It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure VLANs

  • Last updated on

VLANs allow you to split one physical network interface (with one MAC address) into several virtual LANs. The physical interface behaves like several interfaces, and the switch behaves like multiple switches. VLANs are useful when not enough network interfaces exist on the unit. The Barracuda NextGen Firewall F-Series can use up to 256 VLANs on one physical network interface and a maximum of 4096 VLANs globally. The VLAN interfaces are named <physical interface>.<VLAN id> (e.g., eth2.200). Only tagged traffic is handled by the Firewall - traffic on the physical interface is discarded. You must use a properly configured 802.1q VLAN capable switch and NICs that use one of the following kernel modules that are capable of 802.1q VLAN tagging on the Barracuda NextGen Firewall F-Series:

Step 1. Add a VLAN interface

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. In the left menu, select Virtual LANs.
  3. Click Lock.
  4. Add an entry in the VLAN table:
    • Name – Enter a name and click OK.
    • Physical VLAN Interface – Select the physical interface that will host the VLAN. E.g., eth2 
    • VLAN Tag – Enter the VLAN tag that was configured on the switch port the physical interface is plugged in to. E.g., 200

    • Header Reordering – This setting makes the virtual interface seem like a real Ethernet interface. Keep disabled for better performance. Enable if you are experiencing problems with network services, such as DHCP running in the VLAN.

  5. Click OK.
  6. Click Send Changes and Activate.

Step 2. Create a Direct Route for the VLAN

Add a direct attached route for the VLAN network.

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. In the left menu, select Routing.
  3. Click Lock.
  4. In the Routes table, add an entry for the VLAN route. Specify the following settings:
    • Target Network Address – Enter the network used on the VLAN. E.g.,
    • Route Type – Select directly attached network.
    • Interface Name – Select the virtual interface matching the VLAN and target network address. E.g., eth2.200
  5. Click OK.
  6. Click Send Changes and Activate.

Step 3. Activate the New Network Configuration

If you activate the network in failsafe mode, a short network interruption occurs, which may require a maintenance window. It is possible to carry out the network activation for VLAN interfaces without interruption by using the command line.

Failsafe activation with temporary network connectivity disruption:

  1. Go to CONTROL > Box.
  2. In the left navigation pane, expand Network and then click Activate new network configuration.
  3. Select the Failsafe mode.
  4. To verify that the VLAN interface and its pending direct route were successfully introduced, go to CONTROL > Network.

Soft activation without temporary network connectivity disruption:

  1. Change to the command-line interface and execute the following commands for each configured VLAN on device eth<n> with corresponding <VLAN-ID>:
    • /etc/phion/bin/vconfig add eth<n> <VLAN-ID>
    • ip link set eth<n>.<VLAN-ID> up
  2. Activate the network configuration by clicking the Soft activate button.

Next Steps

The virtual network interfaces can be used just like physical network interfaces. The virtual network interfaces are now listed on the CONTROL > Network page. If you want to combine VLANs and bridging, see Bridging.


Last updated on