of the interface. If an interface is overloaded, the interface no longer participates in intelligent uplink selection.
   Access Management
   Access Management	This function allows an administrator to access a FW using HTTP, HTTPS, ping, SSH, SNMP, NETCONF, or Telnet. Interface access control takes precedence over security policies. This means that an administrator can use an access control-enabled interface to access a FW even if no security policy is configured for communication between the zone of the interface and a local zone. By default, the management interface (GigabitEthernet 0/0/0) allows HTTP, HTTPS, ping. access to a FW, and a non-management interface denies HTTP, HTTPS, ping, SSH, SNMP, NETCONF, or Telnet. access to a FW. This parameter can only be set when Mode is set to Route. HTTP: allows an administrator to use the web browser (HTTP) to access a device through a VLAN interface. If HTTP is not selected, the interface discards HTTP packets after receiving them. This parameter takes effect only after the HTTP service is enabled. HTTPS: allows an administrator to use the web browser (HTTPS) to access a device through a VLAN interface. If HTTPS is not selected, the interface discards HTTPS packets after receiving them. This parameter takes effect only after the HTTPS service is enabled. Ping: allows an interface to respond to ping requests. A ping checks interface connectivity. If Ping is not selected, the ping function is disabled. SSH: allows an administrator to use SSH to access a device. If SSH is not selected, the interface discards SSH packets after receiving them. Telnet: allows an administrator to use Telnet to access a device. If Telnet is not selected, the interface discards them after receiving them. SNMP: allows administrators to use an SNMP NMS to access a device. If SNMP is not selected, the interface discards SNMP packets after receiving them. NETCONF: allows an administrator to use NETCONF NMS to access a device. If NETCONF is not selected, the interface discards NETCONF packets after receiving them.
   Advanced
   Negotiation	If you deselect this parameter, the interface is disabled from working in auto-negotiation mode. Disable the interface from working in auto-negotiation mode before you configure the interface rate and duplex mode. This configuration takes effect on the Ethernet electrical interface. Only MEth, GE, and WAN interfaces support this function.
   Speed	Transmission rate of the Ethernet interface: 10M: 10 Mbit/s 100M: 100 Mbit/s 1000M: 1000 Mbit/s The transmission rate of an Ethernet interface must be the same as that on the peer end. Only MEth, GE, and WAN interfaces support this function.
   Duplex	Working mode of the Ethernet interface: Half: enables the interface to work in half-duplex mode. An interface works in half-duplex mode can only send or receive data packets at the same time. Full: enables the interface to work in full-duplex mode. An interface works in full-duplex mode can send and receive data packets at the same time. The working mode of an Ethernet interface must be the same as that on the peer end. This parameter is required only when Speed is set to 10M or 100M. Only MEth, GE, and WAN interfaces support this function.
   IPv4 MTU IPv6 MTU	Maximum transmission unit of the interface. After the MTU of an interface is modified, you need to restart the interface to validate the MTU. This parameter can only be set when Mode is set to Route.
   Strict ARP Learning	Enable the strict Address Resolution Protocol (ARP) learning.

   Table 1 Static IPv4 address parameters

   Parameter	Description
   IP Address	IPv4 address of an interface. The value must be different from IPv4 addresses of other interfaces on the same device or other devices on the same network.
   Default Gateway	IP address of the default gateway of an interface. The default gateway must be on the same network segment as the IPv4 address of the interface. This setting allows the device to generate a default IPv4 route, in which the current interface functions as an outbound interface, and the default gateway functions as a next hop.
   Preferred DNS server	IP address of the preferred DNS server. The configurations completed here will be automatically synchronized to Transparent DNS Proxy in Network > DNS > DNS. NOTE: The DNS server bound to an interface is used only in DNS transparent proxy. You must set a global DNS server for the device to access domain names.
   Alternate DNS server	IP address of the alternate DNS server. The configurations completed here will be automatically synchronized to Transparent DNS Proxy in Network > DNS > DNS. NOTE: The DNS server bound to an interface is used only in DNS transparent proxy. You must set a global DNS server for the device to access domain names.

   Table 2 IPv4 PPPoE parameters

   Parameter	Description
   User Name	User name for PPPoE dial-up. The user name is provided by an ISP.
   Password	Password for PPPoE dial-up. The password is provided by an ISP.
   Online Mode	PPPoE dial-up mode: Always Online: A device automatically attempts to dial up to a peer end once a physical link connected to the peer end is Up. If the dial-up connection attempt fails, the device automatically re-attempts to dial up at specified intervals. Automatic dial-up applies when the traffic volume and online duration are not restricted, such as with the yearly-payment service. Automatic disconnection after an idle period: A device sets up a link only when there is data to be transmitted. If an established PPPoE link has no traffic to transmit and the specific link idle period elapses, the device disconnects the PPPoE link. This dial-up mode applies when the traffic volume and online duration are set, such as with the payment-by-traffic service. The payment-by-traffic service allows a specified amount of traffic to be transmitted within a specified period. If you select Automatic disconnection after an idle period, you must also specify a link idle period.
   Obtain an IP Address Automatically	Obtain an IPv4 address that a PPPoE server assigns after negotiating with a PPPoE client on a PPP link. The IPv4 address to be assigned must be specified on the PPPoE server.
   Use the Following IP Address	Set an IPv4 address statically. This method requires the input of an IPv4 address in IP Address. The IPv4 address must be one that a PPPoE server can assign.

   Table 3 Static IPv6 address parameters

   Parameter	Description
   IPv6 Address	IPv6 address of an interface. The IPv6 address must be unique on a network.
   Advertising RA Messages	Enable a device to periodically advertise RA messages, which contain the prefix option and flag bits, to announce the existence of the device.

   Table 4 IPv6 PPPoE parameters

   Parameter	Description
   User Name	User name for PPPoE dial-up. The user name is provided by an ISP.
   Password	Password for PPPoE dial-up. The password is provided by an ISP.
   Online Mode	PPPoE dial-up mode: Always Online: A device automatically attempts to dial up to a peer end once a physical link connected to the peer end is Up. If the dial-up connection attempt fails, the device automatically re-attempts to dial up at specified intervals. Automatic dial-up applies when the traffic volume and online duration are not restricted, such as with the yearly-payment service. Automatic disconnection after an idle period: A device sets up a link only when there is data to be transmitted. If an established PPPoE link has no traffic to transmit and the specific link idle period elapses, the device disconnects the PPPoE link. This dial-up mode applies when the traffic volume and online duration are set, such as with the payment-by-traffic service. The payment-by-traffic service allows a specified amount of traffic to be transmitted within a specified period. If you select Automatic disconnection after an idle period, you must also specify a link idle period.

4. Click OK.