
Configuring BDIF Interfaces (VXLAN Interfaces)

You can configure Virtual eXtensible Local Area Network (VXLAN) interfaces for communication between VXLANs and between a VXLAN and a non-VXLAN.

Context

VXLAN is a Network Virtualization over Layer 3 (NVO3) technology that uses MAC-in-UDP encapsulation. VXLAN identifies segments with VXLAN network IDs (VNIs), which are similar to VLAN IDs. A VNI consists of 24 bits, so theoretically 16 M VXLAN segments are supported.

If hosts in a VXLAN need to communicate with VXLANs in other network segments or non-VXLAN devices, you can create VXLAN-based logical interfaces, namely, VXLAN interfaces. VXLAN interfaces provide almost all functions supported by common Layer-3 physical interfaces and support multiple types of Layer-3 features, such as IPv4 address configuration.

As VXLAN interfaces are in a bridge domain (BD), they are also called BDIF interfaces.

Procedure

  1. Access the system view.

    system-view

  2. Create a BD and access the BD view.

    bridge-domain bd-id

  3. Create a VNI and associate it with the BD.

    vxlan vni vni-id

  4. Return to the system view.

    quit

  5. Create a BDIF interface and access the BDIF interface view.

    interface vbdif bd-id

    The specified BD must already exist.

  6. Assign an IPv4 address to the interface.

    ip address ip-address { mask | mask-length } [ sub ]

    To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter in the ip address command.

  7. Optional: Assign an IPv6 address to the interface.
    1. Enable the IPv6 capability on the interface.

      ipv6 enable

      By default, the IPv6 capability is disabled on the interface.

      Before performing IPv6 configurations in the interface view, enable the IPv6 capability in the interface view.

      To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.

    2. Perform either of the following operations to configure an IPv6 link-local address:

      • To enable the system to automatically generate an IPv6 link-local address, run:

        ipv6 address auto link-local

        This is the recommended way to configure an IPv6 link-local address, because the link-local address is used only for protocol-based communication between nodes on the same link and plays no part in communication between users.

        If no IPv6 link-local address is specified for an interface, the device automatically generates an IPv6 link-local address for the interface after an IPv6 global unicast address is specified for the interface.

      • To specify an IPv6 link-local address, run:

        ipv6 address ipv6-address link-local

        The prefix of an IPv6 link-local address is FE80::/10.

      Only a single link-local address can be configured on an interface. If you configure multiple link-local addresses on the same interface, only the last configuration takes effect.

    3. Assign a global unicast IPv6 address to the interface.

      ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]

      An EUI-64 address supports the same function as a global unicast address. The difference between the two addresses is as follows:

      • Only the network bits need to be specified for the EUI-64 address, because the host bits are derived from the MAC address of the interface. The prefix length of the network bits in an EUI-64 address must not be longer than 64 bits.
      • A complete 128-bit address needs to be specified for the global unicast address.

      The EUI-64 address and global unicast address can be configured simultaneously or separately. However, IP addresses configured for the same interface cannot be on the same network segment.

  8. Optional: Configure a MAC address for the interface. By default, the interface uses the system MAC address.

    mac-address mac-address

  9. Optional: Set the interface MTU.
    • To set an IPv4 MTU for the interface, run:

      mtu mtu

    If a packet carries the non-fragment flag and its length exceeds the interface MTU, the FW drops the packet.

  10. Optional: Enable strict ARP entry learning.

    arp learning strict { force-enable | force-disable | trust }
    • If the force-enable keyword is specified, the FW learns ARP entries only from reply packets for the ARP request packets that it sent itself.
    • If the force-disable keyword is specified, the strict ARP entry learning function on the interface is disabled.
    • If the trust keyword is specified, the strict ARP entry learning function on the interface is disabled and the global ARP entry learning function is enabled.
    Strict ARP entry learning adopts the following longest-match rules:
    • If strict ARP entry learning is configured both on the interface and globally, strict ARP entry learning on the interface is preferred.
    • If strict ARP entry learning is not configured on the interface, the global strict ARP entry learning is enabled.

  11. Optional: Configure an interface description.

    description interface-description

  12. Optional: Specify the alias for an interface.

    alias alias

  13. Optional: Set the maximum bandwidth for upstream traffic on the interface.

    bandwidth ingress bandwidth-number

  14. Optional: Set the maximum bandwidth for downstream traffic on the interface.

    bandwidth egress bandwidth-number

  15. Optional: Enable access control on an interface.

    service-manage enable

    By default, access control is enabled on interfaces.

  16. Optional: Allow or block HTTP, HTTPS, Ping, SSH, SNMP, NETCONF, or Telnet access to the FW.

    service-manage { http | https | ping | ssh | snmp | netconf | telnet | all } { permit | deny }

    The service-manage command allows an administrator to manage a FW through a specified interface even if no security policy is enforced for traffic between the Local zone and the security zone to which the interface belongs.

  17. Optional: Restore the access control management function of an interface to the default setting.

    reset service-manage

  18. Optional: Configure the sticky load balancing function.

    redirect-reverse next-hop ipv4-address
    ipv6 redirect-reverse next-hop ipv6-address

    After this command is configured, the FW directly uses the inbound interface as the outbound interface of the response packet when forwarding the response packet, instead of searching the routing table for an outbound interface.
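
The following check is an added example, not part of the original Huawei page. For each Vbdif interface in a saved configuration, it reports cleartext management services opened with service-manage and whether strict ARP learning is effectively on. The sample configuration, the function names, the saved-configuration layout, and the reading that trust or no interface setting defers to the global setting are assumptions.

```python
import re

SERVICES = {"http", "https", "ping", "ssh", "snmp", "netconf", "telnet"}
CLEARTEXT = {"http", "telnet"}  # management protocols without transport encryption
# Constructed sample; assumes saved config lines mirror the commands as typed.
SAMPLE_CONFIG = """\
interface Vbdif10
 service-manage https permit
 service-manage ssh permit
 service-manage telnet permit
#
interface Vbdif20
 arp learning strict force-disable
 service-manage all permit
"""

def vbdif_blocks(config):
    """Return {interface name: [commands]} for each Vbdif block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Vbdif\d+)\s*$", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "#" or any other top-level line ends the block
    return blocks

def audit(config, global_strict):
    """Flag cleartext management access and disabled strict ARP learning."""
    findings = {}
    for name, cmds in vbdif_blocks(config).items():
        permitted, arp = set(), "trust"  # assumption: no setting defers to global
        for cmd in cmds:
            m = re.match(r"service-manage (\S+) (permit|deny)$", cmd)
            if m:  # assumption: a later line overrides an earlier one
                svcs = SERVICES if m.group(1) == "all" else {m.group(1)}
                permitted = permitted | svcs if m.group(2) == "permit" else permitted - svcs
            m = re.match(r"arp learning strict (force-enable|force-disable|trust)$", cmd)
            if m:
                arp = m.group(1)
        strict = global_strict if arp == "trust" else arp == "force-enable"
        issues = [f"{s} permitted" for s in sorted(permitted & CLEARTEXT)]
        findings[name] = issues + ([] if strict else ["strict ARP learning off"])
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, global_strict=True))
```

Because service-manage takes effect even when no security policy covers traffic between the Local zone and the interface's zone, every permit line found this way is reachable management surface on that VXLAN segment.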

Copyright © Huawei Technologies Co., Ltd.