Before you begin
Create or open an existing Management Option. See Add Management Options for more
information.
About this task
The forwarding engine controls the type of traffic being forwarded between
interfaces, GRE tunnels, and sets logging features. Extreme Networks devices can
selectively block or enable broadcast and multicast traffic through GRE tunnels to
reduce traffic congestion. This task is part of creating or modifying a Management
Option and only applies to APs.
Procedure
-
Select Block
All to prohibit forwarding multicast and broadcast traffic
through tunnels.
-
Select Allow All to enable forwarding multicast and
broadcast traffic through tunnels.
-
To specify exceptions to the blacklist (Block All) or
whitelist (Allow All), select the plus sign. In the
dialog box, enter the destination IP address and netmask, and then select
Add. You can also enter an IPv6 address.
-
For Service Control, select the fields as follows:
- Limit MAC
sessions per station: Select and set the maximum number
of MAC sessions (Layer 2 sessions) that can be created to or from a
station.
- Limit IP
sessions per station: Select and set the maximum number
of IP sessions (Layer 3 sessions) that can be created to or from a
station.
- Enable TCP
Maximum Segment Size: Select to enable a device to
monitor the TCP MSS option in TCP SYN and SYN-ACK messages for traffic
that passes through GRE tunnels (for Layer 3 roaming and static
identity-based tunnels) and GRE-over-IPsec tunnels (for IPsec VPN
tunnels). The device notifies the sender to adjust the TCP MSS value if
it exceeds a maximum threshold.
Note
For 0 (auto), the
device automatically readjusts the TCP MSS thresholds.
- Enable ARP Shield: Enable ARP Shield to prevent
Man-In-the-Middle attacks by client devices attempting to impersonate
critical network resources on the network such as a network gateway or
DNS server through an ARP poisoning attack. ARP Shield should not be
used if any clients on the network are assigned static IP addresses. ARP
Shield is disabled by default and may only be enabled only on access
points running IQ Engine 6.8r1 and above. Enabling ARP Shield will not
be enforced on access points running IQ Engine 6.5, switches, routers,
or Virtual Gateway appliances.
- Disable DHCP Shield: Disable DHCP Shield to turn
off the built-in ability for IQ Engine to prevent attached clients from
impersonating a DHCP server. In the default enabled state, connected
clients are blocked from responding to DHCP server discovery or IP lease
requests. When disabled, connected clients will be able to respond to
DHCP discovery or IP lease requests. DHCP Shield is enabled by default
on access points running IQ Engine 6.8r1 and above. Disabling DHCP
Shield will result in no changes to access points running IQ Engine 6.5,
switches, routers, or Virtual Gateway appliances.
- Disable
Proxy-ARP: Clear this box to enable learning MAC
addresses and proxy replies to ARP requests. Helpful for
troubleshooting.
- Disable
Inter-SSID Flooding: Select to disable multicast and
broadcast traffic forwarding between access interfaces bound to
different SSIDs. The multicast/broadcast traffic is instead moved to the
backhaul interface, which can filter/pass on from there.
Note
Applies only to
traffic on one AP, between client devices connected to two different
SSIDs on one AP, on the same radio.
- Disable WebUI
Without Disabling CWP: Select to improve system security
without disabling the associated captive web portal.
-
Configure Global Logging Options and Firewall Policies
as follows:
-
Select the Log check boxes to log dropped
packets that are denied by MAC or IP firewall policies, and for the
first packets of sessions destined for the IP address of the device
itself.
-
Select the Drop check boxes to drop all
fragmented IP packets, and all non-management traffic destined for the
device.
