Dfl-260E/860E Port Based Vlan - D-Link NetDefendOS User Manual

Appendix E: DFL-260E/860E Port Based VLAN
VLAN support on the NetDefend DFL-260E and DFL-860E firewalls is divided into two types:
• On Ethernet interfaces other than LAN interfaces, VLANs are created by configuring them in
NetDefendOS in the normal way. It is NetDefendOS that then takes on the task of adding and
recognizing VLAN tags in packets. It is not a hardware function.
Setting up these standard types of VLAN with the DFL-260E and DFL-860E is discussed in
Section 3.4.4, "VLAN".
• For the LAN interfaces only, VLANs are configured in NetDefendOS in a different way.
All the LAN interfaces are connected together by a common hardware switch fabric and this
fabric also takes care of managing the packet tagging for any VLANs configured on the
interfaces. This allows the ability to configure Port Based VLANs.
This appendix describes configuring port based VLANs for of the LAN interfaces.
The arrangement of VLANs on the LAN interfaces has the following characteristics:
• Each one of the DFL-260E and DFL-860E LAN interfaces has the possibility of being a separate
VLAN or part of a VLAN group.
• The DFL-260E and DFL-860E LAN interfaces can be grouped together onto VLANs with
arbitrary numbers of physical ports in each VLAN. For example, the interfaces could be
divided so that the first 2 interfaces are part of one VLAN, the next 2 interfaces are part of a
second VLAN and the remainder are left in normal operation.
• The LAN interfaces that are not part of a VLAN will continue to operate as a single interface
with the logical interface name LAN.
Configuring VLANs
How to configure port based VLANs will be illustrated with an example. Assume that the
requirement is to divide the LAN interfaces as follows:
• The first LAN interface will continue to operate normally through the switch fabric. This will
therefore be the logical NetDefendOS interface lan.
• The LAN interfaces 2, 3 and 4 will become a single VLAN with the logical name lan_port2-4.
• The remaining LAN interfaces will become a single VLAN with the logical name lan_5_plus.
This will include just the 5th interface on the DFL-260E and the 5th to 8th interfaces on the
DFL-860E.
To configure these VLANs, perform the following steps in the Web Interface:
1. Define the VLAN objects
In the Web Interface, go to Network > Interfaces and VPN > VLAN > Add and add 2 new VLAN
objects. Each VLAN should have an arbitrary value assigned for the VLAN ID, IP Address and
Network properties. Only the VLAN ID needs to be unique for the LAN interface. The IP addresses
should not be public IPv4 addresses.
A screenshot of how the resulting VLAN list might look in the Web Interface is shown below.
893