- LAN-side VLAN with IP interface-to-VLAN binding
- Inter-VLAN routing groups to extend VLAN segmentation up through the IP routing layer.
❑ Bridged VLANs - these VLANs are used to bridge trafﬁc from LAN to WAN
❑ Prioritization per VLAN and per port
Ethernet Switching/Policy Setup
Before you conﬁgure any VLANs, the unconﬁgured Gateway is set up as a router composed of a LAN
switch, a WAN switch, and a router in the middle, with LAN and WAN IP interfaces connected to their
respective switches. These bindings between Ethernet switch ports, IP LAN interface, IP WAN interface
and WAN physical ports are automatically created.
When you conﬁgure any VLANs, the default bindings are no longer valid, and the system requires
explicit binding between IP interfaces and layer 2 interfaces. Each VLAN can be thought of as a layer 2
switch, and enabling each port or interface in a VLAN is analogous to plugging it in to the layer 2
Thereafter, in order for devices to communicate on layer 2, they must be associated in the same VLAN.
For devices to communicate at layer 3, the devices must be either on the same VLAN, or on VLANs that
have an Inter-VLAN routing group enabled in common.
When conﬁguring VLANs you must deﬁne how trafﬁc needs to be forwarded:
❑ If trafﬁc needs to be bridged between LAN and WAN you can create a single VLAN that encompasses
the WAN port and LAN ports.
❑ If trafﬁc needs to be routed then you must deﬁne four elements:
• LAN-side VLANs
• WAN-side VLANs
• Associate IP Interfaces to VLANs
• Inter-VLAN Routing Groups: conﬁguration of routing between VLANs is done by association of a
VLAN to a Routing Group. Trafﬁc will be routed between VLANs within a routing group. The LAN IP
Ethernet Interface can be bound to multiple LAN VLANs, but forwarding can be limited between an
Ethernet LAN port and a WAN VLAN if you properly conﬁgure Inter-VLAN groups.
Inter-VLAN groups are also used to block routing between WAN interfaces. If each WAN IP interface
is bound to its own VLAN and if you conﬁgure a different Inter-VLAN group for each WAN VLAN then
no routing between WAN IP interfaces is possible.
❑ Example: to route between a VCC and all the LAN ports, which effectively is similar to the default
conﬁguration without any VLANs:
Create a VLAN named "VccWan" consisting of vcc1, ip-vcc1, routing-group 1
Create a VLAN named "Lan" consisting of eth0.1, eth0.2, eth0.3, eth0.4, ssid1, ssid2, ssid3, ssid4
(etc.), ip-eth-a, routing-group 1