Creating a VLAN

VLANs are configured via a wizard that allows you to create the interface easily.

Select the interface or the bridge for which you wish to associate a VLAN. Then click on Add and Add a VLAN.

Select the type of VLAN you wish to create.

VLAN attached to a single interface (VLAN endpoint)

Stormshield Network firewalls can be placed at the end of VLANs to add or remove a VLAN tag. The firewall carries out the filtering and takes care of communications between the VLANS and the networks connected to the other firewall interfaces.


The firewall recognizes the VLANs as belonging to virtual interfaces, which enables them to be fully integrated into the company’s security system.


If you select this option, by clicking on Next, the screen for Step 2 will appear. The creation process takes place in 2 steps.

VLAN attached to 2 interfaces (crossing VLAN)

This option allows creating a crossing VLAN, meaning a bridge containing 2 VLANs with the same ID.


If you select this option, by clicking on Next, the screen for Step 3 will appear.

VLAN attached to a single interface (VLAN endpoint)

VLAN identification

Parent interface

Select the interface to which the VLAN will be attached.

Name

Enter a unique name for your VLAN (Cf. section Allowed names).

Comments

You may also enter a description.

Color

Color assigned to the VLAN.

VLAN IDs

This field allows specifying the value to be associated with the VLAN in packets passing through the network. This tag identifies the VLAN and is used at the Ethernet level. It must be unique and be any value between 1 and 4094 inclusive.

Priority (CoS)

This CoS (Class of Service field) priority will then be imposed for all packets sent by the VLAN.

This interface is

Determine whether the VLAN should be defined as an external or internal (protected) interface.

Address range

Dynamic IP (obtained by DHCP)

Select this option to give the VLAN a dynamic address.

Fixed IP (static)

By selecting this option, the interface will have a static address range. In this case, its IP address and network mask must be indicated.

Click on Finish.

VLAN attached to 2 interfaces (crossing VLAN)

When configuring VLANs for bridges, the same tag can be used for two VLAN interfaces, making the firewall appear transparently on the network. This method requires the use of one VLAN interface per physical interface.

Unlike the option Keep VLAN IDs (cf. in the advanced properties of an Ethernet interface) which makes the firewall fully transparent to the VLAN and which prevents the use of features which would interrupt VLAN traffic, such as proxies, this method of keeping the VLAN tag between several interfaces on the same bridge allows the use of all firewall features.
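To make the two behaviours described above concrete (VLAN endpoint: the firewall adds or removes the 802.1Q tag; crossing VLAN: the same VLAN ID is kept on both bridge interfaces, while each outgoing VLAN may impose its own CoS priority, and the ID must lie in 1..4094), here is an added Python model of the 802.1Q tag. It is illustrative code written for this page, not Stormshield's implementation; the sample frame, the function names and the simplified forwarding logic are assumptions.

```python
"""802.1Q tagging model: VLAN endpoint vs. crossing VLAN (constructed example, not Stormshield code)."""
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_tci(vid: int, cos: int = 0, dei: int = 0) -> int:
    """Pack CoS priority (3 bits), DEI (1 bit) and VLAN ID (12 bits) into the 16-bit TCI."""
    if not 1 <= vid <= 4094:           # 0 and 4095 are reserved by 802.1Q, hence the 1..4094 rule
        raise ValueError(f"VLAN ID {vid} outside 1..4094")
    if not 0 <= cos <= 7:              # CoS is the 3-bit 802.1p priority
        raise ValueError(f"CoS priority {cos} outside 0..7")
    return (cos << 13) | ((dei & 1) << 12) | vid

def add_tag(frame: bytes, vid: int, cos: int = 0) -> bytes:
    """Insert a tag after the destination/source MACs (what an endpoint does on egress)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, build_tci(vid, cos)) + frame[12:]

def strip_tag(frame: bytes) -> Tuple[bytes, Optional[int], Optional[int]]:
    """Remove a tag if present: returns (untagged frame, vid, cos), or (frame, None, None)."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame, None, None
    tci = struct.unpack("!H", frame[14:16])[0]
    return frame[:12] + frame[16:], tci & 0x0FFF, tci >> 13

def endpoint_forward(frame: bytes) -> bytes:
    """VLAN endpoint: the firewall terminates the VLAN and forwards the frame untagged."""
    untagged, _vid, _cos = strip_tag(frame)
    return untagged

def crossing_forward(frame: bytes, vid: int, egress_cos: Optional[int] = None) -> bytes:
    """Crossing VLAN: same ID on both bridge interfaces; the outgoing VLAN may set its own CoS."""
    untagged, in_vid, in_cos = strip_tag(frame)
    if in_vid != vid:
        raise ValueError(f"frame tagged {in_vid} does not belong to crossing VLAN {vid}")
    return add_tag(untagged, vid, in_cos if egress_cos is None else egress_cos)

# Constructed sample: broadcast destination, locally administered source, IPv4 EtherType, dummy payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0242ac110002" "0800") + b"payload"

if __name__ == "__main__":
    tagged = add_tag(SAMPLE_FRAME, vid=100, cos=5)
    print(tagged[12:16].hex())                                        # 8100a064
    print(endpoint_forward(tagged) == SAMPLE_FRAME)                   # True: tag removed at the endpoint
    print(crossing_forward(tagged, 100, egress_cos=2)[12:16].hex())   # 81004064: same ID, new CoS
```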

VLAN identification

Name

Enter a unique name for your VLAN

VLAN IDs

This field allows specifying the value to be associated with the VLAN in packets passing through the network. This tag identifies the VLAN and is used at the Ethernet level.

Color

Color assigned to the VLAN.

VLAN address range

Use an existing bridge

By selecting this option, you will need to select from the drop-down list the bridge to which VLANs will be attached.

Create a new bridge

If this option is selected, a wizard will allow creating a new bridge which will contain both interfaces.

Dynamic IP (obtained by DHCP)

The assigned IP address can be matched to a domain name via a DNS service provider (dyndns.org for example) in order to contact this firewall without having to know its IP address. This option is used when your firewall does not have a static IP address (e.g., when your service provider or DHCP renews its IP address regularly).


This feature can be enabled by selecting a dynamic DNS account that you have configured beforehand. The configuration of dynamic DNS clients is explained further in the document Dynamic DNS module.


This field allows specifying to the firewall that the configuration of the bridge (IP address and mask) is defined by DHCP. In this case, the “DHCP” zone in the Advanced properties tab will be enabled.

Fixed IP (static)

By selecting this option, the interface will have a static address range. In this case, its IP address and the mask of the subnetwork to which the interface belongs have to be indicated.

Click on Next.

Identification of the incoming VLAN

Name (mandatory)

Unique name for your VLAN. This field is pre-entered with the name indicated in the Name field in Step 3 suffixed with “1”.

Interface (mandatory)

Select the interface to which the VLAN will be attached.

This interface is

If “internal (protected)” is selected, this indicates that the interface is private. Addresses of internal interfaces cannot be used as destinations for packets coming from unprotected interfaces, except if they have been translated.

NOTE

You will notice that “internal (protected)” implies being on a protected interface. Therefore the options “internal (protected)” and “external (public)” are incompatible.


If you select “external (public)”, this indicates that this section of the network is connected to the internet. In most cases, the external interface, linked up to the internet, has to be in external mode. The interface’s security, represented by a shield icon, disappears when this option is checked.

Priority (CoS)

This CoS (Class of Service field) priority will then be imposed for all packets sent by the VLAN.

Use the same priority for the outgoing VLAN

When this checkbox is selected, an identical value will be automatically assigned to the Priority (CoS) field in the properties of the outgoing VLAN.

Click on Next again.

Identification of the outgoing VLAN

Name (mandatory)

Unique name for your VLAN. This field is pre-entered with the name indicated in the Name field in Step 3 suffixed with “2”.

Interface (mandatory)

Select the interface to which the VLAN will be attached.

This interface is

If “internal (protected)” is selected, this indicates that the interface is private. Addresses of internal interfaces cannot be used as destinations for packets coming from unprotected interfaces, except if they have been translated.

NOTE

You will notice that “internal (protected)” implies being on a protected interface. Therefore the options “internal (protected)” and “external (public)” are incompatible.


If you select “external (public)”, this indicates that this section of the network is connected to the internet. In most cases, the external interface, linked up to the internet, has to be in external mode. The interface’s security, represented by a shield icon, disappears when this option is checked.

Priority (CoS)

This CoS (Class of Service field) priority will then be imposed for all packets sent by the VLAN. This priority may be different from the one assigned to the incoming VLAN.

The following screen summarizes the configuration that you have just created.

Adding a VLAN

If you wish to create a new VLAN and you have reached the maximum number of dynamic VLANs possible, a pop-up window will appear to allow you to add others. This number can also be modified manually by going to System\Configuration\Network\Available VLANs (max 128).