Adding a New Interface

The procedure and options for defining an interface vary according to the object and the network topology.

Some properties and pages are not available for certain interface definitions.

To add a new interface:

1. Open the Gateway Properties window for the Virtual Device.
2. From the navigation tree, click Topology.

   The Topology page opens.

3. From the Interfaces section, click New and select one of these options:
   • Regular
   • Leads to Virtual Router
   • Leads to Virtual Switch

   The Interface Properties window for the selected option opens.

Configuring Connection Properties - General

The General tab defines the network connections associated with an interface.

One or more of these properties show, depending on the context.

• Interface: Select a physical interface from the list (physical interfaces only).
• VLAN Tag: VLAN tag associated with the defined interface.
• IP Address and Net Mask: IP address and net mask of the device associated with the interface.
• Propagate route to adjacent Virtual Devices: Enable to "advertise" the associated device to neighboring devices, thereby enabling connectivity between them. The Route Propagation section provides additional details.
• MTU: Maximum transmission unit size in bytes (default = 1,500).

Configuring Connections Leading to Virtual Routers and Virtual Switches

The General tab for interface connections leading to Virtual Routers or Virtual Switches contains connection properties specific to those Virtual Devices.

• Leads to: Select a Virtual Router or Virtual Switch.
• Enter the dedicated Virtual System IP address for this interface.
• The Net Mask property is always defined as 255.255.255.255 for IPv4 and /128 for IPv6.
• Propagate route to adjacent Virtual Devices: Enable to "advertise" the associated device to neighboring devices, thereby enabling connectivity between them. The Route Propagation section provides additional details.
• MTU: Maximum transmission unit size in bytes (default = 1,500). The minimum and maximum MTU values are:
  • IPv6 MTU: 1280 – 16000
  • IPv4 MTU: 68 – 16000

Configuring Interface Topology

For some interface types, you can change some or all of these topology properties:

• External: The interface leads to external networks or to the Internet.
• Internal: The interface leads to internal networks or a DMZ, and includes these properties:
  • Not Defined: IP routing is not defined for this device.
  • Network: Routing is defined by the IP and net mask defined in General Properties.
  • Specific: Routing is defined by a specific network or network group.
  • Interface leads to DMZ: Defines an interface as leading to a DMZ, which isolates a vulnerable, externally accessible resource from the rest of a protected, internal network.

Configuring Anti-Spoofing

Attackers can gain access to protected networks by falsifying or "spoofing" a trusted source IP address with high access privileges. It is important to configure Anti-Spoofing protection for VSX Gateways and Virtual Systems, including internal interfaces. You can configure Anti-Spoofing for an interface, provided that the topology for the interface is properly defined.

If you are using dynamic routing, disable the Calculate topology automatically based on routing information option, and manually configure the topology of the Virtual System.

To enable Anti-Spoofing for an interface:

1. From the Topology tab in the Interface Properties window, select Perform Anti-Spoofing based on interface topology.
2. Configure the tracking options.

Configuring Multicast Restrictions

IP multicasting applications send one copy of each datagram (IP packet) and address it to a group of computers that wish to receive it. Multicast restrictions allow you to define rules that block outbound datagrams from specific multicast groups (IP address ranges). You can define multicast access restrictions for physical and Warp interfaces in a VSX environment.

	From	To
IPv4 (defined in RFC 1112)	224.0.0.0	239.255.255.255
IPv6	ff00::	ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

To enable multicast restrictions:

1. From the Multicast Restrictions tab in the Interface Properties window, select Drop multicast packets by the following conditions.
2. Select a restriction type:
   • Drop multicast packets whose destination is in the list
   • Drop all multicast packets except those whose destination is in the list
3. Click Add.

   The Add Object window opens.

4. Click New > Multicast Address Range.

   The Multicast Address Range Properties window opens.

5. Configure these settings:
   • Name
   • Type
   • If you selected IP Address Range, enter the First and Last IP addresses.
6. Click OK.
7. From the Interface Properties window, select a tracking option.
8. Click OK and close the General Properties window.
9. Add a rule to the Rule Base that allows traffic for the specified multicast groups and install the policy.

Changing an Interface Definition

This section presents procedures for modifying existing interface definitions and related features.

Changing an Interface

Interfaces definitions are always associated with a Virtual Gateway or a Virtual System definition.

To work with an existing interface definition:

1. Double-click the interface in the Interfaces section.
2. In the Interface Properties window, define the interface properties.

Deleting an Interface

To delete an interface:

1. From the Topology page, select the interface and click Delete.
2. Click OK.