Bridge interface

Adding a bridge

Adding a bridge without members

  1. Click on Add.
  2. Scroll over Bridge.
  3. Click on No members.
  4. Give the new bridge a name, then click on Apply.
    The new bridge will be added to the interfaces and its control panel appears.

Adding a bridge that contains selected interfaces

  1. Select the interfaces to include in the new bridge beforehand.
  2. Click on Add.
  3. Scroll over Bridge.
  4. Click on With interface_1, interface_2 ....
  5. Give the new bridge a name, then click on Apply.
    The new bridge will be added to the interfaces and its control panel appears.

Bridge control panel

Double-click on the bridge interface control panel to open it. There are several tabs in the control panel.

General settings

Name Name of the interface. This name can be changed.
Comments Allows you to enter comments regarding the interface.

Address range

NOTE

The same options must be configured in the IPv4 and IPv6 address fields. The IPv6 address field appears only if IPv6 is enabled in the firewall’s configuration.

Dynamic IP (obtained by DHCP)

When this option is selected, the IP address of the interface will be defined by DHCP. An Advanced DHCP properties zone appears with the following parameters:

  • DNS name (optional): a fully qualified DHCP host name (FQDN) can be indicated for the DHCP request.

    If a value is entered in this field and the external DHCP server has the option of automatically updating the DNS server, the DHCP server automatically updates the DNS server with the name of the firewall, its assigned IP address and allocated lease time (field below).

  • Requested lease time (seconds): in addition to the DNS name, enter the duration for which the IP address is kept before renegotiation.

  • Request domain name servers from the DHCP server and create host objects: select this parameter so that the firewall will retrieve DNS servers from the DHCP server (access provider, for example) that provided its IP address. When this option is selected, two objects will be created: Firewall_<interface name>_dns1 and Firewall_<interface name>_dns2. They can then be used in the configuration of the DHCP service. So if the firewall provides the users on its network with a DHCP service, the users will also benefit from the DNS servers given by the access provider.
Fixed IP (static)

When this option is selected, the IP address of the interface will be static. A grid appears, in which you must add the IP address and its subnet mask. Several IP addresses and associated masks can be added if aliases need to be created, for example. These aliases allow you to use the firewall as a central routing point. As such, an interface can be connected to various sub-networks with a different address range.

If you add several IP addresses (aliases) to the same address range, these addresses must all have the same mask. Reloading the network configuration will apply this mask to the first address and a /32 mask to the addresses that follow.

Managing members

At least two interfaces must be selected to make up a bridge. To add or remove members from the bridge, move the interfaces from one section to another by using the arrows, dragging and dropping, or double-clicking on the interface.

NOTE
This tab appears only if IPv6 is enabled in the firewall’s configuration.

On each interface, bridge or aggregated interface, router advertisements (RA) can be sent periodically to all IPv6 nodes (multicast) of the segment via the local link address or as a response to a router solicitation (RS) from a host on the network.

This advertisement allows an IPv6 node to obtain the following information:

  • The address of the default router, in this case, the address of the firewall,
  • The prefix(es) used on the link (in 64 bits),
  • Indication of the use of SLAAC or DHCPv6 (Managed)
  • Indication of the retrieval of other parameters via DHCPv6 (OtherConfig),
  • DNS parameters, if any (RFC4862).

Automatic configuration, which is native in IPv6, is stateless (StateLess Address AutoConfiguration - SLAAC), meaning that the server does not choose IP addresses for its clients and does not need to remember them.

For example, a host has a local link address whose uniqueness has been confirmed via NPD DAD (Neighbor Discovery ProtocolDuplicated Address Detection). The host will then receive the periodic or solicited RA. If SLAAC information has been specified, the host will then create one or several IPv6 addresses based on the prefix(es) advertised and its interface ID (random or based on the MAC address). The router’s IP address (the firewall’s address) will then be used as the default gateway.

By default, the routers advertise their presence by broadcasting the first prefix deduced from the interface. By default, DNS servers are those configured for the firewall in the Configuration module > System > Configuration, Network settings tab.

NOTE
If router advertisements have been enabled on a bridge, they will only be broadcast on protected interfaces.

Automatic configuration settings

Automatic detection If the DHCPv6 service is enabled on the firewall (Configuration module > Network> DHCP), the firewall will automatically send out router advertisements (RA) on the corresponding interfaces, indicating to IPv6 nodes that they must be auto-configured in DHCPv6 (the options “Managed” and “Other config” will then be enabled by default).
If the firewall is acting as a DHCPv6 server, the configured interface must belong to one of the address ranges entered in the DHCPv6 configuration. If the firewall is used as a relay to a DHCPv6 server, the configured interface must belong to the list of the service’s listening interfaces.
If the DHCPv6 service is inactive, the sending of RAs will be disabled.
Send RA

The firewall’s address is sent as the default router. The information relayed by this advertisement will be described further in this manual. This configuration is recommended in order to allow hosts that are directly connected (local link) to use SLAAC.
Disable No router advertisement (RA) has been sent out. This configuration is recommended in bridge mode if an IPv6 router is directly connected (local link).

Router advertisements (RA)

This zone can be accessed only if the Send RA option has been selected.

Announce the prefix extracted from the interface address The prefix advertised is the prefix configured in the interface’s IPv6 address range in the General configuration tab. The size of the IPv6 address mask (prefix length – CIDR) must be 64 bits.

Configuration with DHCPv6 server

The DHCPv6 server assigns addresses (Managed)

The advertisement indicates that the IPv6 addresses contacted will be distributed by the DHCPv6 service enabled on the firewall (Configuration module > Network > DHCP). This service is implemented by the firewall or a relay that is directly connected (local link).
The DHCPv6 server delivers additional options (Other config)

The advertisement indicates that other auto-configuration parameters, such as the addresses of DNS servers or other types of servers, will be issued by the DHCPv6 server (firewall or relay) that is directly connected (local link).

Advanced configuration

DNS settings

This section can be accessed if the option The DHCPv6 server delivers additional options (Other config) is not enabled.

Domain name Default domain name to contact a queried server that does not have a domain.
Primary DNS server IP address of the primary DNS server. If this field is blank, the address sent will be the address used by the firewall (Configuration module > System > Configuration, Network settings tab).
Secondary DNS server IP address of the secondary DNS server. If this field is blank, the address sent will be the address used by the firewall (Configuration module > System > Configuration, Network settings tab).

Announced prefixes

This grid can be accessed if the option The DHCPv6 assigns addresses (Managed) is not enabled.

Prefixes

Prefix to announce to hosts. We recommend using the interface’s prefix as the announced prefix. If the interface specifies several prefixes, this field will indicate the prefix to use.
Autonomous

Instruction to use stateless address auto-configuration (SLAAC): if this option has been selected, the host will then create one or several IPv6 addresses based on the prefix(es) advertised and its interface ID (random and/or based on the MAC address.
On link This option specifies to the host that all hosts with the same prefix may be contacted directly, without going through the router. In IPv4, such information was deduced from the network mask.
Comments Allows adding comments for the announced prefix.

Other settings

MTU

Maximum length of frames (in bytes) sent over the physical medium (Ethernet) so that they are sent at one go without fragmentation. This option is not available for interfaces contained in a bridge.
MAC address Specifies a MAC address for the bridge.
Physical MAC address This field is not available for bridges.

Loop detection (Spanning Tree)

This section makes it possible to enable a network loop detection protocol (Spanning Tree) on the bridge. This feature is available only on SN-S-Series-220, SN-S-Series-320, SN510, SN-M-Series-520, SN710, SN-M-Series-720, SN910, SN-M-Series-920, SN1100, SN2100, SN-L-Series-2200, SN3100, SN-L-Series-3200, SN-XL-Series-5200, SN6100, SN-XL-Series-6200, SNi10, SNi20, SNi40, SNxr1200, EVA1, EVA2, EVA3, EVA4 and EVAU models.

Disable Spanning Tree protocols Disables the use of Spanning Tree protocols (RSTP and MSTP) in the bridge. This option is enabled by default.
Enable Rapid Spanning Tree Protocol (RSTP) Enables Rapid Spanning Tree Protocol (RSTP) on the bridge.
Enable Multiple Spanning Tree Protocol (MSTP) Enables Multiple Spanning Tree Protocol (MSTP) on the bridge. If this option is selected, the MSTP configuration zone appears.

MSTP configuration

This zone appears only if Enable Multiple Spanning Tree Protocol (MSTP) is selected. On SNS firewalls, an MSTP configuration can only define one region.

Region name (MSTP region) Enter the name of the MSTP region in which the firewall is located. It must be the same in the MSTP configuration on all network appliances belonging to this region.
Format selector This field specifies the information needed to define a region. Its default value is 0, indicating that a region’s properties are:
  • Its name,
  • Its revision number,
  • A fingerprint derived from MST instance numbers and VLAN identifiers included in these instances.

The format selector must be the same in the MSTP configuration on all network appliances belonging to this region.
Revision number Select a revision number for the region. The revision number must be the same in the MSTP configuration on all network appliances belonging to this region.

NOTE
To track changes more easily, the revision number may be incremented manually when the configuration of the region changes. In this case, the changed revision number must be applied to all appliances in the affected region.
Common and Internal Spanning Tree (CIST) Priority assigned to the firewall for traffic involving VLANs that were not declared in any MSTP instances (see grid of MSTP instances).

MSTP instances

List of VLAN IDs in the instance Indicate the various VLAN identifiers (list of identifiers separated by commas) included in the selected instance.
Priority Set the priority of an MSTP instance in relation to the root bridge. which has the lowest priority.

NOTE
You are advised against declaring the firewall as the root bridge of an MSTP instance. This may create unnecessarily high network traffic on the firewall’s interfaces.