This article documents how to implement IEEE 802.1Q Virtual LAN (VLAN) technology between a Cyberoam appliance and 802.1Q-compliant devices, such as Cisco switches and routers.
Virtual Local Area Networks (VLANs) use tag-based LAN multiplexing technology to simulate multiple LANs within a single physical LAN using IP header tagging. VLAN IDs/tags are 4-byte frame extensions that contain a VLAN identifier as well as other information.
VLANs multiply the capabilities of the Cyberoam appliance. VLAN tags added to network frames increase the number of network interfaces (ports) beyond the available physical ports on the Cyberoam appliance:
- Increased port density
- Logical segmentation of the network irrespective of physical placement
- Granular security on heterogeneous LANs
- Improved network throughput, as a VLAN confines the broadcast domain
Using VLANs, a single Cyberoam appliance can provide security services and control connections between multiple domains. Traffic from each domain is given a different VLAN ID. Cyberoam recognizes VLAN IDs and applies security policies to secure the network between domains. Cyberoam can also apply authentication, various policies, and firewall rule features to each network.
Follow the steps below from the Web Admin console to configure a VLAN:
Step 1: Define virtual subinterface
Go to System>Configure Network>Manage Interface and click the “Add VLAN Subinterface” button to open the create page.
Physical Interface: Select the interface for which the virtual subinterface is to be defined. The virtual subinterface will be a member of the selected physical interface/port. The dropdown menu lists only the LAN and DMZ interfaces.
VLAN ID: Specify the VLAN ID. The interface VLAN ID can be any number between 2 and 4094. The VLAN ID of each virtual subinterface must match the VLAN ID of the packet. If the IDs do not match, the virtual subinterface will not receive the VLAN tagged traffic.
Virtual subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add virtual subinterfaces with the same VLAN ID to different physical interfaces.
IP address: Specify the IP address and netmask for the virtual subinterface. Only a static IP address can be assigned, and the subnet ID should be unique across all physical/virtual subinterfaces.
Zone: Select the virtual subinterface zone. The virtual subinterface will be a member of the selected zone and remains unused until it is included in a zone. A virtual subinterface can be a member of the LAN, DMZ or a custom zone.
- Zone membership can be defined at the time of defining the virtual subinterface or later, whenever required.
- A virtual subinterface can be a member of a custom zone.
- A virtual subinterface cannot be a member of the WAN zone.
On successful creation, the interface details page (System>Configure Network>Manage Interface) will display the newly defined virtual subinterface under the selected physical interface.
Step 2: Restart Management Services from the CLI console
Log on to the CLI console through SSH or Telnet and select option R, Restart Management Services.
Once the virtual interface is defined and included in a zone, it can be treated exactly the same as a physical interface. Customization of the firewall rules that govern traffic between VLANs and other interfaces, IDP policies, and virus and spam scanning can be performed the same way as for a physical interface.
If a virtual subinterface is defined for a custom zone, two default firewall rules are automatically created for that custom zone. For example, if a virtual subinterface is defined for the LAN zone, two default firewall rules from the virtual subinterface to the WAN zone are automatically created based on the default LAN to WAN zone firewall rules.
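The two constraints the steps above rely on, that a frame is delivered only to the subinterface whose VLAN ID matches the 4-byte 802.1Q tag and that the subinterface definition itself must be valid (ID between 2 and 4094, unique per physical interface, unique subnet, never the WAN zone), are shown here as an added Python example. This is not Cyberoam code; the `VlanTable` class, its method names and the sample frame are constructed for illustration.

```python
import struct
from ipaddress import IPv4Interface

TPID_8021Q = 0x8100  # EtherType value that announces a 4-byte 802.1Q tag follows


def build_tagged_frame(vid, payload=b"", pcp=0, dei=0, ethertype=0x0800):
    """Constructed sample frame: dst MAC, src MAC, 802.1Q tag (TPID + TCI), inner EtherType, payload."""
    tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
    header = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55"
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_dot1q(frame):
    """Return the tag fields of a tagged frame, or None if the frame carries no 802.1Q tag."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q tagged Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None  # untagged: handled by the physical interface, not a subinterface
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    # TCI layout: 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VLAN ID
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF,
            "ethertype": ethertype, "payload": frame[18:]}


class VlanTable:
    """Virtual subinterfaces keyed by (physical interface, VLAN ID), enforcing the article's rules."""

    def __init__(self):
        self.subifs = {}

    def add_subinterface(self, physical, vid, cidr, zone):
        if physical not in ("LAN", "DMZ"):
            raise ValueError("subinterfaces can only be defined on LAN or DMZ interfaces")
        if not 2 <= vid <= 4094:
            raise ValueError("VLAN ID must be between 2 and 4094")
        if zone == "WAN":
            raise ValueError("a virtual subinterface cannot be a member of the WAN zone")
        if (physical, vid) in self.subifs:
            raise ValueError("VLAN ID already used on this physical interface")
        network = IPv4Interface(cidr).network
        if any(s["network"] == network for s in self.subifs.values()):
            raise ValueError("subnet must be unique across all physical/virtual subinterfaces")
        self.subifs[(physical, vid)] = {"ip": IPv4Interface(cidr), "network": network, "zone": zone}

    def deliver(self, physical, frame):
        """Return the subinterface that receives the frame, or None when untagged or no VLAN ID matches."""
        tag = parse_dot1q(frame)
        if tag is None:
            return None
        return self.subifs.get((physical, tag["vid"]))  # mismatched ID: the frame is not received
```

The same VLAN ID on two different physical interfaces is accepted, while a second subinterface with that ID on the same interface is rejected, exactly as the VLAN ID field description states.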
From version 9.5.4 build 66 onwards, VLAN (Virtual LAN) tags will be preserved even when antivirus scanning, spam filtering and web filtering using Internet Access Policy (IAP) are applied to VLAN tagged traffic in Bridge mode.
Document version – 1.0-19/08/2008