Use this procedure to configure or modify Bridge VLAN profile parameters under the General tab.
Parameter | Description |
---|---|
Basic | |
Name | Enter a Name, not exceeding 32 characters, for the Bridge VLAN. |
Description | Enter a Description (up to 64 characters) unique to the specific configuration of the VLAN to help differentiate it from other VLANs with similar configurations. |
Per VLAN Firewall | Select Per VLAN Firewall to enable an IPv4 firewall on this interface. Firewalls, generally, are configured for all interfaces on a device. When configured, firewalls generate flow tables that store information on the traffic allowed to traverse through the firewall. These flow tables occupy a large portion of the limited memory that could be used for other critical purposes. With the per VLAN firewall feature enabled on an interface, flow tables are only generated for that interface. Flow tables are not generated for those interfaces where this feature is not enabled. This frees up memory which can be used for other purposes. Firewalls can be switched off for those interfaces which are known to carry trusted traffic and only enabled on the interfaces that can provide a vector for an attack on the network. This parameter is disabled by default. |
URL Filter | |
URL Filter | Select a URL Filter. URL filters are used to control the access to resources on the Internet. |
Application Policy | |
Application Policy | Select the appropriate Application Policy to use with this Bridge VLAN configuration. An application policy defines the rules or actions executed on recognized HTTP (Facebook), enterprise (Webex) and peer-to-peer (gaming) applications or application-categories. |
Extended VLAN Tunnel | |
Bridging Mode | Select a Bridging Mode for the VLAN. Options are: |
IP Outbound Tunnel ACL | Select an appropriate IP Outbound Tunnel ACL for outbound traffic. |
IPv6 Outbound Tunnel ACL | Select an appropriate IPv6 Outbound Tunnel ACL for outbound traffic. |
MAC Outbound Tunnel ACL | Select an appropriate MAC Outbound Tunnel ACL for outbound traffic. |
Tunnel Over Level 2 | Select Tunnel Over Level 2 to allow VLAN traffic to be tunneled over Level 2 links. This parameter is disabled by default. |
Extended VLAN Tunnel Authentication | |
MAC Authentication | Select MAC Authentication to enable source MAC authentication for extended VLAN and tunneled traffic (MiNT and L2TPv3) on this Bridge VLAN. When enabled, it provides fast-path authentication of clients whose captive portal session has expired. This parameter is disabled by default. |
Captive Portal Enforcement | Select the authentication mode to be used for extended VLAN and tunneled traffic on this Bridge VLAN. Options are: |
Tunnel Rate Limit | |
Add | Select Add to display and configure Tunnel Rate Limit parameters. Select to delete and hide the parameters. |
Mint Link Level | Select the MINT Link Level. |
Rate | Define a transmit Rate limit in the range 50 – 1000000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received over the Bridge VLAN. Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5000 kbps. |
Max Burst Size | Set a Max Burst Size in the range 2 – 1024 kbytes. The smaller the burst, the less likely the receive packet transmission will result in congestion. The default burst size is 320 kbytes. |
Background | Set the random early detection threshold in % for background traffic. Set a value from 0 - 100%. The default is 50%. |
Best Effort | Set the random early detection threshold in % for best-effort traffic. Set a value in the range 0 - 100%. The default is 50%. |
Video | Set the random early detection threshold in % for video traffic. Set a value in the range 1 - 100%. The default is 25%. |
Voice | Set the random early detection threshold in % for voice traffic. Set a value in the range 1 - 100%. The default is 0%. |
Layer 2 Firewall | |
Trust ARP Response | Select this option to use trusted ARP packets to update the DHCP Snoop Table to prevent IP spoof and arp-cache poisoning attacks. This feature is disabled by default. |
Trust DHCP Responses | Select this option to use DHCP packets from a DHCP server as trusted and permissible within the managed network. DHCP packets are used to update the DHCP Snoop Table to prevent IP spoof attacks. This feature is disabled by default. |
Edge VLAN Mode | Select this option to enable edge VLAN mode. When selected, the edge controller's IP address in the VLAN is not used, and is now designated to isolate devices and prevent connectivity. This feature is enabled by default. |
IPv6 Settings | |
IPv6 Firewall | Select this option to enable IPv6 on this Bridge VLAN. This setting is enabled by default. |
DHCPv6 Trust | Select this option to trust all DHCPv6 responses on this Bridge VLAN. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. This setting is enabled by default. |
RA Guard | Select this option to enable router advertisements or ICMPv6 redirects on this Bridge VLAN. This setting is enabled by default. |
Registration | |
Name | Enter the RADIUS group name in which registered users are placed. When left blank, users are not associated with a RADIUS group. |
Type | Select the self-registration type used for this Bridge VLAN. Options are as follows: |
Expiry Time | Set the amount of time (in the range 1 - 43,800 hours) before registration addresses expire and must be re-entered. |
Registration External | |
Enable | Specifies that the wired client registration is handled by an external resource. Registration requests are forwarded to the external registration server by the captive portal gateway controller. |
Follow AAA | Select to enable the use of an AAA policy to point to the guest registration, authentication, and accounting server. When enabled, guest registration is handled by the RADIUS server specified in the AAA policy. This is the AAA policy used in the captive portal applied on the Bridge VLAN interface. In an EGuest deployment, the RADIUS authentication and accounting server configuration in the AAA policy should point to the EGuest server. The use of this option is recommended in EGuest replica-set deployments. |
Send Mode | Specifies the protocol used to forward registration requests to the external AAA policy server. |
Captive Portal | |
Captive Portal Name | Select an existing captive portal configuration to apply access restrictions to the Bridge VLAN configuration. If an existing captive portal does not suit the Bridge VLAN configuration, see Captive Portals Policy for information on configuring a captive portal policy. |
Captive Portal Snoop Subnet | For wired captive portal clients with a static IP, to learn the IPv4-to-MAC mapping by snooping, select Add and enter the corresponding subnet and excluded IP. |
Captive Portal Snoop IPv6 Subnet | For wired captive portal clients with a static IP, to learn the IPv6-to-MAC mapping by snooping, select Add and enter the corresponding subnet and excluded IP. |
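
To see how the Rate and Max Burst Size values under Tunnel Rate Limit interact, the following added example (not part of the original documentation and not the product's implementation) models the limit as a generic token bucket. The token-bucket algorithm, the 1 kbyte = 1000 bytes conversion, and the names `TunnelPolicer` and `simulate` are assumptions made for illustration.

```python
from dataclasses import dataclass, field

RATE_KBPS = (50, 1_000_000)   # Rate range from the table
BURST_KBYTES = (2, 1024)      # Max Burst Size range from the table


@dataclass
class TunnelPolicer:
    """Generic token bucket; the algorithm itself is an assumption."""
    rate_kbps: int = 5000     # table default
    burst_kbytes: int = 320   # table default
    log: list = field(default_factory=list, init=False)

    def __post_init__(self):
        if not RATE_KBPS[0] <= self.rate_kbps <= RATE_KBPS[1]:
            raise ValueError("rate outside 50 - 1000000 kbps")
        if not BURST_KBYTES[0] <= self.burst_kbytes <= BURST_KBYTES[1]:
            raise ValueError("burst outside 2 - 1024 kbytes")
        self.capacity = self.burst_kbytes * 1000   # bytes (1 kbyte = 1000 B assumed)
        self.fill = self.rate_kbps * 1000 / 8      # refill in bytes per second
        self.tokens = float(self.capacity)         # bucket starts full
        self.last = 0.0

    def offer(self, now, size):
        """Forward (True) or drop and log (False) one packet of `size` bytes."""
        elapsed = now - self.last
        self.tokens = min(self.capacity, self.tokens + elapsed * self.fill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        self.log.append((now, size))   # stand-in for the device's log message
        return False


def simulate(policer, offered_kbps, seconds, pkt_bytes=1250):
    """Offer constant-rate traffic; return (forwarded_bytes, drops, first_drop_s)."""
    count = offered_kbps * 1000 * seconds // (pkt_bytes * 8)
    gap = pkt_bytes * 8 / (offered_kbps * 1000)    # seconds between packets
    forwarded = sum(pkt_bytes for i in range(count)
                    if policer.offer(i * gap, pkt_bytes))
    first = policer.log[0][0] if policer.log else None
    return forwarded, len(policer.log), first


if __name__ == "__main__":
    print(simulate(TunnelPolicer(), 4000, 2))    # under the limit: no drops
    print(simulate(TunnelPolicer(), 10000, 2))   # over the limit: drops begin
```

With the defaults, traffic offered at twice the configured rate is absorbed by the burst allowance for roughly half a second before drops begin; a smaller Max Burst Size shortens that window.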