Configuring a Tunnel Interface

Procedure

1. Access the system view.

   system-view

2. Access the view of a tunnel interface.

   interface tunnel interface-number

3. Set an encapsulation type for the tunnel.

   tunnel-protocol { gre | ipsec | ipv4-ipv6  | ipv6-ipv4 [ 6to4 | auto-tunnel | isatap ] | none }

   By default, the encapsulation protocol of a tunnel interface is GRE. For details, refer to the related configuration of each specified protocol. For one tunnel, the same encapsulation mode needs to be configured on the interfaces at both ends.

4. (Optional) Configure an MTU. IPsec, GRE, and DSVPN service packets are fragmented based on the MTU of a physical interface and are not affected by the MTU of a tunnel interface.

   mtu mtu

5. Configure an IP address for the interface.

   ip address ip-address { mask | mask-length } [ sub ]

6. Assign an IPv6 address to the interface.
   1. Enable the IPv6 capability on the interface.

      ipv6 enable

      By default, the IPv6 capability is disabled on the interface.

      Before performing IPv6 configurations in the interface view, enable the IPv6 capability in the interface view.

      To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.

   2. Perform either of the following operations to configure an IPv6 link-local address:

      • To enable the system to automatically generate an IPv6 link-local address, run:

        ipv6 address auto link-local

        This is a recommended way to configure an IPv6 link-local address because the link-local address is only used for protocol-based communication between link-local nodes, regardless of communication between users.

        If no IPv6 link-local address is specified for an interface, the device automatically generates an IPv6 link-local address for the interface after an IPv6 global unicast address is specified for the interface.

      • To specify an IPv6 link-local address, run:

        ipv6 address ipv6-address link-local

        The prefix of an IPv6 link-local address is FE80::/10.

      

      Only a single link-local address can be configured on an interface. If you configure multiple link-local addresses on the same interface, only the last configuration takes effect.

   3. Assign a global unicast IPv6 address to the interface.

      ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]

      An EUI-64 address supports the same function as a global unicast address. The difference between the two addresses is as follows:

      • Only the network bits need to be specified for the EUI-64 address, because the host bits are transformed from the MAC addresses of the interface. The prefix length of the network bits in an EUI-64 address must not be longer than 64 bits.
      • A complete 128-bit address needs to be specified for the global unicast address.

      The EUI-64 address and global unicast address can be configured simultaneously or separately. However, IP addresses configured for the same interface cannot be on the same network segment.

7. Configure a source address for the tunnel interface.

   source { interface-type interface-number | source-ip-address }

   You can configure an IP address as the source address of the tunnel interface or borrow the IP address of a interface. The interface type can be GigabitEthernet, XGigabitEthernet, 40GE, 100GE, Eth-Trunk, VLANIF, or loopback.

8. Configure a destination address for the tunnel interface.

   destination [ vpn-instance vpn-instance-name ] dest-ip-address

   The destination address of the tunnel interface must be different from the source address.

9. Optional: Configure the sticky load balancing function.

   redirect-reverse
   ipv6 redirect-reverse

   After this command is configured, the FW directly uses the inbound interface as the outbound interface of the response packet when forwarding the response packet, instead of searching the routing table for an outbound interface.