
Configuring the Tunnel Interface

Tunnel interfaces enable packet encapsulation and forwarding through tunnels.

Context

A tunnel interface is a logical interface for packet encapsulation. By default, tunnel interfaces created through the Web UI use IPSec encapsulation only, so they support only IPSec tunnels. GRE is another common encapsulation protocol. When you configure GRE through the Web UI, tunnel interfaces are created and configured automatically. For details, see Configuring GRE Using the Web UI.

Procedure

  1. Choose Network > Interface.
  2. Click Add.

  3. Set tunnel interface parameters.

    Parameter

    Description

    Interface Name

    Another name specified for the tunnel interface, facilitating memorization and identification.

    Type

    Type of the interface to be created.

    Select Tunnel when you need to create a tunnel interface.

    Virtual System

    Name of a virtual system for an interface.

    The virtual system must exist on the device.

    This parameter can only be set when Mode is set to Route.

    Zone

    Security zone to which the interface is to be assigned.

    You can assign an interface to an existing security zone or create a security zone and assign the interface to it.

    IPv4

    IP Address/Mask

    This parameter is available when Configure an IP address is selected.

    The IP addresses of the tunnel interfaces on the two ends of the IPSec tunnel must be reachable.

    WAN Interface

    This parameter is available when Borrow the IP address of a WAN interface is selected.

    The interface type can be GigabitEthernet, XGigabitEthernet, 40GE, 100GE, Eth-Trunk, VLANIF, or loopback.

    Multi-Egress Options

    After you select Multi-Egress Options, the interface will function as an intelligent uplink selection member interface. For details on intelligent uplink selection, see Intelligent Uplink Selection.

    Sticky load balancing

    The FW uses the incoming interface of the forward packets as the outgoing interface of return packets instead of looking up the routing table.
    NOTE:

    If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by default. In case of non-equal-cost routes, the sticky load balancing function is disabled by default, and you need to enable the function.

    IPv6

    IPv6

    Enable the IPv6 capability on the specified interface.

    Enabling IPv6 is a prerequisite for using IPv6 functions. Choose Dashboard > Device Information and enable IPv6 globally to allow the FW to forward IPv6 packets.

    IPv6 Address

    IPv6 address of an interface.

    The IPv6 address must be unique on a network.

    Multi-Egress Options

    After selecting Multi-Egress Options, you can enable Sticky load balancing.

    Sticky load balancing

    In the multi-ISP load balancing scenario, the FW looks up the routing table for an outgoing interface to send the return traffic from a server. As a result, the return traffic from the server may take a path on ISP2, although the request to the server takes a link on ISP1. The inconsistent forward and return paths may slow down or even interrupt services. To resolve this issue, configure the sticky load balancing function on the incoming interface of ISP1. The FW uses the incoming interface of the forward packets as the outgoing interface of return packets instead of looking up the routing table.
    NOTE:

    When enabling sticky load balancing on an Ethernet interface and its sub-interfaces, an Eth-Trunk interface and its sub-interfaces, a VLANIF interface, or a VXLAN interface, you must also specify the next hop. You do not need to specify the next hop on a dialer interface or a tunnel interface.

    The priority of direct routes is higher than that of the sticky load balancing function. The device preferentially forwards response packets based on direct routes even if the sticky load balancing function is configured.

    If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by default. In case of non-equal-cost routes, the sticky load balancing function is disabled by default, and you need to enable the function.

    Interface Bandwidth

    Ingress Bandwidth

    Maximum bandwidth for inbound traffic on the interface.

    Egress Bandwidth

    Maximum bandwidth for outbound traffic on the interface.

    Overload Protection Threshold

    Bandwidth usage of the link.

    After you select Multi-Egress Options, you can set overload protection thresholds for the ingress and egress bandwidths of the interface. If an interface is overloaded, the interface no longer participates in intelligent uplink selection.

    Access Management

    Access Management

    This function allows an administrator to access an FW using HTTP, HTTPS, ping, SSH, SNMP, NETCONF, or Telnet. Interface access control takes precedence over security policies. This means that an administrator can use an access control-enabled interface to access an FW even if no security policy is configured for communication between the zone of the interface and a local zone.

    This parameter can only be set when Mode is set to Route.
    • HTTP: allows an administrator to use the web browser (HTTP) to access a device through a VLAN interface. If HTTP is not selected, the interface discards HTTP packets after receiving them. This parameter takes effect only after the HTTP service is enabled.
    • HTTPS: allows an administrator to use the web browser (HTTPS) to access a device through a VLAN interface. If HTTPS is not selected, the interface discards HTTPS packets after receiving them. This parameter takes effect only after the HTTPS service is enabled.
    • Ping: allows an interface to respond to ping requests. A ping checks interface connectivity. If Ping is not selected, the ping function is disabled.
    • SSH: allows an administrator to use SSH to access a device. If SSH is not selected, the interface discards SSH packets after receiving them.
    • Telnet: allows an administrator to use Telnet to access a device. If Telnet is not selected, the interface discards Telnet packets after receiving them.
    • SNMP: allows administrators to use an SNMP NMS to access a device. If SNMP is not selected, the interface discards SNMP packets after receiving them.
    • NETCONF: allows an administrator to use a NETCONF NMS to access a device. If NETCONF is not selected, the interface discards NETCONF packets after receiving them.

    By default, the management interface (GigabitEthernet 0/0/0) allows HTTP, HTTPS, and ping access to an FW, and a non-management interface denies HTTP, HTTPS, ping, SSH, SNMP, NETCONF, and Telnet access to an FW.

  4. Click OK.

    If the operation succeeds, Interface List displays the new tunnel interface.

    Repeat the preceding steps to create other tunnel interfaces.
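
Because interface access control takes precedence over security policies, the Access Management selections made in step 3 are worth auditing after interfaces are created. The following Python code is an added example, not Huawei code: it checks a constructed interface inventory against the defaults and the HTTP/HTTPS service dependency described in the Access Management rows. The inventory layout, the names Tunnel1 and Tunnel2, and all function names are assumptions; treating HTTP and Telnet as cleartext is general protocol knowledge rather than a statement from this page.

```python
# Added example: audit Access Management selections (inventory is constructed).
ALL_SERVICES = {"http", "https", "ping", "ssh", "snmp", "netconf", "telnet"}
CLEARTEXT = {"http", "telnet"}             # no transport encryption
MGMT_DEFAULT = {"http", "https", "ping"}   # default on the management interface
NEEDS_SERVICE = {"http", "https"}          # effective only if the service is on


def audit_interface(iface, global_services):
    """Return (severity, message) findings for one interface record."""
    enabled = set(iface["access"])
    unknown = enabled - ALL_SERVICES
    if unknown:
        raise ValueError(f"{iface['name']}: unknown service {sorted(unknown)}")
    # A selected HTTP/HTTPS box does nothing while that service is disabled.
    effective = {s for s in enabled
                 if s not in NEEDS_SERVICE or s in global_services}
    # Non-management interfaces deny every service by default.
    baseline = MGMT_DEFAULT if iface["management"] else set()
    findings = []
    for svc in sorted(effective):
        if svc in CLEARTEXT:
            findings.append(("high", f"{svc} is cleartext and reachable"))
        elif svc not in baseline:
            findings.append(("medium", f"{svc} opened beyond the default"))
    for svc in sorted(enabled - effective):
        findings.append(("info", f"{svc} selected but service disabled"))
    if effective and not iface["management"]:
        # Interface access control takes precedence over security policies.
        findings.append(("info", "reachable without a security policy"))
    return findings


def audit(inventory, global_services):
    return {i["name"]: audit_interface(i, global_services) for i in inventory}


INVENTORY = [  # constructed sample data
    {"name": "GigabitEthernet0/0/0", "management": True,
     "access": ["http", "https", "ping"]},
    {"name": "Tunnel1", "management": False, "access": []},
    {"name": "Tunnel2", "management": False,
     "access": ["https", "ping", "telnet"]},
]
GLOBAL_SERVICES = {"https"}  # constructed: HTTPS service on, HTTP service off

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, GLOBAL_SERVICES).items():
        print(name, findings or "OK")
```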

Follow-up Procedure

  • Check the interface status.

    1. Choose Network > Interface.
    2. Check the physical, IPv4, and IPv6 statuses of the interface.

      When a tunnel interface serves as the GRE interface, IPv4/IPv6 is in the UP state only after you configure a source IP address, destination address, and route for the interface.

  • Disable or enable an interface.

    1. Choose Network > Interface.
    2. Disable or enable an interface.

      • Deselect the Enable check box corresponding to an interface to disable it.
      • Select the Enable check box corresponding to an interface to enable it.
Copyright © Huawei Technologies Co., Ltd.