Configuring a Layer-3 Ethernet Subinterface

This section describes how to configure a Layer-3 Ethernet subinterface.

Context

Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces share the physical parameters of the physical interface on which they are created. However, subinterfaces have their own data link layer and network layer parameters. A subinterface status change does not affect the main interface status, whereas a main interface status change affects the subinterface status. Subinterfaces work properly only when their main interface is in the Up state.

Subinterfaces can be created on Layer-3 Ethernet and Eth-Trunk interfaces. To distinguish VLAN packets on a Layer-3 Ethernet interface or an Eth-Trunk interface, configure subinterfaces with different VLAN IDs. Each subinterface with a specific VLAN ID forwards packets carrying the VLAN ID, which provides configuration flexibility.

Procedure

  1. Enter the system view.

    system-view

  2. Enter the Ethernet subinterface view.

    interface interface-type interface-number.subinterface-number

    The subinterface-number parameter specifies the number of an Ethernet subinterface.

  3. Specify an encapsulation mode and a VLAN ID for the subinterface.

    vlan-type dot1q vlan-id

    By default, no encapsulation mode or VLAN ID is configured on a subinterface.

    To ensure VLAN connectivity, set the same VLAN ID on two subinterfaces at two ends of a link.

  4. Assign an IPv4 address to the interface.

    ip address ip-address { mask | mask-length } [ sub ]

    To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter in the ip address command.

  5. Assign an IPv6 address to the interface.
    1. Enable the IPv6 capability on the interface.

      ipv6 enable

      By default, the IPv6 capability is disabled on the interface.

      Before performing IPv6 configurations in the interface view, enable the IPv6 capability in the interface view.

      To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.

    2. Perform either of the following operations to configure an IPv6 link-local address:

      • To enable the system to automatically generate an IPv6 link-local address, run ipv6 address auto link-local.

        Allowing the system to automatically generate a link-local address is recommended, because the link-local address is used only for protocol communication between nodes on the same link and plays no part in communication between users.

        If no IPv6 link-local address is specified for an interface, the device automatically generates an IPv6 link-local address for the interface after an IPv6 global unicast address of the interface is specified.

      • To specify an IPv6 link-local address, run ipv6 address ipv6-address link-local.

        The prefix of an IPv6 link-local address is FE80::/10.

      Only a single link-local address can be configured on an interface. If you repeatedly configure link-local addresses, the last configuration takes effect.

    3. Assign a global unicast IPv6 address to the interface.

      ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]

      An EUI-64 address supports the same function as a global unicast address. The difference between the two addresses is as follows:
      • Only the network bits need to be specified for the EUI-64 address, because the host bits are derived from the MAC address of the interface. The prefix length of the network bits in an EUI-64 address must not be longer than 64 bits.
      • A complete 128-bit address needs to be specified for the global unicast address.

      The EUI-64 address and global unicast address can be configured simultaneously or separately. However, IP addresses configured for the same interface cannot be on the same network segment.

  6. Optional: Set the interface MTU.
    • To set an IPv4 MTU for the interface, run:

      mtu mtu

    • To set an IPv6 MTU for the interface, run:

      ipv6 mtu mtu

    If a packet carries a non-fragment flag and its length exceeds the interface MTU, the FW drops the packet.

  7. Optional: Enable strict ARP entry learning.

    arp learning strict { force-enable | force-disable | trust }
    • If the force-enable keyword is specified, the FW learns ARP entries only from reply packets that respond to ARP request packets the FW itself sent.
    • If the force-disable keyword is specified, the strict ARP entry learning function on the interface is disabled.
    • If the trust keyword is specified, the strict ARP entry learning function on the interface is disabled and the global ARP entry learning function is enabled.
    Strict ARP entry learning adopts the following longest-match rules:
    • If strict ARP entry learning is configured both on the interface and globally, the configuration on the interface is preferred.
    • If strict ARP entry learning is not configured on the interface, the global strict ARP entry learning configuration takes effect.

  8. Optional: Configure an interface description.

    description interface-description

  9. Optional: Specify the alias for an interface.

    alias alias

  10. Optional: Set the maximum bandwidth for upstream traffic on the interface.

    bandwidth ingress bandwidth-number

  11. Optional: Set the maximum bandwidth for downstream traffic on the interface.

    bandwidth egress bandwidth-number

  12. Optional: Enable access control on an interface.

    service-manage enable

    By default, access control is enabled on interfaces.

  13. Optional: Allow or block HTTP, HTTPS, Ping, SSH, SNMP, NETCONF, or Telnet access to the FW.

    service-manage { http | https | ping | ssh | snmp | netconf | telnet | all } { permit | deny }

    The service-manage command allows an administrator to manage a FW through a specified interface even if no security policy is enforced for traffic between the Local zone and the security zone to which the interface belongs.

  14. Optional: Restore the access control management function of an interface to the default setting.

    reset service-manage

  15. Optional: Configure the sticky load balancing function.

    redirect-reverse next-hop ipv4-address [ per-packet ]
    ipv6 redirect-reverse next-hop ipv6-address [ per-packet ]

    After this command is configured, the FW directly uses the inbound interface as the outbound interface of the response packet when forwarding the response packet, instead of searching the routing table for an outbound interface.

  16. Optional: Configure the automatic interface disabling function based on the session usage.

  17. Optional: Configure the automatic interface disabling function based on the CPU usage.
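
A check for the result of the procedure above, as an added example that is not part of the original documentation or of any Huawei tool: it parses saved subinterface stanzas and flags a missing vlan-type dot1q, the absence of arp learning strict force-enable, and service-manage permits for all, http or telnet. The sample configuration, the "#" stanza separator and the choice of which services to flag are assumptions made for this example.

```python
import re

# Constructed sample configuration: interface names, VLAN IDs and addresses are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1.10
 vlan-type dot1q 10
 ip address 192.0.2.1 255.255.255.0
 arp learning strict force-enable
 service-manage https permit
 service-manage ssh permit
#
interface GigabitEthernet1/0/1.20
 vlan-type dot1q 20
 service-manage all permit
#
interface GigabitEthernet1/0/1.30
 service-manage telnet permit
 service-manage ping permit
"""
RISKY = {"all", "http", "telnet"}  # assumption: this audit's policy, not a vendor rule
SUBIF = re.compile(r"^interface\s+(\S+\.\d+)$")
SVC = re.compile(r"^service-manage (\S+) permit$")

def parse_subinterfaces(text):
    """Return {subinterface name: [commands]} for each 'interface X.N' stanza."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SUBIF.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line == "#" or line.startswith("interface "):
            current = None  # stanza ended, or a main interface that is not audited
        elif line and current is not None:
            current.append(line)
    return stanzas

def audit(text):
    """Return {subinterface name: [findings]}; an empty list means nothing flagged."""
    report = {}
    for name, cmds in parse_subinterfaces(text).items():
        issues = []
        if not any(re.match(r"vlan-type dot1q \d+$", c) for c in cmds):
            issues.append("no vlan-type dot1q: no VLAN ID is configured")
        if "arp learning strict force-enable" not in cmds:
            issues.append("strict ARP learning not forced on; global setting applies")
        issues += [f"{c}: reachable even without a security policy"
                   for c in cmds if (m := SVC.match(c)) and m.group(1) in RISKY]
        report[name] = issues
    return report
```

Calling audit(SAMPLE_CONFIG) returns no findings for the .10 subinterface, two for .20 and three for .30; the ping permit on .30 is not flagged.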

Copyright © Huawei Technologies Co., Ltd.