A VLAN is a logical network that is run on a switch or on top of a physical network. A VLAN jointly uses the same physical interface that is used for the physical network.
Because both the sending and the receiving interface must be able to distinguish which traffic belongs to which kind of network, the transmitted traffic packets must be distinguishable. This is achieved by a tag – a label that is added to each packet of a session. Both communication partners must support this feature. You must use a properly configured 802.1q VLAN-capable switch and NICs that use drivers capable of tagging VLAN traffic.
The Barracuda CloudGen Firewall can use up to 256 VLANs on one physical network interface and a maximum of 4094 VLANs globally. The VLAN interfaces are named <physical interface>.<VLAN id> (e.g., eth2.200), where the VLAN id represents the tag.
The firewall can serve both untagged and tagged VLANs simultaneously. Because untagged VLANs do not use the tagging information, an untagged VLAN is the same as a connection that uses its own physical interface. Therefore, if you want to use an untagged VLAN, assign a directly attached network to an interface of your choice. For more information, see How to Configure Directly Attached Routes.
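The tagging described above can be inspected at the frame level. The following is an added example, not part of the original article or of Barracuda's software: it builds and parses 802.1Q-tagged Ethernet frames and maps each one to an interface name in the `<physical interface>.<VLAN id>` form. The helper names and the sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet frame; insert the 4-byte tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= 4094:
            raise ValueError("VLAN id must be 0..4094 (4095 is reserved)")
        # TCI = priority (3 bits) | DEI (1 bit, left 0) | VLAN id (12 bits)
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_id or None, priority, payload EtherType)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, 0, ethertype          # untagged frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner


def receiving_interface(physical, frame):
    """Name the interface a frame belongs to, as <physical>.<VLAN id>."""
    vlan_id, _, _ = parse_frame(frame)
    # VLAN id 0 is a priority-only tag: the frame stays in the untagged network.
    return physical if not vlan_id else f"{physical}.{vlan_id}"


# Constructed sample frames; MAC addresses and payload are made up.
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
TAGGED = build_frame(DST, SRC, 0x0800, bytes(46), vlan_id=200)
UNTAGGED = build_frame(DST, SRC, 0x0800, bytes(46))
PRIORITY_ONLY = build_frame(DST, SRC, 0x0800, bytes(46), vlan_id=0, pcp=5)

if __name__ == "__main__":
    for frame in (TAGGED, UNTAGGED, PRIORITY_ONLY):
        print(receiving_interface("eth2", frame), parse_frame(frame))
```

The tagged frame is four bytes longer than the untagged one, which is why both the switch port and the NIC driver must understand the tag.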
To use tagged VLANs solely or simultaneously with an untagged VLAN, follow the steps below and use the same interface as for the untagged VLAN interface.
Configure the VLAN Interface
Step 1. Add a VLAN Interface
- Go to CONFIGURATION > Configuration Tree > Box > Network.
- In the left menu, select Virtual LANs.
- Click Lock.
- Add an entry in the VLAN table:
- Name – Enter a name and click OK.
- Physical VLAN Interface – Select the physical interface that will host the VLAN. E.g., eth2
- VLAN Tag – Enter the VLAN tag that was configured on the switch port the physical interface is plugged into. E.g., 200
- Header Reordering – This setting makes the virtual interface seem like a real Ethernet interface. Keep disabled for better performance. Enable if you are experiencing problems with network services, such as DHCP running in the VLAN.
- Click OK.
- Click Send Changes and Activate.
Step 2. Activate the Network Configuration
VLANs can be activated without interruption to the network subsystem. For more information, see How to Activate Network Changes.
- Go to CONTROL > Box.
- In the left navigation pane, expand Network and then click Activate new network configuration.
- Click Activate now.
To verify that the VLAN interface and its pending direct route were successfully introduced, go to CONTROL > Network.
Configure IP Addresses
With the 2-layer architecture (released with firmware 8.0.1), in which services are operated on top of the box layer, you now have another option besides Additional Local IPs for configuring IP addresses on the configured interface:
- Configure an Additional Local IP: Use this option if you want the IP address to be available even if the service layer is not available. However, consider that this is a drawback in high-availability configurations where IP addresses must be 'moveable' between the HA partners.
- Configure a SharedIP: Use this option if you have a preference for using flexible IP addresses, like for HA configurations.
For more information on the concept of SharedIPs, see Understanding the Usage of Operational-Relevant IP Addresses on the CloudGen Firewall and How to Configure Shared Networks and IPs.
Option #1: Configure an Additional Local IP
For ARP requests to work on multi-homed VLAN interfaces, use additional local IPs instead of the direct attached route and shared network for the VLAN interface.
- Go to CONFIGURATION > Configuration Tree > Box > Box > Network.
- Click Lock.
- Click + to add the VLAN network and IP address as an Additional Local IP.
- Enter a Name and click OK. The IP Address Configuration window opens.
- Interface Name – Select the VLAN interface.
- IP Address – Enter the IP address from the VLAN network.
- Associated Netmask – Select the netmask of the VLAN network.
- Responds to Ping – Set to yes.
- Management IP – Set to no.
- Click OK.
- Click Send Changes and Activate.
The virtual network interfaces are now listed on the CONTROL > Network page.
If you want to combine VLANs and bridging, see Bridging.
Option #2: Configure a Shared IP for the Virtual LAN
If you want to configure a shared IP address, follow the instructions in the article How to Configure Shared Networks and IPs.
This option assumes that you want to use the following data:
Configuration Parameter | Value |
---|---|
The VLAN tag of your configured VLAN interface | 20 |
The interface of your VLAN | eth3 |
The effective name of your VLAN interface | eth3.20 |
The network address | 10.0.20.0/24 |
A shared IP address in this network | 10.0.20.1 |
The following screenshots show the related configurations:
- Virtual LAN: Go to CONFIGURATION > Configuration Tree > Network > Virtual LANs.
- This configuration contains the following values in detail:
- The configuration for SharedIPs now bundles the VLAN configuration with IP addresses:
The virtual network interface is now listed on the CONTROL > Network page.
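Before entering values like those in the Option #2 table, a planned VLAN table can be checked offline. The following is an added example, not code from the article or from Barracuda: it validates a plan against the limits and the naming scheme stated at the top of this page and checks that each shared IP fits its network. The entry layout and the function name are assumptions, and the faulty entry is constructed.

```python
import ipaddress
from collections import Counter

MAX_PER_INTERFACE = 256  # VLANs per physical interface (limit stated above)
MAX_GLOBAL = 4094        # VLANs per firewall (limit stated above)


def check_vlan_plan(entries):
    """Return a list of problems in a planned VLAN table (empty list = OK).

    Each entry: {"phys", "tag", "name", "network", "shared_ip"} (assumed layout).
    """
    problems = []
    if len(entries) > MAX_GLOBAL:
        problems.append(f"{len(entries)} VLANs exceed the global limit")
    for phys, n in Counter(e["phys"] for e in entries).items():
        if n > MAX_PER_INTERFACE:
            problems.append(f"{phys}: {n} VLANs exceed the per-interface limit")
    seen = {}
    for e in entries:
        expected = f"{e['phys']}.{e['tag']}"
        if not 1 <= e["tag"] <= 4094:
            problems.append(f"{expected}: tag outside 1..4094")
        if e["name"] != expected:
            problems.append(f"{e['name']}: name should be {expected}")
        net = ipaddress.ip_network(e["network"])
        ip = ipaddress.ip_address(e["shared_ip"])
        if ip not in net:
            problems.append(f"{expected}: {ip} is not in {net}")
        elif net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
            problems.append(f"{expected}: {ip} is not a usable host address")
        for other, other_net in seen.items():
            if other == expected:
                problems.append(f"{expected}: defined twice")
            elif net.overlaps(other_net):
                problems.append(f"{expected}: {net} overlaps {other_net} on {other}")
        seen[expected] = net
    return problems


# Values from the Option #2 table, followed by a constructed faulty entry.
PLAN_OK = [{"phys": "eth3", "tag": 20, "name": "eth3.20",
            "network": "10.0.20.0/24", "shared_ip": "10.0.20.1"}]
PLAN_BAD = PLAN_OK + [{"phys": "eth3", "tag": 30, "name": "eth3.20",
                       "network": "10.0.20.128/25", "shared_ip": "10.0.30.1"}]

if __name__ == "__main__":
    print(check_vlan_plan(PLAN_OK))
    for problem in check_vlan_plan(PLAN_BAD):
        print(problem)
```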