Overview
Virtual LAN (VLAN) support in cOS Stream allows the definition of one or more Virtual LAN interfaces which are associated with a particular physical interface. These are then considered to be logical interfaces by cOS Stream and can be treated like any other interface in rule sets and routing tables. VLANs are useful in several different scenarios. A typical use is to allow one physical Ethernet interface to appear as multiple VLAN interfaces. This means that the number of available physical interface ports need not limit the number of connected external networks.
Another usage is to group together clients and/or hosts in an organisation so that the traffic belonging to different groups is kept completely separate in separate VLANs. Traffic can then only flow between the different VLANs under the control of cOS Stream and is filtered using the security policies described by the rule sets.
As explained in more detail below, VLAN configuration with cOS Stream involves a combination of VLAN trunks from the Clavister NetShield Firewall to switches, with these switches configured with port based VLANs on their interfaces so that each switch port belongs to one or multiple VLANs.
Note: VLAN traffic can be combined with other traffic
Any physical interface can carry both non-VLAN traffic as well as VLAN trunk traffic at the same time. A physical interface does not need to be devoted to VLAN traffic.
VLAN Processing
The Clavister NetShield Firewall follows the IEEE 802.1Q specification. This specifies how VLANs function by adding a Virtual LAN Identifier (VLAN ID) to the Ethernet frame headers of frames which are part of a VLAN's traffic. The VLAN ID is a number between 1 and 4094 which is used to identify the specific Virtual LAN to which each frame belongs. With this mechanism, Ethernet frames can belong to different Virtual LANs but can still share the same physical Ethernet link.
The following principles underlie the processing of VLAN tagged Ethernet frames at a physical interface:
Ethernet frames received on a physical interface by cOS Stream, are examined for a VLAN ID. If a VLAN ID is found and a matching VLAN interface has been defined for that interface, cOS Stream will use the VLAN interface as the logical source interface for further rule set processing.
If there is no VLAN ID attached to an Ethernet frame received on an interface then the frame is treated in the normal way and not as coming from a VLAN.
If VLAN tagged traffic is received on a physical interface and there is no VLAN defined for that interface in the configuration with a corresponding VLAN ID then that traffic is dropped by cOS Stream and an unknown_vlanid log message is generated.
The VLAN ID must be unique for a single physical interface but the same VLAN ID can be used on more than one physical interface. In other words, the same VLAN can span many physical interfaces.
A physical interface does not need to be dedicated to VLANs and can carry a mixture of VLAN and non-VLAN traffic.
VLAN Connections
The illustration below shows the connections for a typical VLAN scenario. With VLANs, the physical connections are as follows:
One or more VLANs are configured on a physical Clavister NetShield Firewall interface and this is connected directly to a switch. This link acts as a VLAN trunk. The switch used must support port based VLANs. This means that each port on the switch can be configured with the ID of the VLAN or VLANs that a port is connected to. The port on the switch that connects to the firewall should be configured to accept the VLAN IDs that will flow through the trunk.
In the illustration above, the connections between the interfaces if1 and if2 and the switches Switch1 and Switch2 are VLAN trunks.
Other ports on the switch that connect to VLAN clients are configured with individual VLAN IDs. Any device connected to one of these ports will then automatically become part of the VLAN configured for that port. In Cisco switches this is called configuring a Static-access VLAN.
On Switch1 in the illustration above, two interfaces are configured to be dedicated to VLAN1 and the third to VLAN2.
The switch could also forward trunk traffic from the firewall into another trunk if required.
More than one interface on the firewall can carry VLAN trunk traffic and these will connect to separate switches. More than one trunk can be configured to carry traffic with the same VLAN ID.
Summary of VLAN Setup
Below are the key steps for setting up a VLAN interface.
Assign a name to the VLAN interface.
Select the interface for the VLAN. This is either a physical interface or another VLAN object which has been configured as a service VLAN.
Assign a VLAN ID that is unique on the physical interface.
Optionally specify an IP address for the VLAN. If not specified, it defaults to the address of the associated interface.
Optionally specify an IP broadcast address for the VLAN.
Create the required route(s) for the VLAN in the appropriate routing table.
Create rules in the main IP rule set to allow traffic through on the VLAN interface.
For a standard, non-service VLAN, the Type property does not need to be specified. This is only required for a service (QinQ or stacked) VLAN. See Section 3.3, Service VLANs for more about this topic.
It is important to understand that the administrator should treat a VLAN interface just like a physical interface, in that it requires both appropriate IP rules and routes to exist in the configuration for traffic to flow through it. For example, if no IP rule with a particular VLAN interface as the source interface is defined allowing traffic to flow, then packets arriving on that interface will be dropped.
Enabling the DHCP Client Function
By default, all VLAN interfaces have their IPv4 addresses allocated manually. However, any interface can have DHCP client functionality enabled for automatic assignment of IPv4 addresses and this is discussed further in Section 21.3, DHCP Client.
VLAN advanced settings
There is a single advanced setting for VLAN:
Unknown VLAN Tags
What to do with VLAN packets tagged with an unknown ID.
Default: DropLog