Chapter 6. Interfaces and Subnets

Table of Contents

6.1. Relationship between Interfaces and Physical Ports
6.1.1. Port groups
6.1.2. Interfaces
6.2. Defining port groups
6.3. Defining an interface
6.3.1. Defining subnets
6.3.1.1. Source filtering
6.3.1.2. Using DHCP to configure a subnet
6.3.1.3. Using SLAAC (IPv6 router announcements) to configure a subnet
6.3.1.4. Providing IPv6 addresses to devices on a network (IPv6 router announcements)
6.3.2. Setting up DHCP server parameters
6.3.2.1. Fixed/Static DHCP allocations
6.3.2.2. Restricted allocations
6.3.2.3. Special DHCP options
6.3.2.4. Logging
6.4. Physical port settings
6.4.1. Disabling auto-negotiation
6.4.2. Setting port speed
6.4.3. Setting duplex mode
6.4.4. Defining port LED functions

This chapter covers how to set up Ethernet interfaces and the definition of subnets that are present on those interfaces.

6.1. Relationship between Interfaces and Physical Ports

The FB9000 features two SFP+ (10Gb/s) ports and eight SFP (1Gb/s) ports.

Each port has two RGB LEDs, which indicate traffic activity and any link errors that occur.

The exact function of the ports is flexible, and controlled by the configuration of the FB9000.

6.1.1. Port groups

The FB9000 has two internal switches, one for the two SFP+ ports, one for the eight SFP ports. Each switch can be independently configured to either switch all its ports or leave them all separate.

Each port group has a trunk setting, which defaults to false. With only one port in the group the setting makes no difference. With more than one port and trunk false, the ports work as a switch, passing traffic directly between the physical ports at full port speed. With more than one port and trunk true, the ports work as a link-aggregation trunk and not as a switch. There is no option for some ports in a group to be trunked while being switched to other ports in the same group.

The FireBrick supports LACP (Link Aggregation Control Protocol), which coordinates and controls trunked port groups by exchanging LACP packets over the links. A lacp setting in the individual ethernet port settings controls LACP behaviour, as follows:

  • lacp="false": The link is assumed not to be connected to an LACP-capable device. No LACP packets are sent, and any received are ignored. Ports in a trunked port group are used for aggregation as soon as the physical link is up, after a short delay to allow the partner to become ready.
  • lacp="true": The link must be connected to an LACP-enabled device in order to carry traffic. LACP packets are sent, and the link is only enabled for traffic once LACP negotiation succeeds.
  • lacp not set: This is the default (Auto) setting. LACP packets are sent if the port is part of a trunked port group, or if LACP packets are detected from the linked device. If LACP is not detected, a non-trunked port is always enabled, while a port in a trunked port group is only enabled if it is the lowest-numbered (leftmost) port in the group. There is a short delay after the port comes up physically to allow LACP to be detected. Once LACP is detected, the LACP negotiation controls whether the port is available.
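As an added example (not taken from the FireBrick manual), the following configuration fragment puts the two SFP+ ports into a single LACP-negotiated trunk and leaves the eight SFP ports as one switched group. The element and attribute names (port, ports, trunk, ethernet, lacp) and the port numbering are assumed to follow the FB9000 XML configuration schema; check them against the schema in your unit's configuration editor before use.

```xml
<!-- Added example fragment; element/attribute names and port numbers are assumed. -->

<!-- Two SFP+ ports aggregated as one trunk. trunk="true" means they are NOT
     switched to each other; frames are load-shared across both links. -->
<port name="CORE" ports="1 2" trunk="true"/>

<!-- lacp="true" on each member: the port carries no traffic until LACP
     negotiation with the partner switch succeeds, so a mis-cabled link or a
     partner with no LACP configured simply stays down instead of forwarding. -->
<ethernet port="1" lacp="true"/>
<ethernet port="2" lacp="true"/>

<!-- The eight SFP ports as a plain switch group. trunk is left at its default
     (false) and lacp is left unset (Auto), so each port is enabled as soon as
     its link is up unless LACP packets are seen from the attached device. -->
<port name="LAN" ports="3 4 5 6 7 8 9 10"/>
```

If the partner switch cannot run LACP, set lacp="false" on both members of CORE instead: the ports are then aggregated whenever their physical links are up, and the partner must be statically configured for the same aggregation, otherwise it will see the two links as a loop.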

6.1.2. Interfaces

In the FB9000, an interface is a logical equivalent of a physical Ethernet interface adapter. Each interface normally exists in a distinct broadcast domain, and is associated with at most one port group.

Each port group, which may be a single port, can operate simply as one interface with no VLANs, or can carry one or more tagged VLANs, each of which is treated as a separate logical interface. Using VLAN tags together with a VLAN-capable switch, you can effectively increase the number of distinct interfaces available.

Appendix E contains a brief overview of VLANs and the concept of broadcast domains.

By combining the FB9000 with a VLAN-capable switch, using only a single physical connection between the switch and the FB9000, you can effectively expand the number of distinct logical interfaces. The upper limit is set by the switch's capabilities, by the IEEE 802.1Q VLAN ID range, or by the size of the FB9000's MAC address block. An example of such a configuration is a multi-tenant serviced-office environment, where the FB9000 acts as the Internet access router for a number of tenants, firewalling between tenant networks and perhaps providing access to shared resources such as printers. In that arrangement the isolation between tenants depends on the switch presenting each tenant's traffic only on its assigned VLAN: the switch ports facing tenant equipment should be untagged access ports in a single VLAN and must not accept tagged frames from the tenant.
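As an added example (not from the FireBrick manual), the fragment below shows the multi-tenant layout described above: one SFP port connected to a VLAN-capable switch, with three tagged VLANs presented to the FB9000 as three separate interfaces, each in its own broadcast domain. The element and attribute names (port, ports, interface, port, vlan, subnet, ip), the port number and the addresses are assumed or constructed for illustration; the firewall rules that would separate the tenants are defined elsewhere in the configuration and are not shown.

```xml
<!-- Added example fragment; names, port number and addresses are assumed. -->

<!-- A single-port port group: the one physical link to the VLAN-capable switch. -->
<port name="TENANTS" ports="3"/>

<!-- Each tagged VLAN on that link becomes its own logical interface.
     Devices on tenant-a cannot see broadcasts from tenant-b, and traffic
     between the two must be routed (and therefore firewalled) by the FB9000. -->
<interface name="tenant-a" port="TENANTS" vlan="10">
  <subnet ip="192.168.10.1/24"/>
</interface>

<interface name="tenant-b" port="TENANTS" vlan="20">
  <subnet ip="192.168.20.1/24"/>
</interface>

<!-- Shared resources such as printers live on a third VLAN so that access
     from either tenant is a routed, policy-controlled hop rather than a
     layer-2 neighbour. -->
<interface name="shared" port="TENANTS" vlan="30">
  <subnet ip="192.168.30.1/24"/>
</interface>
```

On the switch side, the port towards the FB9000 must be a tagged (trunk) port carrying VLANs 10, 20 and 30 only, and each tenant-facing port must be an untagged access port in exactly one of those VLANs; an access port that passes tagged frames through would let a tenant reach the other VLANs directly, bypassing the FB9000 entirely.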