Configure LAN Connections

Configure IRB Interfaces

Integrated routing and bridging (IRB) associates a Layer 3 interface with a Layer 2 bridge domain so that packets can be routed to and from the bridge domain. On IRB interfaces, you can configure all standard Layer 3 interface settings, such as a DHCP server, DHCP relay, and static routing. You can also associate an IRB interface with a VLAN configuration.

To decide whether to route or bridge an incoming packet, a virtual switch uses information in the Layer 2 frame's MAC address. If the destination MAC address in the ingress frame matches the MAC address of one of the IRB interfaces, the packet is routed using that IRB as the ingress interface, and the packet is treated as Layer 3 packet. If the destination MAC address of the ingress frame does not match the MAC address of one of the IRB interfaces, the packet is bridged based on the destination MAC address. Other switches obtain the MAC address of an IRB interface by issuing an Address Resolution Protocol (ARP) request for the associated IP address.

An IRB interface is operationally up when any one of the Layer 2 interfaces associated with the corresponding bridge domain is up. When all the Layer 2 interfaces in a bridge domain are down, the IRB interface is considered to be operationally down.

Virtual routing and forwarding (VRF) is a multisegmented network topology that is part of the organization's VPN. A VRF allows you to configure and maintain more than one instance of the routing and forwarding table in the same router. To configure routing, you must associate a VRF with a specific LAN or WLAN port.

An operator, store admin, MSP, or reseller can enable multi-VRF for organization while creating a new customer. Then, a user can use the option to add VRF when configuring the LAN profile and Ethernet. After the VRF option is enabled for an organization, an administrator cannot disable it using the create or edit organization window. By default, one VRF is created with the name of the organization and all the initial LAN ports are associated with this VRF. You cannot delete the default LAN-VRF after it is created.

To enable the VRF option in the LAN profile configuration, you must first lock the device using the enable lock mode option in the honeycomb view in the Titan Portal > Configure page. The lock icon displays only if the device is deployed. A blue lock icon indicates that the device is unlocked, and a red lock icon indicates that the device is locked. After you publish the changes to Titan Portal, you must unlock the device.

To configure an IRB interface:

1. Click Configure in the left menu bar to open the Configure dashboard.
2. Hover over the device in the honeycomb, and then click Configure to open the site information window.
3. Click Next to open the Configuration > Network screen.
4. Click the LAN Profile box to display the IRB tab, and enter information for the following fields.
   
   
   
    

   Field	Description
   IRB Ports (Group of Fields)
   IRB Unit	Enter a unit number for the IRB interface. The IRB interface is added to the interface list using this number, and you can use the number to search for a specific IRB interface. Range: 0 through 127
   MTU	Enter the maximum transmission unit size, in bytes, of the largest protocol data unit that the port can receive or transmit. Range: 72 through 9000 bytes Default: 1500 bytes
   VRF	Select the VRF that was added for the organization and device. For multi-VRF, you can add up to 20 VRFs for an organization. To add a new VRF, click the icon. Then, in the Add VRF popup window, enter a VRF name, click the icon, and then click Continue. When you add a new VRF, do not use the keyword LAN-VR along with the VRF name.
   IP Address/Mask	Enter the IP address and prefix length of the IRB interface.

Configure Virtual LANs (Layer 2 and Layer 3 Switching)

VLANs are used to enhance performance by reducing the need to send broadcast and multicast packets to unnecessary destinations. VLANs also ease network configuration by logically connecting devices without the need to physically relocating those devices. Note that after you add a VLAN configuration, you cannot change it. However, you can change the static IP address at any time.

To configure VLAN:

1. Click Configure in the left menu bar to open the Configure dashboard.
2. Hover over the device in the honeycomb, and click Configure to open the site information window.
3. Click Next to open the Configuration > Network screen.
4. Click the LAN Profile box, and then select the VLAN tab.
   
   
5. Enter information for the following fields.
    

   Field	Description
   Port Type	Select the port type: Routed (Layer 3) Switched (Layer 2)
   Routed (Layer 3)
   VLAN Name (Required)	Enter a name for the virtual LAN.
   VLAN ID (Required)	Enter the virtual LAN ID. Range: 0 through 4094
   MTU	Enter the maximum transmission unit size, in bytes, of the largest protocol data unit that the port can receive or transmit. Range: 72 through 9000 bytes Default: 1500 bytes
   VRF	Click the VRF list, and then select a VRF. To configure routing, the VRF must be associated with a specific LAN or WAN port. To add a new VRF, click the icon. In the Add VRF popup window, enter a VRF name, click the icon, and then click Continue. When you add a new VRF, do not use the keyword LAN-VR along with the VRF name.
   IP Address/Mask (Required)	Enter the IP address and prefix length. The prefix length must be /25.
   DHCP Server	Click to configure DHCP server settings, DHCP lease profiles, and DHCP custom options. For more information, see Configure DHCP Settings, Add a DHCP Lease Profile, and Configure DHCP Custom Options.
   DHCP Relay	Click to configure DHCP relay settings. For more information, see Configure DHCP Relay Settings.
   Switched (Layer 2)
   VLAN ID (Required)	Enter the virtual LAN ID. Range: 0 through 4094
   IRB	Select an IRB interface to associate a Layer 3 interface with a Layer 2 bridge domain. To create an IRB interface, see Configure IRB Interfaces.

6. Click the icon. The VLAN is displayed with the VLAN ID in the VLAN Tags section.

7. Click Save.

Configure 802.1X Device Authentication

IEEE 802.1X is a port-based network access control (PNAC) protocol that authenticates devices before they can connect to the network and gain access to network resources. You can configure 802.1X to prevent unauthorized network devices from accessing the network and to allow known devices to connect to the network without requiring authentication. You configure 802.1X on a VNI interface.

When you configure a VNI interface to be an authenticator, a RADIUS server can authenticate each user or device connected to a port before that user or device can access any network services. RADIUS is a distributed client-server system that secures networks against unauthorized access. A RADIUS server provides an external database that you can use to authenticate users before allowing them to access a network, a device, or related services. To configure a RADIUS server, see Configure a RADIUS Server.

To configure 802.1X device authentication, you do the following:

• If you are using RADIUS as the 802.1X authentication server, you must configure the RADIUS server.
• Configure an 802.1X authentication profile. If you are using external RADIUS authentication, define the information that the authenticator uses to communicate with the RADIUS server. For more information, see Configure an 802.1X Authentication Profile.
• To enable authentication on a specific interface, configure the interfaces for 802.1X authentication to control.

Configure Spanning-Tree Protocol

The Spanning-Tree Protocol (STP) is a network protocol that builds a loop-free logical topology for Ethernet networks. You can configure Rapid Spanning-Tree Protocol (RSTP) or Multiple Spanning-Tree Protocol (MSTP). The STP, RSTP, and MSTP protocols are supported on switching interfaces.

RSTP enables fast spanning-tree reconvergence by simplifying the port states and changing the way ports transition from one state to another. RSTP is backward-compatible with the STP. You can choose to run the RSTP state machine in STP mode.

You configure RSTP in a routing instance, either in a Layer 2 control routing instance or a virtual switch routing instance. When you configure RSTP in a Layer 2 control routing instance, the interface state of a port as determined by the RSTP is associated with all the bridge domain interfaces on the port across all the routing instances. When you configure RSTP in a virtual switch routing instance, all bridge domain interfaces corresponding to that port should be present in the virtual switch only.

MSTP supports one Common Internal Spanning Tree (CIST) and 64 multiple spanning-tree instances (MSTIs). MSTP is an extension of the STP and RSTP that enables the use of alternate spanning trees for different VLANs or groups of VLANs. Using alternate spanning trees can result in alternate paths being utilized more effectively. You can group VLANs into a single MSTI. If a VLAN is not part of any MSTI, it belongs to the CIST. Layer 2 packets follow the MSTI/CIST topology corresponding to the VLAN.

You configure MSTP in a routing instance, either in a Layer 2 control routing instance or a virtual switch routing instance. When you configure MSTP in a Layer 2 control routing instance, the protocol state determined by MSTP is associated with all bridge domain interfaces on a port across all routing instances. When you configure MSTP in a virtual switch routing instance, all bridge domain interfaces corresponding to a port must be present in the virtual switch only.

Configure Link Aggregation Group

You can configure aggregated Ethernet interfaces on a Titan device. An aggregated Ethernet interface comprises two or more Ethernet interfaces that act as one virtual interface. An aggregated Ethernet interface can increase overall throughput and provide redundancy in case one of the links fails. Aggregate interface names start with ae.

You can control the bundling of several physical links to form a single logical link using the Link Aggregation Control Protocol (LACP). LACP allows a network device to negotiate an automatic bundling of links by sending LACP packets to its peer, a directly connected device that also implements LACP. LACP operates in one of two modes:

• Active—Enable LACP unconditionally.
• Passive—Enable LACP only when an LACP device is detected.

An aggregated Ethernet interface can be configured as a Layer 2 or Layer 3 interface. For more information, see Configure Virtual LANs (Layer 2 and Layer 3 Switching).

You must configure the device with minimum one LAN interface in all topologies to create, deploy, or activate the device, especially in LAG deployment. For LAG deployment, ensure that the LAN and LAG interfaces are in the same VRF, for direct internet access to work properly.

To configure an aggregated Ethernet interface:

1. Hover over the device in the honeycomb, and click Configure to open the site information window.
2. Click Next to open the Configuration > Network screen.
3. Click the LAN box to open the Network > LAN screen.
4. Click the LAN Profile box to open the Network > LAN > LAN Profiles screen.
5. Select the LAG tab and enter information for the following fields.
   
   
    

   Field	Description
   Aggregate Ethernet (Group of Fields)
   Aggregate Ethernet Port Number	Enter a port number for the aggregate Ethernet interface.
   Select LAN Port	Select the LAN port. If a LAN port is not available in the list, go to Network > LAN > Ethernet Ports, and delete LAN ports so that a LAN port is available for LAG.
   LACP (Group of Fields)	Click the toggle to select LACP.
   LACP Mode	Select the LACP mode: Active Passive

6. Click Save.

Configure Ethernet Ports

When you select an Ethernet port, the first part of the interface name indicates whether it is a LAN or a WAN interface. The second part of the interface name, with Port followed by a number, refers to the port number printed on the CSG appliance. For example, the interface name LAN1-Port2 indicates the LAN interface 2 that you must connect to the port 2 on the CSG appliance.

Titan devices support routed (Layer 3) and switched (Layer 2) interfaces. For routed interfaces, you must select the VRF that is associated with one or more interfaces on the Titan device. You enable VLAN tagging to bind VLAN subinterface and existing free Layer 3 VLAN profiles to the LAN port. You can configure DHCP server mode or DHCP relay mode on the Layer 3 port.

For switched (Layer 2) interfaces, you can configure the interface to operate in trunk or access mode:

• Access mode—An access interface has an explicit VLAN ID. Any untagged packet that arrives on an access interface is associated with that interface and is treated as a tagged packet with the VLAN ID of the access interface. You associate an IRB profile or a dot1x-encapsulated VLAN with a specific VLAN ID.
• Trunk mode—With trunk-mode Layer 2 ports, you can configure multiple VLANs on an interface. You can define a VLAN interface for each Ethernet port that is configured as a Layer 2 interface to allow VLAN traffic to be routed to Layer 3 destinations outside the VLAN. A trunk Layer 2 port uses native VLAN IDs are to allow an untagged packet to be treated as a tagged packet.

You can also configure authentication for LAN devices in Layer 2 mode so that the Layer 2 LAN port acts as an authenticator for all LAN devices connected in Layer 2. To enable 802.1X authentication, you must configure 802.1X and a RADIUS server in a LAN profile. Titan Portal supports dynamic VLANs and assigns the VLAN to Layer 2 LAN devices after authentication.

To configure an Ethernet port on a LAN:

1. Hover over the device in the honeycomb, and click Configure to open the site information window.
2. Click Next to open the Configuration > Network screen.
3. Click the LAN box to open the Network > LAN screen.
4. Click the Ethernet and WiFi Ports box to open the Network > LAN > Ethernet Ports screen.
   
   
    
5. In the Ethernet Ports screen, select LAN, click the menu to view a list of available ports and corresponding LAN numbers, and then select a LAN port.
6. For port type Routed (Layer 3), enter information for the following fields.
   
   
    

   Field	Description
   Port	Click the Port toggle to enable or disable the LAN port.
   Port Type	Select Routed (Layer 3)
   VRF	Click the VRF list, and then select VRF. To configure routing, the VRF must be associated with a specific LAN or WAN port. To add a new VRF, click the icon. In the Add VRF popup window, enter a VRF name, click the icon, and then click Continue. When you add a new VRF, do not use the keyword LAN-VR along with the VRF name.
   VLAN Tagging	Click the VLAN Tagging toggle to turn on VLAN configuration. See Configure VLAN Tagging.
   Address Pool
   IP Address/Mask	Enter the IP address and prefix length. The prefix length must be /25.
   DHCP Server	Click to configure DHCP server settings, DHCP lease profiles, and DHCP custom options. See Configure DHCP Settings, Add a DHCP Lease Profile, and Configure DHCP Custom Options.
   DHCP Relay	Click to configure DHCP relay settings. See Configure DHCP Relay Settings.

7. For port type Switched (Layer 2), enter information for the following fields.
   
    
    

   Field	Description
   Port	Click the Port toggle to enable or disable the LAN port.
   Port Type	Select Switched (Layer 2).
   Interface Mode	Select the interface mode: Access Mode Trunk Mode
   Access Mode	Enter information for the following fields. VLAN—Click the Select VLAN ID list, select the VLAN ID, and then click Continue. To add a new VLAN ID, click the icon. See Configure Virtual LANs (Layer 2 and Layer 3 Switching). Click the Configure Authentication Control 8021.x checkbox to configure the Layer 2 LAN port as an authenticator. Role—Select the interface role: Authenticator—Interface acts as the authenticator. Supplicant—Interface acts as a supplicant. Supplicant—Select the type of supplicant: Single—Authenticate only the first end device. All other end devices that connect to the port later are allowed access without any further authentication. The subsequent devices effectively piggyback on the first end device’s authentication. Single Secure—Allow only one end device to connect to the port at a time. No other end device can connect until the first device logs out. Multiple—Allow multiple end devices to connect to the port. Each end device is authenticated individually. Dot1.X—Click to configure dynamic VLAN assignment on Layer 2 interfaces that are also 802.1X authenticator interfaces. Click the Configure Authentication Control 8021.x checkbox to configure the Layer 2 LAN port as an authenticator. Role (Required)—Select the interface role: Authenticator—Interface acts as the authenticator. Supplicant—Interface acts as a supplicant. Supplicant (Required)—Select the type of supplicant. Single—Authenticate only the first end device. All other end devices that connect to the port later are allowed access without any further authentication. The subsequent devices effectively piggyback on the first end device’s authentication. Single Secure—Allow only one end device to connect to the port at a time. No other end device can connect until the first device logs out. Multiple—Allow multiple end devices to connect to the port. Each end device is authenticated individually. Enable Dynamic VLAN—Click to enable dynamic VLANs. Guest VLAN ID (Required)—Click the Select VLAN ID list, select the VLAN ID for the guest VLAN, and then click Continue. The guest VLAN provides limited access for devices that have failed authentication or that are nonresponsive end devices that are not 802.1X-enabled. If no device authenticates using 802.1X authentication, the guest VLAN ID is assigned to the interface. Default VLAN ID (Required)—Click the Select VLAN ID list, select the VLAN ID for the default VLAN, and then click Continue. If 802.1X device authentication succeeds and if RADIUS dynamic VLAN is disabled, or if VLAN information is not received from the RADIUS server, the authentication default VLAN ID is assigned to interface. Enable RADIUS Dynamic VLAN—Click to enable RADIUS dynamic VLANs.VLAN assignment is done based on the response from the RADIUS server authentication server.
   Trunk Mode	Enter information for the following fields. VLANs (Required)—Click the Select VLAN ID list, select the VLAN ID, and then click Continue. To add a new VLAN ID, click the icon. See Configure Virtual LANs (Layer 2 and Layer 3 Switching). Native VLAN—Click the Select Native VLAN ID list, select the VLAN ID, and then click Continue.
   MTU	Enter the maximum transmission unit size, in bytes, of the largest protocol data unit that the port can receive or transmit. Range: 72 through 9000 bytes Default: 1500 bytes
   Cost	Enter a value for the link cost associated with the interface. Range: 1 through 200000000
   Priority	Enter the port priority value. A lower priority value configures a higher priority. If there is a loop in the network, the port priority value is used to decide which ports to place in blocking state. Range: 0 through 240 (must be a multiple of 16) Default: 32
   Edge	Click to configure ports that are connected to end nodes in order to bridge ports. Ports configured as spanning-tree edge ports directly transition to the forwarding state. Edge ports do not generate topology changes when the link state changes.

8. Click Save.

Configure VLAN Tagging on Ethernet Ports

VLANs enhance performance by reducing the need to send broadcasts and multicasts to unnecessary destinations. VLANs also ease network configuration by logically connecting devices without physically relocating those devices. You cannot change the VLAN configuration after it is added.

To configure VLAN tagging:

1. Hover over the device in the honeycomb, and click Configure to open the site information window.
2. Click Next to open the Configuration > Network screen.
3. Click ;the LAN box to open the Network > LAN screen.
4. Click the Ethernet and WiFi Ports box to open the Network > LAN > Ethernet Ports screen.
   
   
    
5. In the Ethernet Ports screen, select LAN, click the menu to view a list of available ports and corresponding LAN numbers, and then select a LAN port.
6. Click the VLAN Tagging toggle to turn on VLAN configuration and then click Select VLAN ID.
   
   
    
7. Select the VLAN ID and then click Continue. To add a new VLAN ID, click the icon. See Configure Virtual LANs (Layer 2 and Layer 3 Switching)..
   
   
8. Click Continue, and then click Save.

Configure an HA Cross-Connect Port

A cross-connect link is the physical connection between the redundant CPE devices in a branch that emulates the missing transport domain and provides redundancy to the attached clients. HA deployments use the cross-connect port. You must allocate one port on each CPE device for the cross-connect port. You can select any of the LAN ports as a cross-connect port. You configure the HA cross-connect port on the primary device, and you cannot delete the cross-connect port from the primary or secondary device.

You must enable the HA cross-connect port in device save mode. After you deploy and activate the device, you cannot change the cross-connect port. Also, the cross-connect port is not displayed in the list of LAN ports.

To configure an HA cross-connect port:

1. Click Configure in the left menu bar to open the Configure dashboard.
2. Hover over the device in the HA honeycomb, and then click Configure to open the site information window.
3. Click Next to open the Configuration > Network screen.
4. Click the LAN box to open the Network > LAN screen.
5. Click the Ethernet Ports box to open the Network > LAN > Ethernet Ports screen.
6. Select a port from the menu to the right of Quick Picks.
   
   
    
7. Click the HA Cross-Connect Port toggle to enable the HA cross-connect port.
   
   
    
8. Click Save.

Edit LAN Interfaces on an Active Device

After you configure LAN interfaces and deploy or activate the device, you can make the following changes to a LAN interface:

• Add or remove a WAN, LAN, or LTE interface.
• Switch the gateway on or off.
• Update the transport from internet to MPLS, or vice versa.
• Enable or disable PPPoE.

To make changes to a LAN interface, you must first lock the device using the enable lock mode option in the honeycomb view in the Titan Portal home screen. The lock icon displays only if the device is deployed. A blue lock icon indicates that the device is unlocked, and a red lock icon indicates that the device is locked. After you publish the changes to Titan Portal, you must unlock the device.

To edit LAN interfaces:

1. Click Configure in the left menu bar to open the Configure dashboard.
   
   
    
2. Click the icon in the honeycomb to lock the device.
3. Enter the reason for lock in the Enable lock mode popup window, and then click Yes.
   
   
    
4. Hover over the device in the honeycomb, and click Configure to open the site information window.
5. Click Next to open the Configuration > Network screen.
6. Click the LAN box to open the Network > LAN screen.
7. Click the Ethernet Ports box to open the Network > LAN > Ethernet Ports screen.
   
   
    
8. Click the menu to the right of Easy Quick Picks to view a list of available ports and their LAN numbers.
9. Select a LAN/port from the menu.
   • Click the icon to delete the selected LAN.
   • Click +LAN in the menu, select available ports, and then click Continue to add a new LAN port.
     
     
     
     The +LAN is displayed only if number of ports are available to configure in the LAN.
10. Click Publish, and then click Continue.
    
    
11. Click the icon in the honeycomb to unlock the device, and then click Yes.
    
    

Configure WiFi Ports

You can assign a range of IP addresses to each WiFi port. To configure WiFi settings, such as SSID, for WiFi ports see Configure WiFi Networks.

To configure WiFi port settings:

1. Hover over the device in the honeycomb, and click Configure to open the site information window.
2. Click Next to open the Configuration > Network screen.
3. Click the LAN box to open the Network > LAN screen.
4. Click the Ethernet and WiFi Ports box to open the Network > LAN > Ethernet Ports screen.
   
   
    
5. In the Ethernet Ports screen, select WiFi, click the menu to view a list of available WiFi ports, and then select a WiFi port.
   
   
6. Click the DHCP Server checkbox. Enter information for the following fields.
    

   Field	Description
   Port	Click Port toggle to enable or disable the WiFi port.
   VRF	Click the VRF list, and then select the VRF. To configure routing, VRF must be associated with a specific LAN or WAN port. To add a new VRF, click the icon. In the Add VRF popup window, enter a VRF name, click the icon, and then click Continue. When you add a new VRF, do not use the keyword LAN-VR along with the VRF name.
   Address Pool
   IP Address/Mask	Enter the IP address and prefix length. The prefix length must be /25.
   DHCP Server
   IP Subnet	Enter a valid IP prefix and length. The length must be /25, for example, 172.16.4.0/25.
   IP Start Range	Enter the lowest IP address in the DHCP address pool.
   IP End Range	Enter the highest IP address in the DHCP address pool.
   DHCP Lease Profile	Select the lease profile for the network level. To add a DHCP lease profile, click the icon. For more information, see Add a DHCP Lease Profile.
   Name Servers	By default, primary and secondary DNS name servers are configured automatically. To manually configure these servers, click Manual and enter the IP addresses of the primary and secondary DNS name servers.
   DHCP Relay
   DHCP Relay IP	Enter the IP address of the DHCP relay.

7. Click Publish.