Bridge VLAN Configuration

A Virtual LAN (VLAN) is a separately administered virtual network within the same physical network. VLANs are broadcast domains defined within switches to allow control of broadcast, multicast, unicast, and unknown unicast traffic within a Layer 2 device.

For example, say several computers are used in conference room X and some in conference room Y. The systems in conference room X can communicate with one another, but not with the systems in conference room Y. Creating a VLAN enables the systems in conference rooms X and Y to communicate with one another even though they are on separate physical subnets. The systems in conference rooms X and Y are managed by the same single device, but ignore the systems that aren't using the same VLAN ID.

Administrators often need to route traffic to interoperate between different VLANs. Bridging VLANs are only for non-routable traffic, such as tagged VLAN frames destined for some other device that will untag them. When a data frame is received on a port, the VLAN bridge determines the associated VLAN based on the port of reception. Using forwarding database information, the Bridge VLAN forwards the data frame on the appropriate port(s). VLANs are useful for setting up separate networks to isolate some computers from others, without having to use separate cabling and Ethernet switches. Another common use is to put specialized devices like VoIP phones on a separate network for easier configuration, administration, security, or quality of service.

To define a Bridge VLAN configuration:

  1. Select the Configuration > Devices > System Profile tab from the Web UI.
  2. Expand the Network menu and select Bridge VLAN.
    VLAN: Lists the numerical identifier defined for the Bridge VLAN when it was initially created. The available range is from 1 - 4095. This value cannot be modified during the edit process.
    Description: Lists a VLAN description assigned when the VLAN was created or modified. The description should be unique to the VLAN's specific configuration and help differentiate it from other VLANs with similar configurations.
    Edge VLAN Mode: Defines whether the VLAN is currently in edge VLAN mode. An edge VLAN is the VLAN where hosts are connected. For example, if VLAN 10 is defined with wireless clients, and VLAN 20 is where the default gateway resides, VLAN 10 should be marked as an edge VLAN and VLAN 20 should not. When a VLAN is defined as an edge VLAN, the firewall enforces additional checks on hosts in that VLAN; for example, a host cannot move from an edge VLAN to another VLAN and still keep its firewall flows active.
    Trust ARP Response: Trusted ARP packets are used to update the IP-MAC Table to prevent IP spoofing and ARP-cache poisoning attacks. When ARP trust is enabled, a green check mark displays. When disabled, a red "X" displays.
    Trust DHCP Responses: When enabled, DHCP packets from a DHCP server are trusted and permissible. DHCP packets update the DHCP Snoop Table to prevent IP spoofing attacks. When DHCP trust is enabled, a green check mark displays. When disabled, a red "X" displays.
    IPv6 Firewall: Lists whether IPv6 is enabled on this Bridge VLAN. A green check mark defines this setting as enabled. A red X defines this setting as disabled. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.
    DHCPv6 Trust: Lists whether DHCPv6 responses are trusted on this Bridge VLAN. A green check mark defines this setting as enabled. A red X defines this setting as disabled. If enabled, only DHCPv6 responses are trusted and forwarded over the Bridge VLAN.
    RA Guard: Lists whether router advertisements (RA) are allowed on this Bridge VLAN. A green check mark defines this setting as enabled. A red X defines this setting as disabled. RAs are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information.
  3. Select Add to define a new Bridge VLAN configuration, Edit to modify an existing Bridge VLAN configuration, or Delete to remove a VLAN configuration.
  4. If adding a new Bridge VLAN configuration, use the spinner control to define a VLAN ID from 1 - 4095. This value must be defined and saved before the General tab becomes enabled and the remainder of the settings can be defined.
  5. If creating a new Bridge VLAN, provide a Description (up to 64 characters) unique to the VLAN's specific configuration to help differentiate it from other VLANs with similar configurations.
  6. Select the Per VLAN Firewall option to enable the firewall on this interface.
    Firewalls are generally configured for all interfaces on a device. When configured, firewalls generate flow tables that store information on the traffic allowed to traverse the firewall. These flow tables occupy a large portion of the limited memory that could be used for other critical purposes. With the per VLAN firewall feature enabled on an interface, flow tables are generated only for that interface; flow tables are not generated for interfaces where this feature is not enabled. This frees up memory for other purposes. The firewall can be switched off for interfaces known to carry trusted traffic and enabled only on the interfaces that could provide a vector for an attack on the network.
  7. Set or override the following Web Filter parameters. Web filters are used to control the access to resources on the Internet.
    URL Filter: Use the drop-down menu to select a URL filter to use with this Bridge VLAN.
  8. Set or override the following Extended VLAN Tunnel parameters:
    Bridging Mode: Specify one of the following bridging modes for the VLAN.
    • Automatic: Select Automatic to let the controller, service platform or access point determine the best bridging mode for the VLAN.
    • Local: Select Local to use local bridging mode for bridging traffic on the VLAN.
    • Tunnel: Select Tunnel to use a shared tunnel for bridging traffic on the VLAN.
    • isolated-tunnel: Select isolated-tunnel to use a dedicated tunnel for bridging VLAN traffic.
    IP Outbound Tunnel ACL: Select an IP Outbound Tunnel ACL for outbound traffic from the drop-down menu. If an appropriate outbound IP ACL is not available, select the Create button to make a new one.
    MAC Outbound Tunnel ACL: Select a MAC Outbound Tunnel ACL for outbound traffic from the drop-down menu. If an appropriate outbound MAC ACL is not available, select the Create button to make a new one.
    Tunnel Over Level 2: Select this option to allow VLAN traffic to be tunneled over Level 2 links. This setting is disabled by default.
    IPv6 Outbound Tunnel ACL: Select an IPv6 Outbound Tunnel ACL for outbound traffic from the drop-down menu. If an appropriate outbound IPv6 ACL is not available, select the Create button.
  9. Set the following Tunnel Rate Limit parameters:
    Mint Link Level: Select the MINT link level from the drop-down menu.
    Rate: Define a transmit rate limit between 50 - 1,000,000 kbps. This limit is the threshold for the maximum number of packets transmitted or received over the Bridge VLAN. Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5,000 kbps.
    Maximum Burst Size: Set a maximum burst size between 0 - 1024 kbytes. The smaller the burst, the less likely a burst of received packets will result in congestion. The default burst size is 320 kbytes.
    Background: Set the random early detection threshold, as a percentage, for background traffic. Set a value from 1 - 100%. The default is 50%.
    Best Effort: Set the random early detection threshold, as a percentage, for best-effort traffic. Set a value from 1 - 100%. The default is 50%.
    Video: Set the random early detection threshold, as a percentage, for video traffic. Set a value from 1 - 100%. The default is 25%.
    Voice: Set the random early detection threshold, as a percentage, for voice traffic. Set a value from 1 - 100%. The default is 25%.
  10. Define the following Layer 2 Firewall parameters:
    Trust ARP Response: Select this option to use trusted ARP packets to update the DHCP Snoop Table to prevent IP spoofing and ARP-cache poisoning attacks. This feature is disabled by default.
    Trust DHCP Responses: Select this option to treat DHCP packets from a DHCP server as trusted and permissible within the managed network. DHCP packets are used to update the DHCP Snoop Table to prevent IP spoofing attacks. This feature is disabled by default.
    Edge VLAN Mode: Select this option to enable edge VLAN mode. When selected, the edge controller's IP address in the VLAN is not used; the VLAN is instead designated to isolate devices and prevent connectivity. This feature is enabled by default.
  11. Set the following IPv6 Settings:
    IPv6 Firewall: Select this option to enable IPv6 on this Bridge VLAN. This setting is enabled by default.
    DHCPv6 Trust: Select this option to trust all DHCPv6 responses on this Bridge VLAN. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. This setting is enabled by default.
    RA Guard: Select this option to enable router advertisements or ICMPv6 redirects on this Bridge VLAN. This setting is enabled by default.
  12. Refer to the Captive Portal field to select an existing captive portal configuration to apply access restrictions to the Bridge VLAN configuration.
    A captive portal is an access policy for providing temporary and restrictive access using a standard Web browser. Captive portals provide authenticated access by capturing and redirecting a wireless user's Web browser session to a captive portal login page, where the user must enter valid credentials to access the network. Once logged into the captive portal, additional Terms and Agreement, Welcome, Fail and No Service pages give the administrator a number of options for captive portal screen flow and user appearance.

    If an existing captive portal does not suit the Bridge VLAN configuration, either select the Edit icon to modify an existing configuration or select the Create icon to define a new configuration that can be applied to the Bridge VLAN. For information on configuring a captive portal policy, see Configuring Captive Portal Policies.

  13. Select the IGMP Snooping tab.
  14. Define the following IGMP General parameters.
    Enable IGMP Snooping: Select this option to enable IGMP snooping. If disabled, snooping on this Bridge VLAN is disabled and the settings under bridge configuration are overridden. This feature is enabled by default.
    Forward Unknown Unicast Packets: Select this option to enable forwarding of multicast packets from unregistered multicast groups. If disabled, the unknown multicast forward feature is also disabled for this Bridge VLAN. This setting is enabled by default.
    Enable Fast Leave Processing: Select this option to remove a Layer 2 LAN interface from the IGMP snooping forwarding table entry without first sending IGMP group-specific queries to the interface. When receiving a group-specific IGMPv2 leave message, IGMP snooping removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port. Fast-leave processing enhances bandwidth management for all hosts on the network. This setting is disabled by default.
    Last Member Query Count: Specify the number (1-7) of group-specific queries sent before removing an IGMP snooping entry. The default setting is 2.
  15. Define the following Multicast Router settings:
    Interface Names: Select the interface used for IGMP snooping over a multicast router. Multiple interfaces can be selected.
    Multicast Router Learn Mode: Select static or pim-dvmrp as the mode used to determine client multicast traffic levels on specific routes.
  16. Set the following IGMP Querier parameters for the Bridge VLAN configuration:
    Enable IGMP Snooping: The IGMP snoop querier is used to keep host memberships alive. It's primarily used in a network where there's a multicast streaming server, hosts subscribed to the server, and no IGMP querier present. An IGMP querier sends out periodic IGMP query packets, and interested hosts reply with an IGMP report packet. IGMP snooping is only conducted on wireless radios. IGMP multicast packets are flooded on wired ports. IGMP multicast packets are not flooded on the wired port; IGMP membership is also learned on it, and traffic is forwarded on that port only if membership is present.
    Source IP Address: Define an IP address applied as the source address in the IGMP query packet. This address is used as the default VLAN querier IP address.
    IGMP Version: Use the spinner control to set the IGMP version compatibility to version 1, 2 or 3. The default setting is 3.
    Maximum Response Time: Specify the maximum time (from 1 - 25 seconds) before sending a responding report. When no reports are received from a radio, the radio's information is removed from the snooping table. IGMP reports from wired ports are only forwarded to the multicast router ports. The default setting is 10 seconds.
    Other Querier Timer Expiry: Specify an interval in either Seconds (60 - 300) or Minutes (1 - 5) used as a timeout interval for other querier resources. The default setting is 1 minute.
  17. Select the MLD Snooping tab.
  18. Define the following General MLD snooping parameters for the Bridge VLAN configuration:
    Enable MLD Snooping: Enable MLD snooping to examine MLD packets and support content forwarding on this Bridge VLAN. Packets delivered are identified by a single multicast group address. Multicast packets are delivered using best-effort reliability, just like IPv6 unicast. MLD snooping is enabled by default.
    Forward Unknown Packets: Use this option to either enable or disable IPv6 unknown multicast forwarding. This setting is enabled by default.

    Multicast Listener Discovery (MLD) snooping enables a controller, service platform or access point to examine MLD packets and make forwarding decisions based on content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses. MLD uses multicast listener queries and multicast listener reports to identify which multicast addresses have listeners and join multicast groups.

    MLD snooping caps the flooding of IPv6 multicast traffic on controller, service platform or access point VLANs. When enabled, MLD messages are examined between hosts and multicast routers and to discern which hosts are receiving multicast group traffic. The controller, service platform or access point then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces.

  19. Define the following Multicast Router settings:
    Interface Names: Select the ge or radio interfaces used for MLD snooping.
    Multicast Router Learn Mode: Set the pim-dvmrp or static multicast routing learn mode. DVMRP builds a parent-child database using a constrained multicast model to build a forwarding tree rooted at the source of the multicast packets. Multicast packets are initially flooded down this source tree. If redundant paths are on the source tree, packets are not forwarded along those paths.
  20. Set the following MLD Querier parameters for the profile's Bridge VLAN configuration:
    Enable MLD Querier: Select this option to enable the MLD querier on the controller, service platform or access point. When enabled, the device sends query messages to discover which network devices are members of a given multicast group. This setting is enabled by default.
    MLD Version: Define whether MLD version 1 or 2 is used with the MLD querier. MLD version 1 is based on IGMP version 2 for IPv4. MLD version 2 is based on IGMP version 3 for IPv4 and is fully backward compatible. IPv6 multicast uses MLD version 2. The default MLD version is 2.
    Maximum Response Time: Specify the maximum response time (from 1 - 25,000 milliseconds) before sending a responding report. Queriers use MLD reports to join and leave multicast groups and receive group traffic. The default setting is 1 millisecond.
    Other Querier Timer Expiry: Specify an interval in either Seconds (60 - 300) or Minutes (1 - 5) used as a timeout interval for other querier resources. The default setting is 60 seconds.
  21. Select the OK button located at the bottom right of the screen to save the changes. Select Reset to revert to the last saved configuration.
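The Trust DHCP Responses and Trust ARP Response settings described in steps 2 and 10 work together: DHCP server replies populate the DHCP Snoop Table, and ARP replies are then checked against those IP-to-MAC bindings. The following Python model is an added example and is not code from the product documentation or its vendor; the class names, method names and every packet record are this example's own constructed assumptions, and its choice to drop ARP replies from addresses with no DHCP binding is a modelling decision, not documented device behaviour.

```python
"""Added example, not from the product documentation or its vendor: a small
model of the Layer 2 firewall trust settings from steps 2 and 10 (Trust DHCP
Responses, Trust ARP Response). DHCP server replies seen on a trusted port fill
a DHCP snoop table of (VLAN, IP) -> MAC bindings, and ARP replies are then
checked against those bindings. Every packet record below is constructed
sample data; class and method names are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class BridgeVlan:
    vlan_id: int
    trust_dhcp_responses: bool = False   # step 10: disabled by default
    trust_arp_response: bool = False     # step 10: disabled by default


@dataclass
class L2Firewall:
    vlans: Dict[int, BridgeVlan]
    # DHCP Snoop Table: (vlan, client ip) -> client mac
    snoop_table: Dict[Tuple[int, str], str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def handle_dhcp(self, vlan_id: int, msg_type: str, yiaddr: str,
                    chaddr: str, from_trusted_port: bool) -> str:
        """Decide on a DHCP message; returns 'forward' or 'drop'."""
        vlan = self.vlans[vlan_id]
        if not vlan.trust_dhcp_responses:
            return "forward"            # feature off: no snooping at all
        if msg_type in ("OFFER", "ACK") and not from_trusted_port:
            # Server-side messages arriving on a client port: a rogue DHCP server.
            self.log.append(f"vlan {vlan_id}: DHCP {msg_type} for {yiaddr} "
                            f"from untrusted port dropped")
            return "drop"
        if msg_type == "ACK":
            # A confirmed lease is the only thing that creates a binding.
            self.snoop_table[(vlan_id, yiaddr)] = chaddr.lower()
        return "forward"

    def handle_arp_reply(self, vlan_id: int, sender_ip: str, sender_mac: str) -> str:
        """Validate an ARP reply's sender pair against the snoop table."""
        vlan = self.vlans[vlan_id]
        if not vlan.trust_arp_response:
            return "forward"
        bound = self.snoop_table.get((vlan_id, sender_ip))
        if bound is None:
            # Assumption of this model: senders without a DHCP lease are
            # treated as unverified and dropped (strict mode).
            self.log.append(f"vlan {vlan_id}: ARP for {sender_ip} from "
                            f"{sender_mac} has no DHCP binding, dropped")
            return "drop"
        if bound != sender_mac.lower():
            self.log.append(f"vlan {vlan_id}: ARP-cache poisoning attempt: "
                            f"{sender_ip} is bound to {bound}, claimed by {sender_mac}")
            return "drop"
        return "forward"


def run_sample() -> Tuple[List[str], List[str]]:
    """Constructed traffic: VLAN 10 has both trust features on, VLAN 20 has none."""
    fw = L2Firewall({
        10: BridgeVlan(10, trust_dhcp_responses=True, trust_arp_response=True),
        20: BridgeVlan(20),
    })
    decisions = [
        fw.handle_dhcp(10, "ACK", "192.0.2.10", "AA:BB:CC:00:00:01", True),     # real lease
        fw.handle_dhcp(10, "OFFER", "192.0.2.99", "AA:BB:CC:00:00:EE", False),  # rogue server
        fw.handle_arp_reply(10, "192.0.2.10", "aa:bb:cc:00:00:01"),  # matches binding
        fw.handle_arp_reply(10, "192.0.2.10", "aa:bb:cc:00:00:ff"),  # poisoning attempt
        fw.handle_arp_reply(20, "192.0.2.50", "aa:bb:cc:00:00:50"),  # VLAN 20: no checks
    ]
    return decisions, fw.log


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

The VLAN 20 case shows why both settings are off by default only makes sense for trusted segments: with neither feature enabled, the same mismatched ARP reply is forwarded unchecked, which is the condition the per-VLAN trust settings are there to close on edge VLANs.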
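Steps 14 and 15 describe how IGMP snooping builds a per-group forwarding entry, what happens to unregistered groups, and how a leave is processed with and without fast-leave. The following Python model is an added example and is not code from the product documentation or its vendor; the port names, group addresses, class and method names are constructed for illustration, and the `still_interested` set stands in for the timer-driven wait for replies to group-specific queries.

```python
"""Added example, not from the product documentation or its vendor: a model of
the IGMP snooping behaviour described in steps 14 and 15 (Enable IGMP Snooping,
Forward Unknown Unicast Packets, Enable Fast Leave Processing, Last Member
Query Count, multicast router ports). Port names and group addresses are
constructed; the class and method names are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class IgmpSnooping:
    all_ports: Set[str]
    mrouter_ports: Set[str] = field(default_factory=set)  # step 15: Interface Names
    enabled: bool = True                  # step 14: enabled by default
    forward_unknown: bool = True          # step 14: enabled by default
    fast_leave: bool = False              # step 14: disabled by default
    last_member_query_count: int = 2      # step 14: 1-7, default 2
    table: Dict[str, Set[str]] = field(default_factory=dict)  # group -> member ports
    queries_sent: List[Tuple[str, str]] = field(default_factory=list)

    def report(self, group: str, port: str) -> None:
        """IGMP membership report: add the port to the group's forwarding entry."""
        self.table.setdefault(group, set()).add(port)

    def leave(self, group: str, port: str, still_interested: Set[str]) -> bool:
        """IGMPv2 group-specific Leave from `port`. `still_interested` is the
        constructed set of ports that would answer a group-specific query,
        standing in for the real timer-driven wait. Returns True if the port
        was removed from the entry."""
        members = self.table.get(group)
        if not members or port not in members:
            return False
        # Fast leave: drop the port at once, unless a multicast router was
        # learned on it (other receivers may sit behind that router).
        if self.fast_leave and port not in self.mrouter_ports:
            members.discard(port)
            return True
        # Otherwise send up to last_member_query_count group-specific queries
        # and keep the port as soon as any host on it answers.
        for _ in range(self.last_member_query_count):
            self.queries_sent.append((group, port))
            if port in still_interested:
                return False
        members.discard(port)
        return True

    def egress_ports(self, group: str, ingress: str) -> Set[str]:
        """Ports a multicast frame for `group` arriving on `ingress` is sent to."""
        if not self.enabled:
            out = set(self.all_ports)                     # no snooping: plain flood
        elif group in self.table:
            out = self.table[group] | self.mrouter_ports  # members plus router ports
        elif self.forward_unknown:
            out = set(self.all_ports)                     # unregistered group flooded
        else:
            out = set(self.mrouter_ports)                 # unregistered: routers only
        out.discard(ingress)
        return out


def run_sample() -> dict:
    """Constructed scenario on one Bridge VLAN with two wired ports and one radio."""
    snoop = IgmpSnooping(all_ports={"ge1", "ge2", "radio1"}, mrouter_ports={"ge1"},
                         fast_leave=True, last_member_query_count=2)
    group = "239.1.1.1"
    snoop.report(group, "radio1")
    snoop.report(group, "ge2")
    results = {}
    results["egress_known"] = snoop.egress_ports(group, ingress="ge1")
    results["fast_leave_radio1"] = snoop.leave(group, "radio1", still_interested=set())
    results["queries_after_fast_leave"] = len(snoop.queries_sent)
    # Turn fast leave off to exercise the query-based slow path on ge2.
    snoop.fast_leave = False
    results["slow_leave_ge2_kept"] = snoop.leave(group, "ge2", still_interested={"ge2"})
    results["queries_after_slow_leave"] = len(snoop.queries_sent)
    results["slow_leave_ge2_removed"] = snoop.leave(group, "ge2", still_interested=set())
    results["queries_total"] = len(snoop.queries_sent)
    results["egress_unknown_flood"] = snoop.egress_ports("239.9.9.9", ingress="radio1")
    snoop.forward_unknown = False
    results["egress_unknown_routers_only"] = snoop.egress_ports("239.9.9.9", ingress="radio1")
    return results


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The slow path shows what Last Member Query Count buys: with the value 2, a port whose hosts have gone silent costs two group-specific queries before its entry is pruned, while a port that still answers is kept after the first query. Disabling Forward Unknown Unicast Packets changes an unregistered group from a flood of every port to delivery on the multicast router ports only.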