Vlan - D-Link DFL-1660 User Manual

Network security firewall
For a complete list of all CLI options see the CLI Reference Guide.
3.3.3. VLAN
Overview
Virtual LAN (VLAN) support in NetDefendOS allows the definition of one or more Virtual LAN
interfaces which are associated with a particular physical interface. These are then considered to be
logical interfaces by NetDefendOS and can be treated like any other interfaces in NetDefendOS rule
sets and routing tables.
VLANs are useful in several different scenarios. A typical application is to allow one Ethernet
interface to appear as many separate interfaces. This means that the number of physical Ethernet
ports on a NetDefend Firewall need not limit how many totally separated external networks can be
connected.
Another typical usage of VLANs is to group together clients in an organisation so that the traffic
belonging to different groups is kept completely separate in different VLANs. Traffic can then only
flow between the different VLANs under the control of NetDefendOS and is filtered using the
security policies described by the NetDefendOS rule sets.
As explained in more detail below, VLAN configuration with NetDefendOS involves a combination
of VLAN trunks from the NetDefend Firewall to switches, with those switches configured for
port-based VLANs on their own interfaces. Any physical firewall interface can, at the same time, carry
both non-VLAN traffic and VLAN trunk traffic for one or multiple VLANs.
VLAN Mechanisms
NetDefendOS follows the IEEE 802.1Q specification for VLANs, which functions by adding a
Virtual LAN Identifier (VLAN ID) to Ethernet frame headers. A VLAN ID is a number between 0
and 4095 which is used to identify the specific Virtual LAN to which each frame belongs. With this
mechanism, Ethernet frames can belong to different Virtual LANs while still sharing the same
physical interface. With NetDefendOS, a VLAN ID must be unique on a given physical interface, but
the same VLAN ID can be reused on different physical interfaces.
Ethernet frames received on a physical interface by NetDefendOS are examined
for a VLAN ID. If a VLAN ID is found and a matching VLAN interface has been defined for that
physical interface, NetDefendOS uses the VLAN interface as the logical interface for further rule set
processing. If VLAN tagged traffic is received on a physical interface and no VLAN with a
corresponding VLAN ID has been defined for that interface, the traffic is dropped by NetDefendOS and
an unknown_vlanid log message is generated.
A NetDefend Firewall interface does not need to be dedicated to VLANs and can carry a mixture of
VLAN and non-VLAN traffic. If there is no VLAN ID attached to an Ethernet frame received on an
interface then the source of the frame is considered to be the physical interface.
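The classification rules above (tag present and matching VLAN interface defined: use the logical VLAN interface; tag present but no matching VLAN: drop and log unknown_vlanid; no tag: attribute the frame to the physical interface) can be made concrete with a small 802.1Q frame parser and classifier. The following Python is an added example, not NetDefendOS code or configuration; the interface names, the VLAN_TABLE mapping, the log line format and the sample frames are all constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q-tagged frame


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]  # None when the frame carries no 802.1Q tag
    ethertype: int          # EtherType of the encapsulated payload
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame; if an 802.1Q tag is present, extract the 12-bit VLAN ID."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset = 14
    vlan_id = None
    if ethertype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI; PCP/DEI bits are masked off
        offset = 18
    return Frame(dst, src, vlan_id, ethertype, raw[offset:])


# Constructed VLAN table: (physical interface, VLAN ID) -> logical VLAN interface.
# A VLAN ID is unique per physical interface but may be reused on another one (VID 10 below).
VLAN_TABLE = {
    ("lan", 10): "vlan10_lan",
    ("lan", 20): "vlan20_lan",
    ("wan", 10): "vlan10_wan",
}


def classify(phys_if: str, raw: bytes, log: List[str]) -> Optional[str]:
    """Return the logical interface used for rule-set processing, or None if the frame is dropped."""
    frame = parse_frame(raw)
    if frame.vlan_id is None:
        return phys_if  # untagged frame: its source is the physical interface itself
    logical = VLAN_TABLE.get((phys_if, frame.vlan_id))
    if logical is None:
        # Tagged traffic with no VLAN defined for this interface/VID: drop and log.
        log.append(f"unknown_vlanid iface={phys_if} vlanid={frame.vlan_id}")
        return None
    return logical


def build_frame(vlan_id: Optional[int], priority: int = 0,
                ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a sample frame, tagged (with optional PCP bits) or untagged."""
    dst = bytes.fromhex("001122334455")  # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


if __name__ == "__main__":
    events: List[str] = []
    for iface, raw in [("lan", build_frame(None)), ("lan", build_frame(10)),
                       ("wan", build_frame(10)), ("lan", build_frame(20, priority=5)),
                       ("lan", build_frame(30))]:
        print(iface, "->", classify(iface, raw, events))
    print("\n".join(events))
```

The point worth checking operationally is the last case: a frame tagged with a VID that has no VLAN interface on that physical port is silently dropped apart from the log entry, so an unexpected rise in unknown_vlanid messages usually means a switch trunk is carrying VLANs the firewall was never configured for.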
Physical VLAN Connection with VLAN
The illustration below shows the connections for a typical NetDefendOS VLAN scenario.
Figure 3.1. VLAN Connections
90
Chapter 3. Fundamentals