VLAN - Bridge Configuration
The Barracuda Web Security Gateway can filter and route tagged traffic for multiple VLANs to the Internet, preserving the segregation of the VLANs on the WAN port (to the Firewall). In a VLAN deployment, the LAN and WAN ports behave like trunk ports, much like those on a switch or router. When multiple VLANs need to send traffic through the Barracuda Web Security Gateway to the Internet and you want to preserve the segregation of these VLANs, use the Bridge VLAN deployment, connecting the VLANs to the LAN side of the Barracuda Web Security Gateway.
You can also use this deployment configuration to route multiple networks (not VLANs, but untagged traffic) sending outbound traffic through the Barracuda Web Security Gateway.
If you have deployed Barracuda Web Security Gateways in High Availability mode with the Barracuda Load Balancer ADC, use the Loopback Port as mentioned in How to Load Balance Barracuda Web Security Gateway With the Barracuda Load Balancer ADC.
Figure 1: Bridge VLAN Deployment.
To configure, from the web interface, navigate to the ADVANCED > Advanced Networking page. In the VLAN Configuration section, first select Bridge for VLAN Interface. You will need to create a name and ID for each VLAN. For example, if the marketing department is on one VLAN and the finance department is on another, call them MRK_VLAN and FIN_VLAN. Each ID should be unique, in the range specified on the ADVANCED > Advanced Networking page.
Every VLAN or subnet that you are routing to the Barracuda Web Security Gateway needs to be associated with a valid IP address, and you make that association by creating a virtual interface. In the Virtual Interfaces section of the ADVANCED > Advanced Networking page, you will need to enter the IP address and associated information for each VLAN or subnet. Click the Help button on the page for details on VLAN configuration.
VLAN Deployment - LAN Configuration
If you have multiple VLANs or subnets and you want to filter the traffic but not expose the traffic outside of your network, use the LAN configuration of a VLAN deployment. In this case, all VLAN or subnet traffic is NAT'ed by the Barracuda Web Security Gateway and requests are proxied via the WAN port to the Internet.
Figure 2: LAN-VLAN Deployment.
To configure, from the web interface, navigate to the ADVANCED > Advanced Networking page. In the VLAN Configuration section, first select LAN for VLAN Interface. You will need to create a name and ID for each VLAN. Then, using the Virtual Interfaces section of the page, associate each VLAN with a Virtual Interface which is defined with an IP address, a Netmask and a Gateway address.
For example, if the marketing department is on one VLAN and the finance department is on another, you might name your VLANs "MRK_VLAN" and "FIN_VLAN". Each ID should be unique, in the range specified on the ADVANCED > Advanced Networking page. Click Help on the page for more details on VLAN configuration.
VLAN Deployment - System Configuration
Use the System VLAN when the Barracuda Web Security Gateway does NOT reside in the native VLAN. With this setting, the system is accessible only from its own VLAN. Set System VLAN to one of the VLAN Interfaces you added in the VLAN Configuration section of the ADVANCED > Advanced Networking page.
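The rules above (unique name and ID per VLAN, a virtual interface with IP address, Netmask and Gateway for each, and a System VLAN chosen from the VLANs you added) can be checked on a planned table before it is entered in the web interface. The following Python pre-check is an added example, not part of the Barracuda documentation. The dictionary layout, sample addresses, the MGMT_VLAN name, the 1-4094 ID range and the no-overlap rule are assumptions; use the ID range shown on the ADVANCED > Advanced Networking page.

```python
import ipaddress

# Assumption: standard 802.1Q range; the appliance's own range is shown on the
# ADVANCED > Advanced Networking page and may be narrower.
VLAN_ID_RANGE = range(1, 4095)

# Constructed sample plan with two deliberate mistakes (reused ID, wrong gateway).
SAMPLE_PLAN = [
    {"name": "MRK_VLAN", "id": 10, "ip": "10.10.10.2",
     "netmask": "255.255.255.0", "gateway": "10.10.10.1"},
    {"name": "FIN_VLAN", "id": 10, "ip": "10.10.20.2",
     "netmask": "255.255.255.0", "gateway": "10.10.30.1"},
]

def check_vlan_plan(vlans, system_vlan=None, id_range=VLAN_ID_RANGE):
    """Return a list of problems in a planned VLAN / virtual interface table."""
    problems, seen_ids, seen_names, networks = [], {}, set(), []
    for v in vlans:
        name, vid = v["name"], v["id"]
        if name in seen_names:
            problems.append(f"{name}: duplicate VLAN name")
        seen_names.add(name)
        if vid not in id_range:
            problems.append(f"{name}: ID {vid} outside allowed range")
        if vid in seen_ids:
            problems.append(f"{name}: ID {vid} already used by {seen_ids[vid]}")
        seen_ids.setdefault(vid, name)
        try:
            iface = ipaddress.ip_interface(f"{v['ip']}/{v['netmask']}")
            gateway = ipaddress.ip_address(v["gateway"])
        except ValueError as exc:
            problems.append(f"{name}: invalid address ({exc})")
            continue
        # The virtual interface's gateway must be reachable on its own subnet.
        if gateway not in iface.network:
            problems.append(f"{name}: gateway {gateway} not in {iface.network}")
        # Assumption: each VLAN gets its own non-overlapping subnet.
        for other_name, other_net in networks:
            if iface.network.overlaps(other_net):
                problems.append(f"{name}: subnet overlaps {other_name}")
        networks.append((name, iface.network))
    # The System VLAN must be one of the VLANs defined in the plan.
    if system_vlan is not None and system_vlan not in seen_names:
        problems.append(f"System VLAN {system_vlan} is not a defined VLAN")
    return problems

if __name__ == "__main__":
    for line in check_vlan_plan(SAMPLE_PLAN, system_vlan="MGMT_VLAN"):
        print(line)
```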