Configure Forwarding Engine Control Management Options

Create or open an existing Management Option. See Add Management Options for more information.

The forwarding engine controls the type of traffic being forwarded between interfaces, GRE tunnels, and sets logging features. Extreme Networks devices can selectively block or enable broadcast and multicast traffic through GRE tunnels to reduce traffic congestion. This task is part of creating or modifying a Management Option and only applies to APs.

  1. Select Block All to prohibit forwarding multicast and broadcast traffic through tunnels.
  2. Select Allow All to enable forwarding multicast and broadcast traffic through tunnels.
  3. To specify exceptions to the blacklist (Block All) or whitelist (Allow All), select the plus sign. In the dialog box, enter the destination IP address and netmask, and then select Add. You can also enter an IPv6 address.
  4. For Service Control, select the fields as follows:
    • Limit MAC sessions per station: Select and set the maximum number of MAC sessions (Layer 2 sessions) that can be created to or from a station.
    • Limit IP sessions per station: Select and set the maximum number of IP sessions (Layer 3 sessions) that can be created to or from a station.
    • Enable TCP Maximum Segment Size: Select to enable a device to monitor the TCP MSS option in TCP SYN and SYN-ACK messages for traffic that passes through GRE tunnels (for Layer 3 roaming and static identity-based tunnels) and GRE-over-IPsec tunnels (for IPsec VPN tunnels). The device notifies the sender to adjust the TCP MSS value if it exceeds a maximum threshold.
      Note

      For 0 (auto), the device automatically readjusts the TCP MSS thresholds.
    • Enable ARP Shield: Enable ARP Shield to prevent man-in-the-middle attacks in which client devices use ARP poisoning to impersonate critical network resources, such as a network gateway or DNS server. ARP Shield should not be used if any clients on the network are assigned static IP addresses. ARP Shield is disabled by default and can be enabled only on access points running IQ Engine 6.8r1 and above. Enabling ARP Shield has no effect on access points running IQ Engine 6.5, switches, routers, or Virtual Gateway appliances.
    • Disable DHCP Shield: Disable DHCP Shield to turn off the built-in ability of IQ Engine to prevent attached clients from impersonating a DHCP server. In the default enabled state, connected clients are blocked from responding to DHCP server discovery or IP lease requests. When disabled, connected clients are able to respond to DHCP discovery or IP lease requests. DHCP Shield is enabled by default on access points running IQ Engine 6.8r1 and above. Disabling DHCP Shield has no effect on access points running IQ Engine 6.5, switches, routers, or Virtual Gateway appliances.
    • Disable Proxy-ARP: Clear this check box to enable learning of MAC addresses and proxy replies to ARP requests, which is helpful for troubleshooting.
    • Disable Inter-SSID Flooding: Select to disable forwarding of multicast and broadcast traffic between access interfaces bound to different SSIDs. The multicast and broadcast traffic is instead moved to the backhaul interface, which can filter it or pass it on from there.
      Note

      Applies only to traffic on one AP, between client devices connected to two different SSIDs on one AP, on the same radio.
    • Disable WebUI Without Disabling CWP: Select to improve system security without disabling the associated captive web portal.
  5. Configure Global Logging Options and Firewall Policies as follows:
    1. Select the Log check boxes to log dropped packets that are denied by MAC or IP firewall policies, and for the first packets of sessions destined for the IP address of the device itself.
    2. Select the Drop check boxes to drop all fragmented IP packets, and all non-management traffic destined for the device.
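To make the TCP Maximum Segment Size monitoring in step 4 concrete, the following Python example (added here; it is not code from Extreme Networks or from IQ Engine) parses the options field of a TCP SYN, reads the MSS option, and rewrites it when it exceeds a threshold, which is what an MSS-clamping device does before the SYN continues through a tunnel. The sample SYN options, the 1500-byte path MTU and the 24-byte GRE-over-IPv4 encapsulation overhead (20-byte outer IP header plus 4-byte base GRE header) are constructed for the example; how the device computes its own "0 (auto)" threshold is not documented on this page and is not modelled.

```python
import struct

# TCP option kinds (RFC 793): 0 = end of list, 1 = NOP, 2 = MSS (length 4)
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2

# Constructed options block as a typical SYN would carry it:
# MSS 1460, SACK-permitted, timestamps, NOP, window scale 7.
SAMPLE_SYN_OPTIONS = (
    b"\x02\x04\x05\xb4"                 # MSS = 0x05b4 = 1460
    b"\x04\x02"                         # SACK permitted
    b"\x08\x0a" + b"\x00\x01\x02\x03" + b"\x00\x00\x00\x00"  # timestamps
    b"\x01"                             # NOP padding
    b"\x03\x03\x07"                     # window scale = 7
)


def parse_tcp_options(options: bytes) -> list:
    """Walk the TCP options field and return (kind, offset, payload) tuples.

    Rejects truncated or malformed length fields instead of reading past
    the buffer, which is the edge case a forwarding engine must handle.
    """
    parsed = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("invalid TCP option length %d" % length)
        parsed.append((kind, i, options[i + 2:i + length]))
        i += length
    return parsed


def mss_from_options(options: bytes):
    """Return the advertised MSS, or None if the SYN carries no MSS option."""
    for kind, _offset, payload in parse_tcp_options(options):
        if kind == OPT_MSS and len(payload) == 2:
            return struct.unpack("!H", payload)[0]
    return None


def clamp_mss(options: bytes, max_mss: int):
    """Lower the MSS option to max_mss if it exceeds it.

    Returns (new_options, changed). All other options are left untouched.
    """
    out = bytearray(options)
    for kind, offset, payload in parse_tcp_options(options):
        if kind == OPT_MSS and len(payload) == 2:
            current = struct.unpack("!H", payload)[0]
            if current > max_mss:
                out[offset + 2:offset + 4] = struct.pack("!H", max_mss)
                return bytes(out), True
            return bytes(out), False
    return bytes(out), False


def tunnel_mss(path_mtu: int, encap_overhead: int,
               ip_header: int = 20, tcp_header: int = 20) -> int:
    """Largest inner TCP segment that fits the path after encapsulation.

    encap_overhead is the tunnel's own bytes per packet; for plain GRE over
    IPv4 that is 20 (outer IP) + 4 (base GRE header) = 24. Assumed value,
    not read from the device.
    """
    return path_mtu - encap_overhead - ip_header - tcp_header


if __name__ == "__main__":
    threshold = tunnel_mss(1500, 24)              # 1436 for GRE over IPv4
    print("advertised MSS:", mss_from_options(SAMPLE_SYN_OPTIONS))
    clamped, changed = clamp_mss(SAMPLE_SYN_OPTIONS, threshold)
    print("clamped to:", mss_from_options(clamped), "changed:", changed)
```

A second pass over the already-clamped options reports no change, so the logic can be applied to both the SYN and the SYN-ACK without double-adjusting; if the threshold is set larger than the tunnel actually carries, fragmentation or blackholing returns, which is the symptom to look for when the auto setting is not in use.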

Continue to Configure System Settings Management Options.