It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda Web Security Gateway
Overview Documentation Training Certification Materials

VLAN Deployments

  • Last updated on

VLAN - Bridge Configuration

The Barracuda Web Security Gateway can filter and route tagged traffic for multiple VLANs to the Internet, preserving the segregation of the VLANs on the WAN port (to the Firewall). In a VLAN deployment, the LAN and WAN ports behave like trunk ports much like a switch or router. For cases in which multiple VLANs need to send traffic through the Barracuda Web Security Gateway to the Internet, and you want to preserve the segregation of these VLANs, use the Bridge VLAN deployment, connecting multiple VLANs to the LAN side of the Barracuda Web Security Gateway.

You can also use this deployment configuration to route multiple networks (not VLANs, but untagged traffic) sending outbound traffic through the Barracuda Web Security Gateway.

If you have deployed Barracuda Web Security Gateways in High Availability mode with Barracuda Load Balanced ADC, use the Loopback Port as mentioned in How to Load Balance Barracuda Web Security Gateway With the Barracuda Load Balancer ADC.

Important Notes
  • Barracuda Networks recommends testing your VLAN deployment during low traffic periods or outside of regular business hours.
  • Note that transporting multiple VLANs across the same Ethernet connection requires a trunk line.
    Bridge VLAN deployment is the most common.
  • If you need to contact technical support you should have the Barracuda Web Security Gateway connected to see traffic into the unit. Also, having a network diagram available to show Barracuda Networks Technical Support will greatly assist in understanding your deployment configuration.

  • The Barracuda Web Security Gateway needs to be part of a VLAN to pass tagged 802.1Q traffic. To set up for 802.1Q traffic, you will need:

    •  A list of all VLANs that pass through the Barracuda Networks appliance (name and number).
    •  The Subnet mask for each VLAN. 
    • Corresponding Default Gateway IP addresses for each VLAN.  
    • An unused IP address within each VLAN that is exempt from DHCP.

For more details about VLAN configuration, click the Help button on the ADVANCED > Advanced Networking page. Note that the ADVANCED > Advanced Networking page is available only on Barracuda Web Security Gateway appliances, for all models.

Figure 1: Bridge VLAN Deployment.

VLAN Bridge With LabelsBWSG.png

To configure, from the web interface, navigate to the ADVANCED > Advanced Networking page. In the VLAN Configuration section, first select Bridge for VLAN Interface.You will need to create a name and ID for each VLAN. For example, if the marketing department is on one VLAN and the finance department is on another, call them MRK_VLAN and FIN_VLAN. Each ID should be unique, in the range specified on the ADVANCED > Advanced Networking page.

Every VLAN or subnet that you are routing to the Barracuda Web Security Gateway needs to be associated with a valid IP address, and you make that association by creating a virtual interface. In the Virtual Interfaces section of the ADVANCED > Advanced Networking page, you will need to enter the IP address and associated information for each VLAN or subnet. Click the Help button on the page for details on VLAN configuration.

VLAN Deployment - LAN Configuration

If you have multiple VLANs or subnets and you want to filter the traffic but not expose the traffic outside of your network, use the LAN configuration of a VLAN deployment. In this case, all VLAN or subnet traffic is NAT'ed by the Barracuda Web Security Gateway and requests are proxied via the WAN port to the Internet.

Figure 2: LAN-VLAN Deployment.

LAN_VLAN_BWSG.png

To configure, from the web interface, navigate to the ADVANCED > Advanced Networking page. In the VLAN Configuration section, first select LAN for VLAN Interface. You will need to create a name and ID for each VLAN. Then, using the Virtual Interfaces section of the page, associate each VLAN with a Virtual Interface which is defined with an IP address, a Netmask and a Gateway address.

For example, if the marketing department is on one VLAN and the finance department is on another, you might name your VLANs "MRK_VLAN" and "FIN_VLAN". Each ID should be unique, in the range specified on the ADVANCED > Advanced Networking page. Click Help on the page for more details on VLAN configuration.

VLAN Deployment - System Configuration

Use the System VLAN when the Barracuda Web Security Gateway does NOT reside in the native VLAN. The system is now only accessible from its own VLAN. Set System VLAN to one of the VLAN Interfaces you added in the VLAN CONFIGURATION section of the ADVANCED > Advanced Networking page.