Virtual LAN interfaces

This section includes the following topics:

Amaranten Firewall is fully compliant with the IEEE 802.1Q specification for Virtual LANs. On a protocol level, Virtual LANs work by adding a Virtual LAN identifier (VLAN ID) to the Ethernet frame header. The VLAN ID is a number from 0 to 4095 and is used to identify a specific Virtual LAN. In this way, Ethernet frames can belong to different Virtual LANs, but still share the same physical media.

The Virtual LAN support in Amaranten Firewall works by defining one or more Virtual LAN interfaces. Each Virtual LAN interface is interpreted as a logical interface by the firewall, with the same filtering, traffic shaping and configuration capabilities as regular interfaces.

Ethernet frames received by the firewall are examined for a VLAN ID. If a VLAN ID is found, and a matching Virtual LAN interface has been defined, the firewall will consider that interface to be the receiving interface for the frame before further processing in the firewall takes place.

Virtual LANs in Amaranten Firewall are useful in several different scenarios, for instance, when firewall filtering is needed between different Virtual LANs in an organization, or when the number of interfaces needs to be expanded. For more information about the latter, please see the section Using Virtual LANs to expand firewall interfaces below.

Note: The number of Virtual LAN interfaces that can be defined in the firewall is regulated by the Amaranten Firewall license.

Virtual LAN interface configuration

Virtual LAN interfaces are defined in the Virtual LAN configuration section located in the Interfaces folder.

General parameters

Name ?Specifies the name of the Virtual LAN interface.

Interface ?Specifies on which Ethernet interface the Virtual LAN is defined.

VLAN ID ? Specifies the Virtual LAN ID used for this Virtual LAN interface. Two Virtual LANs cannot have the same VLAN ID if they are defined on the same Ethernet interface.

Address Settings

An optional IP address and a broadcast address can be specified for the Virtual LAN interface. If no IP address is specified, the Virtual LAN interface will use the IP address of the corresponding Ethernet interface.

IP Address ?(optional) Specifies the IP address of the Virtual LAN interface.

Broadcast ?(optional) Specifies the broadcast address of the Virtual LAN interface.

Using Virtual LANs to expand firewall interfaces

Virtual LANs are excellent tools for expanding the number of interfaces in Amaranten Firewall. The Amaranten Firewall Appliance M1080A, for instance, is equipped with two gigabit Ethernet interfaces and six 10/100 Ethernet interfaces, but can easily be expanded to, say, 24 interfaces by using a 16-port Ethernet switch with gigabit uplink port and Virtual LAN support.

The process outlined below describes the steps required to perform an interface expansion. Please note that the specific configuration of switch and firewall is highly model dependent and outside the scope of this documentation.

Connect the gigabit uplink port of the switch to one of the gigabit interfaces on the M1080A.
Create 16 Virtual LANs in Amaranten Firewall, named, for instance, vlan01 to vlan16, each with a unique VLAN ID.
In the switch, map each VLAN ID to a switch port, and make sure the uplink port is configured as a trunk port for all the VLAN IDs.
Each port of the switch will now be seen as a logical interface in the firewall. Thus, traffic entering the switch through, for instance, port 12 will be received by interface vlan12 in the firewall.

In the example above, a gigabit uplink port on the switch and a gigabit interface on the firewall was used. Gigabit interfaces are not a requirement from a functionality perspective; any type of interface would have worked. However, from a performance perspective, gigabit interfaces are recommended. Remember that one single Ethernet link is used to carry all traffic from the 16 switch ports, each with an interface link speed of 100 Mbps.