< Home

Configuring a VLAN Interface

This section describes how to configure a VLAN interface for inter-VLAN communication.

Context

A LAN can be divided into several logical LANs. Each logical LAN is a broadcast domain, which is called a VLAN. Devices on a LAN logically belong to different VLANs, regardless of their physical locations. VLANs separate broadcast domains within a LAN from each other.

When hosts on a VLAN need to communicate with a device at the network layer, you can create a VLAN interface on the device. The VLAN interface functions as a Layer-3 interface to provide Layer-3 functions, such as IPv4 or IPv6 address settings.

Procedure

  1. Display the system view.

    system-view

  2. Display the specified interface view.

    interface interface-type interface-number

  3. Switch the Layer-3 Ethernet interface to Layer-2 mode.

    portswitch

  4. Return to the system view.

    quit

  5. Create a VLAN and display the VLAN view.

    vlan vlan-id

    If a VLAN already exists, running this command directly displays the VLAN view.

  6. Assign specified interfaces to the VLAN.

    port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

    Only access and hybrid interfaces can be added to a VLAN using this command.

  7. Return to the system view.

    quit

  8. Create a Vlanif interface for a specific VLAN and display the Vlanif interface view.

    interface vlanif vlan-id

    If a Vlanif interface already exists, running this command directly displays the Vlanif interface view.

    A VLAN must exist before a Vlanif interface is created for it.

  9. Assign an IPv4 address to the interface.

    ip address ip-address { mask | mask-length } [ sub ]

    To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter in the ip address command.

  10. Assign an IPv6 address to the interface.
    1. Enable the IPv6 capability on the interface.

      ipv6 enable

      By default, the IPv6 capability is disabled on the interface.

      Enable the IPv6 capability in the interface view before performing IPv6 configurations in the interface view.

      To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.

    2. Perform either of the following operations to configure an IPv6 link-local address:

      • To enable the system to automatically generate an IPv6 link-local address, run:ipv6 address auto link-local

        Allowing the system to automatically generate a link-local address is recommended. This is because the link-local address is only used for protocol-based communication between link-local nodes, regardless of communication between users.

        If no IPv6 link-local address is specified for an interface, the device automatically generates an IPv6 link-local address for the interface after an IPv6 global unicast address of the interface is specified.

      • To specify an IPv6 link-local address, run:ipv6 address ipv6-address link-local

        The prefix of an IPv6 link-local address is FE80::/10.

      Only a single link-local address can be configured on an interface. If you repeatedly configure link-local addresses, the last configuration takes effect.

    3. Assign a global unicast IPv6 address to the interface.

      ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]

      An EUI-64 address supports the same function as a global unicast address. The difference between the two addresses is as follows:
      • Only the network bits need to be specified for the EUI-64 address, because the host bits are transformed from the MAC addresses of the interface. The prefix length of the network bits in an EUI-64 address must not be longer than 64 bits.
      • A complete 128-bit address needs to be specified for the global unicast address.

      The EUI-64 address and global unicast address can be configured simultaneously or separately. However, IP addresses configured for the same interface cannot be on the same network segment.

  11. Optional: Configure an interface description.

    description interface-description

  12. Optional: Specify the alias for an interface.

    alias alias

  13. Optional: Set the maximum bandwidth for upstream traffic on the interface.

    bandwidth ingress bandwidth-number

  14. Optional: Set the maximum bandwidth for downstream traffic on the interface.

    bandwidth egress bandwidth-number

  15. Optional: Enable access control on an interface.

    service-manage enable

    By default, access control is enabled on interfaces.

  16. Optional: Allow or block HTTP, HTTPS, Ping, SSH, SNMP, NETCONF, or Telnet access to the FW.

    service-manage { http | https | ping | ssh | snmp | netconf | telnet | all } { permit | deny }

    The service-manage command allows an administrator to manage a FW through a specified interface even if no security policy is enforced for traffic between the Local zone and the security zone to which the interface belongs.

  17. Optional: Restore the access control management function of an interface to the default setting.

    reset service-manage

  18. Optional: Configure the sticky load balancing function.

    redirect-reverse next-hop ipv4-address
ipv6 redirect-reverse next-hop ipv6-address

    After this command is configured, the FW directly uses the inbound interface as the outbound interface of the response packet when forwarding the response packet, instead of searching the routing table for an outbound interface.

Parent Topic: Interface Configuration Using the CLI
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >