
Configuring a Layer-3 Ethernet Interface

This section describes how to configure a Layer-3 Ethernet interface that supports the routing and forwarding functions.

Basic Layer-3 Ethernet Interface Configuration

A Layer-3 Ethernet interface uses an IPv4 address to connect to an IPv4 network or an IPv6 address to connect to an IPv6 network.

  1. Enter the system view.

    system-view

  2. Enter the view of the specified interface.

    interface interface-type interface-number

  3. Assign an IPv4 address to the interface.

    ip address ip-address { mask | mask-length } [ sub ]

    To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter in the ip address command.

  4. Assign an IPv6 address to the interface.
    1. Enable the IPv6 capability on the interface.

      ipv6 enable

      By default, the IPv6 capability is disabled on the interface.

      Before performing IPv6 configurations in the interface view, enable the IPv6 capability in the interface view.

      To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.

    2. Perform either of the following operations to configure an IPv6 link-local address:

      • To enable the system to automatically generate an IPv6 link-local address, run:

        ipv6 address auto link-local

        This is the recommended way to configure an IPv6 link-local address, because a link-local address is used only for protocol communication between nodes on the same link and is not involved in communication between users.

        If no IPv6 link-local address is specified for an interface, the device automatically generates an IPv6 link-local address for the interface after an IPv6 global unicast address is specified for the interface.

      • To specify an IPv6 link-local address, run:

        ipv6 address ipv6-address link-local

        The prefix of an IPv6 link-local address is FE80::/10.

      Only a single link-local address can be configured on an interface. If you configure multiple link-local addresses on the same interface, only the last configuration takes effect.

    3. Assign a global unicast IPv6 address to the interface.

      ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]

      An EUI-64 address supports the same function as a global unicast address. The difference between the two addresses is as follows:

      • Only the network bits need to be specified for the EUI-64 address, because the host bits are derived from the MAC address of the interface. The prefix length of the network bits in an EUI-64 address must not be longer than 64 bits.
      • A complete 128-bit address needs to be specified for the global unicast address.

      The EUI-64 address and global unicast address can be configured simultaneously or separately. However, IP addresses configured for the same interface cannot be on the same network segment.

  5. Optional: Disable an interface from working in auto-negotiation mode.

    undo negotiation auto

    Only MEth, GE, 10GE, and WAN interfaces support this command. A 10GE interface supports this command only when it has a GE optical module installed.

    By default, an interface works in auto-negotiation mode.

    Before setting the duplex and speed parameters to adjust the duplex mode and rate of an interface, run the undo negotiation auto command to disable the interface from working in auto-negotiation mode.

  6. Optional: Specify a duplex mode.

    duplex { full | half | auto }

    Only MEth, GE, and WAN interfaces support this command.

  7. Optional: Set a working rate.

    speed { 10 | 100 | 1000 }

    Only MEth, GE, and WAN interfaces support this command.

  8. Optional: Set the interface MTU.
    • To set an IPv4 MTU for the interface, run:

      mtu mtu

    • To set an IPv6 MTU for the interface, run:

      ipv6 mtu mtu

    If a packet carries a non-fragment flag and its length exceeds the interface MTU, the FW drops the packet.

  9. Optional: Enable strict ARP entry learning.

    arp learning strict { force-enable | force-disable | trust }
    • If the force-enable keyword is selected, the FW learns ARP entries only from reply packets that respond to ARP request packets it sent itself.
    • If the force-disable keyword is selected, the strict ARP entry learning function on the interface is disabled.
    • If the trust keyword is selected, the strict ARP entry learning function on the interface is disabled and the global ARP entry learning function is enabled.
    Strict ARP entry learning adopts the following longest-match rules:
    • If strict ARP entry learning is configured both on the interface and globally, the configuration on the interface takes precedence.
    • If strict ARP entry learning is not configured on the interface, the global strict ARP entry learning configuration takes effect.

  10. Optional: Configure an interface description.

    description interface-description

  11. Optional: Specify the alias for an interface.

    alias alias

  12. Optional: Set the maximum bandwidth for upstream traffic on the interface.

    bandwidth ingress bandwidth-number

  13. Optional: Set the maximum bandwidth for downstream traffic on the interface.

    bandwidth egress bandwidth-number

  14. Optional: Enable access control on an interface.

    service-manage enable

    By default, access control is enabled on interfaces.

  15. Optional: Allow or block HTTP, HTTPS, Ping, SSH, SNMP, NETCONF, or Telnet access to the FW.

    service-manage { http | https | ping | ssh | snmp | netconf | telnet | all } { permit | deny }

    The service-manage command allows an administrator to manage a FW through a specified interface even if no security policy is enforced for traffic between the Local zone and the security zone to which the interface belongs.

  16. Optional: Restore the access control management function of an interface to the default setting.

    reset service-manage

  17. Optional: Configure the sticky load balancing function.

    redirect-reverse next-hop ipv4-address [ per-packet ]
    ipv6 redirect-reverse next-hop ipv6-address [ per-packet ]

    After this command is configured, the FW directly uses the inbound interface as the outbound interface of the response packet when forwarding the response packet, instead of searching the routing table for an outbound interface.
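Because service-manage grants management access to the FW independently of the security policy (steps 14 to 16), a saved configuration is worth checking for interfaces that permit cleartext management protocols. The following Python audit is an added example, not Huawei code. The sample configuration is constructed, and the configuration layout (interface blocks separated by #), in-order evaluation of permit and deny lines, and the choice of http and telnet as cleartext services are assumptions of the example.

```python
# Added example: audit service-manage settings in a saved configuration.
CLEARTEXT = {"http", "telnet"}  # assumption: services treated as cleartext
SERVICES = {"http", "https", "ping", "ssh", "snmp", "netconf", "telnet"}

# Constructed sample; the addresses are documentation ranges.
SAMPLE = """\
#
interface GigabitEthernet0/0/1
 ip address 192.0.2.1 255.255.255.0
 service-manage enable
 service-manage https permit
 service-manage ssh permit
#
interface GigabitEthernet0/0/2
 ip address 198.51.100.1 255.255.255.0
 service-manage all permit
 service-manage snmp deny
#
interface GigabitEthernet0/0/3
 service-manage telnet permit
 service-manage telnet deny
#
"""

def permitted_services(config_text):
    """Map each interface to the services its service-manage lines permit."""
    result, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            current = None
        elif words[0] == "interface" and len(words) > 1:
            current = "".join(words[1:])
            result[current] = set()
        elif current and words[0] == "service-manage" and words[-1] in ("permit", "deny"):
            named = set(words[1:-1])
            named = SERVICES if "all" in named else named & SERVICES
            # Assumption: lines are applied in order, so a later line wins.
            if words[-1] == "permit":
                result[current] = result[current] | named
            else:
                result[current] = result[current] - named
    return result

def audit(config_text):
    """Return (interface, cleartext services permitted) for each finding."""
    services = permitted_services(config_text)
    return [(name, sorted(svc & CLEARTEXT))
            for name, svc in sorted(services.items()) if svc & CLEARTEXT]

if __name__ == "__main__":
    for name, risky in audit(SAMPLE):
        print(f"{name}: service-manage permits {', '.join(risky)}")
```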

Advanced Layer-3 Ethernet Interface Configuration

A Layer-3 Ethernet interface supports interface flapping control, traffic suppression, and loopback.

  • Interface traffic suppression

    This function enables an interface to suppress broadcast, multicast, and unknown unicast traffic, which facilitates effective bandwidth use.

    The device suppresses traffic based on either of the following parameters:

    • Suppression ratio (ratio): the maximum traffic that an interface can transmit, expressed as a percentage of the interface's transmission capability
    • Packet rate (pps): a maximum number of packets that can be forwarded per second

    When traffic exceeds the specified value, the device discards subsequent packets so that traffic falls back within the specified range, which ensures that services are transmitted properly.

    Perform the following step to configure interface traffic suppression:

    For broadcast traffic suppression and multicast traffic suppression based on packet rates, the granularity of parameter max-pps is 125. For example, if you set max-pps to 5, the actual value is 125. If you set max-pps to 126, the actual value is 250. Other values are rounded up in the same manner.

    The mode of broadcast traffic suppression and multicast traffic suppression of all interfaces on the same LPU must be the same. For example, if traffic suppression based on packet rates is configured for interface GigabitEthernet 0/0/1, you cannot configure traffic suppression based on suppression ratio for interface GigabitEthernet 0/0/2.

    The following formula applies:

    Packet rate (pps) = Interface bandwidth x Suppression ratio/672

    Where,

    • Interface bandwidth: expressed in bit/s.
    • 672 bytes: average packet length (84 x 8). Each packet consists of a 64-byte packet body and 20-byte frame spacing and check information. Each byte contains 8 bits.
  • Ethernet interface loopback

    Loopback helps you check whether an interface works properly.

    Enable loopback.

    loopback

    After confirming that the interface works properly, disable loopback. By default, loopback is disabled.

  • Interface mode switching

    • In the system view, run the set device port-config-mode 100g-port enable command to enable the 100GE interface mode.

      Only the USG6712E/6716E supports this command.

      By default, the 100GE interface mode is disabled. If 100GE interfaces are required, run the set device port-config-mode 100g-port enable command to enable 100GE0/0/0 and 100GE0/0/1. 100GE0/0/0 and 100GE0/0/1 are valid. In this case, XGE0/0/12 to XGE0/0/19, 40GE0/0/2, and 40GE0/0/3 become invalid.

    • In the system view, run the set device port-config-mode 40g-port enable command to enable the 40GE interface mode.

      Only the USG6680E supports this command.

      By default, the 40GE interface mode is disabled. XGE0/0/20 to XGE0/0/27, 40GE0/0/0, and 40GE0/0/1 are valid. In addition, 40GE0/0/2 and 40GE0/0/3 are mutually exclusive with XGE0/0/20 to XGE0/0/27. If more 40GE interfaces are required, run the set device port-config-mode 40g-port enable command to add 40GE0/0/2 and 40GE0/0/3. In this case, XGE0/0/20 to XGE0/0/27 become invalid.

    • In the system view, run the set device port-config-mode [ 10ge | ge ] command to configure the interface mode.

      Only the USG6525E/6555E/6565E/6585E support this command.

      By default, the interface mode is 10GE.
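The traffic suppression rules described under "Interface traffic suppression" above (the max-pps granularity of 125, the ratio-to-pps formula, and the same-mode requirement per LPU) can be checked before a change is applied. The following Python code is an added example, not Huawei code. It assumes the suppression ratio is given in percent, and the LPU labels and the interface-to-LPU mapping in the sample plan are constructed.

```python
from collections import defaultdict

BITS_PER_PACKET = 84 * 8   # 672: (64-byte body + 20 bytes spacing/check) x 8 bits
PPS_GRANULARITY = 125      # granularity of max-pps stated in this section

def effective_max_pps(configured):
    """Value that takes effect for a configured max-pps (next multiple of 125)."""
    if configured <= 0:
        raise ValueError("max-pps must be positive")
    return -(-configured // PPS_GRANULARITY) * PPS_GRANULARITY

def ratio_to_pps(bandwidth_bps, ratio_percent):
    """Packet rate = interface bandwidth x suppression ratio / 672."""
    # Assumption: the ratio is entered in percent and converted to a fraction.
    return bandwidth_bps * ratio_percent / 100 / BITS_PER_PACKET

def mode_conflicts(plan):
    """Return LPUs whose broadcast/multicast suppression modes are mixed.

    plan: iterable of (interface, lpu, traffic_type, mode), mode "pps" or "ratio".
    """
    modes = defaultdict(set)
    for _ifname, lpu, traffic_type, mode in plan:
        if traffic_type in ("broadcast", "multicast"):
            modes[lpu].add(mode)
    return sorted(lpu for lpu, seen in modes.items() if len(seen) > 1)

# Constructed plan; LPU names are hypothetical labels.
SAMPLE_PLAN = [
    ("GigabitEthernet0/0/1", "LPU1", "broadcast", "pps"),
    ("GigabitEthernet0/0/2", "LPU1", "multicast", "ratio"),
    ("GigabitEthernet0/0/3", "LPU2", "broadcast", "ratio"),
]

if __name__ == "__main__":
    pps = ratio_to_pps(1_000_000_000, 1)      # 1 Gbit/s interface at a 1% ratio
    print(f"1% of 1 Gbit/s is about {pps:.2f} pps")
    print("closest max-pps that takes effect:", effective_max_pps(int(pps) + 1))
    print("LPUs with mixed suppression modes:", mode_conflicts(SAMPLE_PLAN))
```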

Follow-up Procedure

  1. Configure the automatic interface disabling function based on the session usage.

  2. Configure the automatic interface disabling function based on the CPU usage.

Copyright © Huawei Technologies Co., Ltd.