Modifying a bridge

Double-click on the bridge that you wish to edit; its control panel will open.

“General configuration” tab

General settings

Name: User name (see warning in the introduction to the section on Interfaces).
Comments: Allows you to enter comments regarding the interface.

Address range

Fixed IP (static): When this option is selected, the bridge will have a static address range. In this case, its IP address and the mask of the sub-network to which the bridge belongs must be indicated.
Dynamic IP (obtained by DHCP): When this option is selected, the IP address of the interface will be defined by DHCP. In this case, you can enter a fully qualified DHCP host name (FQDN) for the DHCP request (DNS name (optional) field).
If a value is entered in this field and the external DHCP server has the option of automatically updating the DNS server, the DHCP server will automatically update the DNS server with the name and the IP address provided by the firewall as well as the allocated time (mandatory).
The duration for which the IP address is kept before renegotiation (Requested lease time (seconds) field) must also be indicated.
When the option Request domain name servers from the DHCP server and create host objects is selected, the firewall will retrieve DNS servers from the DHCP server (access provider, for example) that provided its IP address.

Managing members

Select the interfaces for which you wish to create a bridge.

The list of "Member interfaces" identifies all the Ethernet and VLAN interfaces already in the configuration of the bridge.

At least two interfaces must be selected to make up a bridge. Interfaces can be selected:

  • By using arrows,
  • By dragging and dropping from the list of "Available interfaces" to the list of "Member interfaces", or
  • By double-clicking on the interface.

Click on Finish to confirm.

“Advanced properties” tab

Other settings

MTU: Maximum length (in bytes) of the payload of an Ethernet frame that can be sent in one go (without fragmentation).
Physical (MAC) address: This window allows you to specify a MAC address for an interface instead of using the address assigned by the firewall.

Loop detection (Spanning Tree)

This section makes it possible to enable a network loop detection protocol (Spanning Tree) on the bridge. This feature is only available on SN510, SN710, SN910, SN2000, SN2100, SN3000, SN3100, SN6000, SN6100, SNi20 and SNi40 models.

Disable Spanning Tree protocols: This option disables the use of Spanning Tree protocols (RSTP and MSTP) in the bridge. It is selected by default.
Enable Rapid Spanning Tree Protocol (RSTP): This option makes it possible to enable the Rapid Spanning Tree protocol on the bridge.
Enable Multiple Spanning Tree Protocol (MSTP): This option makes it possible to enable the Multiple Spanning Tree protocol on the bridge.

When MSTP is enabled, additional fields must be filled in:

Region name (MSTP region): Name of the MSTP region in which the firewall is located. The name of the region must be the same in the MSTP configuration on all network appliances belonging to this region.
Format selector: This field specifies the information needed to define a region. Its default value is 0, indicating that a region’s properties are:
  • Its name,
  • Its revision number,
  • A fingerprint derived from MST instance numbers and VLAN identifiers included in these instances.

The format selector must be the same in the MSTP configuration on all network appliances belonging to this region.
Revision number: Select a revision number for the region. The revision number must be the same in the MSTP configuration on all network appliances belonging to this region.

To track changes more easily, the revision number may be incremented manually when the configuration of the region changes. In this case, the changed revision number must be applied to all appliances in the affected region.

Common and Internal Spanning Tree (CIST): Priority assigned to the firewall for traffic involving VLANs that were not declared in any MSTP instances (see table of MSTP instances).

On SNS firewalls, an MSTP configuration can only define one region.

Table of MSTP instances

In this table, the various instances declared in the MSTP configuration can be defined:

Instance: This unique identifier is incremented automatically whenever an instance is added to the MSTP configuration.
VLAN ID: Indicate the various VLAN identifiers (list of identifiers separated by commas) included in the selected instance.
Priority: This field sets the priority of an MSTP instance in relation to the root bridge, which has the lowest priority.

You are advised against declaring the firewall as the root bridge of an MSTP instance. This may create unnecessarily high network traffic on the firewall’s interfaces.
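
The region properties described above (format selector, name, revision number and VLAN-to-instance fingerprint) can be checked for consistency before a change is deployed. The following is an added example, not Stormshield code: it computes the fingerprint as the HMAC-MD5 configuration digest that IEEE 802.1Q defines for format selector 0, which is an assumption about how the appliances derive it, and the host names and values are constructed.

```python
import hashlib
import hmac
import struct

# Fixed HMAC-MD5 key defined by IEEE 802.1Q for the MST configuration digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

def mst_digest(instances):
    """instances: {instance_id: [vlan_id, ...]}; undeclared VLANs stay in the CIST (0)."""
    table = [0] * 4096                       # one entry per VID; 0 and 4095 stay 0
    for mstid, vlans in instances.items():
        for vid in vlans:
            if not 1 <= vid <= 4094:
                raise ValueError(f"invalid VLAN ID {vid}")
            if table[vid] not in (0, mstid):
                raise ValueError(f"VLAN {vid} declared in two instances")
            table[vid] = mstid
    packed = struct.pack(">4096H", *table)   # 4096 big-endian 16-bit entries
    return hmac.new(MST_DIGEST_KEY, packed, hashlib.md5).hexdigest().upper()

def region_id(name, revision, instances, format_selector=0):
    """Return the tuple that must be identical on every appliance in the region."""
    if len(name.encode()) > 32:
        raise ValueError("region name longer than 32 bytes")
    return (format_selector, name, revision, mst_digest(instances))

def mismatches(appliances):
    """Compare every appliance with the first one; return {host: [differing fields]}."""
    fields = ("format selector", "region name", "revision number", "VLAN mapping")
    (_, ref), *others = [(h, region_id(**c)) for h, c in appliances.items()]
    return {h: [f for f, a, b in zip(fields, ref, rid) if a != b]
            for h, rid in others if rid != ref}

# Constructed sample: intended MSTP settings of a firewall and three switches.
SAMPLE = {
    "fw-sns":   {"name": "CAMPUS", "revision": 3, "instances": {1: [10, 20], 2: [30]}},
    "switch-a": {"name": "CAMPUS", "revision": 3, "instances": {1: [10, 20], 2: [30]}},
    "switch-b": {"name": "CAMPUS", "revision": 3, "instances": {1: [10], 2: [20, 30]}},
    "switch-c": {"name": "Campus", "revision": 2, "instances": {2: [30], 1: [20, 10]}},
}

if __name__ == "__main__":
    for host, diff in mismatches(SAMPLE).items():
        print(f"{host}: differs from fw-sns in {', '.join(diff)}")
```

An appliance reported here would not join the same region as the reference appliance, because the region name comparison is case-sensitive and a single VLAN moved between instances changes the digest.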