What's The Difference Between Interface VLANs Tab and VLANS Section In Sidebar? (PA-220)


L0 Member

Hi all,

 

I'm confused as to what the difference is between the "VLAN" tab under "Interfaces" in "Network" and the "VLANs" section in the sidebar in "Network". My goal is to create a couple of different VLANs for a network where certain traffic has to be segmented from other traffic. All of my ports are operating on L3.

 

Thanks!

1 accepted solution

Accepted Solutions

Cyber Elite

@DSzymanski,

So if we look at your stated goal you don't actually need to be configuring VLAN objects or VLAN interfaces at all, because you already have all the ports operating on Layer3. In this situation what you would do is the following.

1) Configure a 'Trunk' port on the switch that connects to the firewall via one of those Layer3 interfaces that you have configured. Allow whatever VLANs you want on that Trunk port. 

2) Create subinterfaces on the Layer3 interface that is connected to the Trunk port and properly set up the 'Tag' value to match the VLAN that has been configured on the switch.

3) Assign the Default-Gateway IP of the VLAN to the subinterface associated with that VLAN. 

4) Assign the subinterface whatever Security Zone you want on the firewall. If you are looking to segment traffic you may have a 'Server', 'Client', 'Internal' or whatever zone that you configure depending on what you are segmenting in the VLANs.

5) Update the security policy so that this new configuration is taken into account. 

6) Update any routing statements that need to be made. 

7 replies

Cyber Elite

@DSzymanski,

The VLAN listing directly under the Network tab is where you essentially configure the common name of the VLAN that you want to set up along with any static MAC config that you need. The VLAN interface configuration is where you are actually going to set up the interface tag, assign the VLAN you configured earlier to the VLAN interface, assign the interface to the virtual router and security zone and give the VLAN interface its IP address.

Hey BPry,

 

Thanks so much for getting back to me. Just one more question for you if you don't mind. What is the purpose of assigning an IP address to the VLAN interface? Shouldn't it just use the IP address I have specified for the subinterface by default?

 

Thanks again for taking the time. I greatly appreciate it!

@DSzymanski,

 

Depending on your LAN routing you could assign the default gateway of the VLAN as the VLAN interface IP and no matter what path is up the gateway would be accessible. So the interface on the firewall may be assigned 10.191.132.2 and another interface might be 10.191.132.3; since the VLAN interface is acting as the gateway it doesn't matter if one of the interfaces goes down.

 

Now if you only have 1 interface acting as a 'Trunk', so to speak, it doesn't matter what you do here because you won't see a benefit of assigning the VLAN interface as the gateway: if that 'Trunk' interface ever loses connection you still won't have a path to the gateway. In this scenario you might as well assign the gateway IP to the interface in question instead of the VLAN interface.

So are you saying then that it is possible to create the VLANs without assigning them an IP? Or is it required that they have an IP? What I'm getting from your previous response is that the VLAN relies on the interface IP address anyway and therefore it is optional whether or not I want to assign an IP address to the VLAN. Is this correct?

@DSzymanski,

You don't need to configure an IP address on the VLAN interface or the subinterface if you don't want to and the config will be valid, but how are you going to route that? 

I think we might be confusing a few things here though. So I'm going to feed a little bit of information about each example here and you can pick whichever one is applicable to your environment.

 

Layer3

You aren't configuring a VLAN on a Layer3 interface, you are simply configuring a Tag, usually on a sub-interface. 

1) I have ethernet1/8 configured as a Layer3 interface; this interface does not have an IP address.

2) I create a subinterface of ethernet1/8.232 (doesn't need to be 232, but to me it's cleaner) and set the Tag value as 232 as I have a VLAN 232 on the switch I want to utilize this interface for. 

3) I configure 1/8.232 to be assigned VR 'default' and then the Security Zone as 'trust' and assign it the IP address 10.191.232.1/22, as I want the interface to act as the default gateway for all hosts in vlan232.

4) Repeat the process for any VLAN you have on the switch. 

Notes:

- The link between ethernet1/8 and the switch needs to be a 'trunk' so that the VLAN tag is applied to the header of the packet. 

- Subinterface 1/8.232 is going to match any traffic with the VLAN tag '232', and since it's the default gateway will handle all VLAN232 traffic. 

- This is NOT adding the VLAN to the firewall at all. This is specifying that subinterface 1/8.232 should handle any traffic with the tag '232' but nothing else. The Firewall doesn't participate in the VLAN, it simply handles the routing and forwarding for the VLAN as we've configured it as the gateway. 

- You don't need to create a VLAN interface or a VLAN object for this configuration; the VLAN doesn't matter as you are only looking for the VLAN Tag on the packets. 

- The subinterface 1/8.232 needs an IP address as otherwise you can't properly route the traffic. The configuration is considered valid without an IP address, but you will not be able to route traffic properly. 

 

Layer2: 

This is where the firewall actually functions as a member of the VLAN and doesn't just process the traffic. The firewall will participate in the VLAN the same as a switch would, and the configuration is a little bit harder to explain as there are a couple of ways to set this up.

1) You create the VLAN interface that will be used by the physical interfaces which are configured as Layer2 interfaces. You assign this interface an id (doesn't need to be the VLAN tag), assign the Virtual Router, and the Zone. You can configure an IP address directly on the VLAN interface but whether or not you do so is up to you.

2) You'll assign the VLAN interface a VLAN that you've created or that you create right now. This doesn't really contain much of anything unless you have Static MAC configuration statements that you need to configure.  

3) One of your interfaces will need to be configured as a Layer2 interface, and you'll set the VLAN to the VLAN object that we just created in 2 and select the security zone that you wish to assign the interface to (Note that you can't mix Layer2 and Layer3 in the same security zones). 

4) If you are looking to route via Layer2 interfaces (and let's face it, you are, otherwise you would have just used v-wire) you generally put the IP address directly on the VLAN interface that you created.

5) Create any routes that you need in the selected VR. 

 

Notes:

- You can create a 'native' or untagged Layer2 interface as the physical interface (e.g. ethernet1/8).

- Additional VLANs can be configured as subinterfaces on any Layer2 interface; you simply need to configure the interface with the proper Tag and assign it to the proper VLAN.

- Layer2 is the only configuration that allows the firewall to actively participate in the VLAN the same way that a switch would. 
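As an added illustration (not from the original thread, and not official Palo Alto Networks or switch-vendor documentation), the Layer3 walkthrough above and the six steps of the accepted solution can be expressed as PAN-OS configuration-mode `set` commands, using the same values BPry used: parent interface ethernet1/8, subinterface ethernet1/8.232 with tag 232, gateway address 10.191.232.1/22, virtual router 'default' and zone 'trust'. The switch-side lines use Cisco IOS-style syntax and the port name GigabitEthernet1/0/1 is assumed for the example; check both command forms against your PAN-OS release and switch CLI reference before committing.

```text
# --- Firewall (PAN-OS, configure mode). Added example; verify syntax for your release. ---
# Step 1 of the walkthrough: ethernet1/8 is a plain Layer3 interface with no IP of its own.
set network interface ethernet ethernet1/8 layer3

# Step 2: the subinterface whose Tag matches VLAN 232 on the switch.
set network interface ethernet ethernet1/8 layer3 units ethernet1/8.232 tag 232

# Step 3: the subinterface carries the gateway address for the VLAN. Without this 'ip'
# line the commit still succeeds, but hosts in VLAN 232 have no reachable gateway.
set network interface ethernet ethernet1/8 layer3 units ethernet1/8.232 ip 10.191.232.1/22

# Step 3 continued: virtual router and security zone for the subinterface.
set network virtual-router default interface ethernet1/8.232
set zone trust network layer3 ethernet1/8.232

commit

# --- Switch uplink to ethernet1/8 (Cisco IOS style, assumed). Must be a trunk so the
# --- 802.1Q tag 232 is actually present on frames that reach the firewall.
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 232
```

Repeat the three subinterface lines, the virtual-router line and the zone line for each additional VLAN (for example a second subinterface ethernet1/8.233 with tag 233 in its own zone if that VLAN is to be segmented from vlan232), and add the VLAN to the trunk's allowed list. Nothing here creates a VLAN object or VLAN interface, which is the point of the Layer3 approach: the firewall only matches the tag and routes between zones, so traffic between two subinterfaces in different zones is dropped until a security policy rule explicitly permits it (step 5 of the accepted solution).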

Thank you for the information!
