H3C SecPath M9000 Comware 7 Web configuration guide (R9153P38 R9724P38 R9001P38 E9153P38)-6W401, 06-Network, 02-Interface

Interface

 

This help contains the following topics:

·     Introduction

¡     IPv4 address

¡     IPv6 address

¡     Link aggregation

¡     VLAN termination

·     Restrictions and guidelines

Introduction

Your device supports the following types of Ethernet interfaces:

·     Layer 2 Ethernet interface—Physical Ethernet interface operating at the data link layer (Layer 2) to switch packets.

·     Layer 3 Ethernet interface—Physical Ethernet interface operating at the network layer (Layer 3) to route packets. You can assign an IP address to a Layer 3 Ethernet interface.

·     Layer-configurable Ethernet interface—Physical Ethernet interface that can be configured to operate in bridge mode as a Layer 2 Ethernet interface or in route mode as a Layer 3 Ethernet interface.

·     Layer 3 Ethernet subinterface—Logical interface operating at the network layer. You can assign an IP address to a Layer 3 Ethernet subinterface. To enable a Layer 3 Ethernet interface to transport packets for multiple VLANs, you must create Layer 3 subinterfaces on the Layer 3 Ethernet interface.

·     Layer 2 aggregate interface—Logical interface that uniquely corresponds to a Layer 2 aggregation group. This type of interface is used for implementing Layer 2 link aggregation.

·     Layer 3 aggregate interface—Logical interface that uniquely corresponds to a Layer 3 aggregation group. This type of interface can be assigned IP addresses and is used for implementing Layer 3 link aggregation.

·     Layer 3 aggregate subinterface—Logical interface that can be assigned IP addresses. This type of interface is used to enable a Layer 3 aggregate interface to send and receive VLAN tagged packets.

·     Loopback interface—Logical interface that can be assigned IP addresses. After a loopback interface is created, the physical layer state of the loopback interface is always up unless the loopback interface is manually shut down.

·     VLAN interface—Logical interface. Each VLAN corresponds to one VLAN interface. After an IP address is assigned to a VLAN interface, the IP address can be used as the gateway address for network devices in the VLAN, and the VLAN interface can forward packets destined for another IP subnet at Layer 3. For more information about VLAN interfaces, see "VLAN."

·     SSL VPN interface—Logical interface that can be assigned IP addresses. When a user accesses an SSL VPN gateway through the IP access method, the gateway uses this interface to communicate with the client. For more information about SSL VPN interfaces, see "SSL VPN."

·     Reth interface—Logical interface that can be assigned IP addresses. A Reth interface uses two member interfaces to ensure link availability. For more information about Reth interfaces, see "IRF advanced settings."

·     Reth subinterface—Logical interface that can be assigned IP addresses. This type of interface is used to enable a Reth interface to send and receive Layer 2 VLAN-tagged packets. For more information about Reth subinterfaces, see "IRF advanced settings."

IPv4 address

IP address representation and classes

IP addressing uses a 32-bit address to identify each host on an IPv4 network. To make addresses easier to read, they are written in dotted decimal notation, each address being four octets in length. For example, address 00001010000000010000000100000001 in binary is written as 10.1.1.1.

Each IP address breaks down into the following sections:

·     Net ID—Identifies a network. The first several bits of a net ID, known as the class field or class bits, identify the class of the IP address.

·     Host ID—Identifies a host on a network.

IP addresses are divided into five classes, as shown in Table 1. The first three classes are most commonly used.

Table 1 IP address classes and ranges

| Class | Address range | Remarks |
|---|---|---|
| A | 0.0.0.0 to 127.255.255.255 | The IP address 0.0.0.0 is used by a host at startup for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link. |
| B | 128.0.0.0 to 191.255.255.255 | N/A |
| C | 192.0.0.0 to 223.255.255.255 | N/A |
| D | 224.0.0.0 to 239.255.255.255 | Multicast addresses. |
| E | 240.0.0.0 to 255.255.255.255 | Reserved for future use, except for the broadcast address 255.255.255.255. |

Subnetting and masking

Subnetting divides a network into smaller networks called subnets by using some bits of the host ID to create a subnet ID.

Masking identifies the boundary between the host ID and the combination of net ID and subnet ID.

Each subnet mask comprises 32 bits that correspond to the bits in an IP address. In a subnet mask, consecutive ones represent the net ID and subnet ID, and consecutive zeros represent the host ID.

Before being subnetted, Class A, B, and C networks use these default masks (also called natural masks): 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively.

Subnetting increases the number of addresses that cannot be assigned to hosts. Therefore, using subnets means accommodating fewer hosts.

For example, a Class B network without subnetting can accommodate 1022 more hosts than the same network subnetted into 512 subnets.

·     Without subnetting—65534 (2^16 – 2) hosts. (The two deducted addresses are the broadcast address, which has an all-one host ID, and the network address, which has an all-zero host ID.)

·     With subnetting—Using the first nine bits of the host ID for subnetting provides 512 (2^9) subnets. However, only seven bits remain available for the host ID. This allows 126 (2^7 – 2) hosts in each subnet, a total of 64512 (512 × 126) hosts.

IP address assignment

You can manually assign an IP address to an interface or configure the interface to obtain an IP address through DHCP or PPPoE. Support for DHCP and PPPoE depends on the device model.

Interface MTU

When a packet exceeds the MTU of the sending interface, the device processes the packet in one of the following ways:

·     If the packet disallows fragmentation, the device discards it.

·     If the packet allows fragmentation, the device fragments it and forwards the fragments.

Fragmentation and reassembly consume system resources, so set the MTU based on the network environment to avoid fragmentation.

Last hop holding

When an interface with this feature enabled receives the first IP packet of the forward traffic, the interface records the traffic characteristics and last hop in the high-speed cache. When the backward traffic reaches the device for forwarding, the device can guide packet forwarding based on the last hop information recorded. This feature ensures that the forward traffic from the peer end to the local end and the backward traffic from the local end to the peer end are transmitted on the same path. Therefore, traffic of the same session can be processed in the same way.

IPv6 address

IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.

IPv6 address format

An IPv6 address is represented as a series of 16-bit hexadecimal groups separated by colons (:). An IPv6 address is divided into eight groups, and each 16-bit group is represented by four hexadecimal digits, for example, 2001:0000:130F:0000:0000:09C0:876A:130B.

To simplify the representation of IPv6 addresses, you can handle zeros in IPv6 addresses by using the following methods:

·     The leading zeros in each group can be removed. For example, the above address can be represented in a shorter format as 2001:0:130F:0:0:9C0:876A:130B.

·     If an IPv6 address contains one or more consecutive groups of zeros, they can be replaced by a double colon (::). For example, the above address can be represented in the shortest format as 2001:0:130F::9C0:876A:130B.

An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address.

An IPv6 address prefix is written in IPv6-address/prefix-length notation. The prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address are in the address prefix.

IPv6 address type

IPv6 addresses include the following types:

·     Unicast address—An identifier for a single interface, similar to an IPv4 unicast address. A packet sent to a unicast address is delivered to the interface identified by that address.

·     Multicast address—An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address. Broadcast addresses are replaced by multicast addresses in IPv6.

·     Anycast address—An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to the nearest interface among the interfaces identified by that address. The nearest interface is chosen according to the routing protocol's measure of distance.

The type of an IPv6 address is designated by the first several bits, called the format prefix.

Table 2 Mappings between address types and format prefixes

| Type | Format prefix (binary) | IPv6 prefix ID | Description |
|---|---|---|---|
| Unicast address: unspecified address | 00...0 (128 bits) | ::/128 | It cannot be assigned to any node. Before acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets. The unspecified address cannot be used as a destination IPv6 address. |
| Unicast address: loopback address | 00...1 (128 bits) | ::1/128 | It has the same function as the loopback address in IPv4. It cannot be assigned to any physical interface. A node uses this address to send an IPv6 packet to itself. |
| Unicast address: link-local address | 1111111010 | FE80::/10 | Used for communication among link-local nodes for neighbor discovery and stateless autoconfiguration. Packets with link-local source or destination addresses are not forwarded to other links. |
| Unicast address: global unicast address | Other forms | N/A | Equivalent to public IPv4 addresses, global unicast addresses are provided for Internet service providers. This type of address allows for prefix aggregation to restrict the number of global routing entries. |
| Multicast address | 11111111 | FF00::/8 | N/A |
| Anycast address | Anycast addresses use the unicast address space and have the identical structure of unicast addresses. | | N/A |

IEEE EUI-64 address-based interface identifiers

An interface identifier is 64 bits long and uniquely identifies an interface on a link.

On an IEEE 802 interface (such as a VLAN interface), the interface identifier is derived from the link-layer address (typically a MAC address) of the interface. The MAC address is 48 bits long.

To obtain an EUI-64 address-based interface identifier, follow these steps:

1.     Insert the 16-bit binary number 1111111111111110 (hexadecimal value of FFFE) behind the 24th high-order bit of the MAC address.

2.     Invert the universal/local (U/L) bit (the seventh high-order bit). This operation makes the interface identifier have the same local or global significance as the MAC address.

On a tunnel interface, the lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros.

On an interface of another type (such as a serial interface) the EUI-64 address-based interface identifier is generated randomly by the device.
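The two derivation steps and the tunnel-interface rule above, worked through in Python. This is an added example, not code from H3C or from the device; the function names and the sample MAC, prefix and IPv4 values are constructed for illustration. The reverse function shows that a MAC-derived identifier carries the interface's MAC address in the IPv6 address, which is useful when correlating addresses seen in logs with hardware inventory.

```python
import ipaddress
from typing import Optional


def eui64_from_mac(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC address."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    raw = bytes.fromhex(digits)
    if len(raw) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    # Step 1: insert FFFE behind the 24th high-order bit.
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    # Step 2: invert the U/L bit (seventh high-order bit of the first octet).
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_from_tunnel(src_ipv4: str, isatap: bool = False) -> bytes:
    """Tunnel interfaces: lower 32 bits are the tunnel source IPv4 address,
    higher 32 bits are 0000:5EFE for ISATAP and all zeros otherwise."""
    high = bytes.fromhex("00005efe") if isatap else bytes(4)
    return high + ipaddress.IPv4Address(src_ipv4).packed


def address_from_prefix(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine an address prefix (for example FE80::/10) with an interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64 or len(iid) != 8:
        raise ValueError("need a prefix of at most 64 bits and a 64-bit interface ID")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Undo steps 1 and 2. Returns None when the interface ID does not carry
    the FFFE marker (manual, random or tunnel-derived identifiers).
    The FFFE check is a heuristic: a random identifier can contain it by chance."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    sample_mac = "00:1a:2b:3c:4d:5e"          # constructed sample value
    iid = eui64_from_mac(sample_mac)
    print(address_from_prefix("fe80::/10", iid))         # link-local address
    print(address_from_prefix("2001:db8:1::/64", iid))   # documentation prefix
    print(address_from_prefix("fe80::/10", eui64_from_tunnel("192.0.2.1", isatap=True)))
    print(mac_from_eui64_address("fe80::21a:2bff:fe3c:4d5e"))
```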

Configure an IPv6 global unicast address for an interface

Use one of the following methods to configure an IPv6 global unicast address for an interface:

·     EUI-64 IPv6 address—The IPv6 address prefix of the interface is manually configured, and the interface ID is generated automatically by the interface.

·     Manual configuration—The IPv6 global unicast address is manually configured.

·     Stateless address autoconfiguration—The IPv6 global unicast address is generated automatically based on the address prefix information contained in the RA message.

·     Stateful address autoconfiguration—The IPv6 global unicast address is obtained through DHCPv6.

You can configure multiple IPv6 global unicast addresses on an interface.

Configure an IPv6 link-local address for an interface

Configure IPv6 link-local addresses using one of the following methods:

·     Automatic generation—The device automatically generates a link-local address for an interface according to the link-local address prefix (FE80::/10) and the link-layer address of the interface.

·     Manual assignment—Manually configure an IPv6 link-local address for an interface.

An interface can have only one link-local address. As a best practice, use the automatic generation method to avoid link-local address conflicts. If both the automatic generation and manual assignment methods are used, the manual assignment takes precedence.

·     If you first use automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated one.

·     If you first use manual assignment and then automatic generation, both of the following occur:

¡     The link-local address is still the manually assigned one.

¡     The automatically generated link-local address does not take effect. If you delete the manually assigned address, the automatically generated link-local address takes effect.

Link aggregation

Ethernet link aggregation bundles multiple physical Ethernet links into one logical link (called an aggregate link). Link aggregation provides the following benefits:

·     Increased bandwidth beyond the limits of a single individual link. In an aggregate link, traffic is distributed across the member ports.

·     Improved link reliability. The member ports dynamically back up one another. When a member port fails, its traffic is automatically switched to other member ports.

Aggregation groups

Each link aggregation is represented by a logical aggregate interface. Each aggregate interface has an automatically created aggregation group, which contains member ports to be used for aggregation. The type and number of an aggregation group are the same as its aggregate interface.

An aggregate interface can be one of the following types:

·     Layer 2—The member ports in a Layer 2 aggregation group can only be Layer 2 Ethernet interfaces.

·     Layer 3—The member ports in a Layer 3 aggregation group can only be Layer 3 Ethernet interfaces.

The port rate of an aggregate interface equals the total rate of its Selected member ports. Its duplex mode is the same as that of the Selected member ports.

Aggregation states of member ports in an aggregation group

A member port in an aggregation group might be placed in one of the following aggregation states:

·     Selected—A Selected port can forward traffic.

·     Unselected—An Unselected port cannot forward traffic.

Operational key

When aggregating ports, the system automatically assigns each port an operational key based on port information, such as port rate and duplex mode. Any change to this information triggers a recalculation of the operational key.

In an aggregation group, all Selected ports have the same operational key.

Attribute configuration

To become a Selected port, a member port must have the same attribute configuration as the aggregate interface. Table 3 describes the attribute configuration.

Table 3 Attribute configuration

| Feature | Attribute configuration |
|---|---|
| Port isolation | Membership of the port in an isolation group. Isolation group number. |
| VLAN | VLAN attribute settings: permitted VLAN IDs, PVID, VLAN tagging mode. |

Link aggregation modes

An aggregation group operates in one of the following modes:

·     Static—An aggregation group in static mode is called a static aggregation group.

·     Dynamic—An aggregation group in dynamic mode is called a dynamic aggregation group. Dynamic aggregation implements IEEE 802.3ad Link Aggregation Control Protocol (LACP).

How static link aggregation works

1.     Reference port selection process

When setting the aggregation states of the ports in an aggregation group, the system automatically chooses a member port as the reference port. A Selected port must have the same operational key and attribute configurations as the reference port.

All up member ports with the same attribute configuration as the aggregate interface are candidate reference ports. The system chooses a reference port from among the candidate reference ports based on the following tiebreakers in descending order:

a.     Highest port priority.

b.     Full duplex and high speed.

c.     Full duplex and low speed.

d.     Half duplex and high speed.

e.     Half duplex and low speed.

f.     Port that used to be Selected.

g.     Lowest numbered port.

2.     Setting the aggregation state of each member port

After the reference port is chosen, the system sets the aggregation state of each member port in the static aggregation group.

Figure 1 Setting the aggregation state of a member port in a static aggregation group

 

How dynamic link aggregation works

Dynamic aggregation is an implementation of IEEE 802.3ad Link Aggregation Control Protocol (LACP).

LACP uses LACPDUs to exchange aggregation information between LACP systems. Each member port in a dynamic aggregation group exchanges aggregation information with its peer and compares the received information with information received on the other member ports. Based on the exchanged aggregation information, the two systems reach an agreement on which ports are placed in Selected state.

1.     Choosing a reference port

The system chooses a reference port from the member ports in up state. A Selected port must have the same operational key and attribute configurations as the reference port.

The local system (the actor) and the peer system (the partner) negotiate a reference port by using the following workflow:

a.     The two systems determine the system with the smaller system ID.

A system ID contains the LACP system priority and the system MAC address.

-     The two systems compare their LACP priority values.

The lower the LACP priority, the smaller the system ID. If the LACP priority values are the same, the two systems proceed to the next step.

-     The two systems compare their MAC addresses.

The lower the MAC address, the smaller the system ID.

b.     The system with the smaller system ID chooses the port with the smallest port ID as the reference port.

A port ID contains a port priority and a port number. The lower the port priority, the smaller the port ID.

-     The system chooses the port with the lowest priority value as the reference port.

If the ports have the same priority, the system proceeds to the next step.

-     The system compares their port numbers.

The smaller the port number, the smaller the port ID.

The port with the smallest port number and the same attribute configurations as the aggregate interface is chosen as the reference port.

2.     Setting the aggregation state of each member port

a.     After determining the reference port, the system with the smaller system ID sets the state of each member port on its side.

b.     The system with the greater system ID detects the aggregation state changes on the peer system. Then, it sets the aggregation state of local member ports to be the same as their peer ports.

Figure 2 Setting the state of a member port in a dynamic aggregation group
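The negotiation described in steps 1 and 2 above can be modelled in a few functions. This is an added example, not code from H3C or from the device: the class and function names, the sample systems and the port values are constructed, and the model covers only the rules stated in the text (it also assumes a port that is down is never Selected).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class System:
    name: str
    lacp_priority: int
    mac: str

    def system_id(self) -> Tuple[int, int]:
        # LACP system priority first, then system MAC address; lower is smaller.
        return (self.lacp_priority, int(self.mac.replace(":", ""), 16))


@dataclass(frozen=True)
class Port:
    number: int
    priority: int
    up: bool
    operational_key: int
    attributes: Tuple  # (permitted VLAN IDs, PVID, VLAN tagging mode)

    def port_id(self) -> Tuple[int, int]:
        # Port priority first, then port number; lower is smaller.
        return (self.priority, self.number)


def deciding_system(actor: System, partner: System) -> System:
    """Step 1a: the system with the smaller system ID drives the selection."""
    return min(actor, partner, key=System.system_id)


def reference_port(ports: List[Port], aggregate_attributes: Tuple) -> Optional[Port]:
    """Step 1b: smallest port ID among up ports that match the aggregate interface."""
    candidates = [p for p in ports if p.up and p.attributes == aggregate_attributes]
    return min(candidates, key=Port.port_id) if candidates else None


def aggregation_states(ports: List[Port], aggregate_attributes: Tuple) -> Dict[int, str]:
    """Step 2a: a Selected port shares the reference port's operational key
    and attribute configuration."""
    ref = reference_port(ports, aggregate_attributes)
    states = {}
    for p in ports:
        same = (ref is not None and p.up
                and p.operational_key == ref.operational_key
                and p.attributes == ref.attributes)
        states[p.number] = "Selected" if same else "Unselected"
    return states


def mirror_states(decider_states: Dict[int, str], links: Dict[int, int]) -> Dict[int, str]:
    """Step 2b: the other system copies each peer port's state.
    links maps a local port number to the peer port number it is cabled to."""
    return {local: decider_states[peer] for local, peer in links.items()}


# Constructed sample data: equal LACP priority, so the lower MAC wins.
ACTOR = System("FW-A", 32768, "02:00:00:00:00:02")
PARTNER = System("SW-B", 32768, "02:00:00:00:00:01")
AGG_ATTRS = ((10, 20), 1, "trunk")
PORTS = [
    Port(1, 32768, True, 1, AGG_ATTRS),
    Port(2, 32768, True, 1, AGG_ATTRS),
    Port(3, 100, False, 1, AGG_ATTRS),               # best port ID, but down
    Port(4, 32768, True, 2, AGG_ATTRS),              # different operational key
    Port(5, 32768, True, 1, ((10,), 1, "trunk")),    # permitted VLANs differ
]

if __name__ == "__main__":
    print(deciding_system(ACTOR, PARTNER).name)
    print(aggregation_states(PORTS, AGG_ATTRS))
```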

 

A comparison of static link aggregation and dynamic link aggregation

The following are differences between static and dynamic link aggregation modes:

·     Static—A static aggregation is stable. The peer systems do not negotiate the aggregation states of their member ports. The aggregation state of a member port does not change automatically after the aggregation state of its peer port changes.

·     Dynamic—The local system and the peer system automatically negotiate and maintain the aggregation states of the member ports.

VLAN termination

About VLAN termination

VLAN termination typically processes packets that include VLAN tags. A VLAN termination-enabled interface performs the following tasks when receiving a VLAN-tagged packet:

·     Assigns the packet to an interface according to its VLAN tags.

·     Removes the VLAN tags of the packet.

·     Delivers the packet to Layer 3 forwarding or other processing pipelines.

Before sending the packet, the VLAN termination-enabled interface determines whether to add new VLAN tags to the packet, based on the VLAN termination type.

VLAN termination types

| VLAN termination types | Types of packets to be terminated on the interface | Tags of outgoing packets on the interface |
|---|---|---|
| Dot1q termination | The packets must meet both of the following requirements: the packets include one or more layers of VLAN tags, and the outermost VLAN ID matches the configured value. | Single-tagged |
| Untagged termination | Untagged packets. | Untagged |
| Default termination | Packets that cannot be processed on any other subinterfaces of the same main interface. | Untagged |

VLAN termination mechanism

VLAN interfaces and subinterfaces, such as Layer 3 Ethernet subinterfaces and Layer 3 aggregate subinterfaces, can terminate the following packets:

·     Packets whose outermost VLAN IDs match the configured values.

·     Packets whose outermost two layers of VLAN IDs match the configured values.

A VLAN interface terminates only the packets whose outermost VLAN ID is the same as the VLAN interface number. For example, VLAN-interface 10 terminates only the packets with the outermost VLAN tag 10.

A main interface (for example, a Layer 3 Ethernet interface or Layer 3 aggregate interface) does not terminate VLAN-tagged packets. To terminate VLAN-tagged packets, create subinterfaces for the main interface.

Subinterfaces of the same main interface can use different types of VLAN termination. To process received packets, the system selects a subinterface based on the following VLAN termination types in descending order of priority:

·     Dot1q termination or support for Dot1q termination by default.

·     Untagged termination.

·     Default termination.

If none of these VLAN termination types applies, the main interface processes the packets.

If default termination is enabled on a subinterface of an interface, packets are processed by the subinterface instead of the main interface.

When a main interface is bound to a VLAN interface, the main interface processes VLAN-tagged packets according to the VLAN termination configuration of the VLAN interface.
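The subinterface selection order described above, as a small classifier that also lists which VLAN IDs end up on a default-termination subinterface or on the main interface. This is an added example, not code from H3C or from the device: the names, the interface labels and the sample frames are constructed, and only the three termination types from the table are modelled. Reviewing that fall-through list is a quick way to see whether a default-termination subinterface is accepting VLAN tags nobody planned for.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Selection priority and egress tagging, as given in the text and table above.
PRIORITY = {"dot1q": 0, "untagged": 1, "default": 2}
EGRESS_TAGS = {"dot1q": "single-tagged", "untagged": "untagged", "default": "untagged"}


@dataclass(frozen=True)
class Subinterface:
    name: str
    termination: str               # "dot1q", "untagged" or "default"
    vlan_id: Optional[int] = None  # configured outermost VLAN ID (dot1q only)

    def matches(self, tags: Sequence[int]) -> bool:
        """tags lists the frame's VLAN IDs, outermost first; empty = untagged."""
        if self.termination == "dot1q":
            return bool(tags) and tags[0] == self.vlan_id
        if self.termination == "untagged":
            return not tags
        return self.termination == "default"  # takes whatever nothing else took


def select_interface(main: str, subs: Sequence[Subinterface],
                     tags: Sequence[int]) -> Tuple[str, str, Optional[str]]:
    """Return (interface name, termination type, tags of outgoing packets)."""
    for sub in sorted(subs, key=lambda s: PRIORITY[s.termination]):
        if sub.matches(tags):
            return sub.name, sub.termination, EGRESS_TAGS[sub.termination]
    # No termination type applies: the main interface processes the packet.
    return main, "main", None


def fallthrough_vlans(main: str, subs: Sequence[Subinterface],
                      frames: Sequence[Sequence[int]]) -> Dict[str, List[int]]:
    """Outermost VLAN IDs of tagged frames that no Dot1q subinterface claimed,
    grouped by the interface that processed them instead."""
    hits: Dict[str, set] = {}
    for tags in frames:
        name, kind, _ = select_interface(main, subs, tags)
        if tags and kind != "dot1q":
            hits.setdefault(name, set()).add(tags[0])
    return {name: sorted(vlans) for name, vlans in hits.items()}


# Constructed sample configuration and traffic.
MAIN = "GigabitEthernet1/0/1"
SUBS = [
    Subinterface(MAIN + ".999", "default"),
    Subinterface(MAIN + ".100", "untagged"),
    Subinterface(MAIN + ".10", "dot1q", 10),
    Subinterface(MAIN + ".20", "dot1q", 20),
]
FRAMES = [[10], [20, 300], [], [30], [4000, 10]]

if __name__ == "__main__":
    for frame in FRAMES:
        print(frame, "->", select_interface(MAIN, SUBS, frame))
    print(fallthrough_vlans(MAIN, SUBS, FRAMES))
```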

Restrictions and guidelines

·     When an interface is shut down, all services that need to pass through the device are interrupted on the network connected to the interface.

·     You must set the same aggregation mode at the two ends of an aggregate link.

·     For a successful static aggregation, make sure the ports at both ends of each link are in the same aggregation state.

·     Deleting a Layer 2 aggregate interface also deletes its Layer 2 aggregation group. At the same time, the member ports of the aggregation group, if any, leave the aggregation group.

·     For a link aggregation, attribute configurations are configurable only on the aggregate interface and are automatically synchronized to all member ports. The configuration synchronized from the aggregate interface is retained on the member ports even after the aggregate interface is deleted.

·     You cannot assign an interface to a Layer 3 aggregation group if that interface is the member of a Reth interface or is on a redundancy group node.

·     Make sure the ports at both ends of a dynamic link aggregation are assigned to the correct aggregation group. The two ends can automatically negotiate the aggregation state of each member port.
