Configuring a Management Interface

This section describes how to configure a Management Interface that you use to manage the FW.

Basic Management Interface Configuration

Management Interfaces are either GE0/0/0 or MEth0/0/0 interfaces, and which one is displayed depends on the model. Specifically, the Management Interface is GE0/0/0 on the desktop device and MEth0/0/0 on other models.

A MEth Management Interface is an independent Management Interface and does not support most functions of a service interface. However, the services supported by a GE Management Interface and a service interface are basically the same. It is recommended that Management Interfaces be used only for management. You are not advised to configure services on Management Interfaces.

By default, the IP address of the Management Interface is 192.168.0.1. The interface has been added to the Trust zone, and the HTTP, HTTPS, and Ping permissions are enabled on the Management interface. You can access the device through the Management Interface without configuring any security policy. The HTTP, HTTPS, Telnet, Ping, SSH, NETCONF, and SNMP permissions are disabled on non-Management interfaces.

The VPN instance named default is bound to the Management Interface by default. If you use the Management Interface to ping, STelnet, Telnet, FTP, or SFTP to other PCs or devices, you must specify the vpn-instance default parameter, for example, telnet vpn-instance default 10.2.2.1.

Procedure

  1. Enter the system view.

    system-view

  2. Enter the specified interface view.

    interface interface-type interface-number

  3. Assign an IPv4 address to the interface.

    ip address ip-address { mask | mask-length } [ sub ]

    To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter in the ip address command.

  4. Assign an IPv6 address to the interface.
    1. Enable the IPv6 capability on the interface.

      ipv6 enable

      By default, the IPv6 capability is disabled on the interface.

      Before performing IPv6 configurations in the interface view, enable the IPv6 capability in the interface view.

      To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.

    2. Perform either of the following operations to configure an IPv6 link-local address:

      • To enable the system to automatically generate an IPv6 link-local address, run:

        ipv6 address auto link-local

        This is a recommended way to configure an IPv6 link-local address, because a link-local address is used only for protocol-based communication between nodes on the same link and plays no part in communication between users.

        If no IPv6 link-local address is specified for an interface, the device automatically generates an IPv6 link-local address for the interface after an IPv6 global unicast address is specified for the interface.

      • To specify an IPv6 link-local address, run:

        ipv6 address ipv6-address link-local

        The prefix of an IPv6 link-local address is FE80::/10.

      Only a single link-local address can be configured on an interface. If you configure multiple link-local addresses on the same interface, only the last configuration takes effect.

    3. Assign a global unicast IPv6 address to the interface.

      ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]

      An EUI-64 address supports the same function as a global unicast address. The difference between the two addresses is as follows:

      • Only the network bits need to be specified for the EUI-64 address, because the host bits are derived from the MAC address of the interface. The prefix length of the network bits in an EUI-64 address must not be longer than 64 bits.
      • A complete 128-bit address needs to be specified for the global unicast address.

      The EUI-64 address and global unicast address can be configured simultaneously or separately. However, IP addresses configured for the same interface cannot be on the same network segment.

  5. Optional: Configure an interface description.

    description interface-description

  6. Optional: Specify the alias for an interface.

    alias alias

  7. Optional: Enable access control on an interface.

    service-manage enable

    By default, access control is enabled on interfaces.

  8. Optional: Allow or block HTTP, HTTPS, Ping, SSH, SNMP, NETCONF, or Telnet access to the FW.

    service-manage { http | https | ping | ssh | snmp | netconf | telnet | all } { permit | deny }

    The service-manage command allows an administrator to manage a FW through a specified interface even if no security policy is enforced for traffic between the Local zone and the security zone to which the interface belongs.

  9. Optional: Restore the access control management function of an interface to the default setting.

    reset service-manage

  10. Optional: Force traffic sent from the management port to the device to be processed by the master CPU (slot 11).

    firewall management-port flow force master-cpu enable

    By default, this function is disabled.

    This function is supported in V600R007C20SPC600 and later versions.

    This function is supported only by the USG6680E and USG6712E/6716E.
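
An added example, not part of the Huawei documentation: a Python check that reads a saved configuration and computes which management services each interface ends up permitting, starting from the defaults described above and applying the service-manage lines in order. The sample configuration is constructed, its layout (interface stanzas separated by #) is an assumption, and the Management Interface name is passed in because it depends on the model.

```python
import re

# Page defaults: the Management Interface permits HTTP, HTTPS and Ping; others nothing.
MGMT_DEFAULT = {"http", "https", "ping"}
SERVICES = {"http", "https", "ping", "ssh", "snmp", "netconf", "telnet"}
CLEARTEXT = {"http", "telnet"}  # auditor's choice: unencrypted admin protocols
RULE = re.compile(r"service-manage\s+(\w+)\s+(permit|deny)$")

def effective_services(config_text, mgmt_ifname):
    """Map each interface to the set of services it ends up permitting."""
    result, current = {}, None
    for line in map(str.strip, config_text.splitlines()):
        head = re.match(r"interface\s+(\S+)$", line)
        if head:
            current = head.group(1)
            result[current] = set(MGMT_DEFAULT) if current == mgmt_ifname else set()
        elif line == "#":
            current = None  # end of the interface stanza
        elif current and (rule := RULE.match(line)):
            target, action = rule.groups()
            names = SERVICES if target == "all" else SERVICES & {target}
            allowed = result[current]
            result[current] = allowed | names if action == "permit" else allowed - names
    return result

def findings(config_text, mgmt_ifname):
    """Flag cleartext services, and management access on non-management ports."""
    out = []
    for ifname, allowed in effective_services(config_text, mgmt_ifname).items():
        for svc in sorted(allowed & CLEARTEXT):
            out.append(f"{ifname}: cleartext service {svc} is permitted")
        exposed = sorted(allowed - {"ping"})
        if ifname != mgmt_ifname and exposed:
            out.append(f"{ifname}: management access on a service interface: {exposed}")
    return out

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
 service-manage http deny
 service-manage ssh permit
#
interface GigabitEthernet0/0/1
 service-manage telnet permit
 service-manage ping permit
"""
if __name__ == "__main__":
    print("\n".join(findings(SAMPLE, "GigabitEthernet0/0/0")))
```

On the sample, GigabitEthernet0/0/0 ends up permitting HTTPS, Ping and SSH, and both findings concern GigabitEthernet0/0/1, where Telnet has been permitted on a service interface.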

Copyright © Huawei Technologies Co., Ltd.