HomeHome ArticlesArticles Most Popular ArticlesMost Popular Articles Most Helpful ArticlesMost Helpful Articles Request New ArticleRequest New Article
RSS Feeds
DrillDown Icon Table of Contents Back
 . . . . . . . . . . . . .
DrillDown Icon FAQs on Cyberoam and Sophos Firewall
DrillDown Icon Vulnerability Security Advisories
DrillDown Icon Best Practices & Policies
DrillDown Icon Protect Your Cyberoam Appliances from Power Fluctuations
DrillDown Icon Technical Library
DrillDown Icon Compatibility
DrillDown Icon Archives
DrillDown Icon Version 9.x
DrillDown Icon How To
DrillDown Icon Anti Spam
DrillDown Icon Anti Virus
DrillDown Icon Authentication
DrillDown Icon Blocking
DrillDown Icon Clients
DrillDown Icon Content filtering
DrillDown Icon Firewall
DrillDown Icon IPS
DrillDown Icon Logs & Reports
DrillDown Icon SNMP
DrillDown Icon System
DrillDown Icon Registration
DrillDown Icon User
DrillDown Icon VPN
DrillDown Icon Intimation Regarding US New Daylight Saving Time Support
DrillDown Icon Verify the integrity check of Cyberoam Upgrade file using MD5 checksum
DrillDown Icon Troubleshooting
DrillDown Icon FAQ
DrillDown Icon Tech Notes
  Subscribe Print PreviewPrint Current Article and All Sub-Articles
Configure VLAN


This article documents how to implement IEEE 802.1Q Virtual LAN (VLAN) technology between Cyberoam appliance and 802.1Q-compliant devices, such as Cisco switches and routers.

Virtual Local Area Networks (VLANs) use tag-based LAN multiplexing technology to simulate multiple LAN’s within a single physical LAN using IP header tagging. VLAN ID/tags are 4-byte frame extensions that contain a VLAN identifier as well as other information.

VLANs multiply the capabilities of Cyberoam appliance. VLAN tags added to network frames increases the number of network interfaces (ports) beyond the available physical ports on the Cyberoam appliance.

  • Increased Port density
  • Logical segmentation of Network irrespective of physical placement
  • Granular security on heterogeneous LANs
  • Improved Network throughput as VLAN confines broadcast domain

Using VLANs, a single Cyberoam appliance can provide security services and control connections between multiple domains. Traffic from each domain is given a different VLAN ID. Cyberoam can recognize VLAN IDs and apply security policies to secure network between domains. Cyberoam can also apply authentication, various policies, and firewall rule features for network.

Cyberoam Configuration

Follow the below given steps from Web Admin console to configure VLAN:

Step 1: Define virtual subinterface

Go to System>Configure Network>Manage Interface and click “Add VLAN Subinterface” button to open the create page

Physical Interface: Select interface for which the virtual subinterface is to be defined. Virtual subinterface will be the member of selected physical Interface/Port. The dropdown menu will list only the LAN and DMZ interfaces.

VLAN ID: Specify VLAN ID. The interface VLAN ID can be any number between 2 and 4094. The VLAN ID of each virtual subinterface must match the VLAN ID of the packet. If the IDs do not match, the virtual subinterface will not receive the VLAN tagged traffic.

Virtual Interfaces added to the same physical interface cannot have the same VLAN ID. However, you can add virtual subinterfaces with the same VLAN ID to different physical interfaces

IP address: Specify IP address and netmask for the virtual subinterfaces. Assign static IP address only. Only static IP address can be assigned and Subnet ID should be unique across all the physical/virtual subinterfaces

Zone: Select virtual subinterface Zone. Virtual subinterface will be the member of the selected zone. Virtual subinterface created will remain unused until it is included in a zone. Virtual subinterface can be the member of LAN, DMZ or custom zone.


  1. Zone membership can be defined at the time of defining virtual subinterface or later whenever required. 
  2. Virtual subinterface can be the member of custom zone. 
  3. Virtual subinterface cannot be the member of WAN zone

On successful creation, Interface details (System>Configuration Network>Manage Interface page) will display newly defined virtual subinterface under the selected physical interface.


Step 2 : Restart Management services from CLI console

Logon to CLI console through SSH or Telnet and select option R Restart Management Services

Once the virtual interface is defined and is included in a zone, it can be treated exactly same as the physical interface. Customization of firewall rules that govern the traffic between VLANs and other interfaces, IDP policies and virus and spam scanning can be performed the same way as done with the physical interface.

If virtual subinterface is defined for custom zone, two default firewall rules for the zone are automatically created for the custom zone. For example, if virtual subinterface is defined for LAN zone, 2 default firewall rules under Virtual subinterface to WAN zone are automatically created based on the default LAN to WAN zone firewall rules.

From version 9.5.4 build 66 onwards, VLAN (Virtual LAN) tags will be preserved even when antivirus scanning, spam filtering and web filtering using Internet Access Policy (IAP) are applied to VLAN tagged traffic in Bridge mode.

Document version – 1.0-19/08/2008

Article ID: 1065