VM Interface Override Configuration

WiNG provides a dataplane bridge for external network connectivity for virtual machines (VMs). VM interfaces define which IP address is associated with each VLAN ID the service platform is connected to and enable remote service platform administration. Each custom VM can have a maximum of two VM interfaces. Each VM interface can be mapped to one of 16 VMIF ports on the dataplane bridge. This mapping determines the destination for service platform routing.

By default, VM interfaces are internally connected to the dataplane bridge via VMIF1. VMIF1, by default, is an untagged port providing access to VLAN 1 to support the capability to connect the VM interfaces to any of the VMIF ports. This provides the flexibility to move a VM interface onto different VLANs as well as configure specific firewall and QoS rules.

To define or override a VM interface configuration:

  1. Select VM Interfaces.
    The VM Interfaces screen displays.
    Note

    A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click Clear Overrides. This removes all overrides from the device.
  2. Refer to the following to review existing configurations and status to determine whether a parameter requires an override:
    Name The VM interface numerical identifier assigned when the VM interface was created. The numerical name cannot be modified as part of the edit process.
    Type Whether the type is VM interface.
    Description A short description (64 characters maximum) describing the VM interface or differentiating it from others with similar configurations.
    Admin Status A green check mark means the listed VM interface is active and currently enabled with the profile. A red “X” means the VM interface is currently disabled and not available for use. The interface status can be modified with the VM Interface Basic Configuration screen as required.
    Mode The layer 3 mode of the VM interface: either Access or Trunk (as defined within the VM Interfaces Basic Configuration screen). If Access is selected, the listed VM interface accepts packets only from the native VLAN. Frames are forwarded untagged with no 802.1Q header. All frames received on the port are expected as untagged and mapped to the native VLAN. If set to Trunk, the port allows packets from a list of VLANs added to the trunk. A VM interface configured as Trunk supports multiple 802.1Q tagged VLANs and one native VLAN which can be tagged or untagged.
    Native VLAN The numerical VLAN ID (1 - 4094) set for the native VLAN. The native VLAN allows a VM interface to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a VM interface in trunk mode.
    Tag Native VLAN A green check mark means the native VLAN is tagged. A red “X” means the native VLAN is untagged. When a frame is tagged, the 12-bit frame VLAN ID is added to the 802.1Q header so upstream VM interface ports know which VLAN ID the frame belongs to. The device reads the 12-bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream VM interface classifies the frame using the default or native VLAN assigned to the Trunk port. A native VLAN allows a VM interface to associate untagged frames to a VLAN when no 802.1Q header is included in the frame.
    Allowed VLANs The VLANs allowed to send packets over the listed VM interface. Allowed VLANs are listed only when the mode has been set to Trunk.
  3. To edit or override the configuration of an existing VM interface, select it from among those displayed and click Edit.
    The VM Interfaces Basic Configuration screen displays by default.
  4. Set or override the following VM interface Properties:
    Description Enter a description for the controller or service platform VM interface (64 characters maximum).
    Admin Status Select Enabled to define this VM interface as active to the profile it supports. Select Disabled to disable this VM interface in the profile. It can be activated at any time when needed. This option is disabled by default.
    Mode Select either Access or Trunk to set the VLAN switching mode over the VM interface. If Access is selected, the VM interface accepts packets only from the native VLAN. Frames are forwarded untagged with no 802.1Q header. All frames received on the VMIF port are expected as untagged and mapped to the native VLAN. If set to Trunk, the port allows packets from a list of VLANs you add to the trunk. A VM interface configured as Trunk supports multiple 802.1Q tagged VLANs and one native VLAN which can be tagged or untagged. Access is the default setting.
    Native VLAN Define the numerical VLAN ID (1 - 4094) for the native VLAN. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic will be directed over when using trunk mode. The default value is 1.
    Tag Native VLAN Select this option to tag the native VLAN. Service platforms support the IEEE 802.1Q specification for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame, identifying for the upstream VMIF the VLAN ID that the frame belongs to. If the upstream VMIF does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between VM interface ports, both VM interfaces must support tagging and be configured to accept tagged VLANs. When a frame is tagged, a 12-bit frame VLAN ID is added to the 802.1Q header, so upstream VM interfaces know which VLAN ID the frame belongs to. The 12-bit VLAN ID is read and the frame is forwarded to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream VMIF classifies the frame using the default or native VLAN assigned to the Trunk port. The native VLAN allows a VM interface to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. This setting is disabled by default.
    Allowed VLANs Selecting Trunk as the mode enables the Allowed VLANs parameter. Add VLANs that exclusively send packets over the VM interface. The available range is from 1 - 4094. The maximum number of entries is 256.
  5. Click OK to save the changes and overrides made to the VM interface basic configuration.
    Click Reset to revert to the last saved configuration.
  6. Select the Security tab.
  7. Refer to the Access Control field.
    As part of the VM interface’s security configuration, IPv4 and IPv6 Inbound and MAC Inbound address firewall rules are required.

    Use the drop-down menus to select the firewall rules to apply to this profile’s VM interface configuration. The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.

  8. Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4 specific firewall rules to apply to this profile’s VM interface configuration.
    IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method: it does not guarantee delivery, and it does not ensure proper sequencing or avoid duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.
  9. Use the IPv6 Inbound Firewall Rules drop-down menu to select the IPv6 specific firewall rules to apply to this profile’s VM interface configuration.
    IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
  10. If there is no firewall rule that meets the data protection needs of the target VM interface configuration, click the Create icon to define a new rule configuration, or click the Edit icon to modify an existing firewall rule configuration.
  11. Refer to the Trust field to define or override the following:
    Trust ARP Responses Select this option to enable ARP trust on this VM interface. ARP packets received on this port are considered trusted, and the information from these packets is used to identify rogue devices. This option is disabled by default.
    Trust DHCP Responses Select this option to enable DHCP trust on this VM interface. If enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port. This option is enabled by default.
    ARP Header Mismatch Validation Select this option to enable a mismatch check for the source MAC in both the ARP and Ethernet header. This option is enabled by default.
    Trust 802.1p COS values Select this option to enable 802.1p COS values on this VM interface. This option is enabled by default.
    Trust IP DSCP Select this option to enable IP DSCP values on this VM interface. This option is disabled by default.
  12. Set the following IPv6 Settings:
    Trust ND Requests Select this option to enable the trust of neighbor discovery requests required on an IPv6 network on this VM interface. This option is disabled by default.
    Trust DHCPv6 Responses Select this option to trust all DHCPv6 responses on this VM interface. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes, or other configuration attributes required on an IPv6 network. DHCPv6 relay agents receive messages from clients and forward them to a DHCPv6 server. The server sends responses back to the relay agent, and the relay agent sends the responses to the client on the local link. This option is enabled by default.
    ND Header Mismatch Validation Select this option to enable a mismatch check for the source MAC within the ND header and Link Layer Option. This option is disabled by default.
    RA Guard Select this option to enable router advertisements or ICMPv6 redirects from this VM interface. Router advertisements are periodically sent to hosts or sent in response to neighbor solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. This option is disabled by default.
  13. Click OK to save the changes and overrides made to the VM interface configuration.
    Click Reset to revert to the last saved configuration.
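
The Mode, Native VLAN, Tag Native VLAN and Allowed VLANs settings from step 4 can be modelled as frame handling rules. The following is an added example, not WiNG code: the function names and port dictionaries are hypothetical, the sample frame is constructed, and refusing tagged frames on an Access port is an assumption drawn from the "expected as untagged" wording.

```python
import struct

TPID = 0x8100  # EtherType value announcing an 802.1Q header

def vlan_tag(frame):
    """Return the 12-bit VLAN ID from the 802.1Q header, or None if untagged."""
    if len(frame) >= 18 and struct.unpack_from("!H", frame, 12)[0] == TPID:
        return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF
    return None

def ingress_vlan(frame, port):
    """VLAN a received frame is classified into, or None if it is refused."""
    vid = vlan_tag(frame)
    if vid is None:
        return port["native"]        # no 802.1Q header: use the native VLAN
    if port["mode"] == "access":
        return None                  # assumption: access refuses tagged frames
    permitted = vid == port["native"] or vid in port["allowed"]
    return vid if permitted else None

def egress_frame(frame, vlan, port):
    """Frame as forwarded out of the port for `vlan`, or None if not allowed.
    `frame` is untagged on input; tagging inserts four bytes after the MACs."""
    if port["mode"] == "access":
        return frame if vlan == port["native"] else None
    if vlan == port["native"] and not port["tag_native"]:
        return frame                 # native VLAN leaves the trunk untagged
    if vlan != port["native"] and vlan not in port["allowed"]:
        return None
    return frame[:12] + struct.pack("!HH", TPID, vlan & 0x0FFF) + frame[12:]

# Constructed sample data (not from the page): a 60-byte untagged IPv4 frame
# and two hypothetical port settings using the page's parameter names.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)
ACCESS = {"mode": "access", "native": 1, "tag_native": False, "allowed": set()}
TRUNK = {"mode": "trunk", "native": 10, "tag_native": False, "allowed": {20, 30}}

if __name__ == "__main__":
    tagged = egress_frame(UNTAGGED, 20, TRUNK)
    print(len(UNTAGGED), len(tagged), vlan_tag(tagged))
    print(ingress_vlan(tagged, TRUNK), ingress_vlan(tagged, ACCESS))
    print(ingress_vlan(UNTAGGED, TRUNK), egress_frame(UNTAGGED, 40, TRUNK))
```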
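
The ARP Header Mismatch Validation setting in step 11 compares the source MAC in the Ethernet header with the one in the ARP header. The following added example (not WiNG code) shows that comparison as it could be run over captured frames when reviewing traffic; the function names and MAC/IP values are hypothetical, the frames are constructed, and whether the platform applies exactly this logic is an assumption.

```python
import struct

ETH_ARP, ETH_8021Q = 0x0806, 0x8100

def arp_header_mismatch(frame):
    """True if the Ethernet source MAC differs from the ARP sender hardware
    address, False if they match, None if this is not Ethernet/IPv4 ARP."""
    if len(frame) < 14:
        return None
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype == ETH_8021Q:           # skip the four-byte 802.1Q header
        offset += 4
        if len(frame) < offset + 2:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype != ETH_ARP:
        return None
    arp = frame[offset + 2:]
    if len(arp) < 28:
        return None                      # truncated ARP header
    htype, ptype, hlen, plen, _oper = struct.unpack_from("!HHBBH", arp, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                      # not Ethernet hardware / IPv4 protocol
    return frame[6:12] != arp[8:14]      # Ethernet source vs. ARP sender MAC

# Constructed sample values (locally administered MACs, documentation IPs).
HOST = bytes.fromhex("020000000001")
PEER = bytes.fromhex("020000000002")
OTHER = bytes.fromhex("020000000003")

def sample_arp_reply(eth_src, sha, vlan=None):
    """Build a constructed ARP reply for exercising the check above."""
    tag = struct.pack("!HH", ETH_8021Q, vlan) if vlan is not None else b""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                      sha, bytes([192, 0, 2, 1]), PEER, bytes([192, 0, 2, 2]))
    return PEER + eth_src + tag + struct.pack("!H", ETH_ARP) + arp

if __name__ == "__main__":
    for name, frame in [("consistent", sample_arp_reply(HOST, HOST)),
                        ("mismatch", sample_arp_reply(HOST, OTHER)),
                        ("mismatch, VLAN 20", sample_arp_reply(HOST, OTHER, 20)),
                        ("not ARP", bytes(60))]:
        print(f"{name}: {arp_header_mismatch(frame)}")
```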